20c8d5a83222f546e0df56b8e69f05f9bbd7ea580ac2be7de266d3a9bb7adfc2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28979066887cafaec56a3659cc1429f8.exe
Size

361KB
MD5

28979066887cafaec56a3659cc1429f8
SHA1

87875375f1691f43878b2a4a36df48b58d1a908b
SHA256

20c8d5a83222f546e0df56b8e69f05f9bbd7ea580ac2be7de266d3a9bb7adfc2
SHA512

2a7646fe700db4832c713874c7290ca33ec1855d253d43e5934e8891383b0e1383a2c216f1ba55d1065d2176d175239bec44baa80e0967c68270daae9d7ec2fd
SSDEEP

6144:FflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:FflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2080	bwuomgeywrojhbzt.exe
3012	CreateProcess.exe
2760	jdbwtomgey.exe
1540	CreateProcess.exe
620	CreateProcess.exe
3920	i_jdbwtomgey.exe
4268	CreateProcess.exe
1448	tolgeywqoi.exe
1652	CreateProcess.exe
4868	CreateProcess.exe
3344	i_tolgeywqoi.exe
3656	CreateProcess.exe
4876	vtolgdywqo.exe
4336	CreateProcess.exe
2696	CreateProcess.exe
1444	i_vtolgdywqo.exe
3544	CreateProcess.exe
1648	qnigaysqki.exe
32	CreateProcess.exe
636	CreateProcess.exe
828	i_qnigaysqki.exe
3012	CreateProcess.exe
372	nlfdxvpnif.exe
400	CreateProcess.exe
2752	CreateProcess.exe
3740	i_nlfdxvpnif.exe
4960	CreateProcess.exe
2540	kfcxvpnhfz.exe
1936	CreateProcess.exe
3372	CreateProcess.exe
1580	i_kfcxvpnhfz.exe
1280	CreateProcess.exe
3932	nhfzxrpkhc.exe
4276	CreateProcess.exe
4144	CreateProcess.exe
3024	i_nhfzxrpkhc.exe
4436	CreateProcess.exe
380	hbzurmkecw.exe
2696	CreateProcess.exe
320	CreateProcess.exe
1648	i_hbzurmkecw.exe
2232	CreateProcess.exe
3408	ezwrojhbzt.exe
1408	CreateProcess.exe
3952	CreateProcess.exe
2588	i_ezwrojhbzt.exe
1264	CreateProcess.exe
4468	bwtomgeywq.exe
4324	CreateProcess.exe
4028	CreateProcess.exe
1036	i_bwtomgeywq.exe
1756	CreateProcess.exe
4452	gbytqljdbv.exe
4924	CreateProcess.exe
4416	CreateProcess.exe
960	i_gbytqljdbv.exe
4268	CreateProcess.exe
3488	dbvtnlgdyv.exe
2060	CreateProcess.exe
2416	CreateProcess.exe
4520	i_dbvtnlgdyv.exe
4444	CreateProcess.exe
220	aysqkicavs.exe
1804	CreateProcess.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2872	ipconfig.exe
2444	ipconfig.exe
2116	ipconfig.exe
4468	ipconfig.exe
1556	ipconfig.exe
1128	ipconfig.exe
2132	ipconfig.exe
2588	ipconfig.exe
1484	ipconfig.exe
4656	ipconfig.exe
4356	ipconfig.exe
3340	ipconfig.exe
3224	ipconfig.exe
4276	ipconfig.exe
4608	ipconfig.exe
3920	ipconfig.exe
2908	ipconfig.exe
1972	ipconfig.exe
4648	ipconfig.exe
4296	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078367"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078367"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "789005364"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "789005364"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f00d8f2fdf37da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078367"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015a2f750fe9ee1479ecf0c8cfb11934c00000000020000000000106600000001000020000000a28eb8a9f8566267e4344a73ad1b7679fd25e6c1fb2e47f49b8bd068ca1109f6000000000e800000000200002000000015840aa5408e77a38bfac4350cfd9a84dc9816133a357b7c3842f831231e505920000000cba7ff52c7e604204e6de2848dde833cf6a487db8465026ad085468ec95aa77740000000214d397b7cf7fff086509b9bc95f844aa5f30b81a4e25e4cf5580e3eae280d8cffc15736a222aaad14de2307c200ff8818a7b4e9d32a6f47a437076c22a2fbaf	