8f7ff821afc24f86b37efe331d1181ff407817c3371c416968f7ebad8d91fa97

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2086a523c399a5660741cc125322bc93.exe
Size

361KB
MD5

2086a523c399a5660741cc125322bc93
SHA1

35fa4fade0016798289ac067c7cbcca9b1e8a017
SHA256

8f7ff821afc24f86b37efe331d1181ff407817c3371c416968f7ebad8d91fa97
SHA512

4f0fad3afab396704f8b48de4f22b05fad8811a057913dc5c78e221a9afb71ea6f8a3120f81b9fb0bfa6e4f39fdd61224f4f43f1fdf48db5877cf621988243ac
SSDEEP

6144:+flfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:+flfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3292	ecwuojhbztrmjecw.exe
3308	CreateProcess.exe
4144	ljwtomgeyw.exe
3756	CreateProcess.exe
1740	CreateProcess.exe
1356	i_ljwtomgeyw.exe
4328	CreateProcess.exe
1988	ztrljdbwto.exe
1396	CreateProcess.exe
3652	CreateProcess.exe
952	i_ztrljdbwto.exe
3528	CreateProcess.exe
2080	wqoigbytql.exe
2788	CreateProcess.exe
2556	CreateProcess.exe
4216	i_wqoigbytql.exe
4040	CreateProcess.exe
1008	vtnlfdyvqo.exe
456	CreateProcess.exe
4320	CreateProcess.exe
3636	i_vtnlfdyvqo.exe
4016	CreateProcess.exe
3632	dxvqnigsqk.exe
2228	CreateProcess.exe
3160	CreateProcess.exe
3788	i_dxvqnigsqk.exe
2056	CreateProcess.exe
680	axsqkicaus.exe
1308	CreateProcess.exe
2240	CreateProcess.exe
3764	i_axsqkicaus.exe
3828	CreateProcess.exe
1848	zusmkecxup.exe
4512	CreateProcess.exe
1552	CreateProcess.exe
3008	i_zusmkecxup.exe
668	CreateProcess.exe
1164	zusmkecwup.exe
4500	CreateProcess.exe
4092	CreateProcess.exe
1152	i_zusmkecwup.exe
920	CreateProcess.exe
1124	bwuomhezxr.exe
4188	CreateProcess.exe
4604	CreateProcess.exe
2064	i_bwuomhezxr.exe
3304	CreateProcess.exe
1556	ytrljdbwto.exe
1032	CreateProcess.exe
3844	CreateProcess.exe
2440	i_ytrljdbwto.exe
3660	CreateProcess.exe
3664	wqoigbytrl.exe
928	CreateProcess.exe
1960	CreateProcess.exe
1988	i_wqoigbytrl.exe
5112	CreateProcess.exe
2636	tqljdbvtnl.exe
952	CreateProcess.exe
2080	CreateProcess.exe
4936	i_tqljdbvtnl.exe
2036	CreateProcess.exe
4268	xsqkidavtn.exe
3380	CreateProcess.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3152	ipconfig.exe
2016	ipconfig.exe
1552	ipconfig.exe
932	ipconfig.exe
4320	ipconfig.exe
3612	ipconfig.exe
3488	ipconfig.exe
4992	ipconfig.exe
3212	ipconfig.exe
3308	ipconfig.exe
4704	ipconfig.exe
220	ipconfig.exe
3268	ipconfig.exe
3724	ipconfig.exe
452	ipconfig.exe
1980	ipconfig.exe
4428	ipconfig.exe
3340	ipconfig.exe
2556	ipconfig.exe
3756	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015a2f750fe9ee1479ecf0c8cfb11934c0000000002000000000010660000000100002000000039150def5431585a4b1afe8cdb61396ceee9d00ae48b59ba2cb5f8114ce7ea37000000000e8000000002000020000000091a6b5b8314cfe5b0935e804b1da6d2fc4886a5835a3e082032122b2c2d2ba1200000009868ac13ddd8d2e061124ca756df9077c0d0c6c0350fb54319c4a5d31f78eaf4400000006d162fb775ad40be3c21a7dd5ef42548d4330726b51c16aa63aeb0cfdfb57a3d19f9876f7f82b9d469f54eafe0f292e5294c36faf86a24aa02ec6b4a91f9cbcc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3562296414"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 904035d4bc37da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3562296414"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078332"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FF5E1EC9-A3AF-11EE-A0B6-667A6D636A0F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015a2f750fe9ee1479ecf0c8cfb11934c00000000020000000000106600000001000020000000f9abb01acec8e081b9e66045eb720e09cdac1a9236152bae35b15cc0bafaa336000000000e80000000020000200000007c7cab3a03268a3176c63d5676f73b549bf6c2d83d577bd7a3a29c201c65aeb820000000b70a0607f4958076f1d4234f93642a414d279df257276e043b8e2ae4f32e133a400000006314e25f75a8636768b7c262ceb00a749c967eeb03fadcea07a5ce51c791c3a6623b4b5e6a31d9273dd6c9c0b677e3bd81b880f7609fc705c8b4c58b0be22a2e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078332"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078332"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90b137d4bc37da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3562609378"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410333653"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078332"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3562609378"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
3292	ecwuojhbztrmjecw.exe
1540	2086a523c399a5660741cc125322bc93.exe
3292	ecwuojhbztrmjecw.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
3292	ecwuojhbztrmjecw.exe
3292	ecwuojhbztrmjecw.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
3292	ecwuojhbztrmjecw.exe
3292	ecwuojhbztrmjecw.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
3292	ecwuojhbztrmjecw.exe
3292	ecwuojhbztrmjecw.exe
1540	2086a523c399a5660741cc125322bc93.exe
3292	ecwuojhbztrmjecw.exe
1540	2086a523c399a5660741cc125322bc93.exe
3292	ecwuojhbztrmjecw.exe
3292	ecwuojhbztrmjecw.exe
1540	2086a523c399a5660741cc125322bc93.exe
3292	ecwuojhbztrmjecw.exe
1540	2086a523c399a5660741cc125322bc93.exe
3292	ecwuojhbztrmjecw.exe
3292	ecwuojhbztrmjecw.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe
1540	2086a523c399a5660741cc125322bc93.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	i_ljwtomgeyw.exe
Token: SeDebugPrivilege	952	i_ztrljdbwto.exe
Token: SeDebugPrivilege	4216	i_wqoigbytql.exe
Token: SeDebugPrivilege	3636	i_vtnlfdyvqo.exe
Token: SeDebugPrivilege	3788	i_dxvqnigsqk.exe
Token: SeDebugPrivilege	3764	i_axsqkicaus.exe
Token: SeDebugPrivilege	3008	i_zusmkecxup.exe
Token: SeDebugPrivilege	1152	i_zusmkecwup.exe
Token: SeDebugPrivilege	2064	i_bwuomhezxr.exe
Token: SeDebugPrivilege	2440	i_ytrljdbwto.exe
Token: SeDebugPrivilege	1988	i_wqoigbytrl.exe
Token: SeDebugPrivilege	4936	i_tqljdbvtnl.exe
Token: SeDebugPrivilege	640	i_xsqkidavtn.exe
Token: SeDebugPrivilege	3600	i_vpnifaxsqk.exe
Token: SeDebugPrivilege	3716	i_smkfcxvpnh.exe
Token: SeDebugPrivilege	808	i_pkhcausmke.exe
Token: SeDebugPrivilege	3304	i_xrpjhczusm.exe
Token: SeDebugPrivilege	412	i_trmjecwuom.exe
Token: SeDebugPrivilege	5020	i_toigbytrlj.exe
Token: SeDebugPrivilege	3156	i_qoigbytrlj.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1764	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1764	iexplore.exe
1764	iexplore.exe
4564	IEXPLORE.EXE
4564	IEXPLORE.EXE
4564	IEXPLORE.EXE
4564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 3292	1540	2086a523c399a5660741cc125322bc93.exe	93
PID 1540 wrote to memory of 3292	1540	2086a523c399a5660741cc125322bc93.exe	93
PID 1540 wrote to memory of 3292	1540	2086a523c399a5660741cc125322bc93.exe	93
PID 1540 wrote to memory of 1764	1540	2086a523c399a5660741cc125322bc93.exe	91
PID 1540 wrote to memory of 1764	1540	2086a523c399a5660741cc125322bc93.exe	91
PID 1764 wrote to memory of 4564	1764	iexplore.exe	92
PID 1764 wrote to memory of 4564	1764	iexplore.exe	92
PID 1764 wrote to memory of 4564	1764	iexplore.exe	92
PID 3292 wrote to memory of 3308	3292	ecwuojhbztrmjecw.exe	101
PID 3292 wrote to memory of 3308	3292	ecwuojhbztrmjecw.exe	101
PID 3292 wrote to memory of 3308	3292	ecwuojhbztrmjecw.exe	101
PID 4144 wrote to memory of 3756	4144	ljwtomgeyw.exe	98
PID 4144 wrote to memory of 3756	4144	ljwtomgeyw.exe	98
PID 4144 wrote to memory of 3756	4144	ljwtomgeyw.exe	98
PID 3292 wrote to memory of 1740	3292	ecwuojhbztrmjecw.exe	103
PID 3292 wrote to memory of 1740	3292	ecwuojhbztrmjecw.exe	103
PID 3292 wrote to memory of 1740	3292	ecwuojhbztrmjecw.exe	103
PID 3292 wrote to memory of 4328	3292	ecwuojhbztrmjecw.exe	108
PID 3292 wrote to memory of 4328	3292	ecwuojhbztrmjecw.exe	108
PID 3292 wrote to memory of 4328	3292	ecwuojhbztrmjecw.exe	108
PID 1988 wrote to memory of 1396	1988	ztrljdbwto.exe	106
PID 1988 wrote to memory of 1396	1988	ztrljdbwto.exe	106
PID 1988 wrote to memory of 1396	1988	ztrljdbwto.exe	106
PID 3292 wrote to memory of 3652	3292	ecwuojhbztrmjecw.exe	110
PID 3292 wrote to memory of 3652	3292	ecwuojhbztrmjecw.exe	110
PID 3292 wrote to memory of 3652	3292	ecwuojhbztrmjecw.exe	110
PID 3292 wrote to memory of 3528	3292	ecwuojhbztrmjecw.exe	115
PID 3292 wrote to memory of 3528	3292	ecwuojhbztrmjecw.exe	115
PID 3292 wrote to memory of 3528	3292	ecwuojhbztrmjecw.exe	115
PID 2080 wrote to memory of 2788	2080	wqoigbytql.exe	113
PID 2080 wrote to memory of 2788	2080	wqoigbytql.exe	113
PID 2080 wrote to memory of 2788	2080	wqoigbytql.exe	113
PID 3292 wrote to memory of 2556	3292	ecwuojhbztrmjecw.exe	117
PID 3292 wrote to memory of 2556	3292	ecwuojhbztrmjecw.exe	117
PID 3292 wrote to memory of 2556	3292	ecwuojhbztrmjecw.exe	117
PID 3292 wrote to memory of 4040	3292	ecwuojhbztrmjecw.exe	122
PID 3292 wrote to memory of 4040	3292	ecwuojhbztrmjecw.exe	122
PID 3292 wrote to memory of 4040	3292	ecwuojhbztrmjecw.exe	122
PID 1008 wrote to memory of 456	1008	vtnlfdyvqo.exe	120
PID 1008 wrote to memory of 456	1008	vtnlfdyvqo.exe	120
PID 1008 wrote to memory of 456	1008	vtnlfdyvqo.exe	120
PID 3292 wrote to memory of 4320	3292	ecwuojhbztrmjecw.exe	126
PID 3292 wrote to memory of 4320	3292	ecwuojhbztrmjecw.exe	126
PID 3292 wrote to memory of 4320	3292	ecwuojhbztrmjecw.exe	126
PID 3292 wrote to memory of 4016	3292	ecwuojhbztrmjecw.exe	128
PID 3292 wrote to memory of 4016	3292	ecwuojhbztrmjecw.exe	128
PID 3292 wrote to memory of 4016	3292	ecwuojhbztrmjecw.exe	128
PID 3632 wrote to memory of 2228	3632	dxvqnigsqk.exe	132
PID 3632 wrote to memory of 2228	3632	dxvqnigsqk.exe	132
PID 3632 wrote to memory of 2228	3632	dxvqnigsqk.exe	132
PID 3292 wrote to memory of 3160	3292	ecwuojhbztrmjecw.exe	134
PID 3292 wrote to memory of 3160	3292	ecwuojhbztrmjecw.exe	134
PID 3292 wrote to memory of 3160	3292	ecwuojhbztrmjecw.exe	134
PID 3292 wrote to memory of 2056	3292	ecwuojhbztrmjecw.exe	139
PID 3292 wrote to memory of 2056	3292	ecwuojhbztrmjecw.exe	139
PID 3292 wrote to memory of 2056	3292	ecwuojhbztrmjecw.exe	139
PID 680 wrote to memory of 1308	680	axsqkicaus.exe	137
PID 680 wrote to memory of 1308	680	axsqkicaus.exe	137
PID 680 wrote to memory of 1308	680	axsqkicaus.exe	137
PID 3292 wrote to memory of 2240	3292	ecwuojhbztrmjecw.exe	141
PID 3292 wrote to memory of 2240	3292	ecwuojhbztrmjecw.exe	141
PID 3292 wrote to memory of 2240	3292	ecwuojhbztrmjecw.exe	141
PID 3292 wrote to memory of 3828	3292	ecwuojhbztrmjecw.exe	146
PID 3292 wrote to memory of 3828	3292	ecwuojhbztrmjecw.exe	146

C:\Users\Admin\AppData\Local\Temp\2086a523c399a5660741cc125322bc93.exe
"C:\Users\Admin\AppData\Local\Temp\2086a523c399a5660741cc125322bc93.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4564
- C:\Temp\ecwuojhbztrmjecw.exe
  C:\Temp\ecwuojhbztrmjecw.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ljwtomgeyw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3308
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ljwtomgeyw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1740
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ztrljdbwto.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4328
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ztrljdbwto.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3652
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wqoigbytql.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3528
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wqoigbytql.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2556
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vtnlfdyvqo.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4040
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vtnlfdyvqo.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4320
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dxvqnigsqk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4016
  - - C:\Temp\dxvqnigsqk.exe
      C:\Temp\dxvqnigsqk.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3632
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2228
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dxvqnigsqk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3160
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\axsqkicaus.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2056
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_axsqkicaus.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2240
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zusmkecxup.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3828
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zusmkecxup.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1552
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zusmkecwup.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:668
  - - C:\Temp\zusmkecwup.exe
      C:\Temp\zusmkecwup.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1164
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4500
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zusmkecwup.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4092
  - - C:\Temp\i_zusmkecwup.exe
      C:\Temp\i_zusmkecwup.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1152
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bwuomhezxr.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:920
  - - C:\Temp\bwuomhezxr.exe
      C:\Temp\bwuomhezxr.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1124
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4188
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bwuomhezxr.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4604
  - - C:\Temp\i_bwuomhezxr.exe
      C:\Temp\i_bwuomhezxr.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2064
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ytrljdbwto.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3304
  - - C:\Temp\ytrljdbwto.exe
      C:\Temp\ytrljdbwto.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1556
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1032
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3308
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ytrljdbwto.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3844
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wqoigbytrl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3660
  - - C:\Temp\wqoigbytrl.exe
      C:\Temp\wqoigbytrl.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3664
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:928
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4704
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wqoigbytrl.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1960
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tqljdbvtnl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:5112
  - - C:\Temp\tqljdbvtnl.exe
      C:\Temp\tqljdbvtnl.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2636
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:952
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3612
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tqljdbvtnl.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2080
  - - C:\Temp\i_tqljdbvtnl.exe
      C:\Temp\i_tqljdbvtnl.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4936
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xsqkidavtn.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2036
  - - C:\Temp\xsqkidavtn.exe
      C:\Temp\xsqkidavtn.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4268
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3380
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3340
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xsqkidavtn.exe ups_ins
    3⤵
    PID:4600
  - - C:\Temp\i_xsqkidavtn.exe
      C:\Temp\i_xsqkidavtn.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:640
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vpnifaxsqk.exe ups_run
    3⤵
    PID:3588
  - - C:\Temp\vpnifaxsqk.exe
      C:\Temp\vpnifaxsqk.exe ups_run
      4⤵
      PID:4500
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4972
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2556
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vpnifaxsqk.exe ups_ins
    3⤵
    PID:3452
  - - C:\Temp\i_vpnifaxsqk.exe
      C:\Temp\i_vpnifaxsqk.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3600
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\smkfcxvpnh.exe ups_run
    3⤵
    PID:532
  - - C:\Temp\smkfcxvpnh.exe
      C:\Temp\smkfcxvpnh.exe ups_run
      4⤵
      PID:4448
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1296
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3488
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_smkfcxvpnh.exe ups_ins
    3⤵
    PID:1688
  - - C:\Temp\i_smkfcxvpnh.exe
      C:\Temp\i_smkfcxvpnh.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3716
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pkhcausmke.exe ups_run
    3⤵
    PID:4496
  - - C:\Temp\pkhcausmke.exe
      C:\Temp\pkhcausmke.exe ups_run
      4⤵
      PID:4188
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1684
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:220
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pkhcausmke.exe ups_ins
    3⤵
    PID:368
  - - C:\Temp\i_pkhcausmke.exe
      C:\Temp\i_pkhcausmke.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:808
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpjhczusm.exe ups_run
    3⤵
    PID:4272
  - - C:\Temp\xrpjhczusm.exe
      C:\Temp\xrpjhczusm.exe ups_run
      4⤵
      PID:1984
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2964
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3756
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpjhczusm.exe ups_ins
    3⤵
    PID:1556
  - - C:\Temp\i_xrpjhczusm.exe
      C:\Temp\i_xrpjhczusm.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3304
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\trmjecwuom.exe ups_run
    3⤵
    PID:436
  - - C:\Temp\trmjecwuom.exe
      C:\Temp\trmjecwuom.exe ups_run
      4⤵
      PID:320
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:5044
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4992
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_trmjecwuom.exe ups_ins
    3⤵
    PID:2408
  - - C:\Temp\i_trmjecwuom.exe
      C:\Temp\i_trmjecwuom.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:412
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\toigbytrlj.exe ups_run
    3⤵
    PID:3280
  - - C:\Temp\toigbytrlj.exe
      C:\Temp\toigbytrlj.exe ups_run
      4⤵
      PID:3180
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2536
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3268
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_toigbytrlj.exe ups_ins
    3⤵
    PID:3576
  - - C:\Temp\i_toigbytrlj.exe
      C:\Temp\i_toigbytrlj.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5020
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qoigbytrlj.exe ups_run
    3⤵
    PID:4864
  - - C:\Temp\qoigbytrlj.exe
      C:\Temp\qoigbytrlj.exe ups_run
      4⤵
      PID:8
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2776
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3724
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qoigbytrlj.exe ups_ins
    3⤵
    PID:752
  - - C:\Temp\i_qoigbytrlj.exe
      C:\Temp\i_qoigbytrlj.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3156

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:452

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:3756

C:\Temp\ljwtomgeyw.exe
C:\Temp\ljwtomgeyw.exe ups_run
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144

C:\Temp\i_ljwtomgeyw.exe
C:\Temp\i_ljwtomgeyw.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2016

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:1396

C:\Temp\ztrljdbwto.exe
C:\Temp\ztrljdbwto.exe ups_run
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988

C:\Temp\i_ztrljdbwto.exe
C:\Temp\i_ztrljdbwto.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1552
- C:\Temp\i_zusmkecxup.exe
  C:\Temp\i_zusmkecxup.exe ups_ins
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3008

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:2788

C:\Temp\wqoigbytql.exe
C:\Temp\wqoigbytql.exe ups_run
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080

C:\Temp\i_wqoigbytql.exe
C:\Temp\i_wqoigbytql.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:3212

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:456

C:\Temp\vtnlfdyvqo.exe
C:\Temp\vtnlfdyvqo.exe ups_run
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008

C:\Temp\i_vtnlfdyvqo.exe
C:\Temp\i_vtnlfdyvqo.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1980

C:\Temp\i_dxvqnigsqk.exe
C:\Temp\i_dxvqnigsqk.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:3152

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:1308

C:\Temp\axsqkicaus.exe
C:\Temp\axsqkicaus.exe ups_run
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680

C:\Temp\i_axsqkicaus.exe
C:\Temp\i_axsqkicaus.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:932

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:4512

C:\Temp\zusmkecxup.exe
C:\Temp\zusmkecxup.exe ups_run
1⤵
- Executes dropped EXE
PID:1848

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:4428

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:4320

C:\Temp\i_ytrljdbwto.exe
C:\Temp\i_ytrljdbwto.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Temp\i_wqoigbytrl.exe
C:\Temp\i_wqoigbytrl.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\axsqkicaus.exe

Filesize
201KB

MD5
6d0ba0eaa4f8fa0160b12a966cab43f9

SHA1
508879053ede29a022084e68c0682d59054f9645

SHA256
93a4cf0d2921046c707b5beec413b01550a22b183bb31ddef8a3574036da24f0

SHA512
7e09e38be50dcddbaee485268e1290c10c2e2f47ea39ec00b2c5990d8688463e6f4feae856c6280a6a127964aac61404e837c4016bf71860b72c059100e8909d

Download Submit
C:\Temp\axsqkicaus.exe

Filesize
217KB

MD5
16731396d531113f8abf9cb2f7cdaeab

SHA1
a4f2af8c4753cf00aa8081c79b193630f59e2d0d

SHA256
e1f4c2ff786dcf2e8e55050dcd927ffe0f9a21f51270b0aaf36740bd20051471

SHA512
dc681c1dff5dc3e12305ecabb4b1321ba5912a6cf9af794d53fb0a8fea85109dd83d07c087ea4af367fb050c178e8524419f6102fad2492d9378b5fe894ab025

Download Submit
C:\Temp\bwuomhezxr.exe

Filesize
57KB

MD5
60213cffd946e80f1e295fec52bf7437

SHA1
bce6d4078d403215c8213860c55d19247565c337

SHA256
4530eebe32682343d767db0618084a8ec5db60e95cf86cea4f60780261703c53

SHA512
73259cc3976100fb585fb02f33cd8c6821dfb60cb573c6ac3adca880ee71ea94776b1751f3a1fc38bd090f19c3ec7c3c0b6174fc59f2f23baa9ce971a4b04d5b

Download Submit
C:\Temp\bwuomhezxr.exe

Filesize
68KB

MD5
2d32a108bfe0e4ec8d9f1a7acb5825bd

SHA1
f937c585df0eddbdcb984e026608f925c3979326

SHA256
c1f1d8cb819e9056c2b963aadf203c081c69a595a4b69f8f1ec1b35d1da41d9c

SHA512
a6e0c474649012c93a7ff7501553f5aa0740482a359fb8fde915fd4958e01a0734d4f8b57ae62b34ca5c9bf839dd8c00e3f9e6a7db0bf1de34124b0241842c76

Download Submit
C:\Temp\dxvqnigsqk.exe

Filesize
361KB

MD5
9b1f5998240fbdf2ac71189fa3667205

SHA1
a8b2a2adee88a26eacf457279225fb34ce99319f

SHA256
ca4b9619f4a77183b1f985b4e8aa55b0fdfa34323d7604ef3d82622cbf1a273f

SHA512
5dbe9cc7bc8e2dfc53d10476c3402a5600db1994d78b6579a6ff693229c656f63274ce4b758c6f5882e254ff1ff538dc365b996ff52807571618a6bb612240ec

Download Submit
C:\Temp\dxvqnigsqk.exe

Filesize
270KB

MD5
93dee564cfee01594818a91b873fc9d1

SHA1
b844f615b4652b74c7531fb64865008b4e58f30b

SHA256
efcff513952add928190f7e81f1ecb158ae3e0f938352a35b9484c1ad590e2f6

SHA512
0c1ef132adde3d16c5a323e7517b466dae74e2c9ab6147cc876da9b144cba6db4b791190984869bbb0a5373464e3dcf5d26fd688343ef6a93619a9d9fa1d8e0e

Download Submit
C:\Temp\ecwuojhbztrmjecw.exe

Filesize
33KB

MD5
3e60c6775df16d76c5d1dfb687493d83

SHA1
05fe6cd94f4a35bd8bc891b0da90b6982825d5a8

SHA256
ddb567941b0bdd5608236db4214734b87e8057d058743b6c1dcaa2cbca063cbb

SHA512
84a86d7033ea0ca5abd40f29bdcdeaa38903425e407dc6dc7a1701ce31cd25013b016000fc17bae588155d2c96c9c00f4c2e067141280270166859a5fb25551a

Download Submit
C:\Temp\ecwuojhbztrmjecw.exe

Filesize
227KB

MD5
62197e836da17ac9145023590bb4d05a

SHA1
7d283d45b50d0a8c9d42b9267d2a78bd926c9498

SHA256
d348b094fd207c5bf9a70e56b5b5010e8fdf297e40aee88c67d0c536343d9962

SHA512
9111827e9c80a6c9920019b0692d0b648f6652fa7893d1ab0e81aed9b013c4ecd454d9eaaa6abef155748c2075ca1ad938a1dc7167f600a5e7f00ff20e3fe035

Download Submit
C:\Temp\i_axsqkicaus.exe

Filesize
105KB

MD5
ac95185176cb04798c6f4e9ff1a7b76b

SHA1
ef239cf7ae73dfa0ddb9ffb8a2516c49727de4bb

SHA256
34b9ebaaaae8c443387959a218bedd1ab39c5681b97b276208f089085650f5fd

SHA512
ebd3c61428e61c92c4e76b8e4bf80b3b7ce907eb625eeba5fe8935f22bbb8d5b658b586159eac2131c717691d4236a5dc29146291b3e76c480527cdac3d76025

Download Submit
C:\Temp\i_axsqkicaus.exe

Filesize
108KB

MD5
554dbbeca2ba8e448cde67d585bb0178

SHA1
15dc280d218d7fd3590c360b6f192f9db0cdc289

SHA256
9463fbae501f45332e68a978a048300508d795ed83aff199728baa4f3bcfe1ae

SHA512
1e154da7bbcabc6a3251c129bbfd0e6807b7c5a1333b70634ac27ca4023c2e053617513a64e0ade48d63e307881e474768a409494b25c49bec9060f9df554ea0

Download Submit
C:\Temp\i_dxvqnigsqk.exe

Filesize
361KB

MD5
b15012fa335070862fad18a3b0c7b7c4

SHA1
844b5b13fce985404a7ce872eea60dfac2d926da

SHA256
ceea0d69c209b859bbad454074e2c9c9c840fd26eb4ef0ee623d1771b57a4949

SHA512
549e08bf3a4c380177a799199e812b7ac32540bb1a977cc4a4e8bdbf3bc9ccef35ed71120180b1ee39bd42a455c72d48c46e401f66ad3380ce06bb971a33f34a

Download Submit
C:\Temp\i_dxvqnigsqk.exe

Filesize
296KB

MD5
52b2ca4589186c1ed4d9c0c976c1e730

SHA1
1d320dfac2cee2b89e012b8cdba60a6bc9f16fdc

SHA256
35f730ceee3e7de88113b76e37762ee6e5161c9c7bb570f6ca252c4ce006f7fc

SHA512
e21aec54989bf04001d46f4788d219fb0e96f2737ec92c81aa75a379e373a50d37535c39a30eea2290f4622d4c6d90da7e7e73b5d1755e47825a7bd8ca2fc58b

Download Submit
C:\Temp\i_ljwtomgeyw.exe

Filesize
217KB

MD5
e0fb804496b86b9c848484bf4e67a7ab

SHA1
4953142b7f1813e3ddce45432748bb7f62d28279

SHA256
1c3a4f5cab856eaf373ca799f075957a083e9704b88ec1398812572701f97186

SHA512
083b1260604ded1f993cbb437323887c2976438554b512996defe9d35481048c9f65884f7ce4c49c79855045ef23f53c6caa6ae7026ae088ad3cca7e837c693b

Download Submit
C:\Temp\i_ljwtomgeyw.exe

Filesize
191KB

MD5
487994fbb34a7db5aac269483f8b96a6

SHA1
bd34554a429531374039004b53827c028d378cf3

SHA256
859c9a24b658d509eb9ebafb95f3bcab3c6c309306fbf9a142567a2130b29152

SHA512
1f3c144329152eea93454f9bd10b24dac587991a59cd7572a162f9cfeb56bcf8aaa28a91ebe08f0c1a19a5b16e2c39cea068a92ab03927ef1d23eb85c0c5343b

Download Submit
C:\Temp\i_vtnlfdyvqo.exe

Filesize
38KB

MD5
76d718392b1a787ad8f3658ab3f81415

SHA1
8745bea13fe4a3e1d947b1f594baab6254d5ef10

SHA256
7146cb0af16981372042342ba3e3a52e0be8fdf9e94f743bd0bafca6e73c2841

SHA512
68aa621650627dd753fb75de41cd32c046b93c31b94ec4d55419d3cf1728abe6038f302dfda4f11ac8708f63c776915765fb476720e7f34bd6cafe6cc497d021

Download Submit
C:\Temp\i_vtnlfdyvqo.exe

Filesize
52KB

MD5
75b0caad47546f976986cd9141ff6ffc

SHA1
a5baa91b0e76718ed8c188965ec18b7960efe476

SHA256
b58d52279d236d36bc8eaead46e8b46d2b41d050d05dbdd7ad0c79316c7ad26f

SHA512
6cb17a4af16307c86dab104ad0022091e5e2d927e6819f2b6d2a7c308d353c72c9d3dd3dd041db4bf9915d29fd3b6df3d30224fab286a031caa79d790900ec84

Download Submit
C:\Temp\i_wqoigbytql.exe

Filesize
57KB

MD5
e6e57e8d72d635ed5b74b4d4412760a6

SHA1
f140f65bfe3d81a5689cbccb6c60712a3bab299a

SHA256
d6b3fb8df665b5283cf9b0f06ade0659904cf4cc84d809154b0560d785ac9430

SHA512
49215f974e15522c76b799331840013929b27dd5dc33b9d747c0631db13bb3c4744c2e3db6d70f8573e42d589dff53d215ce9351c3b8c207b1fcf704a3d65d73

Download Submit
C:\Temp\i_wqoigbytql.exe

Filesize
12KB

MD5
8b9900db671572f41f1b22eba77464bf

SHA1
12e0c3ddf04b156cd41a5a83ce88c3954bcddbe6

SHA256
2dd59b33ca195f41395146979905a1a9aa86e128d9ecd854fef3d00b19da20b3

SHA512
c6afe4d3d49aaada83da94268d7d5d7c83f96ef99a9c7bde868cce39d9494396e2e2c03c719edea22c057cdb934a07e203a419841a6a0d7974e4399c24391229

Download Submit
C:\Temp\i_ztrljdbwto.exe

Filesize
1KB

MD5
d08c6398cca22c62dea296212323dba2

SHA1
7ebbca3d6f255c6bc0a30a82d7394fa12feb3525

SHA256
7aee0a29eee28915251864915a9d46f422187a7353c4fa6c304aa19c176382fe

SHA512
8845d1f9b787ae6829d90f7d23e1f8f04a10251f97f2edd9b58ff11c5fb9789ed60f418888088c04966363c5510337d0e02facdc737ba2e604cbbfa91fd2db3d

Download Submit
C:\Temp\i_ztrljdbwto.exe

Filesize
39KB

MD5
da85657f96a19d4678578cff9ae80ebe

SHA1
f920fa18d3b3cb1ddb4077ae79179bef46a9a6b9

SHA256
5c831e9c10763252ba398fc33544fcfb0ef404bf63abcc7c888c1092eec95af7

SHA512
e237853f78428f8607e62782a49ec922f2b6ba700bec29bc8d7f279fd4b9d67f6e85ee80580b451110725104a922326a25a88b5a7f7680556f416cefbc27eb74

Download Submit
C:\Temp\i_zusmkecwup.exe

Filesize
361KB

MD5
384bb4b79414fbbe474a5e13e43741f5

SHA1
5bc15e385c325911845864f18152f1907c69b693

SHA256
29dd18160ee4d98dc1ad9be881f3625e692c4f3660627fd3017a40f9eeb07dba

SHA512
a8c3072dfc767337fe19b70591193755be04f9c4d8b48023331a2840855948e3d3c81d7ac9b38f9e5e61d4d268e805ab432afbc450b64668526be902bc94a2b4

Download Submit
C:\Temp\i_zusmkecxup.exe

Filesize
189KB

MD5
b575f4d380438164103aa6be25e5361d

SHA1
cd282f3694fcfb4e9dcb3af2366010844a622481

SHA256
6c5162fab4679f34e1192218f16cbb9429e5d02a07aa6b059dcc5431d47c01fe

SHA512
3ba28a4564aef4c14c5a11eb6c9cdd9bc56772813d5412d078d15aa2f78d90cf60e5d59e569b5d52e71ce9ff2d40af103ce69b157c5798dd652f4f4d3ab874cf

Download Submit
C:\Temp\i_zusmkecxup.exe

Filesize
133KB

MD5
9a57b217dbe27461d296580920026861

SHA1
e5a45238c5bc8033bb3047e2e9c4c9529cf5603c

SHA256
de9fba4f370975ee96ba3b3cba81456887ec9fde8f114e8b4b46b65e63e73e9e

SHA512
1ffb0247337e786928cdd9e5bd33d919d2c8e23b69a05da4c0c4b2b2d336ae490e26716b4a63f50e75f7e35adc57e8555e181fb846d8f0266624ed7c2a62f7ea

Download Submit
C:\Temp\ljwtomgeyw.exe

Filesize
74KB

MD5
7ca4f4d344016a1c84f13699cbc91d16

SHA1
a5642e79539201beed3ec7dec85936344abd8300

SHA256
a4b1c602c59501806ff4a8e52a04282130cddc3d52b4a2bb4f380c17461318dc

SHA512
90884b6bdacfcbe921837539c95ca8d9a2730805527ee63a0812af449d57c848f5425036c27ab09beebf8cb8f33107c64ccd93b8f46e223decd17a36776865da

Download Submit
C:\Temp\ljwtomgeyw.exe

Filesize
85KB

MD5
cbffead3b56b3ec74e2bcc86cb9ffecf

SHA1
a9d5b6fa85785d6dd1626f461fd7b68a9968a17a

SHA256
959f65851f230efe3262a18f429bc6c9f1a5d22c7266118a3a71a2cc393f7912

SHA512
578f18e808c8b94c50802cf2dd675f3bc1d5494b7cf2a684a1105c2cefa082d1aa39b07976bb1acbbbe2bb03cd1e54908365ef9573696661ba866709353837f5

Download Submit
C:\Temp\vtnlfdyvqo.exe

Filesize
361KB

MD5
c4746b4ddf0a7c72ee047d8fe0e456e1

SHA1
a0ae1c10d24308570bc3106710ef84b8820d3f71

SHA256
041bd983ff0cdff66039a0341986e5aac4e48e4cc420392ebfd02daa555e1fed

SHA512
e3f1ffd811dac363bb03a58585d994b0286850f55b0e11196b662fbb9a02950017928d559abce604f74fc9be27d5c8d63b50f0810759837e9f35420d6df97ba3

Download Submit
C:\Temp\vtnlfdyvqo.exe

Filesize
319KB

MD5
14b05fac3951ca6327e80906fca5280a

SHA1
307c71b8b49da0c2c6f3f01f8f2e95f5e4d28070

SHA256
c2926e25b1fc0521d766566c9c0b26260237cebbb9ce92fc3089480b66283846

SHA512
62334b4611854f7d71c7c15802e4eed554f103e314404380d1f3349bbbabcd99d8b62ce84db5cda07f3d13252faec31f16dbb2a6a88abb5561387a6a7b6e8c68

Download Submit
C:\Temp\wqoigbytql.exe

Filesize
361KB

MD5
5d828a1a3c6bbac255ea16c60873b3e9

SHA1
7a3896a45194ec5ea6d2b525e527bcd1c6490e05

SHA256
accdf542f5bc334dee99c8c0f13fa08a795773a89b67e7c94246ca3659bff51c

SHA512
93c264dcc2c3394b935da8de49dcb7e07f0b2cb91ae83a8a6826d5e744ad9c3b28bfafdf4184d6ecf0f2b7f144c5b6eec382c6401977b9b5180e435f2decd0b3

Download Submit
C:\Temp\wqoigbytql.exe

Filesize
24KB

MD5
b223d7189a0d764421d0bceb07d30b40

SHA1
254d56f19f3a1a72d8ee2eeb7b59b29fe27ac127

SHA256
eae6cb314750d945a12364dca6d68abb6851482850f7c4d426da66e7f6650638

SHA512
a34ded0bf3ce42b25c742b9aa26afd594e5debb8a49011fe089893daa3a8c40237f7bce989743558a976096d73761b94866991a77ea857539f3df5b9426b0eba

Download Submit
C:\Temp\ztrljdbwto.exe

Filesize
95KB

MD5
3e1b052ccb17b237ca8cb2e9189a8bb2

SHA1
047b34b39ce53e5a99ef80b0bdfd4caeaaee2265

SHA256
14be072c8e80a91cce82f1ebda13dbd448b7c520eac69a02847ba256753fbdf9

SHA512
a48c73a092797609e4a8984976f95cdc72a3fabd72c13264d71599905ad1a086cd7665808d0db5ecf7e25d3f317f0fb6e55ecf375cf42c267572bcec077d16b0

Download Submit
C:\Temp\ztrljdbwto.exe

Filesize
99KB

MD5
bc7cfbe52131f568145ed6ae0de5af95

SHA1
76df7e834b6c4f009c9d23730816462c765f442f

SHA256
ab9031882b45baf0db16de62ff7add65152b7e105df63781accdbd345ab2fa68

SHA512
5cab1b5f7fa385ce0e37b7f497ded13ba39278aa00386bf351f799efbd76514b7fd179cd65d359474ca521d2def5e27254d4275ab37dc41383094acc78b37f6b

Download Submit
C:\Temp\zusmkecwup.exe

Filesize
348KB

MD5
99a6b202e3ccca496d6af952fbf894e5

SHA1
7492083d014b01d64b72a1f0d5db9242f3753cdd

SHA256
22023afbba3c1978c93d8fe6cf3bd623c14b6a4054e986faa842fd6950b2d681

SHA512
2b9c630482ef21f9a43c8eede0985e796f921a58606308e809871186c8185bb710d17c6b5097e2cdf8114b64e80a53caf8aed5786fefb669205dbbcc779fdb84

Download Submit
C:\Temp\zusmkecwup.exe

Filesize
328KB

MD5
4e500787965bf00d5c4ac638a7c37df8

SHA1
9f0c932104ab08bbd6db3f0cd6833d4eec95a6ab

SHA256
cc71f8aa41c95f8eaef659f1910e5d330d416f0a7b389fcdd4e5eda4d0169cf8

SHA512
127195d1d7791beb36b18b4a72037743fb4cc4432cae4ebeeec7b8b54e12add59a411e090b1adb4f9a84af23b7cd977fccb83196fa8c0431e46dbf0fd53b3693

Download Submit
C:\Temp\zusmkecxup.exe

Filesize
361KB

MD5
7ce71e0d5268131e00263e3a72c07ae9

SHA1
646a8d18e10d8e8515ef8aaedef9bb4ad132943a

SHA256
49418ceb99cd4c14f51b49ef8119c45c79eb5cdc28363d4bc3b64df8bf3033c8

SHA512
e5015f6e913b95d7082a420293dc59c5f45ad40ff96a88b9cf845d6d03bdc16f708cea8665ee4207cf946770d90e145a441ee5c21c9a41ad15571dbaa6e9add1

Download Submit
C:\Temp\zusmkecxup.exe

Filesize
77KB

MD5
6ea7dc9b37f80f9b6a8a4948241d8aa8

SHA1
2591445a271de27dba3737259f0b973e7b32f010

SHA256
3e4581bac462d0f7fc0f4f51ec9dad44feab6078062973248502bf5a7697c4d1

SHA512
ddba72e5ad42c54f44190b19f49fc66bf5064279aa650448114d13046f8df9d83c42e9cc923ca2c3307df8877c230e17727b86a1dce8e855b76990445baa1b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verCCA6.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSO8CY24\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
773be52ced5589c4db140e227b9e6c75

SHA1
0127a7ab044bbc3a247b2545c9b4e55cd5ac3e6a

SHA256
d6cfe654c49f2dc1168cd08630eb9a6a73e347eb75efb10c37df65ac853b7a6d

SHA512
08b7430c713c4f13be458e4efad46089b2b8a56473f7f0f617e5dd70f70521e03d498fa3c93b804b32023a58d41aec15269c3b2c07a6769bb96ef49009dbc6fe

Download Submit