34cc21fabd4a36d41d9e459c4cf44bd1eb25c4f9e51218b0541af651d2af1727

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28994693ade9db70de17977833dff062.exe
Size

361KB
MD5

28994693ade9db70de17977833dff062
SHA1

385c53253f7e3f2727964633b11181612ac8607d
SHA256

34cc21fabd4a36d41d9e459c4cf44bd1eb25c4f9e51218b0541af651d2af1727
SHA512

f8f1a6d6daadfdc0ee03bbc171ab362c891dd21ac391f66bf9e4b49bbb229c4eccada6a7294bd622fdab071c01059379074c89de21fe48c91fbfa30c575287f2
SSDEEP

6144:HflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:HflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4524	zwrpjhbztrmjebwu.exe
1912	CreateProcess.exe
2576	jhbzurmjwu.exe
808	CreateProcess.exe
3608	CreateProcess.exe
4976	i_jhbzurmjwu.exe
3056	CreateProcess.exe
4992	tomgeywqoj.exe
964	CreateProcess.exe
3040	CreateProcess.exe
3384	i_tomgeywqoj.exe
3512	CreateProcess.exe
2584	rlgdywqoig.exe
4280	CreateProcess.exe
4204	CreateProcess.exe
1192	i_rlgdywqoig.exe
2668	CreateProcess.exe
5080	igaysqkida.exe
4368	CreateProcess.exe
4504	CreateProcess.exe
3272	i_igaysqkida.exe
5088	CreateProcess.exe
808	nicavsnlfd.exe
2576	CreateProcess.exe
1008	CreateProcess.exe
100	i_nicavsnlfd.exe
1376	CreateProcess.exe
384	icausmkfcx.exe
1692	CreateProcess.exe
3576	CreateProcess.exe
2316	i_icausmkfcx.exe
1920	CreateProcess.exe
3968	czusmkecxu.exe
4580	CreateProcess.exe
2264	CreateProcess.exe
4280	i_czusmkecxu.exe
1144	CreateProcess.exe
2696	zurmkecwuo.exe
1500	CreateProcess.exe
664	CreateProcess.exe
2244	i_zurmkecwuo.exe
2976	CreateProcess.exe
1148	bztrmjebzu.exe
4520	CreateProcess.exe
2372	CreateProcess.exe
4560	i_bztrmjebzu.exe
3484	CreateProcess.exe
1292	bwuomgeywr.exe
5036	CreateProcess.exe
912	CreateProcess.exe
3780	i_bwuomgeywr.exe
1164	CreateProcess.exe
2024	ytqljdbvto.exe
4372	CreateProcess.exe
8	CreateProcess.exe
964	i_ytqljdbvto.exe
2168	CreateProcess.exe
1084	vtnlgdyvqo.exe
2916	CreateProcess.exe
3576	CreateProcess.exe
4736	i_vtnlgdyvqo.exe
1552	CreateProcess.exe
2648	aysqkidavt.exe
3968	CreateProcess.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4588	ipconfig.exe
3808	ipconfig.exe
4588	ipconfig.exe
744	ipconfig.exe
1912	ipconfig.exe
2236	ipconfig.exe
3888	ipconfig.exe
3888	ipconfig.exe
808	ipconfig.exe
948	ipconfig.exe
4964	ipconfig.exe
2244	ipconfig.exe
4308	ipconfig.exe
4976	ipconfig.exe
4888	ipconfig.exe
3444	ipconfig.exe
1912	ipconfig.exe
2244	ipconfig.exe
5008	ipconfig.exe
4680	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "864159935"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078367"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078367"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410348418"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "861191548"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "864159935"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d000fe33df37da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "861347344"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015a2f750fe9ee1479ecf0c8cfb11934c0000000002000000000010660000000100002000000021e9d6dd1633f9bc9dc2bd33016d87456bf9022becfb699910039f504bdea681000000000e80000000020000200000008e45cae328ac0d74aa1019056ae6362c5b0a46b9e0728e87b9922e8c07b6837c200000008e5d9b66c4033fb3dcf77f64233121acf123d8fc71491958d9f13542b5d1cb30400000007e8488d127e1577a650