f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd

Analysis

max time kernel
208s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 14:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
Size

361KB
MD5

f5a64b55e5154ef7bc386df96d4d2258
SHA1

fd0d37af8ea14e71f1ec91b7c184c7a03059048c
SHA256

f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd
SHA512

f94a5967012b9d622b2aa06bba5c096c299571d8d716a05297481d4fad644aa5ce75be59e0f425f066f86837f0d8480755115cac85fb626e3d5c389aeef0f5cd
SSDEEP

6144:vflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:vflfAsiVGjSGecvX

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

description	pid	Process	procid_target
PID 2400 created 4304	2400	svchost.exe	87
PID 2400 created 2556	2400	svchost.exe	91
PID 2400 created 732	2400	svchost.exe	94
PID 2400 created 768	2400	svchost.exe	99
PID 2400 created 4148	2400	svchost.exe	101
PID 2400 created 4492	2400	svchost.exe	105
PID 2400 created 880	2400	svchost.exe	113
PID 2400 created 3484	2400	svchost.exe	115
PID 2400 created 1532	2400	svchost.exe	119

Executes dropped EXE 16 IoCs

pid	Process
2672	sqkicausnkfdxvpn.exe
4304	CreateProcess.exe
4676	jhczuomhez.exe
2556	CreateProcess.exe
732	CreateProcess.exe
1484	i_jhczuomhez.exe
768	CreateProcess.exe
2488	kidavtnlfd.exe
4148	CreateProcess.exe
4492	CreateProcess.exe
4552	i_kidavtnlfd.exe
880	CreateProcess.exe
1392	igbytrljdb.exe
3484	CreateProcess.exe
1532	CreateProcess.exe
3860	i_igbytrljdb.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4228	ipconfig.exe
392	ipconfig.exe
3144	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{72144690-7111-11ED-919F-6EDF9685419A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "878744905"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999838"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376620537"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999838"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "878744905"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
2672	sqkicausnkfdxvpn.exe
2672	sqkicausnkfdxvpn.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
2672	sqkicausnkfdxvpn.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
2672	sqkicausnkfdxvpn.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
2672	sqkicausnkfdxvpn.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
2672	sqkicausnkfdxvpn.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
2672	sqkicausnkfdxvpn.exe
2672	sqkicausnkfdxvpn.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
2672	sqkicausnkfdxvpn.exe
2672	sqkicausnkfdxvpn.exe
2672	sqkicausnkfdxvpn.exe
2672	sqkicausnkfdxvpn.exe
2672	sqkicausnkfdxvpn.exe
2672	sqkicausnkfdxvpn.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTcbPrivilege	2400	svchost.exe
Token: SeTcbPrivilege	2400	svchost.exe
Token: SeDebugPrivilege	1484	i_jhczuomhez.exe
Token: SeDebugPrivilege	4552	i_kidavtnlfd.exe
Token: SeDebugPrivilege	3860	i_igbytrljdb.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2888	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2888	iexplore.exe
2888	iexplore.exe
4972	IEXPLORE.EXE
4972	IEXPLORE.EXE
4972	IEXPLORE.EXE
4972	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2672	1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe	84
PID 1588 wrote to memory of 2672	1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe	84
PID 1588 wrote to memory of 2672	1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe	84
PID 1588 wrote to memory of 2888	1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe	85
PID 1588 wrote to memory of 2888	1588	f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe	85
PID 2672 wrote to memory of 4304	2672	sqkicausnkfdxvpn.exe	87
PID 2672 wrote to memory of 4304	2672	sqkicausnkfdxvpn.exe	87
PID 2672 wrote to memory of 4304	2672	sqkicausnkfdxvpn.exe	87
PID 2888 wrote to memory of 4972	2888	iexplore.exe	88
PID 2888 wrote to memory of 4972	2888	iexplore.exe	88
PID 2888 wrote to memory of 4972	2888	iexplore.exe	88
PID 2400 wrote to memory of 4676	2400	svchost.exe	90
PID 2400 wrote to memory of 4676	2400	svchost.exe	90
PID 2400 wrote to memory of 4676	2400	svchost.exe	90
PID 4676 wrote to memory of 2556	4676	jhczuomhez.exe	91
PID 4676 wrote to memory of 2556	4676	jhczuomhez.exe	91
PID 4676 wrote to memory of 2556	4676	jhczuomhez.exe	91
PID 2400 wrote to memory of 4228	2400	svchost.exe	92