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "793224144"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00e2872fdf37da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410348410"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5AA01B19-A3D2-11EE-A0B6-56EE10B1B424} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015a2f750fe9ee1479ecf0c8cfb11934c0000000002000000000010660000000100002000000091314a66adf975ff81eef26f744fa07bdb2f92215c867f957cd20c0d658c833f000000000e8000000002000020000000cd4b056a8a2628b00ee362f27dea9ded5ace539d3ebfc9b134896d08e4092bab200000009f8726b84017f508ef2070a9c003dc85e27bfa168b3b5872e9739a9f372aaf3240000000002b99a97964af19308135ed8feb1a595a8cf3bd5a32111a113d2923b4a9df5d0168f29deb5ab6ee016050a5481a39749a7668f2f948f1c38a02880fba9182c8	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2080	bwuomgeywrojhbzt.exe
2080	bwuomgeywrojhbzt.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2080	bwuomgeywrojhbzt.exe
2080	bwuomgeywrojhbzt.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2080	bwuomgeywrojhbzt.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2080	bwuomgeywrojhbzt.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2080	bwuomgeywrojhbzt.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2080	bwuomgeywrojhbzt.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2080	bwuomgeywrojhbzt.exe
2080	bwuomgeywrojhbzt.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2080	bwuomgeywrojhbzt.exe
2080	bwuomgeywrojhbzt.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2080	bwuomgeywrojhbzt.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2080	bwuomgeywrojhbzt.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe
2292	28979066887cafaec56a3659cc1429f8.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3920	i_jdbwtomgey.exe
Token: SeDebugPrivilege	3344	i_tolgeywqoi.exe
Token: SeDebugPrivilege	1444	i_vtolgdywqo.exe
Token: SeDebugPrivilege	828	i_qnigaysqki.exe
Token: SeDebugPrivilege	3740	i_nlfdxvpnif.exe
Token: SeDebugPrivilege	1580	i_kfcxvpnhfz.exe
Token: SeDebugPrivilege	3024	i_nhfzxrpkhc.exe
Token: SeDebugPrivilege	1648	i_hbzurmkecw.exe
Token: SeDebugPrivilege	2588	i_ezwrojhbzt.exe
Token: SeDebugPrivilege	1036	i_bwtomgeywq.exe
Token: SeDebugPrivilege	960	i_gbytqljdbv.exe
Token: SeDebugPrivilege	4520	i_dbvtnlgdyv.exe
Token: SeDebugPrivilege	4340	i_aysqkicavs.exe
Token: SeDebugPrivilege	2696	i_usnkfdxvpn.exe
Token: SeDebugPrivilege	320	i_ausmkfcxvp.exe
Token: SeDebugPrivilege	1044	i_urmkecwurm.exe
Token: SeDebugPrivilege	4324	i_wrpjhbztrm.exe
Token: SeDebugPrivilege	3860	i_uomgeywroj.exe
Token: SeDebugPrivilege	1708	i_ytrljdbvto.exe
Token: SeDebugPrivilege	4612	i_tnlfdyvtnl.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2860	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2860	iexplore.exe
2860	iexplore.exe
768	IEXPLORE.EXE
768	IEXPLORE.EXE
768	IEXPLORE.EXE
768	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2080	2292	28979066887cafaec56a3659cc1429f8.exe	90
PID 2292 wrote to memory of 2080	2292	28979066887cafaec56a3659cc1429f8.exe	90
PID 2292 wrote to memory of 2080	2292	28979066887cafaec56a3659cc1429f8.exe	90
PID 2292 wrote to memory of 2860	2292	28979066887cafaec56a3659cc1429f8.exe	91
PID 2292 wrote to memory of 2860	2292	28979066887cafaec56a3659cc1429f8.exe	91
PID 2860 wrote to memory of 768	2860	iexplore.exe	92
PID 2860 wrote to memory of 768	2860	iexplore.exe	92
PID 2860 wrote to memory of 768	2860	iexplore.exe	92
