af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1

Analysis

max time kernel
182s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
Size

361KB
MD5

562cbf4546a3f48af1f772502289edb1
SHA1

c2b9469d5d69b18a69aca5e22afd3f7dfa8c2b64
SHA256

af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1
SHA512

21e9c1809f4f503518dd0ce6815b5dbbd7fe415af7b49b93c15449b9fbfe5e9e95f9da7e8b407663a31989a9872923eb357ece892cbb4b581ba071201021fef8
SSDEEP

6144:1flfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:1flfAsiVGjSGecvX

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs

description	pid	Process	procid_target
PID 1428 created 4644	1428	svchost.exe	83
PID 1428 created 896	1428	svchost.exe	86
PID 1428 created 2240	1428	svchost.exe	91
PID 1428 created 5024	1428	svchost.exe	95
PID 1428 created 1172	1428	svchost.exe	97
PID 1428 created 4440	1428	svchost.exe	100
PID 1428 created 1144	1428	svchost.exe	108
PID 1428 created 2532	1428	svchost.exe	110

Executes dropped EXE 14 IoCs

pid	Process
3588	jwuomgezwrojhbzt.exe
4644	CreateProcess.exe
2560	kicausnkfd.exe
896	CreateProcess.exe
2240	CreateProcess.exe
1664	i_kicausnkfd.exe
5024	CreateProcess.exe
772	xvpnifaysq.exe
1172	CreateProcess.exe
4440	CreateProcess.exe
1588	i_xvpnifaysq.exe
1144	CreateProcess.exe
3964	tomgeywqoj.exe
2532	CreateProcess.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2968	ipconfig.exe
2656	ipconfig.exe
3808	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000d4cdf2493ac4bf1bf38ed1df965dcff9e9022cb6a62f8f1f557fd3c70594e041000000000e8000000002000020000000dcd1f896bb636cf266d2dbcc3f9a9ab583d32be212a56f2fc7391a982e2cf88420000000d2929181a49c67692a4bab54ff046895c04d8cd2f7e0488b76a907361f048c20400000000e041c375ce36458804a1ee454a239f56f345f6ce647141afbeaa64fa3c903dfd8706fc6f78cf8e2fba5178a35be5a39b369ae7b08808b04857e9c1439125136	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0b4dfac1e05d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C9F15801-7111-11ED-919F-FAE5CAF4041A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c9748000000000200000000001066000000010000200000001ebb49d02d5b03943a1df7e161ade3beff6c0be95c006449f6bc483db2cb51a3000000000e80000000020000200000004d9ddeaa93553d3b82fb6cf3f9f30281aca9af8ff06c85af524c0a943984e4fb20000000772a0e1aaa7cee5fac3884428ffba9f81f5e1888e382d9e1e28ca09922e94eba400000002f281bfbd4fde49fe6c5039f92c012300f8cac10cb8013e92c075f99f5ab163d8438cd936a17092e5c3c728cdde76351e51c5d04508a97975372318c35886f5d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376620683"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0dda3af1e05d901	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
3588	jwuomgezwrojhbzt.exe
3588	jwuomgezwrojhbzt.exe
3588	jwuomgezwrojhbzt.exe
3588	jwuomgezwrojhbzt.exe
3588	jwuomgezwrojhbzt.exe
3588	jwuomgezwrojhbzt.exe
3588	jwuomgezwrojhbzt.exe
3588	jwuomgezwrojhbzt.exe
3588	jwuomgezwrojhbzt.exe
3588	jwuomgezwrojhbzt.exe
3588	jwuomgezwrojhbzt.exe
3588	jwuomgezwrojhbzt.exe
3588	jwuomgezwrojhbzt.exe
3588	jwuomgezwrojhbzt.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
640	Process not Found
640	Process not Found
640	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTcbPrivilege	1428	svchost.exe
Token: SeTcbPrivilege	1428	svchost.exe
Token: SeDebugPrivilege	1664	i_kicausnkfd.exe
Token: SeDebugPrivilege	1588	i_xvpnifaysq.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4592	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4592	iexplore.exe
4592	iexplore.exe
4784	IEXPLORE.EXE
4784	IEXPLORE.EXE
4784	IEXPLORE.EXE
4784	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 3588	4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe	80
PID 4852 wrote to memory of 3588	4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe	80
PID 4852 wrote to memory of 3588	4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe	80
PID 4852 wrote to memory of 4592	4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe	81
PID 4852 wrote to memory of 4592	4852	af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe	81
PID 4592 wrote to memory of 4784	4592	iexplore.exe	82
PID 4592 wrote to memory of 4784	4592	iexplore.exe	82
PID 4592 wrote to memory of 4784	4592	iexplore.exe	82
PID 3588 wrote to memory of 4644	3588	jwuomgezwrojhbzt.exe	83
PID 3588 wrote to memory of 4644	3588	jwuomgezwrojhbzt.exe	83
PID 3588 wrote to memory of 4644	3588	jwuomgezwrojhbzt.exe	83
PID 1428 wrote to memory of 2560	1428	svchost.exe	85
PID 1428 wrote to memory of 2560	1428	svchost.exe	85
PID 1428 wrote to memory of 2560	1428	svchost.exe	85
PID 2560 wrote to memory of 896	2560	kicausnkfd.exe	86
PID 2560 wrote to memory of 896	2560	kicausnkfd.exe	86
PID 2560 wrote to memory of 896	2560	kicausnkfd.exe	86
PID 1428 wrote to memory of 2968	1428	svchost.exe	87
PID 1428 wrote to memory of 2968	1428	svchost.exe	87
PID 3588 wrote to memory of 2240	3588	jwuomgezwrojhbzt.exe	91
PID 3588 wrote to memory of 2240	3588	jwuomgezwrojhbzt.exe	91
PID 3588 wrote to memory of 2240	3588	jwuomgezwrojhbzt.exe	91
PID 1428 wrote to memory of 1664	1428	svchost.exe	92
PID 1428 wrote to memory of 1664	1428	svchost.exe	92
PID 1428 wrote to memory of 1664	1428	svchost.exe	92
PID 3588 wrote to memory of 5024	3588	jwuomgezwrojhbzt.exe	95
PID 3588 wrote to memory of 5024	3588	jwuomgezwrojhbzt.exe	95
PID 3588 wrote to memory of 5024	3588	jwuomgezwrojhbzt.exe	95
PID 1428 wrote to memory of 772	1428	svchost.exe	96
PID 1428 wrote to memory of 772	1428	svchost.exe	96
PID 1428 wrote to memory of 772	1428	svchost.exe	96
PID 772 wrote to memory of 1172	772	xvpnifaysq.exe	97
PID 772 wrote to memory of 1172	772	xvpnifaysq.exe	97
PID 772 wrote to memory of 1172	772	xvpnifaysq.exe	97
PID 1428 wrote to memory of 2656	1428	svchost.exe	98
PID 1428 wrote to memory of 2656	1428	svchost.exe	98
PID 3588 wrote to memory of 4440	3588	jwuomgezwrojhbzt.exe	100
PID 3588 wrote to memory of 4440	3588	jwuomgezwrojhbzt.exe	100
PID 3588 wrote to memory of 4440	3588	jwuomgezwrojhbzt.exe	100
PID 1428 wrote to memory of 1588	1428	svchost.exe	103
PID 1428 wrote to memory of 1588	1428	svchost.exe	103
PID 1428 wrote to memory of 1588	1428	svchost.exe	103
PID 3588 wrote to memory of 1144	3588	jwuomgezwrojhbzt.exe	108
PID 3588 wrote to memory of 1144	3588	jwuomgezwrojhbzt.exe	108
PID 3588 wrote to memory of 1144	3588	jwuomgezwrojhbzt.exe	108
PID 1428 wrote to memory of 3964	1428	svchost.exe	109
PID 1428 wrote to memory of 3964	1428	svchost.exe	109
PID 1428 wrote to memory of 3964	1428	svchost.exe	109
PID 3964 wrote to memory of 2532	3964	tomgeywqoj.exe	110
PID 3964 wrote to memory of 2532	3964	tomgeywqoj.exe	110
PID 3964 wrote to memory of 2532	3964	tomgeywqoj.exe	110
PID 1428 wrote to memory of 3808	1428	svchost.exe	111
PID 1428 wrote to memory of 3808	1428	svchost.exe	111

C:\Users\Admin\AppData\Local\Temp\af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe
"C:\Users\Admin\AppData\Local\Temp\af7c978196579d2d14db30a488bd1d89c147c9e7ab5b50aed730c515076751d1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Temp\jwuomgezwrojhbzt.exe
  C:\Temp\jwuomgezwrojhbzt.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kicausnkfd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4644
  - - C:\Temp\kicausnkfd.exe
      C:\Temp\kicausnkfd.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:896
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2968
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kicausnkfd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2240
  - - C:\Temp\i_kicausnkfd.exe
      C:\Temp\i_kicausnkfd.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1664
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xvpnifaysq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:5024
  - - C:\Temp\xvpnifaysq.exe
      C:\Temp\xvpnifaysq.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:772
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1172
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2656
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xvpnifaysq.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4440
  - - C:\Temp\i_xvpnifaysq.exe
      C:\Temp\i_xvpnifaysq.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1588
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tomgeywqoj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1144
  - - C:\Temp\tomgeywqoj.exe
      C:\Temp\tomgeywqoj.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3964
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2532
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3808
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4592 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a1e1e43dda8a15466b3f30be270611f0

SHA1
ad567474c98a871952bc4b1b213ac610c1c177cf

SHA256
3d605116699a91e38ae665a75a884ef4a493c0bf5e59f57ee0655a9e9d9a4b29

SHA512
4d8346eecb7976b843639b82f515885982b0b5d0b8aa0358b253f53333fcf5235d759fed0e5aff8af9221f9f3e08c27e99791204c30c544357829735217cebc4

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a1e1e43dda8a15466b3f30be270611f0

SHA1
ad567474c98a871952bc4b1b213ac610c1c177cf

SHA256
3d605116699a91e38ae665a75a884ef4a493c0bf5e59f57ee0655a9e9d9a4b29

SHA512
4d8346eecb7976b843639b82f515885982b0b5d0b8aa0358b253f53333fcf5235d759fed0e5aff8af9221f9f3e08c27e99791204c30c544357829735217cebc4

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a1e1e43dda8a15466b3f30be270611f0

SHA1
ad567474c98a871952bc4b1b213ac610c1c177cf

SHA256
3d605116699a91e38ae665a75a884ef4a493c0bf5e59f57ee0655a9e9d9a4b29

SHA512
4d8346eecb7976b843639b82f515885982b0b5d0b8aa0358b253f53333fcf5235d759fed0e5aff8af9221f9f3e08c27e99791204c30c544357829735217cebc4

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a1e1e43dda8a15466b3f30be270611f0

SHA1
ad567474c98a871952bc4b1b213ac610c1c177cf

SHA256
3d605116699a91e38ae665a75a884ef4a493c0bf5e59f57ee0655a9e9d9a4b29

SHA512
4d8346eecb7976b843639b82f515885982b0b5d0b8aa0358b253f53333fcf5235d759fed0e5aff8af9221f9f3e08c27e99791204c30c544357829735217cebc4

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a1e1e43dda8a15466b3f30be270611f0

SHA1
ad567474c98a871952bc4b1b213ac610c1c177cf

SHA256
3d605116699a91e38ae665a75a884ef4a493c0bf5e59f57ee0655a9e9d9a4b29

SHA512
4d8346eecb7976b843639b82f515885982b0b5d0b8aa0358b253f53333fcf5235d759fed0e5aff8af9221f9f3e08c27e99791204c30c544357829735217cebc4

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a1e1e43dda8a15466b3f30be270611f0

SHA1
ad567474c98a871952bc4b1b213ac610c1c177cf

SHA256
3d605116699a91e38ae665a75a884ef4a493c0bf5e59f57ee0655a9e9d9a4b29

SHA512
4d8346eecb7976b843639b82f515885982b0b5d0b8aa0358b253f53333fcf5235d759fed0e5aff8af9221f9f3e08c27e99791204c30c544357829735217cebc4

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a1e1e43dda8a15466b3f30be270611f0