c3cce1dd6adb785921d90da3bd2544c82d0dd88f7f2ede007401078965dfbee739e616d1fdcb7a153a2d438e2767eee17c4a1a710266c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078367"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078367"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015a2f750fe9ee1479ecf0c8cfb11934c00000000020000000000106600000001000020000000ef9ce8771a7a2d0a53cbd1b78bebf5b34d42509f75ada049a1ef5a9257549358000000000e80000000020000200000009251cb40ba5d6edcea98001e6f72e78cf0870935cf72392f4fbceeabce9a513a200000001c8b4a2634534613b6efa59a245f8edd92d74ed00071bcd116c1d9d881d8c01a4000000078d67ffe6606a875cccb0fe766dc97da7b63d90cffa780fed76e215a42b4300954218f20c1fafba26cfde04dc12ecb5dabe75bd395729a481da87d6be7e9d10c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d01ef933df37da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5EC9D204-A3D2-11EE-A0B6-DAD4CCDE76B8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
4524	zwrpjhbztrmjebwu.exe
4524	zwrpjhbztrmjebwu.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
4524	zwrpjhbztrmjebwu.exe
4524	zwrpjhbztrmjebwu.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
4524	zwrpjhbztrmjebwu.exe
4524	zwrpjhbztrmjebwu.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
4524	zwrpjhbztrmjebwu.exe
4524	zwrpjhbztrmjebwu.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
4524	zwrpjhbztrmjebwu.exe
4524	zwrpjhbztrmjebwu.exe
832	28994693ade9db70de17977833dff062.exe
832	28994693ade9db70de17977833dff062.exe
4524	zwrpjhbztrmjebwu.exe
4524	zwrpjhbztrmjebwu.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	i_jhbzurmjwu.exe
Token: SeDebugPrivilege	3384	i_tomgeywqoj.exe
Token: SeDebugPrivilege	1192	i_rlgdywqoig.exe
Token: SeDebugPrivilege	3272	i_igaysqkida.exe
Token: SeDebugPrivilege	100	i_nicavsnlfd.exe
Token: SeDebugPrivilege	2316	i_icausmkfcx.exe
Token: SeDebugPrivilege	4280	i_czusmkecxu.exe
Token: SeDebugPrivilege	2244	i_zurmkecwuo.exe
Token: SeDebugPrivilege	4560	i_bztrmjebzu.exe
Token: SeDebugPrivilege	3780	i_bwuomgeywr.exe
Token: SeDebugPrivilege	964	i_ytqljdbvto.exe
Token: SeDebugPrivilege	4736	i_vtnlgdyvqo.exe
Token: SeDebugPrivilege	3432	i_aysqkidavt.exe
Token: SeDebugPrivilege	1924	i_aysqkidavs.exe
Token: SeDebugPrivilege	1544	i_xspkhcausm.exe
Token: SeDebugPrivilege	396	i_pkhcausmke.exe
Token: SeDebugPrivilege	3016	i_rpjhczusmk.exe
Token: SeDebugPrivilege	2024	i_rpjhbztrmj.exe
Token: SeDebugPrivilege	1528	i_omgeywqojg.exe
Token: SeDebugPrivilege	4160	i_oigbytrljd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2256	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2256	iexplore.exe
2256	iexplore.exe
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 4524	832	28994693ade9db70de17977833dff062.exe	90
PID 832 wrote to memory of 4524	832	28994693ade9db70de17977833dff062.exe	90
PID 832 wrote to memory of 4524	832	28994693ade9db70de17977833dff062.exe	90
PID 832 wrote to memory of 2256	832	28994693ade9db70de17977833dff062.exe	91
PID 832 wrote to memory of 2256	832	28994693ade9db70de17977833dff062.exe	91
PID 2256 wrote to memory of 1520	2256	iexplore.exe	92
PID 2256 wrote to memory of 1520	2256	iexplore.exe	92
PID 2256 wrote to memory of 1520	2256	iexplore.exe	92
PID 4524 wrote to memory of 1912	4524	zwrpjhbztrmjebwu.exe	93
PID 4524 wrote to memory of 1912	4524	zwrpjhbztrmjebwu.exe	93