PID 2080 wrote to memory of 3012	2080	bwuomgeywrojhbzt.exe	93
PID 2080 wrote to memory of 3012	2080	bwuomgeywrojhbzt.exe	93
PID 2080 wrote to memory of 3012	2080	bwuomgeywrojhbzt.exe	93
PID 2760 wrote to memory of 1540	2760	jdbwtomgey.exe	96
PID 2760 wrote to memory of 1540	2760	jdbwtomgey.exe	96
PID 2760 wrote to memory of 1540	2760	jdbwtomgey.exe	96
PID 2080 wrote to memory of 620	2080	bwuomgeywrojhbzt.exe	99
PID 2080 wrote to memory of 620	2080	bwuomgeywrojhbzt.exe	99
PID 2080 wrote to memory of 620	2080	bwuomgeywrojhbzt.exe	99
PID 2080 wrote to memory of 4268	2080	bwuomgeywrojhbzt.exe	101
PID 2080 wrote to memory of 4268	2080	bwuomgeywrojhbzt.exe	101
PID 2080 wrote to memory of 4268	2080	bwuomgeywrojhbzt.exe	101
PID 1448 wrote to memory of 1652	1448	tolgeywqoi.exe	103
PID 1448 wrote to memory of 1652	1448	tolgeywqoi.exe	103
PID 1448 wrote to memory of 1652	1448	tolgeywqoi.exe	103
PID 2080 wrote to memory of 4868	2080	bwuomgeywrojhbzt.exe	106
PID 2080 wrote to memory of 4868	2080	bwuomgeywrojhbzt.exe	106
PID 2080 wrote to memory of 4868	2080	bwuomgeywrojhbzt.exe	106
PID 2080 wrote to memory of 3656	2080	bwuomgeywrojhbzt.exe	110
PID 2080 wrote to memory of 3656	2080	bwuomgeywrojhbzt.exe	110
PID 2080 wrote to memory of 3656	2080	bwuomgeywrojhbzt.exe	110
PID 4876 wrote to memory of 4336	4876	vtolgdywqo.exe	112
PID 4876 wrote to memory of 4336	4876	vtolgdywqo.exe	112
PID 4876 wrote to memory of 4336	4876	vtolgdywqo.exe	112
PID 2080 wrote to memory of 2696	2080	bwuomgeywrojhbzt.exe	115
PID 2080 wrote to memory of 2696	2080	bwuomgeywrojhbzt.exe	115
PID 2080 wrote to memory of 2696	2080	bwuomgeywrojhbzt.exe	115
PID 2080 wrote to memory of 3544	2080	bwuomgeywrojhbzt.exe	117
PID 2080 wrote to memory of 3544	2080	bwuomgeywrojhbzt.exe	117
PID 2080 wrote to memory of 3544	2080	bwuomgeywrojhbzt.exe	117
PID 1648 wrote to memory of 32	1648	qnigaysqki.exe	119
PID 1648 wrote to memory of 32	1648	qnigaysqki.exe	119
PID 1648 wrote to memory of 32	1648	qnigaysqki.exe	119
PID 2080 wrote to memory of 636	2080	bwuomgeywrojhbzt.exe	124
PID 2080 wrote to memory of 636	2080	bwuomgeywrojhbzt.exe	124
PID 2080 wrote to memory of 636	2080	bwuomgeywrojhbzt.exe	124
PID 2080 wrote to memory of 3012	2080	bwuomgeywrojhbzt.exe	126
PID 2080 wrote to memory of 3012	2080	bwuomgeywrojhbzt.exe	126
PID 2080 wrote to memory of 3012	2080	bwuomgeywrojhbzt.exe	126
PID 372 wrote to memory of 400	372	nlfdxvpnif.exe	128
PID 372 wrote to memory of 400	372	nlfdxvpnif.exe	128
PID 372 wrote to memory of 400	372	nlfdxvpnif.exe	128
PID 2080 wrote to memory of 2752	2080	bwuomgeywrojhbzt.exe	131
PID 2080 wrote to memory of 2752	2080	bwuomgeywrojhbzt.exe	131
PID 2080 wrote to memory of 2752	2080	bwuomgeywrojhbzt.exe	131
PID 2080 wrote to memory of 4960	2080	bwuomgeywrojhbzt.exe	133
PID 2080 wrote to memory of 4960	2080	bwuomgeywrojhbzt.exe	133
PID 2080 wrote to memory of 4960	2080	bwuomgeywrojhbzt.exe	133
PID 2540 wrote to memory of 1936	2540	kfcxvpnhfz.exe	135
PID 2540 wrote to memory of 1936	2540	kfcxvpnhfz.exe	135
PID 2540 wrote to memory of 1936	2540	kfcxvpnhfz.exe	135
PID 2080 wrote to memory of 3372	2080	bwuomgeywrojhbzt.exe	138
PID 2080 wrote to memory of 3372	2080	bwuomgeywrojhbzt.exe	138
PID 2080 wrote to memory of 3372	2080	bwuomgeywrojhbzt.exe	138
PID 2080 wrote to memory of 1280	2080	bwuomgeywrojhbzt.exe	141
PID 2080 wrote to memory of 1280	2080	bwuomgeywrojhbzt.exe	141

