f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61

Analysis

max time kernel
182s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
Size

361KB
MD5

f51c73b5142d14038b8afd72aa7dd241
SHA1

f2634e64b23cc79ef22abfdc3a152a64dd5e680f
SHA256

f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61
SHA512

b44bab7bdff09d93543265cad31e0459ffc8f33d137f1525edd296f0d6f7dd98b40f03eb1546d4ec3739f71373afefc3f87cb183ecaa7591e7ac0cf96564ef85
SSDEEP

6144:gflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:gflfAsiVGjSGecvX

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 2060 created 1812	2060	svchost.exe	89
PID 2060 created 8	2060	svchost.exe	92
PID 2060 created 1232	2060	svchost.exe	96
PID 2060 created 660	2060	svchost.exe	103
PID 2060 created 4304	2060	svchost.exe	106
PID 2060 created 3456	2060	svchost.exe	110

Executes dropped EXE 11 IoCs

pid	Process
4568	gbztrljebolgeywq.exe
1812	CreateProcess.exe
4388	pjhczusmke.exe
8	CreateProcess.exe
1232	CreateProcess.exe
1948	i_pjhczusmke.exe
660	CreateProcess.exe
1916	cavsnkfdxv.exe
4304	CreateProcess.exe
3456	CreateProcess.exe
2196	i_cavsnkfdxv.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
3748	ipconfig.exe
4028	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1221125347"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000785"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1221125347"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000785"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000723305aa7b6c337e14af9ca1e875afa86fa85cfc8cb44b2538c39d382ccef219000000000e80000000020000200000002c08ef59484a7c690ef141985a881d041f34f2bd75a2877cc0f108ce8a2b4f8b20000000d450b312c8a5d341122dbc830df7c601df822f5c702052dd28a77e44b89ab0194000000045bd87510bf09c6cbe886591420c77c191cb66cff859e360503f561b3ed34bcd2cf59884145d123f985424b871938788050aaf54228471c96d0269eca9ded6b1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8632AE4A-74C4-11ED-919F-C2D7A23AFBD4} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50153862d108d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40db906cd108d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000de50a1b59b50bb6226aab21a917403adacb5419ad84e37544c51dd2be9ae22df000000000e800000000200002000000047b18bd82ab448bda0f65f20cd4664dea3bc37250d0c60fcc6ab03a642b2e5e6200000003d56133943aa9af8db5cf2c6ba3583945fb12ccebc65d75920e82bfab5786a1c40000000bc2aada220b748561f8601d93b6b9c626678d9672d280361519f4b36c7a46875285376cc408cb6740510753df123df6ecb285d574388ac9278aa413891813208	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4568	gbztrljebolgeywq.exe
4568	gbztrljebolgeywq.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4568	gbztrljebolgeywq.exe
4568	gbztrljebolgeywq.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4568	gbztrljebolgeywq.exe
4568	gbztrljebolgeywq.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4568	gbztrljebolgeywq.exe
4568	gbztrljebolgeywq.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4568	gbztrljebolgeywq.exe
4568	gbztrljebolgeywq.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4568	gbztrljebolgeywq.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4568	gbztrljebolgeywq.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4568	gbztrljebolgeywq.exe
4568	gbztrljebolgeywq.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTcbPrivilege	2060	svchost.exe
Token: SeTcbPrivilege	2060	svchost.exe
Token: SeDebugPrivilege	1948	i_pjhczusmke.exe
Token: SeDebugPrivilege	2196	i_cavsnkfdxv.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
112	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
112	iexplore.exe
112	iexplore.exe
4260	IEXPLORE.EXE
4260	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4568	4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe	83
PID 4224 wrote to memory of 4568	4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe	83
PID 4224 wrote to memory of 4568	4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe	83
PID 4224 wrote to memory of 112	4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe	84
PID 4224 wrote to memory of 112	4224	f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe	84
PID 112 wrote to memory of 4260	112	iexplore.exe	85
PID 112 wrote to memory of 4260	112	iexplore.exe	85
PID 112 wrote to memory of 4260	112	iexplore.exe	85
PID 4568 wrote to memory of 1812	4568	gbztrljebolgeywq.exe	89
PID 4568 wrote to memory of 1812	4568	gbztrljebolgeywq.exe	89
PID 4568 wrote to memory of 1812	4568	gbztrljebolgeywq.exe	89
PID 2060 wrote to memory of 4388	2060	svchost.exe	91
PID 2060 wrote to memory of 4388	2060	svchost.exe	91
PID 2060 wrote to memory of 4388	2060	svchost.exe	91
PID 4388 wrote to memory of 8	4388	pjhczusmke.exe	92
PID 4388 wrote to memory of 8	4388	pjhczusmke.exe	92
PID 4388 wrote to memory of 8	4388	pjhczusmke.exe	92
PID 2060 wrote to memory of 3748	2060	svchost.exe	93
PID 2060 wrote to memory of 3748	2060	svchost.exe	93
PID 4568 wrote to memory of 1232	4568	gbztrljebolgeywq.exe	96
PID 4568 wrote to memory of 1232	4568	gbztrljebolgeywq.exe	96
PID 4568 wrote to memory of 1232	4568	gbztrljebolgeywq.exe	96
PID 2060 wrote to memory of 1948	2060	svchost.exe	97
PID 2060 wrote to memory of 1948	2060	svchost.exe	97
PID 2060 wrote to memory of 1948	2060	svchost.exe	97
PID 4568 wrote to memory of 660	4568	gbztrljebolgeywq.exe	103
PID 4568 wrote to memory of 660	4568	gbztrljebolgeywq.exe	103
PID 4568 wrote to memory of 660	4568	gbztrljebolgeywq.exe	103
PID 2060 wrote to memory of 1916	2060	svchost.exe	105
PID 2060 wrote to memory of 1916	2060	svchost.exe	105
PID 2060 wrote to memory of 1916	2060	svchost.exe	105
PID 1916 wrote to memory of 4304	1916	cavsnkfdxv.exe	106
PID 1916 wrote to memory of 4304	1916	cavsnkfdxv.exe	106
PID 1916 wrote to memory of 4304	1916	cavsnkfdxv.exe	106
PID 2060 wrote to memory of 4028	2060	svchost.exe	107
PID 2060 wrote to memory of 4028	2060	svchost.exe	107
PID 4568 wrote to memory of 3456	4568	gbztrljebolgeywq.exe	110
PID 4568 wrote to memory of 3456	4568	gbztrljebolgeywq.exe	110
PID 4568 wrote to memory of 3456	4568	gbztrljebolgeywq.exe	110
PID 2060 wrote to memory of 2196	2060	svchost.exe	111
PID 2060 wrote to memory of 2196	2060	svchost.exe	111
PID 2060 wrote to memory of 2196	2060	svchost.exe	111