PID 4524 wrote to memory of 1912	4524	zwrpjhbztrmjebwu.exe	93
PID 2576 wrote to memory of 808	2576	jhbzurmjwu.exe	96
PID 2576 wrote to memory of 808	2576	jhbzurmjwu.exe	96
PID 2576 wrote to memory of 808	2576	jhbzurmjwu.exe	96
PID 4524 wrote to memory of 3608	4524	zwrpjhbztrmjebwu.exe	99
PID 4524 wrote to memory of 3608	4524	zwrpjhbztrmjebwu.exe	99
PID 4524 wrote to memory of 3608	4524	zwrpjhbztrmjebwu.exe	99
PID 4524 wrote to memory of 3056	4524	zwrpjhbztrmjebwu.exe	103
PID 4524 wrote to memory of 3056	4524	zwrpjhbztrmjebwu.exe	103
PID 4524 wrote to memory of 3056	4524	zwrpjhbztrmjebwu.exe	103
PID 4992 wrote to memory of 964	4992	tomgeywqoj.exe	105
PID 4992 wrote to memory of 964	4992	tomgeywqoj.exe	105
PID 4992 wrote to memory of 964	4992	tomgeywqoj.exe	105
PID 4524 wrote to memory of 3040	4524	zwrpjhbztrmjebwu.exe	108
PID 4524 wrote to memory of 3040	4524	zwrpjhbztrmjebwu.exe	108
PID 4524 wrote to memory of 3040	4524	zwrpjhbztrmjebwu.exe	108
PID 4524 wrote to memory of 3512	4524	zwrpjhbztrmjebwu.exe	110
PID 4524 wrote to memory of 3512	4524	zwrpjhbztrmjebwu.exe	110
PID 4524 wrote to memory of 3512	4524	zwrpjhbztrmjebwu.exe	110
PID 2584 wrote to memory of 4280	2584	rlgdywqoig.exe	112
PID 2584 wrote to memory of 4280	2584	rlgdywqoig.exe	112
PID 2584 wrote to memory of 4280	2584	rlgdywqoig.exe	112
PID 4524 wrote to memory of 4204	4524	zwrpjhbztrmjebwu.exe	115
PID 4524 wrote to memory of 4204	4524	zwrpjhbztrmjebwu.exe	115
PID 4524 wrote to memory of 4204	4524	zwrpjhbztrmjebwu.exe	115
PID 4524 wrote to memory of 2668	4524	zwrpjhbztrmjebwu.exe	117
PID 4524 wrote to memory of 2668	4524	zwrpjhbztrmjebwu.exe	117
PID 4524 wrote to memory of 2668	4524	zwrpjhbztrmjebwu.exe	117
PID 5080 wrote to memory of 4368	5080	igaysqkida.exe	119
PID 5080 wrote to memory of 4368	5080	igaysqkida.exe	119
PID 5080 wrote to memory of 4368	5080	igaysqkida.exe	119
PID 4524 wrote to memory of 4504	4524	zwrpjhbztrmjebwu.exe	124
PID 4524 wrote to memory of 4504	4524	zwrpjhbztrmjebwu.exe	124
PID 4524 wrote to memory of 4504	4524	zwrpjhbztrmjebwu.exe	124
PID 4524 wrote to memory of 5088	4524	zwrpjhbztrmjebwu.exe	126
PID 4524 wrote to memory of 5088	4524	zwrpjhbztrmjebwu.exe	126
PID 4524 wrote to memory of 5088	4524	zwrpjhbztrmjebwu.exe	126
PID 808 wrote to memory of 2576	808	nicavsnlfd.exe	128
PID 808 wrote to memory of 2576	808	nicavsnlfd.exe	128
PID 808 wrote to memory of 2576	808	nicavsnlfd.exe	128
PID 4524 wrote to memory of 1008	4524	zwrpjhbztrmjebwu.exe	131
PID 4524 wrote to memory of 1008	4524	zwrpjhbztrmjebwu.exe	131
PID 4524 wrote to memory of 1008	4524	zwrpjhbztrmjebwu.exe	131
PID 4524 wrote to memory of 1376	4524	zwrpjhbztrmjebwu.exe	134
PID 4524 wrote to memory of 1376	4524	zwrpjhbztrmjebwu.exe	134
PID 4524 wrote to memory of 1376	4524	zwrpjhbztrmjebwu.exe	134
PID 384 wrote to memory of 1692	384	icausmkfcx.exe	136
PID 384 wrote to memory of 1692	384	icausmkfcx.exe	136
PID 384 wrote to memory of 1692	384	icausmkfcx.exe	136
PID 4524 wrote to memory of 3576	4524	zwrpjhbztrmjebwu.exe	139
PID 4524 wrote to memory of 3576	4524	zwrpjhbztrmjebwu.exe	139
PID 4524 wrote to memory of 3576	4524	zwrpjhbztrmjebwu.exe	139
PID 4524 wrote to memory of 1920	4524	zwrpjhbztrmjebwu.exe	141
PID 4524 wrote to memory of 1920	4524	zwrpjhbztrmjebwu.exe	141