C:\Users\Admin\AppData\Local\Temp\28979066887cafaec56a3659cc1429f8.exe
"C:\Users\Admin\AppData\Local\Temp\28979066887cafaec56a3659cc1429f8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Temp\bwuomgeywrojhbzt.exe
  C:\Temp\bwuomgeywrojhbzt.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jdbwtomgey.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3012
  - - C:\Temp\jdbwtomgey.exe
      C:\Temp\jdbwtomgey.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1540
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1972
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jdbwtomgey.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:620
  - - C:\Temp\i_jdbwtomgey.exe
      C:\Temp\i_jdbwtomgey.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3920
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tolgeywqoi.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4268
  - - C:\Temp\tolgeywqoi.exe
      C:\Temp\tolgeywqoi.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1652
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2444
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tolgeywqoi.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4868
  - - C:\Temp\i_tolgeywqoi.exe
      C:\Temp\i_tolgeywqoi.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3344
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vtolgdywqo.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3656
  - - C:\Temp\vtolgdywqo.exe
      C:\Temp\vtolgdywqo.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4336
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4648
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vtolgdywqo.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2696
  - - C:\Temp\i_vtolgdywqo.exe
      C:\Temp\i_vtolgdywqo.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1444
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qnigaysqki.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3544
  - - C:\Temp\qnigaysqki.exe
      C:\Temp\qnigaysqki.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:32
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2116
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qnigaysqki.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:636
  - - C:\Temp\i_qnigaysqki.exe
      C:\Temp\i_qnigaysqki.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:828
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nlfdxvpnif.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3012
  - - C:\Temp\nlfdxvpnif.exe
      C:\Temp\nlfdxvpnif.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:372
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:400
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4468
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nlfdxvpnif.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2752
  - - C:\Temp\i_nlfdxvpnif.exe
      C:\Temp\i_nlfdxvpnif.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3740
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kfcxvpnhfz.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4960
  - - C:\Temp\kfcxvpnhfz.exe
      C:\Temp\kfcxvpnhfz.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1936
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1556
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kfcxvpnhfz.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3372
  - - C:\Temp\i_kfcxvpnhfz.exe
      C:\Temp\i_kfcxvpnhfz.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1580
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nhfzxrpkhc.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1280
  - - C:\Temp\nhfzxrpkhc.exe
      C:\Temp\nhfzxrpkhc.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3932
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4276
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4656
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nhfzxrpkhc.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4144
  - - C:\Temp\i_nhfzxrpkhc.exe
      C:\Temp\i_nhfzxrpkhc.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3024
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hbzurmkecw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4436
  - - C:\Temp\hbzurmkecw.exe
      C:\Temp\hbzurmkecw.exe ups_run
      4⤵
      Executes dropped EXE
      PID:380
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2696
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4356
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hbzurmkecw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:320
  - - C:\Temp\i_hbzurmkecw.exe
      C:\Temp\i_hbzurmkecw.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1648
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ezwrojhbzt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2232
  - - C:\Temp\ezwrojhbzt.exe
      C:\Temp\ezwrojhbzt.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3408
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1408
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4296
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ezwrojhbzt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3952
  - - C:\Temp\i_ezwrojhbzt.exe
      C:\Temp\i_ezwrojhbzt.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2588
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bwtomgeywq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1264
  - - C:\Temp\bwtomgeywq.exe
      C:\Temp\bwtomgeywq.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4468