PID 2400 wrote to memory of 4228	2400	svchost.exe	92
PID 2672 wrote to memory of 732	2672	sqkicausnkfdxvpn.exe	94
PID 2672 wrote to memory of 732	2672	sqkicausnkfdxvpn.exe	94
PID 2672 wrote to memory of 732	2672	sqkicausnkfdxvpn.exe	94
PID 2400 wrote to memory of 1484	2400	svchost.exe	95
PID 2400 wrote to memory of 1484	2400	svchost.exe	95
PID 2400 wrote to memory of 1484	2400	svchost.exe	95
PID 2672 wrote to memory of 768	2672	sqkicausnkfdxvpn.exe	99
PID 2672 wrote to memory of 768	2672	sqkicausnkfdxvpn.exe	99
PID 2672 wrote to memory of 768	2672	sqkicausnkfdxvpn.exe	99
PID 2400 wrote to memory of 2488	2400	svchost.exe	100
PID 2400 wrote to memory of 2488	2400	svchost.exe	100
PID 2400 wrote to memory of 2488	2400	svchost.exe	100
PID 2488 wrote to memory of 4148	2488	kidavtnlfd.exe	101
PID 2488 wrote to memory of 4148	2488	kidavtnlfd.exe	101
PID 2488 wrote to memory of 4148	2488	kidavtnlfd.exe	101
PID 2400 wrote to memory of 392	2400	svchost.exe	102
PID 2400 wrote to memory of 392	2400	svchost.exe	102
PID 2672 wrote to memory of 4492	2672	sqkicausnkfdxvpn.exe	105
PID 2672 wrote to memory of 4492	2672	sqkicausnkfdxvpn.exe	105
PID 2672 wrote to memory of 4492	2672	sqkicausnkfdxvpn.exe	105
PID 2400 wrote to memory of 4552	2400	svchost.exe	106
PID 2400 wrote to memory of 4552	2400	svchost.exe	106
PID 2400 wrote to memory of 4552	2400	svchost.exe	106
PID 2672 wrote to memory of 880	2672	sqkicausnkfdxvpn.exe	113
PID 2672 wrote to memory of 880	2672	sqkicausnkfdxvpn.exe	113
PID 2672 wrote to memory of 880	2672	sqkicausnkfdxvpn.exe	113
PID 2400 wrote to memory of 1392	2400	svchost.exe	114
PID 2400 wrote to memory of 1392	2400	svchost.exe	114
PID 2400 wrote to memory of 1392	2400	svchost.exe	114
PID 1392 wrote to memory of 3484	1392	igbytrljdb.exe	115
PID 1392 wrote to memory of 3484	1392	igbytrljdb.exe	115
PID 1392 wrote to memory of 3484	1392	igbytrljdb.exe	115
PID 2400 wrote to memory of 3144	2400	svchost.exe	116
PID 2400 wrote to memory of 3144	2400	svchost.exe	116
PID 2672 wrote to memory of 1532	2672	sqkicausnkfdxvpn.exe	119
PID 2672 wrote to memory of 1532	2672	sqkicausnkfdxvpn.exe	119
PID 2672 wrote to memory of 1532	2672	sqkicausnkfdxvpn.exe	119
PID 2400 wrote to memory of 3860	2400	svchost.exe	120
PID 2400 wrote to memory of 3860	2400	svchost.exe	120
PID 2400 wrote to memory of 3860	2400	svchost.exe	120

C:\Users\Admin\AppData\Local\Temp\f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe
"C:\Users\Admin\AppData\Local\Temp\f001b3ee80941f7ba2ac1c11b1173d1102fdc16f090d35a7d5bcf56833ccb5dd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Temp\sqkicausnkfdxvpn.exe
  C:\Temp\sqkicausnkfdxvpn.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jhczuomhez.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4304
  - - C:\Temp\jhczuomhez.exe
      C:\Temp\jhczuomhez.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2556
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4228
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jhczuomhez.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:732
  - - C:\Temp\i_jhczuomhez.exe
      C:\Temp\i_jhczuomhez.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1484
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kidavtnlfd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:768
  - - C:\Temp\kidavtnlfd.exe
      C:\Temp\kidavtnlfd.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4148
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:392
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kidavtnlfd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4492
  - - C:\Temp\i_kidavtnlfd.exe
      C:\Temp\i_kidavtnlfd.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4552
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\igbytrljdb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:880
  - - C:\Temp\igbytrljdb.exe
      C:\Temp\igbytrljdb.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1392
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3484
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3144
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_igbytrljdb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1532
  - - C:\Temp\i_igbytrljdb.exe
      C:\Temp\i_igbytrljdb.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3860
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
d46b9b43bc16536f2a8260f21ec8acc2