C:\Users\Admin\AppData\Local\Temp\28994693ade9db70de17977833dff062.exe
"C:\Users\Admin\AppData\Local\Temp\28994693ade9db70de17977833dff062.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:832
- C:\Temp\zwrpjhbztrmjebwu.exe
  C:\Temp\zwrpjhbztrmjebwu.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jhbzurmjwu.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1912
  - - C:\Temp\jhbzurmjwu.exe
      C:\Temp\jhbzurmjwu.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:808
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4964
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jhbzurmjwu.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3608
  - - C:\Temp\i_jhbzurmjwu.exe
      C:\Temp\i_jhbzurmjwu.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4976
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tomgeywqoj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3056
  - - C:\Temp\tomgeywqoj.exe
      C:\Temp\tomgeywqoj.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:964
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4680
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tomgeywqoj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3040
  - - C:\Temp\i_tomgeywqoj.exe
      C:\Temp\i_tomgeywqoj.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3384
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rlgdywqoig.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3512
  - - C:\Temp\rlgdywqoig.exe
      C:\Temp\rlgdywqoig.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4280
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3444
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rlgdywqoig.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4204
  - - C:\Temp\i_rlgdywqoig.exe
      C:\Temp\i_rlgdywqoig.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1192
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\igaysqkida.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2668
  - - C:\Temp\igaysqkida.exe
      C:\Temp\igaysqkida.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5080
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4368
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2244
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_igaysqkida.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4504
  - - C:\Temp\i_igaysqkida.exe
      C:\Temp\i_igaysqkida.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3272
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nicavsnlfd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:5088
  - - C:\Temp\nicavsnlfd.exe
      C:\Temp\nicavsnlfd.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:808
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2576
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1912
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nicavsnlfd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1008
  - - C:\Temp\i_nicavsnlfd.exe
      C:\Temp\i_nicavsnlfd.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:100
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icausmkfcx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1376
  - - C:\Temp\icausmkfcx.exe
      C:\Temp\icausmkfcx.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1692
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2236
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_icausmkfcx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3576
  - - C:\Temp\i_icausmkfcx.exe
      C:\Temp\i_icausmkfcx.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2316
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\czusmkecxu.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1920
  - - C:\Temp\czusmkecxu.exe
      C:\Temp\czusmkecxu.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3968
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4580
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3888
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_czusmkecxu.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2264
  - - C:\Temp\i_czusmkecxu.exe
      C:\Temp\i_czusmkecxu.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4280
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zurmkecwuo.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1144
  - - C:\Temp\zurmkecwuo.exe
      C:\Temp\zurmkecwuo.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2696
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1500
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4588
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zurmkecwuo.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:664
  - - C:\Temp\i_zurmkecwuo.exe
      C:\Temp\i_zurmkecwuo.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2244
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bztrmjebzu.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2976
  - - C:\Temp\bztrmjebzu.exe
      C:\Temp\bztrmjebzu.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1148
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4520
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4308
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bztrmjebzu.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2372
  - - C:\Temp\i_bztrmjebzu.exe
      C:\Temp\i_bztrmjebzu.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4560
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bwuomgeywr.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3484
  - - C:\Temp\bwuomgeywr.exe
