7edf44694ea438f9f23a04f42f31adb7aadf2e887848a1f7e5c8b56bb04d3c7a

Analysis

max time kernel
3s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

420c3fddb569a10e301d69dd05f1bd63.exe
Size

361KB
MD5

420c3fddb569a10e301d69dd05f1bd63
SHA1

39b84948f28695c2313822682e580c18803e2c9e
SHA256

7edf44694ea438f9f23a04f42f31adb7aadf2e887848a1f7e5c8b56bb04d3c7a
SHA512

0526f0dadaf16bf923d1d9ae38036537ccb0b5a7d79ae4942b255b0b2e8110ef436a5a1201673f9eb1e35bd733abd29cf1fe1924959f68442524634b6689b02d
SSDEEP

6144:CMflfAsiL4lIJjiJcbI03GBc3ucY5DCSjXJ:vflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2388	cxvpnhczusmhezwr.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	420c3fddb569a10e301d69dd05f1bd63.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2028	ipconfig.exe
2416	ipconfig.exe
1540	ipconfig.exe
2872	ipconfig.exe
2868	ipconfig.exe
1584	ipconfig.exe
2144	ipconfig.exe
1156	ipconfig.exe
2448	ipconfig.exe
1104	ipconfig.exe
2748	ipconfig.exe
2568	ipconfig.exe
2108	ipconfig.exe
2620	ipconfig.exe
2972	ipconfig.exe
2536	ipconfig.exe
384	ipconfig.exe
2024	ipconfig.exe
2424	ipconfig.exe
2380	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2A858971-A444-11EE-BEA9-FE29290FA5F9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2172	420c3fddb569a10e301d69dd05f1bd63.exe
2388	cxvpnhczusmhezwr.exe
2388	cxvpnhczusmhezwr.exe
2388	cxvpnhczusmhezwr.exe
2388	cxvpnhczusmhezwr.exe
2388	cxvpnhczusmhezwr.exe
2388	cxvpnhczusmhezwr.exe
2388	cxvpnhczusmhezwr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2176	iexplore.exe
2176	iexplore.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2388	2172	420c3fddb569a10e301d69dd05f1bd63.exe	30
PID 2172 wrote to memory of 2388	2172	420c3fddb569a10e301d69dd05f1bd63.exe	30
PID 2172 wrote to memory of 2388	2172	420c3fddb569a10e301d69dd05f1bd63.exe	30
PID 2172 wrote to memory of 2388	2172	420c3fddb569a10e301d69dd05f1bd63.exe	30
PID 2172 wrote to memory of 2176	2172	420c3fddb569a10e301d69dd05f1bd63.exe	29
PID 2172 wrote to memory of 2176	2172	420c3fddb569a10e301d69dd05f1bd63.exe	29
PID 2172 wrote to memory of 2176	2172	420c3fddb569a10e301d69dd05f1bd63.exe	29
PID 2172 wrote to memory of 2176	2172	420c3fddb569a10e301d69dd05f1bd63.exe	29
PID 2176 wrote to memory of 2128	2176	iexplore.exe	28
PID 2176 wrote to memory of 2128	2176	iexplore.exe	28
PID 2176 wrote to memory of 2128	2176	iexplore.exe	28
PID 2176 wrote to memory of 2128	2176	iexplore.exe	28

C:\Users\Admin\AppData\Local\Temp\420c3fddb569a10e301d69dd05f1bd63.exe
"C:\Users\Admin\AppData\Local\Temp\420c3fddb569a10e301d69dd05f1bd63.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2176
- C:\Temp\cxvpnhczusmhezwr.exe
  C:\Temp\cxvpnhczusmhezwr.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2388
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jebwqoigbv.exe ups_run
    3⤵
    PID:2712
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jebwqoigbv.exe ups_ins
    3⤵
    PID:2564
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qoigavtnlf.exe ups_run
    3⤵
    PID:1760
  - - C:\Temp\uojgbztolg.exe
      C:\Temp\uojgbztolg.exe ups_run
      4⤵
      PID:2736
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qoigavtnlf.exe ups_ins
    3⤵
    PID:2116
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\idbvpnifau.exe ups_run
    3⤵
    PID:2616
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_idbvpnifau.exe ups_ins
    3⤵
    PID:2028
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\avtnhfaxsm.exe ups_run
    3⤵
    PID:2332
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_avtnhfaxsm.exe ups_ins
    3⤵
    PID:2792
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\avpnhfausm.exe ups_run
    3⤵
    PID:2244
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_avpnhfausm.exe ups_ins
    3⤵
    PID:1884
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\snkfzxrpke.exe ups_run
    3⤵
    PID:240
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_snkfzxrpke.exe ups_ins
    3⤵
    PID:2420
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kecwupjhbz.exe ups_run
    3⤵
    PID:1184
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kecwupjhbz.exe ups_ins
    3⤵
    PID:1828
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kecwrpjhbz.exe ups_run
    3⤵
    PID:968
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kecwrpjhbz.exe ups_ins
    3⤵
    PID:2360
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\cwuojhbzto.exe ups_run
    3⤵
    PID:3000
  - - C:\Temp\cwuojhbzto.exe
      C:\Temp\cwuojhbzto.exe ups_run
      4⤵
      PID:2032
    - - C:\Temp\jgbvtnlgay.exe
        