SHA1
f853d8d52880dc52bd6d4bfcd633a66e6d00077d

SHA256
ba8cdfc839461fb3ddb37d36e98a210a760e0eaa1643efcc2fe4a24eae2c3d4d

SHA512
09c44d3c4722302b72a61f7085bcdaa644eedc9ce7638c2634c516ea0c4f8ad6db0f21cc68cd9d361db54a8f16d39b7eccdaf9ae36c6ebceee0824a3cabc135b

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
d46b9b43bc16536f2a8260f21ec8acc2

SHA1
f853d8d52880dc52bd6d4bfcd633a66e6d00077d

SHA256
ba8cdfc839461fb3ddb37d36e98a210a760e0eaa1643efcc2fe4a24eae2c3d4d

SHA512
09c44d3c4722302b72a61f7085bcdaa644eedc9ce7638c2634c516ea0c4f8ad6db0f21cc68cd9d361db54a8f16d39b7eccdaf9ae36c6ebceee0824a3cabc135b

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
d46b9b43bc16536f2a8260f21ec8acc2

SHA1
f853d8d52880dc52bd6d4bfcd633a66e6d00077d

SHA256
ba8cdfc839461fb3ddb37d36e98a210a760e0eaa1643efcc2fe4a24eae2c3d4d

SHA512
09c44d3c4722302b72a61f7085bcdaa644eedc9ce7638c2634c516ea0c4f8ad6db0f21cc68cd9d361db54a8f16d39b7eccdaf9ae36c6ebceee0824a3cabc135b

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
d46b9b43bc16536f2a8260f21ec8acc2

SHA1
f853d8d52880dc52bd6d4bfcd633a66e6d00077d

SHA256
ba8cdfc839461fb3ddb37d36e98a210a760e0eaa1643efcc2fe4a24eae2c3d4d

SHA512
09c44d3c4722302b72a61f7085bcdaa644eedc9ce7638c2634c516ea0c4f8ad6db0f21cc68cd9d361db54a8f16d39b7eccdaf9ae36c6ebceee0824a3cabc135b

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
d46b9b43bc16536f2a8260f21ec8acc2

SHA1
f853d8d52880dc52bd6d4bfcd633a66e6d00077d

SHA256
ba8cdfc839461fb3ddb37d36e98a210a760e0eaa1643efcc2fe4a24eae2c3d4d

SHA512
09c44d3c4722302b72a61f7085bcdaa644eedc9ce7638c2634c516ea0c4f8ad6db0f21cc68cd9d361db54a8f16d39b7eccdaf9ae36c6ebceee0824a3cabc135b

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
d46b9b43bc16536f2a8260f21ec8acc2

SHA1
f853d8d52880dc52bd6d4bfcd633a66e6d00077d

SHA256
ba8cdfc839461fb3ddb37d36e98a210a760e0eaa1643efcc2fe4a24eae2c3d4d

SHA512
09c44d3c4722302b72a61f7085bcdaa644eedc9ce7638c2634c516ea0c4f8ad6db0f21cc68cd9d361db54a8f16d39b7eccdaf9ae36c6ebceee0824a3cabc135b

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
d46b9b43bc16536f2a8260f21ec8acc2

SHA1
f853d8d52880dc52bd6d4bfcd633a66e6d00077d

SHA256
ba8cdfc839461fb3ddb37d36e98a210a760e0eaa1643efcc2fe4a24eae2c3d4d

SHA512
09c44d3c4722302b72a61f7085bcdaa644eedc9ce7638c2634c516ea0c4f8ad6db0f21cc68cd9d361db54a8f16d39b7eccdaf9ae36c6ebceee0824a3cabc135b

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
d46b9b43bc16536f2a8260f21ec8acc2

SHA1
f853d8d52880dc52bd6d4bfcd633a66e6d00077d

SHA256
ba8cdfc839461fb3ddb37d36e98a210a760e0eaa1643efcc2fe4a24eae2c3d4d

SHA512
09c44d3c4722302b72a61f7085bcdaa644eedc9ce7638c2634c516ea0c4f8ad6db0f21cc68cd9d361db54a8f16d39b7eccdaf9ae36c6ebceee0824a3cabc135b

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
d46b9b43bc16536f2a8260f21ec8acc2