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4324
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1128
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bwtomgeywq.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4028
  - - C:\Temp\i_bwtomgeywq.exe
      C:\Temp\i_bwtomgeywq.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1036
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gbytqljdbv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1756
  - - C:\Temp\gbytqljdbv.exe
      C:\Temp\gbytqljdbv.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4452
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4924
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3224
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gbytqljdbv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4416
  - - C:\Temp\i_gbytqljdbv.exe
      C:\Temp\i_gbytqljdbv.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:960
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dbvtnlgdyv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4268
  - - C:\Temp\dbvtnlgdyv.exe
      C:\Temp\dbvtnlgdyv.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3488
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2060
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2872
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dbvtnlgdyv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2416
  - - C:\Temp\i_dbvtnlgdyv.exe
      C:\Temp\i_dbvtnlgdyv.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4520
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\aysqkicavs.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4444
  - - C:\Temp\aysqkicavs.exe
      C:\Temp\aysqkicavs.exe ups_run
      4⤵
      Executes dropped EXE
      PID:220
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1804
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4276
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_aysqkicavs.exe ups_ins
    3⤵
    PID:4448
  - - C:\Temp\i_aysqkicavs.exe
      C:\Temp\i_aysqkicavs.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4340
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\usnkfdxvpn.exe ups_run
    3⤵
    PID:4024
  - - C:\Temp\usnkfdxvpn.exe
      C:\Temp\usnkfdxvpn.exe ups_run
      4⤵
      PID:4568
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3672
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3340
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_usnkfdxvpn.exe ups_ins
    3⤵
    PID:4372
  - - C:\Temp\i_usnkfdxvpn.exe
      C:\Temp\i_usnkfdxvpn.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2696
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ausmkfcxvp.exe ups_run
    3⤵
    PID:1948
  - - C:\Temp\ausmkfcxvp.exe
      C:\Temp\ausmkfcxvp.exe ups_run
      4⤵
      PID:3864
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4308
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4608
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ausmkfcxvp.exe ups_ins
    3⤵
    PID:1648
  - - C:\Temp\i_ausmkfcxvp.exe
      C:\Temp\i_ausmkfcxvp.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:320
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\urmkecwurm.exe ups_run
    3⤵
    PID:4844
  - - C:\Temp\urmkecwurm.exe
      C:\Temp\urmkecwurm.exe ups_run
      4⤵
      PID:4224
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3084
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2132
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_urmkecwurm.exe ups_ins
    3⤵
    PID:4332
  - - C:\Temp\i_urmkecwurm.exe
      C:\Temp\i_urmkecwurm.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1044
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wrpjhbztrm.exe ups_run
    3⤵
    PID:1488
  - - C:\Temp\wrpjhbztrm.exe
      C:\Temp\wrpjhbztrm.exe ups_run
      4⤵
      PID:1692
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wrpjhbztrm.exe ups_ins
    3⤵
    PID:2244
  - - C:\Temp\i_wrpjhbztrm.exe
      C:\Temp\i_wrpjhbztrm.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4324
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\uomgeywroj.exe ups_run
    3⤵
    PID:2616
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_uomgeywroj.exe ups_ins
    3⤵
    PID:1368
  - - C:\Temp\i_uomgeywroj.exe
      C:\Temp\i_uomgeywroj.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3860
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ytrljdbvto.exe ups_run
    3⤵
    PID:2220
  - - C:\Temp\ytrljdbvto.exe
      C:\Temp\ytrljdbvto.exe ups_run
      4⤵
      PID:1988
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1348
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3920
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ytrljdbvto.exe ups_ins
    3⤵
    PID:4068
  - - C:\Temp\i_ytrljdbvto.exe
      C:\Temp\i_ytrljdbvto.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1708
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tnlfdyvtnl.exe ups_run
    3⤵
    PID:4840
  - - C:\Temp\tnlfdyvtnl.exe
      C:\Temp\tnlfdyvtnl.exe ups_run
      4⤵
      PID:3256
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1592
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2908
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tnlfdyvtnl.exe ups_ins
    3⤵
    PID:2208
  - - C:\Temp\i_tnlfdyvtnl.exe
      C:\Temp\i_tnlfdyvtnl.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4612
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:768