      C:\Temp\bwuomgeywr.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1292
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:5036
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bwuomgeywr.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:912
  - - C:\Temp\i_bwuomgeywr.exe
      C:\Temp\i_bwuomgeywr.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3780
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ytqljdbvto.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1164
  - - C:\Temp\ytqljdbvto.exe
      C:\Temp\ytqljdbvto.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2024
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4372
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4976
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ytqljdbvto.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:8
  - - C:\Temp\i_ytqljdbvto.exe
      C:\Temp\i_ytqljdbvto.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:964
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vtnlgdyvqo.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2168
  - - C:\Temp\vtnlgdyvqo.exe
      C:\Temp\vtnlgdyvqo.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1084
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2916
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3808
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vtnlgdyvqo.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3576
  - - C:\Temp\i_vtnlgdyvqo.exe
      C:\Temp\i_vtnlgdyvqo.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4736
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\aysqkidavt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1552
  - - C:\Temp\aysqkidavt.exe
      C:\Temp\aysqkidavt.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2648
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3968
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3888
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_aysqkidavt.exe ups_ins
    3⤵
    PID:4812
  - - C:\Temp\i_aysqkidavt.exe
      C:\Temp\i_aysqkidavt.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3432
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\aysqkidavs.exe ups_run
    3⤵
    PID:3936
  - - C:\Temp\aysqkidavs.exe
      C:\Temp\aysqkidavs.exe ups_run
      4⤵
      PID:1168
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4204
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4588
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_aysqkidavs.exe ups_ins
    3⤵
    PID:4468
  - - C:\Temp\i_aysqkidavs.exe
      C:\Temp\i_aysqkidavs.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1924
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xspkhcausm.exe ups_run
    3⤵
    PID:2844
  - - C:\Temp\xspkhcausm.exe
      C:\Temp\xspkhcausm.exe ups_run
      4⤵
      PID:2504
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4356
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2244
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xspkhcausm.exe ups_ins
    3⤵
    PID:1392
  - - C:\Temp\i_xspkhcausm.exe
      C:\Temp\i_xspkhcausm.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1544
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pkhcausmke.exe ups_run
    3⤵
    PID:3228
  - - C:\Temp\pkhcausmke.exe
      C:\Temp\pkhcausmke.exe ups_run
      4⤵
      PID:4820
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3580
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4888
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pkhcausmke.exe ups_ins
    3⤵
    PID:4516
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rpjhczusmk.exe ups_run
    3⤵
    PID:1052
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rpjhczusmk.exe ups_ins
    3⤵
    PID:4896
  - - C:\Temp\i_rpjhczusmk.exe
      C:\Temp\i_rpjhczusmk.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3016
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rpjhbztrmj.exe ups_run
    3⤵
    PID:100
  - - C:\Temp\rpjhbztrmj.exe
      C:\Temp\rpjhbztrmj.exe ups_run
      4⤵
      PID:3780
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:912
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:5008
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rpjhbztrmj.exe ups_ins
    3⤵
    PID:4372
  - - C:\Temp\i_rpjhbztrmj.exe
      C:\Temp\i_rpjhbztrmj.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2024
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\omgeywqojg.exe ups_run
    3⤵
    PID:1308
  - - C:\Temp\omgeywqojg.exe
      C:\Temp\omgeywqojg.exe ups_run
      4⤵
      PID:1824
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:32
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:948
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_omgeywqojg.exe ups_ins
    3⤵
    PID:3052
  - - C:\Temp\i_omgeywqojg.exe
      C:\Temp\i_omgeywqojg.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1528
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\oigbytrljd.exe ups_run
    3⤵
    PID:2712
  - - C:\Temp\oigbytrljd.exe
      C:\Temp\oigbytrljd.exe ups_run
      4⤵
      PID:4056
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3428
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:744
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_oigbytrljd.exe ups_ins
    3⤵
    PID:2168
  - - C:\Temp\i_oigbytrljd.exe
      C:\Temp\i_oigbytrljd.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4160
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1520

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1912

C:\Temp\i_pkhcausmke.exe
C:\Temp\i_pkhcausmke.exe ups_ins
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Temp\rpjhczusmk.exe
C:\Temp\rpjhczusmk.exe ups_run
1⤵
PID:1732
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  PID:1812

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
33185cd69709a7cefb3a8556bacbb818

SHA1
055f7a66713cd8888c5930c4c9d1eac74f42aa47

SHA256
91a5ecac33a789babec8d5d393e4e0e9ae0632d5cd7a195dd5cea8962abaa6f3

SHA512
db85161003114571d871e4f87761416b347677ecbe436db7b37cf4e027fa9a57b854006b3a0cafe478f4f1bd991ac398e6794e87968802606447b8c8f37f2fc8

Download Submit
C:\Temp\bztrmjebzu.exe

Filesize
361KB

MD5
c16527fe62f02dc0b480fdb63188c621

SHA1
ede91aa70fb7b140fd538c62b9c9b19aad8bc8f7

SHA256
c86b0b7252a90fc7f8f65766e74ddea7f9f566fd7e1b2896ecedf499e1cf48f9

SHA512
55044fac42b97e1abc4f717cfacefc848b4d2264ee37968684df7cccf9de42ffa5d5ab5f6873b6ba013d09e8001cd374d393c3d0ddce975b81a251e57ca199ee

Download Submit
C:\Temp\czusmkecxu.exe

Filesize
361KB

MD5
b0f879020c55b36043f2797b264fffa3

SHA1
5a390ba13763f6e8af40d476b504ea808150ba19

SHA256
e55ad31b40b51cc0c0ff28f7ad90150948aaf6c19c846c9b40c3a571025e5e32

SHA512
fed8c07088f4c04352197c8aa152fdb6e168ffdae4d0758557b63901643695ebab50a2ef4b2136bdc13e2c6636c323b36e0172b5f67fcca16f03d569cec085bd

Download Submit
C:\Temp\i_czusmkecxu.exe

Filesize
361KB

MD5
e52b54f7158f4cd3459fa71d3fbd40fe

SHA1
89639260ef98672712f309db3326bb6240e86355

SHA256
a4792b32e48c8ecf6807b490c7a00db153d3216b9d0b5d022826473d32df0785

SHA512
5aed705bfe636f639f75d6eee017082d9e190a8967d4f7403bb906ef69d9d4ed1a7fde6d11775afec88361968b47a1a2230d3a4cb44c4d852da58ef9b2a46641

Download Submit
C:\Temp\i_icausmkfcx.exe

Filesize
361KB

MD5
a56f27e002531e1b3763ed5f6d429613

SHA1
9f05dcac0fd9ed1f9cabec31ba057e36a129f94b

SHA256
702ec6c2b8cc21bdd19efcf63161451c8b33d116317f6090fbf54572477c21bb

SHA512
c3676e74d6e50a522eff3cfa657fe29818b892b3b6943dd2d0e993c6c4030ffcc66d7145e5968c3d45dd663e9e832d0fd33a73d54e0a3453e3a9f95730e002a1

Download Submit
C:\Temp\i_igaysqkida.exe

Filesize
361KB

MD5
ce053f80666a89f72d748442c25f1206

SHA1
391ad6e18489b6e2d1bc2e6ad53b83b77c10c35c

SHA256
cfab27f566bc4881f33df2919d6f5f53e5c6e809ae2d07febf5b4bd3b97df060

SHA512
9240429ce10c163df00990182ca70f33a3ab2e0c89381bbb6ccda5b695561afd7593c8464c9bc1c7fdbb23597af1bf3df9726e87b24c3f8ca9a2e48bc7e5d2c3

Download Submit
C:\Temp\i_jhbzurmjwu.exe

Filesize
361KB

MD5
2941ef6e58faab458648c1f952016d78

SHA1
c2ca1f1400b374123bc26baddaa0dbdee88dee64

SHA256
a08d78653d26c8513ce06ba2302e267b8e9b5c235b364c0e31d2d6fbb591da04

SHA512
e800437c838335e075fd70c40bd0d8f91bf9edc5f498d9c1c1a2d674df92682d7cd7c2eed71300a0183a87c4e5de58c3f9f944ee5bfdba1e4d4fbb45236ba7d5

Download Submit
C:\Temp\i_nicavsnlfd.exe

Filesize
361KB

MD5
db899d51f4895a6d060941d7aafbb8cc

SHA1
e632f61edf042972104e4a940bf31075374c7723

SHA256
50b49346574fdbb62445384abfc1807a19449fe50c1851ed7c13316137251544

SHA512
81ca454aaac08806cd2e454354c797638188b36ad5b7884010157a5662fa90489db5345e081b2fc0695c45bc8e2a36f53aa6a29a8899f62e1c01118d39eb6ca1

Download Submit
C:\Temp\i_rlgdywqoig.exe

Filesize
361KB

MD5
d47266d60a50f57d373d88d1d82630f4

SHA1
358555f50e1b66b384ed9387017616b3ee839272

SHA256
9fc416c0481d02d63dfea9cf25ef8dd73f270efc88a783b5961245ce7aacca7e

SHA512
b1dc059ee5cf650a04c9dda7bc229dbb6fede391113b8c0b05846411de4e2f12513cfee166c03909b662ca522c8c8a145a972663a9d74a42478094712cbf1ed0

Download Submit
C:\Temp\i_tomgeywqoj.exe

Filesize
361KB

MD5
425ca7de15d1044e1c748161ba8da78e

SHA1
80547a15ff93d57dcf63e2f37614657ae0368f3b

SHA256
67017609ec79d94f51d05e1eb321aa6da2d2a28966d4b01c4dcdd8029cb76af1

SHA512
c6abdb613a4980baa7ead0c6e0df4ebc046a86dc9abd20e7765badea9e0e9d88823b2fa47032c8d73fe9e4dedb808682aaeb536d44a0b9a2770777cbdb68bdd7

Download Submit
C:\Temp\i_zurmkecwuo.exe

Filesize
361KB

MD5
915266765a8694a7a6cd0ed1dfc8153c

SHA1
23207ecdda264a1edb7dde351cda43417894cf28

SHA256
4e666bd1b7689801401c896307c6175c38a07ac3c8ed583f6aa48544a5fc716a

SHA512
f211bf6a32ba53c51f0666f12ebeac444cc27cf2715a2ef719fe03dea3954a24ca9bd5f87d0e9041af46d6a6d465b0a98c0d67cb0cc6fc4dc4bbc0f862d33ccb

Download Submit
C:\Temp\icausmkfcx.exe

Filesize
361KB

MD5
4f9bcf2c459c23432dcd6ece475a721e

SHA1
05ef399593bbf0b401d4da77ee38b73935147348

SHA256
f8b9c4a45343a91ab0ece6ba19fde49af6e6aad953832b1093fdb8d79ccfc789

SHA512
6c57cdeea83c2f430b42d50fb96ddc791839b196d7c834a5f365706bd2b4d242468d002a5221c6dcda178094ea62e0636582728ae7f5edc76f7dcb49b3f5b549

Download Submit
C:\Temp\igaysqkida.exe

Filesize
361KB

MD5
971fef7a8e9bfb66131ccf203b397eae

SHA1
ee45f9b7019825d8614804b78be05b6d69791a43

SHA256
161b0d0647184058fbccee34d8392fe178168bcb336aa294bf0d07943d1ee133

SHA512
7877933263f625aeda53a17cbb67d1fb12fd5592de1343d68df33086d0f46a86be5d9e49a6e68fe28aa95000fb9e7287a43b1783c7b33b5c2cacfce3cc8dc785