SHA1
f853d8d52880dc52bd6d4bfcd633a66e6d00077d

SHA256
ba8cdfc839461fb3ddb37d36e98a210a760e0eaa1643efcc2fe4a24eae2c3d4d

SHA512
09c44d3c4722302b72a61f7085bcdaa644eedc9ce7638c2634c516ea0c4f8ad6db0f21cc68cd9d361db54a8f16d39b7eccdaf9ae36c6ebceee0824a3cabc135b

Download Submit
C:\Temp\i_igbytrljdb.exe

Filesize
361KB

MD5
1fbf1431add5301e7f4e5fea77387d98

SHA1
f551ecf247f176754e3ab4e4e2b9039f4642974d

SHA256
c606536d6b9ba294a217ccf87a04cdc2eeb821932389f7c0557271b59a698cbf

SHA512
fb20013d21d83f7858cb752defd5413c2e3f3d4e053afd25e46ea8014237a1e5cd95fcc63ce5fc47f8aa724d80b82af2b1075cc0a651e32c46011beaf779d9a7

Download Submit
C:\Temp\i_igbytrljdb.exe

Filesize
361KB

MD5
1fbf1431add5301e7f4e5fea77387d98

SHA1
f551ecf247f176754e3ab4e4e2b9039f4642974d

SHA256
c606536d6b9ba294a217ccf87a04cdc2eeb821932389f7c0557271b59a698cbf

SHA512
fb20013d21d83f7858cb752defd5413c2e3f3d4e053afd25e46ea8014237a1e5cd95fcc63ce5fc47f8aa724d80b82af2b1075cc0a651e32c46011beaf779d9a7

Download Submit
C:\Temp\i_jhczuomhez.exe

Filesize
361KB

MD5
97de615974df12d36ce026fda7ef5ddf

SHA1
5ba95d52e8bf0199148c0068b6b292f5789776f3

SHA256
5c588cfd6b2932ddb35347035689bfd9eb623472664d325d4266d81f949fd624

SHA512
587d3440876a7e9e32dc81ff374eb98105181d4a1b91523fdca93b2b252c9390127593d8e65b66abe49b69444081feb02f3ca19948b5a819364f1d1d140a5531

Download Submit
C:\Temp\i_jhczuomhez.exe

Filesize
361KB

MD5
97de615974df12d36ce026fda7ef5ddf

SHA1
5ba95d52e8bf0199148c0068b6b292f5789776f3

SHA256
5c588cfd6b2932ddb35347035689bfd9eb623472664d325d4266d81f949fd624

SHA512
587d3440876a7e9e32dc81ff374eb98105181d4a1b91523fdca93b2b252c9390127593d8e65b66abe49b69444081feb02f3ca19948b5a819364f1d1d140a5531

Download Submit
C:\Temp\i_kidavtnlfd.exe

Filesize
361KB

MD5
70eef0b550fc3d4f6c209f9611bdf477

SHA1
4c837a30d165c2daa9e07c3a5d787d8c6264930c

SHA256
5f19769d640f0422f642a8063138f8d0a088693c9d36719a2722a98e8dee0e9a

SHA512
f82156484c73ccb1fc59092ad6a703ea3f4826aad0a59e82c6dba2bee0e86c48a4b2f5b7854b188196a8992e78a2a9c902aaf12199626fdfdc4c1391faf24dc7

Download Submit
C:\Temp\i_kidavtnlfd.exe

Filesize
361KB

MD5
70eef0b550fc3d4f6c209f9611bdf477

SHA1
4c837a30d165c2daa9e07c3a5d787d8c6264930c

SHA256
5f19769d640f0422f642a8063138f8d0a088693c9d36719a2722a98e8dee0e9a

SHA512
f82156484c73ccb1fc59092ad6a703ea3f4826aad0a59e82c6dba2bee0e86c48a4b2f5b7854b188196a8992e78a2a9c902aaf12199626fdfdc4c1391faf24dc7

Download Submit
C:\Temp\igbytrljdb.exe

Filesize
361KB

MD5
dfc19cc97f8a8e83725f2205c0d7a80d

SHA1
59d12f9be511de2a40723f882721b3fad3dc1923

SHA256
c96d359c85fe11a053d111239558afc53766fa5980547031ee9289d10d235ff5

SHA512
20c2f0851a21e19439577a9f0ed890e97169439709e5c48ed96f44e6269147f544f25c890999b1984629329a84dbd1d76306f1daead865260f9b8dab9341c506

Download Submit
C:\Temp\igbytrljdb.exe

Filesize
361KB

MD5
dfc19cc97f8a8e83725f2205c0d7a80d

SHA1
59d12f9be511de2a40723f882721b3fad3dc1923

SHA256
c96d359c85fe11a053d111239558afc53766fa5980547031ee9289d10d235ff5

SHA512
20c2f0851a21e19439577a9f0ed890e97169439709e5c48ed96f44e6269147f544f25c890999b1984629329a84dbd1d76306f1daead865260f9b8dab9341c506

Download Submit
C:\Temp\jhczuomhez.exe

Filesize
361KB

MD5
3cffc0ba4a99736279b70a065a8303c1

SHA1
ebc5ec00967f930e1ffd076ec11eedf2f07ffa46

SHA256
07784d63fcbbf9dd63693693649327a0c5b3bc13ece3800e3528b923605ba882

SHA512
188c6ae44007775451c9761ae4da77754bce259b2015024d9e3ef151c6effdb1de29c22a82a34ad67d3833a7fbe8d808197a11c5a175b1413843d8c465f811a1

Download Submit
C:\Temp\jhczuomhez.exe

Filesize
361KB

MD5
3cffc0ba4a99736279b70a065a8303c1

SHA1
ebc5ec00967f930e1ffd076ec11eedf2f07ffa46

SHA256
07784d63fcbbf9dd63693693649327a0c5b3bc13ece3800e3528b923605ba882

SHA512
188c6ae44007775451c9761ae4da77754bce259b2015024d9e3ef151c6effdb1de29c22a82a34ad67d3833a7fbe8d808197a11c5a175b1413843d8c465f811a1

Download Submit
C:\Temp\kidavtnlfd.exe

Filesize
361KB

MD5
bb015b3655c89553b5d2eab97789c18e

SHA1
7efc02843558c9b3d14ca996e2322e45965750e5

SHA256
56a7f8262d36a8e7da59ce85113f770920aa36ce63986b7201fa3fa988702ba8

SHA512
23d9e8521325d78c102f8f3e2565236e9e611018487765b5fc243d12279f9ffa27e31c403e146e59dd2c42b659f94e10c7d189590c4452d3196e3aa780429036

Download Submit
C:\Temp\kidavtnlfd.exe

Filesize
361KB

MD5
bb015b3655c89553b5d2eab97789c18e

SHA1
7efc02843558c9b3d14ca996e2322e45965750e5

SHA256
56a7f8262d36a8e7da59ce85113f770920aa36ce63986b7201fa3fa988702ba8

SHA512
23d9e8521325d78c102f8f3e2565236e9e611018487765b5fc243d12279f9ffa27e31c403e146e59dd2c42b659f94e10c7d189590c4452d3196e3aa780429036

Download Submit
C:\Temp\sqkicausnkfdxvpn.exe

Filesize
361KB

MD5
d9a1e426bfc93742a10123dc6000cbba

SHA1
d2fd311cd7b72b01e310c71a65b20542b56599bc

SHA256
85ea509c7daeeefbc99522b4d715972a701733292a37669a992e215db5c4b27c

SHA512
5fe5f6f2e1ddb6d533d1432292f10cb9b76fe645677b4d4fceb1c2da37f3cb019facacb172963cf085a6733b64e13e6be6ab8a0de7a9f6110a9849eb8a44e49b

Download Submit
C:\Temp\sqkicausnkfdxvpn.exe

Filesize
361KB

MD5
d9a1e426bfc93742a10123dc6000cbba

SHA1
d2fd311cd7b72b01e310c71a65b20542b56599bc

SHA256
85ea509c7daeeefbc99522b4d715972a701733292a37669a992e215db5c4b27c

SHA512
5fe5f6f2e1ddb6d533d1432292f10cb9b76fe645677b4d4fceb1c2da37f3cb019facacb172963cf085a6733b64e13e6be6ab8a0de7a9f6110a9849eb8a44e49b

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
d46b9b43bc16536f2a8260f21ec8acc2

SHA1
f853d8d52880dc52bd6d4bfcd633a66e6d00077d

SHA256
ba8cdfc839461fb3ddb37d36e98a210a760e0eaa1643efcc2fe4a24eae2c3d4d

SHA512
09c44d3c4722302b72a61f7085bcdaa644eedc9ce7638c2634c516ea0c4f8ad6db0f21cc68cd9d361db54a8f16d39b7eccdaf9ae36c6ebceee0824a3cabc135b

Download Submit