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2588

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:4380

C:\Temp\uomgeywroj.exe
C:\Temp\uomgeywroj.exe ups_run
1⤵
PID:2364
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  PID:2100

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
32060347fb6bc919e455b43dd9b733c0

SHA1
641d653b74191ea31941fe815afd1d613dc7dba9

SHA256
07fefb6d157b67a260974c9191dcd8dfad5492011389f819fcba564dab8fd301

SHA512
a565ff1c348cdc0e52bc8b0e21d43c586fef93e91bed9611762372b25914353a5e9a9cf427633fa9a4bc9ca72672ac8d7f2c875dee0c82b94e9bbaaf663bb7b8

Download Submit
C:\Temp\bwuomgeywrojhbzt.exe

Filesize
361KB

MD5
9e47e02ae610a953f54ae636d673ac6f

SHA1
017f292ef97fed3665c40f81a0a90fdce6a37c00

SHA256
568320c715b5a79381ebbd958fafad696d54740336388b468f0e8bc844dd20c1

SHA512
25814cb5b824cea03dc4ebd72bc9f0225ee77d4c7a22c05d45093de1c71a6e9e4a5d6e076b38302b21a64a771846bbd99eb02ab58d7ea96ced1ea6faf200b0f4

Download Submit
C:\Temp\ezwrojhbzt.exe

Filesize
361KB

MD5
2809c8e3a30371dc637c6a43db2485a4

SHA1
85e30816e7ca8cf2079ca44879dfbc70fc378fac

SHA256
c7ae45548cdf8e5d7f057e1cd28fbf79d928b0effcc2ef4cbb84b3191de66b82

SHA512
6e9f19dc62353f6589753722e0011b80de90487e4268d5839e5c0e773a60609151d0c67320232e2301a407fb9eb3898ddf27c56346bd1414a1efe88b1f12eb5c

Download Submit
C:\Temp\hbzurmkecw.exe

Filesize
278KB

MD5
a25a48512639b2a5448204aa26e71324

SHA1
88760d0ff4cfbca9b3651717abbf03d67e3b20e5

SHA256
0525b62d4e5681c1965997d2c4eb600b72fcdf6b4a2d86d7e0e1c2c653a602ba

SHA512
4525bfdd94c85928d86936d73cb6f1431322482aef0f5887b07b069cf082a45a5a1287dfe7e1c4bc07bffd6f74b565fdb420f4278248ce6dbcdc4f448f41ab0a

Download Submit
C:\Temp\hbzurmkecw.exe

Filesize
361KB

MD5
9485836cf19c0dab0e2c5c47ad32e1db

SHA1
9a29aa7f8097d1c1d718c0e7f9ee66f6b248ace3

SHA256
93ad6d55418dca1625a809dcf8e5a9eb681672fedf0e685aed4fc49b1281e8bc

SHA512
dd76d5fa8060710a02ecf7f3508e5ba16531f27f71028e94846bb2eb67564999379742ab295424ffe61d395ecc9ae642346ae8718834fc3a77bc60db9f25a97e

Download Submit
C:\Temp\i_hbzurmkecw.exe

Filesize
361KB

MD5
e45ef1df5cbfabc59a60ea47233306f5

SHA1
5b667ba35ce732be585499c47a7faf44d6024740

SHA256
39d4f184c9e609c837dfd356707e97d9eae6f1828c3f4748ef3cf7e50455883e

SHA512
1fec56b0256defae99baaebc24bee151b6a6ef38f511e737ce19eae85eab655153853b24d679c20377b093a255ecb8f042e42a31c3d3dfd1d18356796772de14

Download Submit
C:\Temp\i_jdbwtomgey.exe

Filesize
361KB

MD5
014ea6f4b4ded0a8ce9989c986433428

SHA1
8c282a9de053718521b20ba585c2463605ad4623

SHA256
b99ba82738a5158118e0f9585df40e0696ddaf3c6c265bdb5c7b5faa6948a232

SHA512
7cd0bebb639e6c9f887d46343338a9b4505fb4e6518fae09f9a6831819386da38d88d7bfb1d73c772b5204c76002539d20e401fc6dab563dcdeb2a66c411fa54