Download Submit
C:\Temp\jhbzurmjwu.exe

Filesize
361KB

MD5
4a9d6dcf94152a0e3d94b9c43f9bc3cf

SHA1
3da4b7da09baa12635e5bc9dde3c00724ade20a0

SHA256
22bbdf688240658201f63975af273bb43f44f54140e844c20047c3c8c388ffbe

SHA512
e35efd92048b1363deef8fc727fe26fa290826d0d4535ce35552d80964e3ccba53f4da14a7e9cdc9c1ffbf785c0648f8cfdc8c01ba24fa792630f8a2d90bd374

Download Submit
C:\Temp\nicavsnlfd.exe

Filesize
361KB

MD5
6064335fb2bf7927db7de9a190ba3a0a

SHA1
15a8effec4cb54885c668fa80bf0208a533fee1f

SHA256
3a844a2ce874e417c718fce6f6dc59202ec5decdce21853d155c2acb635a59f8

SHA512
c2199301be50bd8bd68b44aa93eff0c629242ed664c72fcd8c30bd38589e1bf0a9e0c8f197e96f9c749151138c791ddf34f5b0ce40e6a556e2ece6213e3da913

Download Submit
C:\Temp\rlgdywqoig.exe

Filesize
361KB

MD5
b33ce436ffd0addbea0dd5968749fef4

SHA1
1e8d6a22c2f228eb5647b5d9d3850b2e0e6a8173

SHA256
f62fbef3c44d317dd427a3879336f2b862a3168b0ab23579b30ff170b02df90c

SHA512
9dad79bccbb6adeee86b4d2c12f8fe50efb726a666019948756904aef78fa1b37a1f2282924e8e94e6ccebe2834e49975729c8b3938faa433d1a4ee509e6f25e

Download Submit
C:\Temp\tomgeywqoj.exe

Filesize
361KB

MD5
572a4bbb52a3e433d81f17609e0223cd

SHA1
c98a4d3585d861f0b1aec1761d4f21034ac20671

SHA256
371e4a59c142faae2e4020a24cf3edd0f70f0f762353b142aef38c0e5b3898b2

SHA512
9b64da02aeaad10f7926a0e348ded0596b0fb96cc3f6cd56c7c36fcf185d97d0aaf6b10c849636e499d3b97382df90346877ff3c2f19ec626330a5b9fb355637

Download Submit
C:\Temp\zurmkecwuo.exe

Filesize
361KB

MD5
3771bb7d6f9f381be6632738fa9dabeb

SHA1
a01928f08a740570e22160fcfa9b2efb9a332c8e

SHA256
d97dbd140bc74ffecb782bbb82ffe248c56ade30e079741dbcf486bc1dfcd4e6

SHA512
53d82b3de841fdeb115bd1a9b6da0d77d49402560b65360ec9cb988af27185b0513a73c78d4aaf483a3da0e1cb5de35ab253a970e30bcaaeaf27417fbfceef67

Download Submit
C:\Temp\zwrpjhbztrmjebwu.exe

Filesize
216KB

MD5
adf0e11ddd154bea5223acab695c94a9

SHA1
2e894c83b8bb8185781f7e110829c07cbcbe633c

SHA256
7b3269990b4c8703aeb50b90acc7c114a0cd062c699c4262e32a92466103547e

SHA512
7616e0b08b41e8a67c2eb168a630acfe0bdc39402d0c68e14554daa4e489635912de7547f43ae1e16c6c2b9b2c2fb277fb351df9250ed57de153580ac4ad784f

Download Submit
C:\Temp\zwrpjhbztrmjebwu.exe

Filesize
267KB

MD5
ad8451009bbf64aa7c87d6a85b60d650

SHA1
dc1b0b97aec640bfa79e1b85c5af0083758536c2

SHA256
8c67f0a2df69de548656f6137b304bbe6246b472ab547755673369d7ea3df84b

SHA512
48193911ed10c047f4f9c42f527a6f9c521fa5881b7ccad191f6aa9cf2617581a83bcc70814a6075adf92010d0e3e31f9fbf14f4eb3f9ef2e58a0b82531260dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC96A.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSO8CY24\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit