e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389

Analysis

max time kernel
154s
max time network
219s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 21:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
Size

361KB
MD5

e0a42a639f382f25a111362ad5220a05
SHA1

780cbf17a8d5f72549b0feba63f7514f740c16aa
SHA256

e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389
SHA512

9bb2f544c582e8ce2dc86fc8de08070a1b71f1769533d9b70153e7efd34f45d92bf5a946bd5ab14d992c76389cc2f6498c9806bbfa32ec9f3d4fcde709a143fa
SSDEEP

6144:YflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:YflfAsiVGjSGecvX

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

description	pid	Process	procid_target
PID 932 created 3568	932	svchost.exe	87
PID 932 created 4576	932	svchost.exe	90
PID 932 created 2904	932	svchost.exe	95
PID 932 created 2660	932	svchost.exe	98
PID 932 created 2888	932	svchost.exe	101
PID 932 created 4996	932	svchost.exe	106
PID 932 created 4744	932	svchost.exe	111
PID 932 created 440	932	svchost.exe	113
PID 932 created 372	932	svchost.exe	118

Executes dropped EXE 16 IoCs

pid	Process
1424	gaytqljdbvtnlgdy.exe
3568	CreateProcess.exe
4840	fdxvqnigay.exe
4576	CreateProcess.exe
2904	CreateProcess.exe
3748	i_fdxvqnigay.exe
2660	CreateProcess.exe
796	qljdbvtolg.exe
2888	CreateProcess.exe
4996	CreateProcess.exe
4156	i_qljdbvtolg.exe
4744	CreateProcess.exe
4640	rmgezwrpjh.exe
440	CreateProcess.exe
372	CreateProcess.exe
3988	i_rmgezwrpjh.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1460	ipconfig.exe
2256	ipconfig.exe
2828	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2066563407"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2066563407"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb000000000200000000001066000000010000200000003cb2d0de0d52875f666f6b00aa5a3d1d2124962ef79c866f102801c27b8cde01000000000e8000000002000020000000918fcbb6d1b2e84031344adb186c88a523fcc33ec0958db61ccaaa009f0521e4200000001edba5e048f327d55bf033399d266549cac58474a0201620fbd532a2d818bb90400000004d9f76cd1514bbcfb2cf70f38ab1f5e34e099897fbc369ef57c30bfd4442d6b13b569f144898012e6c2db7f810da7b7e57f978baa4d0c3dcb123459b1d47989c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0113780d108d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0c87988d108d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000785"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000785"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9C7204C8-74C4-11ED-BF5F-66300FA194E6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb000000000200000000001066000000010000200000001e88f9f907106c1465f5afd747006af178eb65b836a15e212232b006181fa563000000000e800000000200002000000066b6c61327a5ac5b5ce26897e531a837756f5bfa8d48fde3343b8572cf741b56200000000991930e7dd11035825a8c04713fe7f5febe310b0fbbf695b8daeae20128637440000000eb2609bce0ebdf86b223492e1878c275c1def0901f92dba81fd028d7eed5c96d3e571a94931b333b1ce6969f51e86b0321b09b6a13c1b9c962e37753ae436a49	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376424233"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
1424	gaytqljdbvtnlgdy.exe
1424	gaytqljdbvtnlgdy.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
1424	gaytqljdbvtnlgdy.exe
1424	gaytqljdbvtnlgdy.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
1424	gaytqljdbvtnlgdy.exe
1424	gaytqljdbvtnlgdy.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
1424	gaytqljdbvtnlgdy.exe
1424	gaytqljdbvtnlgdy.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
1424	gaytqljdbvtnlgdy.exe
1424	gaytqljdbvtnlgdy.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
1424	gaytqljdbvtnlgdy.exe
1424	gaytqljdbvtnlgdy.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
1424	gaytqljdbvtnlgdy.exe
1424	gaytqljdbvtnlgdy.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTcbPrivilege	932	svchost.exe
Token: SeTcbPrivilege	932	svchost.exe
Token: SeDebugPrivilege	3748	i_fdxvqnigay.exe
Token: SeDebugPrivilege	4156	i_qljdbvtolg.exe
Token: SeDebugPrivilege	3988	i_rmgezwrpjh.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1388	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1388	iexplore.exe
1388	iexplore.exe
4228	IEXPLORE.EXE
4228	IEXPLORE.EXE
4228	IEXPLORE.EXE
4228	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1424	2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe	82
PID 2064 wrote to memory of 1424	2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe	82
PID 2064 wrote to memory of 1424	2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe	82
PID 2064 wrote to memory of 1388	2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe	83
PID 2064 wrote to memory of 1388	2064	e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe	83
PID 1388 wrote to memory of 4228	1388	iexplore.exe	86
PID 1388 wrote to memory of 4228	1388	iexplore.exe	86
PID 1388 wrote to memory of 4228	1388	iexplore.exe	86
PID 1424 wrote to memory of 3568	1424	gaytqljdbvtnlgdy.exe	87
PID 1424 wrote to memory of 3568	1424	gaytqljdbvtnlgdy.exe	87
PID 1424 wrote to memory of 3568	1424	gaytqljdbvtnlgdy.exe	87
PID 932 wrote to memory of 4840	932	svchost.exe	89
PID 932 wrote to memory of 4840	932	svchost.exe	89
PID 932 wrote to memory of 4840	932	svchost.exe	89
PID 4840 wrote to memory of 4576	4840	fdxvqnigay.exe	90
PID 4840 wrote to memory of 4576	4840	fdxvqnigay.exe	90
PID 4840 wrote to memory of 4576	4840	fdxvqnigay.exe	90
PID 932 wrote to memory of 1460	932	svchost.exe	91
PID 932 wrote to memory of 1460	932	svchost.exe	91
PID 1424 wrote to memory of 2904	1424	gaytqljdbvtnlgdy.exe	95
PID 1424 wrote to memory of 2904	1424	gaytqljdbvtnlgdy.exe	95
PID 1424 wrote to memory of 2904	1424	gaytqljdbvtnlgdy.exe	95
PID 932 wrote to memory of 3748	932	svchost.exe	97
PID 932 wrote to memory of 3748	932	svchost.exe	97
PID 932 wrote to memory of 3748	932	svchost.exe	97
PID 1424 wrote to memory of 2660	1424	gaytqljdbvtnlgdy.exe	98
PID 1424 wrote to memory of 2660	1424	gaytqljdbvtnlgdy.exe	98
PID 1424 wrote to memory of 2660	1424	gaytqljdbvtnlgdy.exe	98
PID 932 wrote to memory of 796	932	svchost.exe	99
PID 932 wrote to memory of 796	932	svchost.exe	99
PID 932 wrote to memory of 796	932	svchost.exe	99
PID 796 wrote to memory of 2888	796	qljdbvtolg.exe	101
PID 796 wrote to memory of 2888	796	qljdbvtolg.exe	101
PID 796 wrote to memory of 2888	796	qljdbvtolg.exe	101
PID 932 wrote to memory of 2256	932	svchost.exe	100
PID 932 wrote to memory of 2256	932	svchost.exe	100
PID 1424 wrote to memory of 4996	1424	gaytqljdbvtnlgdy.exe	106
PID 1424 wrote to memory of 4996	1424	gaytqljdbvtnlgdy.exe	106
PID 1424 wrote to memory of 4996	1424	gaytqljdbvtnlgdy.exe	106
PID 932 wrote to memory of 4156	932	svchost.exe	107
PID 932 wrote to memory of 4156	932	svchost.exe	107
PID 932 wrote to memory of 4156	932	svchost.exe	107
PID 1424 wrote to memory of 4744	1424	gaytqljdbvtnlgdy.exe	111
PID 1424 wrote to memory of 4744	1424	gaytqljdbvtnlgdy.exe	111
PID 1424 wrote to memory of 4744	1424	gaytqljdbvtnlgdy.exe	111
PID 932 wrote to memory of 4640	932	svchost.exe	112
PID 932 wrote to memory of 4640	932	svchost.exe	112
PID 932 wrote to memory of 4640	932	svchost.exe	112
PID 4640 wrote to memory of 440	4640	rmgezwrpjh.exe	113
PID 4640 wrote to memory of 440	4640	rmgezwrpjh.exe	113
PID 4640 wrote to memory of 440	4640	rmgezwrpjh.exe	113
PID 932 wrote to memory of 2828	932	svchost.exe	116
PID 932 wrote to memory of 2828	932	svchost.exe	116
PID 1424 wrote to memory of 372	1424	gaytqljdbvtnlgdy.exe	118
PID 1424 wrote to memory of 372	1424	gaytqljdbvtnlgdy.exe	118
PID 1424 wrote to memory of 372	1424	gaytqljdbvtnlgdy.exe	118
PID 932 wrote to memory of 3988	932	svchost.exe	119
PID 932 wrote to memory of 3988	932	svchost.exe	119
PID 932 wrote to memory of 3988	932	svchost.exe	119