SHA1
ad567474c98a871952bc4b1b213ac610c1c177cf

SHA256
3d605116699a91e38ae665a75a884ef4a493c0bf5e59f57ee0655a9e9d9a4b29

SHA512
4d8346eecb7976b843639b82f515885982b0b5d0b8aa0358b253f53333fcf5235d759fed0e5aff8af9221f9f3e08c27e99791204c30c544357829735217cebc4

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a1e1e43dda8a15466b3f30be270611f0

SHA1
ad567474c98a871952bc4b1b213ac610c1c177cf

SHA256
3d605116699a91e38ae665a75a884ef4a493c0bf5e59f57ee0655a9e9d9a4b29

SHA512
4d8346eecb7976b843639b82f515885982b0b5d0b8aa0358b253f53333fcf5235d759fed0e5aff8af9221f9f3e08c27e99791204c30c544357829735217cebc4

Download Submit
C:\Temp\i_kicausnkfd.exe

Filesize
361KB

MD5
d2d3728691e0b29f528e8c35fadcf80a

SHA1
d6d54c0611ceaa2f5732860cf95ff810169351e9

SHA256
a5c109be7c6b5c0c061f235718140aba6a860bc3a03c99069dcd2ede596ac95b

SHA512
83b5ec08953462013d31678937c51b093fdaf2eb26ec34cad2aed175e5a8eb7a5e5f321422b1bf1ac594404ca0bd893ca79aa2ea26e9ebd992bbfb9fb2b9edd1

Download Submit
C:\Temp\i_kicausnkfd.exe

Filesize
361KB

MD5
d2d3728691e0b29f528e8c35fadcf80a

SHA1
d6d54c0611ceaa2f5732860cf95ff810169351e9

SHA256
a5c109be7c6b5c0c061f235718140aba6a860bc3a03c99069dcd2ede596ac95b

SHA512
83b5ec08953462013d31678937c51b093fdaf2eb26ec34cad2aed175e5a8eb7a5e5f321422b1bf1ac594404ca0bd893ca79aa2ea26e9ebd992bbfb9fb2b9edd1

Download Submit
C:\Temp\i_xvpnifaysq.exe

Filesize
361KB

MD5
8d7095afbf00d372b0f29d96599147a4

SHA1
efb845ab82f3eb38f042f917de10e3d20fe6216b

SHA256
4bd1b92721a04c71527b116f89696944b578b0ec2268c12133c79454bd8dcc21

SHA512
d817c74f4aa5869ebefdb989295f40678b68ad4e168e6c5d1b02667a4b8c82fd6f6e5df87b730f1e587d7d50d4d7c4de8d7609c78958465b0b3257f883351cb2

Download Submit
C:\Temp\i_xvpnifaysq.exe

Filesize
361KB

MD5
8d7095afbf00d372b0f29d96599147a4

SHA1
efb845ab82f3eb38f042f917de10e3d20fe6216b

SHA256
4bd1b92721a04c71527b116f89696944b578b0ec2268c12133c79454bd8dcc21

SHA512
d817c74f4aa5869ebefdb989295f40678b68ad4e168e6c5d1b02667a4b8c82fd6f6e5df87b730f1e587d7d50d4d7c4de8d7609c78958465b0b3257f883351cb2

Download Submit
C:\Temp\jwuomgezwrojhbzt.exe

Filesize
361KB

MD5
6063419339abf70fdb5d184c1d529081

SHA1
32d5478629949b6e37386c193ae3de03d6b5284a

SHA256
b7135b870b7000b2a6f3706d11b3a07ec43e73750784ea3a2893e54d0187aa55

SHA512
e7ccc616aa71963c6698016bfa940accd17b9bb8b327f386432a6849746b6f018627cd09ce7e5928ff34b166381be413822296a4cd50ea58101651e6e039904f

Download Submit
C:\Temp\jwuomgezwrojhbzt.exe

Filesize
361KB

MD5
6063419339abf70fdb5d184c1d529081

SHA1
32d5478629949b6e37386c193ae3de03d6b5284a

SHA256
b7135b870b7000b2a6f3706d11b3a07ec43e73750784ea3a2893e54d0187aa55

SHA512
e7ccc616aa71963c6698016bfa940accd17b9bb8b327f386432a6849746b6f018627cd09ce7e5928ff34b166381be413822296a4cd50ea58101651e6e039904f

Download Submit
C:\Temp\kicausnkfd.exe

Filesize
361KB

MD5
f6c61a4883fcd8e8fce0d643f4185f92

SHA1
ace9e4fe5d5922c3b76b18ba58ebafb804f31049

SHA256
51130f6b44dd1ce0e7d551787ae17872a30e69a2df8c0c35259e4d77c94ac546

SHA512
8b6b7597f452c38e84eed293d61867df1ed18e71982a0c7341929b424183cde701650297f0c2218297c06523c80e73aa3f56c017ef2e539caab2ef06a15a0259

Download Submit
C:\Temp\kicausnkfd.exe

Filesize
361KB

MD5
f6c61a4883fcd8e8fce0d643f4185f92

SHA1
ace9e4fe5d5922c3b76b18ba58ebafb804f31049

SHA256
51130f6b44dd1ce0e7d551787ae17872a30e69a2df8c0c35259e4d77c94ac546

SHA512
8b6b7597f452c38e84eed293d61867df1ed18e71982a0c7341929b424183cde701650297f0c2218297c06523c80e73aa3f56c017ef2e539caab2ef06a15a0259

Download Submit
C:\Temp\tomgeywqoj.exe

Filesize
361KB

MD5
1cc8ccf4a1f72ff143f011952a902c42

SHA1
89cd8f1a7ac24e6513c35481aaf63b2efd2525db

SHA256
7fa1fa90139e7b9c25fbb28309285e63a7260d903b12f9ff3f9192f2b1b391fc

SHA512
1a8968965363c9cdbca85601b430b44883c4b94b3ee54d2f0a1526865392a62e76511831f55397ae5e554ff451c0c4f6dc376173c5ee6fb44c5289270c7a0c82

Download Submit
C:\Temp\tomgeywqoj.exe

Filesize
361KB

MD5
1cc8ccf4a1f72ff143f011952a902c42

SHA1
89cd8f1a7ac24e6513c35481aaf63b2efd2525db

SHA256
7fa1fa90139e7b9c25fbb28309285e63a7260d903b12f9ff3f9192f2b1b391fc

SHA512
1a8968965363c9cdbca85601b430b44883c4b94b3ee54d2f0a1526865392a62e76511831f55397ae5e554ff451c0c4f6dc376173c5ee6fb44c5289270c7a0c82

Download Submit
C:\Temp\xvpnifaysq.exe

Filesize
361KB

MD5
2fe305b5270ced28bdf82177b12d3a14

SHA1
caeae1d01937950b433471de38d3fa8cc6d8c341

SHA256
3fa9590f92d8566234f73f9a5b5d578ea68526988f7359ab9985ea726b40d8c6

SHA512
de9dea35285d95fd504a439a884c6eae69f6dfbaef3e5e5c6d015531f3582ea51b0431dde7b969020867d6d7584af11833cfa3b75d3aea036dc3af4ca181b993

Download Submit
C:\Temp\xvpnifaysq.exe

Filesize
361KB

MD5
2fe305b5270ced28bdf82177b12d3a14

SHA1
caeae1d01937950b433471de38d3fa8cc6d8c341

SHA256
3fa9590f92d8566234f73f9a5b5d578ea68526988f7359ab9985ea726b40d8c6

SHA512
de9dea35285d95fd504a439a884c6eae69f6dfbaef3e5e5c6d015531f3582ea51b0431dde7b969020867d6d7584af11833cfa3b75d3aea036dc3af4ca181b993

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
a1e1e43dda8a15466b3f30be270611f0

SHA1
ad567474c98a871952bc4b1b213ac610c1c177cf

SHA256
3d605116699a91e38ae665a75a884ef4a493c0bf5e59f57ee0655a9e9d9a4b29

SHA512
4d8346eecb7976b843639b82f515885982b0b5d0b8aa0358b253f53333fcf5235d759fed0e5aff8af9221f9f3e08c27e99791204c30c544357829735217cebc4

Download Submit