Download Submit
C:\Temp\i_kfcxvpnhfz.exe

Filesize
361KB

MD5
b73f3151d8cce608aaf5c4ae8f047162

SHA1
fef4ad5b70a4637c187d3b5eb2801b1fa0e607df

SHA256
b53d2dc09aa898265e171dc6492bce50d3b7d8d9607c9204f9642d0b13550f40

SHA512
7e07b3a3919a613fa2d1c2a0fd5a58b1ad89f2d723b92ff2f251e17ab8a83677a2f15acbf0a57085dda540989156bbe6fecd2fc7d3b6ed2726c9c84cf58cde8a

Download Submit
C:\Temp\i_nhfzxrpkhc.exe

Filesize
361KB

MD5
e55ed1ffb5d96aeefad3d37be91b6f6c

SHA1
fdc47c18198ab6ad60e112d63b411a2a4a76cbe9

SHA256
4e631cfff7901d6f366f66aaa67bf3875bfa53eded5cade2e9c41e035fc03f3d

SHA512
6a592ff461ce21c084ea64feb30467ac1630b59270ea0e99643889fec5e312109ce6c0cc9a12b92c13bb5cbc91c04a10ee02509dd3ebfc2ad914b6e031736f7e

Download Submit
C:\Temp\i_nlfdxvpnif.exe

Filesize
361KB

MD5
10724c82d5e145d9aecaee2af940283e

SHA1
c26d402a8cc069cf6c5dcb9dfd1364da59bca836

SHA256
d8141dda061609e9f91bf812be23e676fed50177b251cc1e8fe301ffc98830c9

SHA512
af3812746709490c091176111a6eeb7d585109aae800b5f4497e1f3c5304ffabd5018c00f1c89840af98371b377f366f1de73a1a91a4f22191821decb892320a

Download Submit
C:\Temp\i_qnigaysqki.exe

Filesize
361KB

MD5
38b34c1d0345aaccceb97907a5575ec9

SHA1
cfe8c89df23aef954b0ccfec156302cacd50047b

SHA256
3e69b905383119fb30aa1cb04829889327604617da23dfd05e79cca398e72005

SHA512
d20dd94d852c8a39f0898799656478240ef12d4a823d45503f4d16c1f8fbe5e91104e6db52bc6f81fbf8a02e69a3b472fa03e9b19a00d79ae7fe9f3d79a84688

Download Submit
C:\Temp\i_tolgeywqoi.exe

Filesize
361KB

MD5
da0f1f4797a8ecad777f23a47ef7c12d

SHA1
866bcca5878125d0692baec33944ee5a5b8d634c

SHA256
697502782010f9cb2fd0a36e1af9511208844fc9a25786f36a938943f63b611f

SHA512
4e39fcbe9ad5af8ac3f63e9ab50405387b7f46b219cae613fbfd675ad472ff8761f4c0782f710833288c140023ebd446ed61670ac93815bb9c2a6da8ac2c992e

Download Submit
C:\Temp\i_tolgeywqoi.exe

Filesize
287KB

MD5
d03a34d58dd29f1e2530a9d346e55b3f

SHA1
997ffa5ce03ea22b609ad213927e2ce583dd9c50

SHA256
a26812ece93f130e24b71b2961e9aea316c8961393f04d4d5d783dc2348a8784

SHA512
84a656c492b245ae2d21a0171ef99ce5edb676b9c838833218ec44e93489fa85a36da1424235fa78b8056fa7651b6aa538772133b97f86d4bf0f58f7d4441399

Download Submit
C:\Temp\i_vtolgdywqo.exe

Filesize
361KB

MD5
1d8d1178dc9eb1149ea68a0f38e6b8fa

SHA1
55d132809d5bbdabd258f6c775033696e8d19e93

SHA256
bd0152017e908b80933eecc4eb42d31d05942caf15c0f301f9d6042417dd712d

SHA512
a81b54151f62774294c664a8f0f91770420d829cdd6b009d9a113741b107c66ceb1d89a2cea50e903939cca24de8e927a9c438771048e36b6439a3926ffa29cf