        C:\Temp\jgbvtnlgay.exe ups_run
        5⤵
        
        PID:2884
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_cwuojhbzto.exe ups_ins
    3⤵
    PID:2016
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\uojgbztolg.exe ups_run
    3⤵
    PID:1760
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_uojgbztolg.exe ups_ins
    3⤵
    PID:776
  - - C:\Temp\i_uojgbztolg.exe
      C:\Temp\i_uojgbztolg.exe ups_ins
      4⤵
      PID:2344
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jgbytnlgdy.exe ups_run
    3⤵
    PID:2484
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jgbytnlgdy.exe ups_ins
    3⤵
    PID:2112
  - - C:\Temp\i_jgbytnlgdy.exe
      C:\Temp\i_jgbytnlgdy.exe ups_ins
      4⤵
      PID:2232
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jgbvtnlgay.exe ups_run
    3⤵
    PID:2032
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jgbvtnlgay.exe ups_ins
    3⤵
    PID:2468
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\eysqlidxvq.exe ups_run
    3⤵
    PID:2516
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_eysqlidxvq.exe ups_ins
    3⤵
    PID:1192
  - - C:\Temp\i_eysqlidxvq.exe
      C:\Temp\i_eysqlidxvq.exe ups_ins
      4⤵
      PID:2508
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vqnicavsnh.exe ups_run
    3⤵
    PID:2700
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vqnicavsnh.exe ups_ins
    3⤵
    PID:320
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nicausnhfz.exe ups_run
    3⤵
    PID:2668
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nicausnhfz.exe ups_ins
    3⤵
    PID:2368
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nhfausmkfz.exe ups_run
    3⤵
    PID:2716
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nhfausmkfz.exe ups_ins
    3⤵
    PID:852
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\causmhfzxr.exe ups_run
    3⤵
    PID:1640
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_causmhfzxr.exe ups_ins
    3⤵
    PID:1284
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrmkecwrpj.exe ups_run
    3⤵
    PID:1928
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrmkecwrpj.exe ups_ins
    3⤵
    PID:1820
  - - C:\Temp\i_xrmkecwrpj.exe
      C:\Temp\i_xrmkecwrpj.exe ups_ins
      4⤵
      PID:1828
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rpjecwuojg.exe ups_run
    3⤵
    PID:2860
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rpjecwuojg.exe ups_ins
    3⤵
    PID:3012
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jhbztomgey.exe ups_run
    3⤵
    PID:564
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jhbztomgey.exe ups_ins
    3⤵
    PID:2228
  - - C:\Temp\i_jhbztomgey.exe
      C:\Temp\i_jhbztomgey.exe ups_ins
      4⤵
      PID:2772

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2
1⤵
PID:2128

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2448

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:2556

C:\Temp\jebwqoigbv.exe
C:\Temp\jebwqoigbv.exe ups_run
1⤵
PID:2688

C:\Temp\i_jebwqoigbv.exe
C:\Temp\i_jebwqoigbv.exe ups_ins
1⤵
PID:2368
- C:\Temp\i_nicausnhfz.exe
  C:\Temp\i_nicausnhfz.exe ups_ins
  2⤵
  PID:2672

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2024

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1932

C:\Temp\qoigavtnlf.exe
C:\Temp\qoigavtnlf.exe ups_run
1⤵
PID:2328

C:\Temp\i_qoigavtnlf.exe
C:\Temp\i_qoigavtnlf.exe ups_ins
1⤵
PID:604

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2972

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:2608

C:\Temp\idbvpnifau.exe
C:\Temp\idbvpnifau.exe ups_run
1⤵
PID:2472

C:\Temp\i_idbvpnifau.exe
C:\Temp\i_idbvpnifau.exe ups_ins
1⤵
PID:2732

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2536

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1264

C:\Temp\avtnhfaxsm.exe
C:\Temp\avtnhfaxsm.exe ups_run
1⤵
PID:812

C:\Temp\i_avtnhfaxsm.exe
C:\Temp\i_avtnhfaxsm.exe ups_ins
1⤵
PID:1584

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1104

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:2900

C:\Temp\avpnhfausm.exe
C:\Temp\avpnhfausm.exe ups_run
1⤵
PID:1752

C:\Temp\i_avpnhfausm.exe
C:\Temp\i_avpnhfausm.exe ups_ins
1⤵
PID:1136

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2424

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:860

C:\Temp\snkfzxrpke.exe
C:\Temp\snkfzxrpke.exe ups_run
1⤵
PID:1484

C:\Temp\i_snkfzxrpke.exe
C:\Temp\i_snkfzxrpke.exe ups_ins
1⤵
PID:696

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1616
- C:\windows\system32\ipconfig.exe
  C:\windows\system32\ipconfig.exe /release
  2⤵
  - Gathers network information
  PID:384

C:\Temp\kecwupjhbz.exe
C:\Temp\kecwupjhbz.exe ups_run
1⤵
PID:992
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  PID:808

C:\Temp\i_kecwupjhbz.exe
C:\Temp\i_kecwupjhbz.exe ups_ins
1⤵
PID:1080

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2872

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1636
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  PID:2348

C:\Temp\kecwrpjhbz.exe
C:\Temp\kecwrpjhbz.exe ups_run
1⤵
PID:2380

C:\Temp\i_kecwrpjhbz.exe
C:\Temp\i_kecwrpjhbz.exe ups_ins
1⤵
PID:572

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2868

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1608

C:\Temp\i_cwuojhbzto.exe
C:\Temp\i_cwuojhbzto.exe ups_ins
1⤵
PID:1712

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2748

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:964

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1584

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1620

C:\Temp\jgbytnlgdy.exe
C:\Temp\jgbytnlgdy.exe ups_run
1⤵
PID:1740

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2144

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:2772

C:\Temp\i_jgbvtnlgay.exe
C:\Temp\i_jgbvtnlgay.exe ups_ins
1⤵
PID:1956

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2028

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:2148

C:\Temp\eysqlidxvq.exe
C:\Temp\eysqlidxvq.exe ups_run
1⤵
PID:1664

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2568

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:960

C:\Temp\vqnicavsnh.exe
C:\Temp\vqnicavsnh.exe ups_run
1⤵
PID:948

C:\Temp\i_vqnicavsnh.exe
C:\Temp\i_vqnicavsnh.exe ups_ins
1⤵
PID:1628

C:\Temp\nicausnhfz.exe
C:\Temp\nicausnhfz.exe ups_run
1⤵
PID:2652
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  PID:2220

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2108

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:540
- C:\windows\system32\ipconfig.exe
  C:\windows\system32\ipconfig.exe /release
  2⤵
  - Gathers network information
  PID:2620

C:\Temp\nhfausmkfz.exe
C:\Temp\nhfausmkfz.exe ups_run
1⤵
PID:1524

C:\Temp\i_nhfausmkfz.exe
C:\Temp\i_nhfausmkfz.exe ups_ins
1⤵
PID:860

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2416

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1860

C:\Temp\causmhfzxr.exe
C:\Temp\causmhfzxr.exe ups_run
1⤵
PID:828

C:\Temp\i_causmhfzxr.exe
C:\Temp\i_causmhfzxr.exe ups_ins
1⤵
PID:1552

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1156

C:\Temp\xrmkecwrpj.exe
C:\Temp\xrmkecwrpj.exe ups_run
1⤵
PID:992

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2380

C:\Temp\rpjecwuojg.exe
C:\Temp\rpjecwuojg.exe ups_run
1⤵
PID:1636

C:\Temp\i_rpjecwuojg.exe
C:\Temp\i_rpjecwuojg.exe ups_ins
1⤵
PID:2136

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1540

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1592

C:\Temp\jhbztomgey.exe
C:\Temp\jhbztomgey.exe ups_run
1⤵
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
d6004b9d841abf3f10cf9e86c5230ca4

SHA1
732272f91ccd0e40d857c284f1dfb801825bea14

SHA256
636bff60ef02f8ebdf44d1c95b9489e81b68cb15e54d95258a753f437bd76765

SHA512
6fe5eef4e05d18ff8742fd8492cce83cb8aba050cee46de7e0d90701e731013a73df1e959f7188e89c0242e8f9899bb25273ea7700a8bd690f0de1003888af00

Download Submit
C:\Temp\avpnhfausm.exe

Filesize
92KB

MD5
e8ce6ef8f50b0791241b7827b6278c5a

SHA1
9f00251dcecd6e8fa363067d124d3faba456c9ed

SHA256
f109d45b8ae988366d67cccbce2392a8b9070d8cdcc6a9849f554acd233f3fb5

SHA512
3abe422c021417e53101f2987f3234ae9955e8dfb43d2fcd87203dc367aebf81f12e151b234ca92dea0b0dd741f0cf59eef776a03980a72db8028a9ec2ad8605

Download Submit
C:\Temp\cxvpnhczusmhezwr.exe

Filesize
361KB

MD5
3f037275ab8f2e08169a61d3e2b44d92

SHA1
e8ecfda05d34d8832d41a731071156c14b1ca3ab

SHA256
576edf4ce01e320a431b7aef3ff7e842ea48804cb20e0829cc526caeb278271d

SHA512
96972771afe6bbcba477170bc52217e0dcafd22b2e3fe6b19ac1ff9dab1c9ea727f7bd8a6fa18127ec7d6bd5046381562af9abf6bf1b51f83feb6991ae4c8721

Download Submit
C:\Temp\i_avpnhfausm.exe

Filesize
93KB

MD5
794f4a3ab5a091d6a84c2a8c05d4a57c

SHA1
b9740bbd8e98663c7d1648a4e3dc4f8c5d77f8fc

SHA256
ce7fba258d067774d847b8456d505fa75f9a14edc0a4d1f118e3529d9b0d2512

SHA512
236773dbabd72b2734c36b2299afe5bb8a89a7391bca4c5565da8a004ee76a77812a686b80f323ddeaca7b3ebf1f64c9f3f7bbbcfb13a668c456ccfc88309809

Download Submit
C:\Temp\i_avtnhfaxsm.exe

Filesize
361KB

MD5
5395a3bc5fe1b25c925479ce4c5ec5af

SHA1
b78c33cb2dc921db8fd982d534aa41c32fda1f54

SHA256
2c40ba66414d5443fc695da65db0ee802663f80581412f447756faf8bc22ff48

SHA512
e12578d2fadaa35cbf7f144c9fe8aaff08141ba718f583699404a01555655752c632839d73967b0e36a2e3065196ff2331b8fd1bf8540d4492351e49f9401172

Download Submit
C:\Temp\i_idbvpnifau.exe

Filesize
361KB

MD5
5abeea14b944fe519f4145c053f1e13e

SHA1
73f3a4a1a29640742fe883f1dfa6b07cff406337

SHA256
2c9be0d741d953c8f91d911efa10cc93e69b9d5bce0fa5984a4117d0fb59509f

SHA512
7ad5757cd1215c9755b608835a0813e7d38ed5ba12175fa3cc6ded0ba81e7dc8e0e5f8bfdc5faa661ea6c69e954ba87b3674b0cde65ff4039716a6bb8c709623

Download Submit
C:\Temp\i_snkfzxrpke.exe

Filesize
361KB

MD5
58a191bd31de07375e6adc15ba4322ef

SHA1
559024880f27a751c1045cf757af619b0ee153da

SHA256
681dee63476c6b4c5699316b4f0b975a4c04d11139402bbae029edd9a5368d58

SHA512
0c905a4e87ccf3fcce56eb69ad29f508fd1389e63d097c2b25d5fdd0491d81d7e59421b5fba9cc3fbbb8f308c7939d57ecf0727b0ceb549e350f539ccdf7eb9b

Download Submit
C:\Temp\idbvpnifau.exe

Filesize
92KB

MD5
e712f7d06041ad1de52d5efd1ab2ce54

SHA1
4408fa10f072c5fb88628538f1fbe0f52adec40b

SHA256
ce0046a875f2d55de227b62179293c12b860e0e8bbb436d30b918e4a2f821062

SHA512
a4d4312c207be0bce3b24314111cbc6f60c564e3ac13d18dcd30bf0a9393b600f359a2af77499b376061d34841b2313b59c9ca03180f1446c450ce85380777ca

Download Submit
C:\Temp\kecwrpjhbz.exe

Filesize
361KB

MD5
9213e42d265ad3309d87d5300614824c

SHA1
69118132c20353b09ff0ad70cde4dac2bd8ba582

SHA256
cc26bffcab0404a036cb395f47ca359c26a1f8a2bc52e28cb4fa092cd549ea83

SHA512
e82495e14380706c6e45a87de549793b62cd0b192c28d8c496cde6a0084ecc41855d2345b20d6bce432d3a3c6e75e9714caa96d6f48c2ced4e694fb4e1279092

Download Submit
C:\Temp\kecwupjhbz.exe

Filesize
109KB

MD5
f271fbfa841ffe23ae27e96f7c2c1705

SHA1
5cc9c25f45737a49e30997825f7344d3976a16db

SHA256
2f133ff5888bd5f721a561b40545e579106c963dee5493aab6d6a0d2bcfcf639

SHA512
28a5910de2219177fce13c18ab909a315fe0301e5b188380546d6d8baf6f8790c996f4247badba32d1f8ad38b2d3d8b1974bf26fef1507617cb22d7b1e4f2835

Download Submit