C:\Users\Admin\AppData\Local\Temp\f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe
"C:\Users\Admin\AppData\Local\Temp\f67dc0395bc980b228f0de7cb6d81198abff2be3ae9ac0b8ec10ab3e26596a61.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Temp\gbztrljebolgeywq.exe
  C:\Temp\gbztrljebolgeywq.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pjhczusmke.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1812
  - - C:\Temp\pjhczusmke.exe
      C:\Temp\pjhczusmke.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4388
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:8
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3748
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pjhczusmke.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1232
  - - C:\Temp\i_pjhczusmke.exe
      C:\Temp\i_pjhczusmke.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1948
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\cavsnkfdxv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:660
  - - C:\Temp\cavsnkfdxv.exe
      C:\Temp\cavsnkfdxv.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4304
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4028
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_cavsnkfdxv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3456
  - - C:\Temp\i_cavsnkfdxv.exe
      C:\Temp\i_cavsnkfdxv.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2196
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:112 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
5a7a5932c379849033dc5b929cb382fb

SHA1
1a460c3c51993d0fc3cf34741ce41a99f88e3766

SHA256
777127be08ba427a48c9b66a1d118f4e9f77533a726330495c4f2f07d90e268c

SHA512
b0d7d3c239b6d4871615712138eb71c35f9a0ea3ca5d5f5986330d9b94f4eff2806d3dfd010e128f26aeb951995c07f5ce7f7d0bb1627e88833a596a8365b7cd

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
5a7a5932c379849033dc5b929cb382fb

SHA1
1a460c3c51993d0fc3cf34741ce41a99f88e3766

SHA256
777127be08ba427a48c9b66a1d118f4e9f77533a726330495c4f2f07d90e268c

SHA512
b0d7d3c239b6d4871615712138eb71c35f9a0ea3ca5d5f5986330d9b94f4eff2806d3dfd010e128f26aeb951995c07f5ce7f7d0bb1627e88833a596a8365b7cd

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
5a7a5932c379849033dc5b929cb382fb

SHA1
1a460c3c51993d0fc3cf34741ce41a99f88e3766

SHA256
777127be08ba427a48c9b66a1d118f4e9f77533a726330495c4f2f07d90e268c

SHA512
b0d7d3c239b6d4871615712138eb71c35f9a0ea3ca5d5f5986330d9b94f4eff2806d3dfd010e128f26aeb951995c07f5ce7f7d0bb1627e88833a596a8365b7cd

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
5a7a5932c379849033dc5b929cb382fb

SHA1
1a460c3c51993d0fc3cf34741ce41a99f88e3766

SHA256
777127be08ba427a48c9b66a1d118f4e9f77533a726330495c4f2f07d90e268c

SHA512
b0d7d3c239b6d4871615712138eb71c35f9a0ea3ca5d5f5986330d9b94f4eff2806d3dfd010e128f26aeb951995c07f5ce7f7d0bb1627e88833a596a8365b7cd

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
5a7a5932c379849033dc5b929cb382fb

SHA1
1a460c3c51993d0fc3cf34741ce41a99f88e3766

SHA256
777127be08ba427a48c9b66a1d118f4e9f77533a726330495c4f2f07d90e268c

SHA512
b0d7d3c239b6d4871615712138eb71c35f9a0ea3ca5d5f5986330d9b94f4eff2806d3dfd010e128f26aeb951995c07f5ce7f7d0bb1627e88833a596a8365b7cd

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
5a7a5932c379849033dc5b929cb382fb

SHA1
1a460c3c51993d0fc3cf34741ce41a99f88e3766

SHA256
777127be08ba427a48c9b66a1d118f4e9f77533a726330495c4f2f07d90e268c

SHA512
b0d7d3c239b6d4871615712138eb71c35f9a0ea3ca5d5f5986330d9b94f4eff2806d3dfd010e128f26aeb951995c07f5ce7f7d0bb1627e88833a596a8365b7cd

Download Submit
C:\Temp\cavsnkfdxv.exe

Filesize
361KB

MD5
216eb4c2fd0931a26a71a28ed4d103e5

SHA1
d8a14c8fa70c9a25b5e5d59799bef7a811c8cde9

SHA256
9d82bc2edd74bfae3c885f1e0ea00bf5656cd128fd0116062a2871e7c969d73b

SHA512
15ebf69c32a6c904ed88d4e9a00f7a56644a0d9205349be181c3f6dfb2abee2362ef5149d035b06954879fedd080268fd7f76024eb00ddbe0b07e4aa15dd9bfe

Download Submit
C:\Temp\cavsnkfdxv.exe

Filesize
361KB

MD5
216eb4c2fd0931a26a71a28ed4d103e5

SHA1
d8a14c8fa70c9a25b5e5d59799bef7a811c8cde9

SHA256
9d82bc2edd74bfae3c885f1e0ea00bf5656cd128fd0116062a2871e7c969d73b

SHA512
15ebf69c32a6c904ed88d4e9a00f7a56644a0d9205349be181c3f6dfb2abee2362ef5149d035b06954879fedd080268fd7f76024eb00ddbe0b07e4aa15dd9bfe

Download Submit
C:\Temp\gbztrljebolgeywq.exe

Filesize
361KB

MD5
c61d548a3da5e79c6c93f1027a6730df

SHA1
a664c5b5a3030c09848e8a9f832f5fd727bd4154

SHA256
6025565a45672e6b0c22f2f921e43dcc70379dcf78c1b2b32a16f5229c6bfd52

SHA512
b3ab57c0183b9ab3f36dbae109ce9cec861edc9fa5f3fa22eeb3b2d6440856b5fd0c6abfe766903ccfc83e6b1bc5c56ddc360b1720acc9eb53e37b493503b1c1

Download Submit
C:\Temp\gbztrljebolgeywq.exe

Filesize
361KB

MD5
c61d548a3da5e79c6c93f1027a6730df

SHA1
a664c5b5a3030c09848e8a9f832f5fd727bd4154

SHA256
6025565a45672e6b0c22f2f921e43dcc70379dcf78c1b2b32a16f5229c6bfd52

SHA512
b3ab57c0183b9ab3f36dbae109ce9cec861edc9fa5f3fa22eeb3b2d6440856b5fd0c6abfe766903ccfc83e6b1bc5c56ddc360b1720acc9eb53e37b493503b1c1

Download Submit
C:\Temp\i_cavsnkfdxv.exe

Filesize
361KB

MD5
b35f5e1d35fde0f91529d892a189855f

SHA1
08f5b63a643c0c34a02c028d1a3ff41151db2ed9

SHA256
4aa378e07e021c2e2a056d7d6b31f0f973cb6c81332cb51429dd707ef73f7d96

SHA512
9a99df4fd8f904de96c9fc678cbdda5198203a64e53bb6233a253ad96993841553a8293ac20c5c36e75b5d1844b536256f10488d5fcf85dc41e2ff120fbd79fb

Download Submit
C:\Temp\i_cavsnkfdxv.exe

Filesize
361KB

MD5
b35f5e1d35fde0f91529d892a189855f

SHA1
08f5b63a643c0c34a02c028d1a3ff41151db2ed9

SHA256
4aa378e07e021c2e2a056d7d6b31f0f973cb6c81332cb51429dd707ef73f7d96

SHA512
9a99df4fd8f904de96c9fc678cbdda5198203a64e53bb6233a253ad96993841553a8293ac20c5c36e75b5d1844b536256f10488d5fcf85dc41e2ff120fbd79fb

Download Submit
C:\Temp\i_pjhczusmke.exe

Filesize
361KB

MD5
5e00673ede391a307f83c2afc7e4170e

SHA1
a3af3fd9932f6cb4439247ccd3bb65a9164fdea3

SHA256
ec665528fb33174b06c0c1d7ed55eecad2f9f9f7eb11244f99a3833466f249c5

SHA512
23dee335c5721bdc9a72ae81d870fd59bcda729c6bf477e3807c138c1ba7079fddd02e156511c0db86c4c04fed007187f7033ed6c406dc306552d7193108c057

Download Submit
C:\Temp\i_pjhczusmke.exe

Filesize
361KB

MD5
5e00673ede391a307f83c2afc7e4170e

SHA1
a3af3fd9932f6cb4439247ccd3bb65a9164fdea3

SHA256
ec665528fb33174b06c0c1d7ed55eecad2f9f9f7eb11244f99a3833466f249c5

SHA512
23dee335c5721bdc9a72ae81d870fd59bcda729c6bf477e3807c138c1ba7079fddd02e156511c0db86c4c04fed007187f7033ed6c406dc306552d7193108c057

Download Submit
C:\Temp\pjhczusmke.exe

Filesize
361KB

MD5
fc5e1147e3ddcd50c713988cecf646c3

SHA1
cf4980c7f4d618d7a57acf5ef7c0e2b7d2b5597a

SHA256
9dfb37e532fbcb4f274c94b602e682a3f6d727710057fc065ff27ad945ad8e84

SHA512
fa15d0458fa51004539a16fd2f6211b0d026ef69e4699070a1de186c427aaf880cea923e596666d1f24dbc8efd9779ebd25b94b2db2b79cbbeb0ec4d9c25984d

Download Submit
C:\Temp\pjhczusmke.exe

Filesize
361KB

MD5
fc5e1147e3ddcd50c713988cecf646c3

SHA1
cf4980c7f4d618d7a57acf5ef7c0e2b7d2b5597a

SHA256
9dfb37e532fbcb4f274c94b602e682a3f6d727710057fc065ff27ad945ad8e84

SHA512
fa15d0458fa51004539a16fd2f6211b0d026ef69e4699070a1de186c427aaf880cea923e596666d1f24dbc8efd9779ebd25b94b2db2b79cbbeb0ec4d9c25984d

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
5a7a5932c379849033dc5b929cb382fb

SHA1
1a460c3c51993d0fc3cf34741ce41a99f88e3766

SHA256
777127be08ba427a48c9b66a1d118f4e9f77533a726330495c4f2f07d90e268c

SHA512
b0d7d3c239b6d4871615712138eb71c35f9a0ea3ca5d5f5986330d9b94f4eff2806d3dfd010e128f26aeb951995c07f5ce7f7d0bb1627e88833a596a8365b7cd

Download Submit