C:\Users\Admin\AppData\Local\Temp\e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe
"C:\Users\Admin\AppData\Local\Temp\e8160af3c2faa583779e09e81690811233ee6f9541a691d563f2efd2d8f8b389.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Temp\gaytqljdbvtnlgdy.exe
  C:\Temp\gaytqljdbvtnlgdy.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\fdxvqnigay.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3568
  - - C:\Temp\fdxvqnigay.exe
      C:\Temp\fdxvqnigay.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4840
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4576
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1460
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_fdxvqnigay.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2904
  - - C:\Temp\i_fdxvqnigay.exe
      C:\Temp\i_fdxvqnigay.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3748
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qljdbvtolg.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2660
  - - C:\Temp\qljdbvtolg.exe
      C:\Temp\qljdbvtolg.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2888
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qljdbvtolg.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4996
  - - C:\Temp\i_qljdbvtolg.exe
      C:\Temp\i_qljdbvtolg.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4156
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rmgezwrpjh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4744
  - - C:\Temp\rmgezwrpjh.exe
      C:\Temp\rmgezwrpjh.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:440
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2828
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rmgezwrpjh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:372
  - - C:\Temp\i_rmgezwrpjh.exe
      C:\Temp\i_rmgezwrpjh.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3988
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
f536b626edb3c6c554fe19e16a69a244

SHA1
f94de467113a39fa150308cab822d51916bd5d89

SHA256
36917c2b70c38b81876c90a1996af83220ae23b940cdfe50099c9898f4af57f4

SHA512
8ecc5736a14650d3c57a97ee542e09caa12ac2a5bca3a2f6f67c1041f859b6cdd8e8b64eab4f04c2b625c0481aa1f09ac253170cbd38157d976d73c60efca965

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
f536b626edb3c6c554fe19e16a69a244

SHA1
f94de467113a39fa150308cab822d51916bd5d89

SHA256
36917c2b70c38b81876c90a1996af83220ae23b940cdfe50099c9898f4af57f4

SHA512
8ecc5736a14650d3c57a97ee542e09caa12ac2a5bca3a2f6f67c1041f859b6cdd8e8b64eab4f04c2b625c0481aa1f09ac253170cbd38157d976d73c60efca965

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
f536b626edb3c6c554fe19e16a69a244

SHA1
f94de467113a39fa150308cab822d51916bd5d89

SHA256
36917c2b70c38b81876c90a1996af83220ae23b940cdfe50099c9898f4af57f4

SHA512
8ecc5736a14650d3c57a97ee542e09caa12ac2a5bca3a2f6f67c1041f859b6cdd8e8b64eab4f04c2b625c0481aa1f09ac253170cbd38157d976d73c60efca965

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
f536b626edb3c6c554fe19e16a69a244

SHA1
f94de467113a39fa150308cab822d51916bd5d89

SHA256
36917c2b70c38b81876c90a1996af83220ae23b940cdfe50099c9898f4af57f4

SHA512
8ecc5736a14650d3c57a97ee542e09caa12ac2a5bca3a2f6f67c1041f859b6cdd8e8b64eab4f04c2b625c0481aa1f09ac253170cbd38157d976d73c60efca965

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
f536b626edb3c6c554fe19e16a69a244

SHA1
f94de467113a39fa150308cab822d51916bd5d89

SHA256
36917c2b70c38b81876c90a1996af83220ae23b940cdfe50099c9898f4af57f4

SHA512
8ecc5736a14650d3c57a97ee542e09caa12ac2a5bca3a2f6f67c1041f859b6cdd8e8b64eab4f04c2b625c0481aa1f09ac253170cbd38157d976d73c60efca965

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
f536b626edb3c6c554fe19e16a69a244

SHA1
f94de467113a39fa150308cab822d51916bd5d89

SHA256
36917c2b70c38b81876c90a1996af83220ae23b940cdfe50099c9898f4af57f4

SHA512
8ecc5736a14650d3c57a97ee542e09caa12ac2a5bca3a2f6f67c1041f859b6cdd8e8b64eab4f04c2b625c0481aa1f09ac253170cbd38157d976d73c60efca965

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
f536b626edb3c6c554fe19e16a69a244

SHA1
f94de467113a39fa150308cab822d51916bd5d89

SHA256
36917c2b70c38b81876c90a1996af83220ae23b940cdfe50099c9898f4af57f4

SHA512
8ecc5736a14650d3c57a97ee542e09caa12ac2a5bca3a2f6f67c1041f859b6cdd8e8b64eab4f04c2b625c0481aa1f09ac253170cbd38157d976d73c60efca965

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
f536b626edb3c6c554fe19e16a69a244

SHA1
f94de467113a39fa150308cab822d51916bd5d89

SHA256
36917c2b70c38b81876c90a1996af83220ae23b940cdfe50099c9898f4af57f4

SHA512
8ecc5736a14650d3c57a97ee542e09caa12ac2a5bca3a2f6f67c1041f859b6cdd8e8b64eab4f04c2b625c0481aa1f09ac253170cbd38157d976d73c60efca965

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
f536b626edb3c6c554fe19e16a69a244

SHA1
f94de467113a39fa150308cab822d51916bd5d89

SHA256
36917c2b70c38b81876c90a1996af83220ae23b940cdfe50099c9898f4af57f4

SHA512
8ecc5736a14650d3c57a97ee542e09caa12ac2a5bca3a2f6f67c1041f859b6cdd8e8b64eab4f04c2b625c0481aa1f09ac253170cbd38157d976d73c60efca965

Download Submit
C:\Temp\fdxvqnigay.exe

Filesize
361KB

MD5
d1c995f29551a8d580d245e50e63b6a6

SHA1
86b029026085f500e7d804c1638c8aade2e3620c

SHA256
bf7c899c2d43e8cdef1b4bbb073505e5068850a1043bd1e819cec22377746644

SHA512
a58544535f0dfcb04fc13920062650b3928fe6e3226aaf94eb4d0fcb8f4404f7962ada35351595d9a352230cc41aab2cc0fffcec6e4699a61b215d06a9806400

Download Submit
C:\Temp\fdxvqnigay.exe

Filesize
361KB

MD5
d1c995f29551a8d580d245e50e63b6a6

SHA1
86b029026085f500e7d804c1638c8aade2e3620c

SHA256
bf7c899c2d43e8cdef1b4bbb073505e5068850a1043bd1e819cec22377746644

SHA512
a58544535f0dfcb04fc13920062650b3928fe6e3226aaf94eb4d0fcb8f4404f7962ada35351595d9a352230cc41aab2cc0fffcec6e4699a61b215d06a9806400

Download Submit
C:\Temp\gaytqljdbvtnlgdy.exe

Filesize
361KB

MD5
cf95930dc7088ec186d422a4ef995d7f

SHA1
d3b4de8e63e9730b6e28d3c96be58bad3e179631

SHA256
1b0a0046343dcb70efd227c08f875829abd2d9f1b96d4ea8c0ed32f5f28654de

SHA512
ffcd5390184e18a811f30ed724b607f990b66dbc8c560f9f1b9e9c6a8d5aae743d1cb7bb13bbca09f5f5906e441f2dc91419ade77f003faa255cf74f7cdb349d

Download Submit
C:\Temp\gaytqljdbvtnlgdy.exe

Filesize
361KB

MD5
cf95930dc7088ec186d422a4ef995d7f

SHA1
d3b4de8e63e9730b6e28d3c96be58bad3e179631

SHA256
1b0a0046343dcb70efd227c08f875829abd2d9f1b96d4ea8c0ed32f5f28654de

SHA512
ffcd5390184e18a811f30ed724b607f990b66dbc8c560f9f1b9e9c6a8d5aae743d1cb7bb13bbca09f5f5906e441f2dc91419ade77f003faa255cf74f7cdb349d

Download Submit
C:\Temp\i_fdxvqnigay.exe

Filesize
361KB

MD5
81388015a05714f45f15bf42ee3adf99

SHA1
fb3697d906ed820b5bbe8c9302bb09c00bd137ce

SHA256
77b2999338a6ddd7bf811ab6df5dae1a90c3f2da9b7eafb2029c4e603547c436

SHA512
a28eacf606bc7fc7f9296e5d951796879318db415d5f55a8872faafab72229439328e5d79ceb1a4ff1c852d9cc1e516a4984ecff911b482aa8356f2f525a309a

Download Submit
C:\Temp\i_fdxvqnigay.exe

Filesize
361KB

MD5
81388015a05714f45f15bf42ee3adf99

SHA1
fb3697d906ed820b5bbe8c9302bb09c00bd137ce

SHA256
77b2999338a6ddd7bf811ab6df5dae1a90c3f2da9b7eafb2029c4e603547c436

SHA512
a28eacf606bc7fc7f9296e5d951796879318db415d5f55a8872faafab72229439328e5d79ceb1a4ff1c852d9cc1e516a4984ecff911b482aa8356f2f525a309a

Download Submit
C:\Temp\i_qljdbvtolg.exe

Filesize
361KB

MD5
e21b9dff2a628cd0261697c03718672a

SHA1
00782649ba1d5e95b025dfd6eda09aeaec1b585a

SHA256
b2fc5521bb1c01df2903615c0a70f877da3d36bb522c056f2afaa25372df7f44

SHA512
0256d317c6e98543e5f9a983fd2e647ec1743b720bb1e9e82248cf743d9e1e389236a842f0325605e8cb38ca39b6445e6137dcc119a87186504464d02313b678

Download Submit
C:\Temp\i_qljdbvtolg.exe

Filesize
361KB

MD5
e21b9dff2a628cd0261697c03718672a

SHA1
00782649ba1d5e95b025dfd6eda09aeaec1b585a

SHA256
b2fc5521bb1c01df2903615c0a70f877da3d36bb522c056f2afaa25372df7f44

SHA512
0256d317c6e98543e5f9a983fd2e647ec1743b720bb1e9e82248cf743d9e1e389236a842f0325605e8cb38ca39b6445e6137dcc119a87186504464d02313b678

Download Submit
C:\Temp\i_rmgezwrpjh.exe

Filesize
361KB

MD5
8aaf25329114be118998cc33bd1d1fe8

SHA1
ae8e6100c1cd37dd47aa6b93a1cf632d4fb0b171

SHA256
fbfa999e62e047f64f24b165f03a60d1d1f794f51ffa2070617544c571145e28

SHA512
c5df44a0362380cee67ff31e41495f0ec5154f68e2c7c74a98d230f946dbeb94f5f99ddb0221396e73d3011d2253beba6acbb2e1fc1997f3f116d94f3bb614a4

Download Submit
C:\Temp\i_rmgezwrpjh.exe

Filesize
361KB

MD5
8aaf25329114be118998cc33bd1d1fe8

SHA1
ae8e6100c1cd37dd47aa6b93a1cf632d4fb0b171

SHA256
fbfa999e62e047f64f24b165f03a60d1d1f794f51ffa2070617544c571145e28

SHA512
c5df44a0362380cee67ff31e41495f0ec5154f68e2c7c74a98d230f946dbeb94f5f99ddb0221396e73d3011d2253beba6acbb2e1fc1997f3f116d94f3bb614a4

Download Submit
C:\Temp\qljdbvtolg.exe

Filesize
361KB

MD5
f0fc7c489fe4acaa8d1839cfb7eccddc

SHA1
7028e0300364a13f3b4db6e9bdeb06848371d965

SHA256
60cc09127767218e013de9c2cf81144dc460e25474f5859bb16251ef1527bea8

SHA512
100b91a81209e445009e0f5a9af1972fd0a9553b3191a7d292d142ea547f472eeddf84e2cd6ecbd75829f3ee6c3cfc8850089cd733bd02a7f0514978c626b405

Download Submit
C:\Temp\qljdbvtolg.exe

Filesize
361KB

MD5
f0fc7c489fe4acaa8d1839cfb7eccddc

SHA1
7028e0300364a13f3b4db6e9bdeb06848371d965

SHA256
60cc09127767218e013de9c2cf81144dc460e25474f5859bb16251ef1527bea8

SHA512
100b91a81209e445009e0f5a9af1972fd0a9553b3191a7d292d142ea547f472eeddf84e2cd6ecbd75829f3ee6c3cfc8850089cd733bd02a7f0514978c626b405

Download Submit
C:\Temp\rmgezwrpjh.exe

Filesize
361KB

MD5
427545d0dfb42cde0af593f0a7e7b136

SHA1
9a7067fc9a94d76a2fb55500324fd308cf709870

SHA256
2807d0221cb434bf0a1feb784e11b89ba38aaf801bf1a4bceb7104216dc38e6f

SHA512
c03c0a3654f40601e73dd1d46bfac3a5cb985a27f5536eddc8e620722058e7bfbf21c30abccbe5e7bc202247c5c5e40618384619adf9dfe09eb9509815af0315

Download Submit
C:\Temp\rmgezwrpjh.exe

Filesize
361KB

MD5
427545d0dfb42cde0af593f0a7e7b136

SHA1
9a7067fc9a94d76a2fb55500324fd308cf709870

SHA256
2807d0221cb434bf0a1feb784e11b89ba38aaf801bf1a4bceb7104216dc38e6f

SHA512
c03c0a3654f40601e73dd1d46bfac3a5cb985a27f5536eddc8e620722058e7bfbf21c30abccbe5e7bc202247c5c5e40618384619adf9dfe09eb9509815af0315

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
f536b626edb3c6c554fe19e16a69a244

SHA1
f94de467113a39fa150308cab822d51916bd5d89

SHA256
36917c2b70c38b81876c90a1996af83220ae23b940cdfe50099c9898f4af57f4

SHA512
8ecc5736a14650d3c57a97ee542e09caa12ac2a5bca3a2f6f67c1041f859b6cdd8e8b64eab4f04c2b625c0481aa1f09ac253170cbd38157d976d73c60efca965

Download Submit