Download Submit
C:\Temp\jdbwtomgey.exe

Filesize
361KB

MD5
9ba2d306e236e0132b7012208b6085a2

SHA1
dc59d61d6a0a2416346f9af1d99dd1c7e95292a3

SHA256
c606b0e9ea1c98265471c772a7d92d4c48f45af2acd3e7798051fa7eee1e64a2

SHA512
fdcf66b4d92fc01e10f9884e7d12c027255278c44527e522c7bca8233887514e6e7b35fe7cd8ce2743b1f2ba329e2f9fec5e18d0fbcb1b5b913862b25007e8f8

Download Submit
C:\Temp\kfcxvpnhfz.exe

Filesize
361KB

MD5
416d8ab564e8fbb68488b8775a2816fe

SHA1
5e4400225329efc69a31692dcd008d90abdc2af3

SHA256
9b01c614943456096f2f32da679686568429568afda76bd660a78d098fd6ba05

SHA512
8ae6a4f2272f6f565c65aa1db664c7fc8811a734996ab5f1163d4dac94bef66c73621821d205c863b82ed7815d4080d55af6d8e5a5d8e1e40ae10b66888af0b1

Download Submit
C:\Temp\nhfzxrpkhc.exe

Filesize
361KB

MD5
a0c17860b788f0d8ff1e762f7e91c649

SHA1
6a0c1c1e6fbfe7b05babbe34c2abc7b2bcde0915

SHA256
41a6c0be3bce1c8d62f4cb2470736d27e2e4f65f878d17cf7162c8bc393ebcf5

SHA512
0109625c2bbf086699a86c423518d9541ffe1323d10e57c08353d7d21515e57b188b654b33411737d6b77c51653990ac121aa4afc26f8c486080d672983c7d5c

Download Submit
C:\Temp\nlfdxvpnif.exe

Filesize
361KB

MD5
17298866647e1a329981fc9fde309238

SHA1
401f873772b3b78d4a3718f859c35b46c4ff4c57

SHA256
ef25a3e195379ceb246d0a21d525b25df7684f58fedc03fba99837c3a148581d

SHA512
fcb5d77f738a04746f963b3317d301224d2908c821e62883e7240c9a0eb2f3b9b99021b3df0f157b270175498d0746e3a96faae27332782987e8fd2329a718ff

Download Submit
C:\Temp\qnigaysqki.exe

Filesize
361KB

MD5
f16b32b902994be6b2c4c45cfdb4f09a

SHA1
e70df3bbdddfb9662d90d571e100b9d008a0fd67

SHA256
cd43c50f620a35e0798c2c32dc754572930e89262e0a1cf5acceee9af4e5db45

SHA512
8cee737843ffad9771cd6b08fe24e7564822e286218e98760b7c671f58fa36cf26866ca291e66976a78f3fd6846a91f502a5daac0da51da96d01435ef53fc29f

Download Submit
C:\Temp\tolgeywqoi.exe

Filesize
361KB

MD5
c47b131d3f3ce7247d98e01bf0823d84

SHA1
acb23ce9534da7a2bc8634f9b9a301fd96fc58e1

SHA256
755acca56bc7d8ad208c5524d1facf2f860a1335b3010c06518c620bd56bbd96

SHA512
7a6a86f484aa0aed4949fee410afec686b9eea0a5124e5892d4377f16735b6e85787cd45b6836621d99f6cf20360438bb1913eaa9b5f500ce8600301e3ca429a

Download Submit
C:\Temp\vtolgdywqo.exe

Filesize
361KB

MD5
409a642494e8ff1f569fc5f7fa5009d5

SHA1
f4979ec1586cbe25c174a627a31212b99001efa0

SHA256
42596914865382afb8b9679b25639cb858f77e12550eef35f1120ab384e746b4

SHA512
23d102a29178f4a115c60ad2f6fc6bf6728763cb9339e7e8426ba7dba8cfbdd28d3af17bc290133c8efa98350dfea70dd24a729b9aa700fb4a2e0c0a7d6618d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSO8CY24\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit