59b2da199ec5291d95059fa13898c45a727ba353afe2f842204b1b1ee7dbe1c9

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d5813a52ed7f1abea030cfd59971ed8.exe
Size

361KB
MD5

2d5813a52ed7f1abea030cfd59971ed8
SHA1

7e9122adf50eed53b79da254f0a66eaaa3273d0c
SHA256

59b2da199ec5291d95059fa13898c45a727ba353afe2f842204b1b1ee7dbe1c9
SHA512

4dee1f7fbe5a312862982866d22b6d3f9e701b153e107ccd42f89533cc28b684b2393821bf6c0574262f53715539427949d15d4a8e9568906d51b7e141997313
SSDEEP

6144:QflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:QflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 31 IoCs

pid	Process
468	tolgdywqoigaytql.exe
2956	CreateProcess.exe
4936	pkicausnkf.exe
2696	CreateProcess.exe
3824	CreateProcess.exe
4436	i_pkicausnkf.exe
4756	CreateProcess.exe
2232	jgbztrljeb.exe
3204	CreateProcess.exe
1612	CreateProcess.exe
5032	i_jgbztrljeb.exe
3644	CreateProcess.exe
840	aysqkicavs.exe
1456	CreateProcess.exe
3244	CreateProcess.exe
2572	i_aysqkicavs.exe
2316	CreateProcess.exe
2428	kfcxvpnhfz.exe
4804	CreateProcess.exe
5088	CreateProcess.exe
1716	i_kfcxvpnhfz.exe
440	CreateProcess.exe
4072	hfzxrpjhcz.exe
3640	CreateProcess.exe
2080	CreateProcess.exe
4692	i_hfzxrpjhcz.exe
3644	CreateProcess.exe
4776	gbytrljdbv.exe
4884	CreateProcess.exe
2108	CreateProcess.exe
4172	i_gbytrljdbv.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3876	ipconfig.exe
1212	ipconfig.exe
2224	ipconfig.exe
4092	ipconfig.exe
4192	ipconfig.exe
3688	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1047863765"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 203caa58e039da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078880"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f2859d464fb564ea9e97dd009a434cc000000000200000000001066000000010000200000009af1d68c6edd3b788de2c891a6e3652d68554bade388de583ccb452ee1f61104000000000e800000000200002000000089fe87940eef7058acf6fcd11e4989f1d90ebad4991d5e6ecdcd4e0318b61be020000000f63519e8619ad94e1be161803cef9d9223c170dc6b88d84b938de739efdedd154000000020d9fe0f42486da7d448db98ff67e2d63e1d83ae52a5eff70cd06421d1f51e26710a257957d8afebe4a649b2ec6994c644202cd1b185ab5d792efbfdd554edea	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410568798"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1047863765"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f2859d464fb564ea9e97dd009a434cc00000000020000000000106600000001000020000000f2998e5b38952508c9bd97c8514062871212d4f0e6fe20e0025ddbbad3c83c47000000000e800000000200002000000054cb0bf943b8387e0f6da0741bcc279821dfb27c0ad57d0f2d0cae2708cbcca2200000008202ba37c8f64ffa42b14de7adb14f95626141066bb442c762c6ec48b4d09df4400000002a9fc21c3d727b357135482481781784c0335490f939926c53bec01f48967eb6801d47abcf5b3a5c3d80afd495bbbca6df8301a8b00033d9d970e68de12f18bf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ea2153e039da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078880"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078880"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1489114700"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{78253CE0-A5D3-11EE-BCD9-EA184F49D407} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
468	tolgdywqoigaytql.exe
468	tolgdywqoigaytql.exe
468	tolgdywqoigaytql.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
468	tolgdywqoigaytql.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
468	tolgdywqoigaytql.exe
468	tolgdywqoigaytql.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
468	tolgdywqoigaytql.exe
468	tolgdywqoigaytql.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
468	tolgdywqoigaytql.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
468	tolgdywqoigaytql.exe
468	tolgdywqoigaytql.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
468	tolgdywqoigaytql.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
468	tolgdywqoigaytql.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
468	tolgdywqoigaytql.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe
3880	2d5813a52ed7f1abea030cfd59971ed8.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	i_pkicausnkf.exe
Token: SeDebugPrivilege	5032	i_jgbztrljeb.exe
Token: SeDebugPrivilege	2572	i_aysqkicavs.exe
Token: SeDebugPrivilege	1716	i_kfcxvpnhfz.exe
Token: SeDebugPrivilege	4692	i_hfzxrpjhcz.exe
Token: SeDebugPrivilege	4172	i_gbytrljdbv.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5048	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5048	iexplore.exe
5048	iexplore.exe
1032	IEXPLORE.EXE
1032	IEXPLORE.EXE
1032	IEXPLORE.EXE
1032	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 468	3880	2d5813a52ed7f1abea030cfd59971ed8.exe	91
PID 3880 wrote to memory of 468	3880	2d5813a52ed7f1abea030cfd59971ed8.exe	91
PID 3880 wrote to memory of 468	3880	2d5813a52ed7f1abea030cfd59971ed8.exe	91
PID 3880 wrote to memory of 5048	3880	2d5813a52ed7f1abea030cfd59971ed8.exe	92
PID 3880 wrote to memory of 5048	3880	2d5813a52ed7f1abea030cfd59971ed8.exe	92
PID 468 wrote to memory of 2956	468	tolgdywqoigaytql.exe	96
PID 468 wrote to memory of 2956	468	tolgdywqoigaytql.exe	96
PID 468 wrote to memory of 2956	468	tolgdywqoigaytql.exe	96
PID 5048 wrote to memory of 1032	5048	iexplore.exe	102
PID 5048 wrote to memory of 1032	5048	iexplore.exe	102
PID 5048 wrote to memory of 1032	5048	iexplore.exe	102
PID 4936 wrote to memory of 2696	4936	pkicausnkf.exe	103
PID 4936 wrote to memory of 2696	4936	pkicausnkf.exe	103
PID 4936 wrote to memory of 2696	4936	pkicausnkf.exe	103
PID 468 wrote to memory of 3824	468	tolgdywqoigaytql.exe	108
PID 468 wrote to memory of 3824	468	tolgdywqoigaytql.exe	108
PID 468 wrote to memory of 3824	468	tolgdywqoigaytql.exe	108
PID 468 wrote to memory of 4756	468	tolgdywqoigaytql.exe	114
PID 468 wrote to memory of 4756	468	tolgdywqoigaytql.exe	114
PID 468 wrote to memory of 4756	468	tolgdywqoigaytql.exe	114
PID 2232 wrote to memory of 3204	2232	jgbztrljeb.exe	116
PID 2232 wrote to memory of 3204	2232	jgbztrljeb.exe	116
PID 2232 wrote to memory of 3204	2232	jgbztrljeb.exe	116
PID 468 wrote to memory of 1612	468	tolgdywqoigaytql.exe	120
PID 468 wrote to memory of 1612	468	tolgdywqoigaytql.exe	120
PID 468 wrote to memory of 1612	468	tolgdywqoigaytql.exe	120
PID 468 wrote to memory of 3644	468	tolgdywqoigaytql.exe	122
PID 468 wrote to memory of 3644	468	tolgdywqoigaytql.exe	122
PID 468 wrote to memory of 3644	468	tolgdywqoigaytql.exe	122
PID 840 wrote to memory of 1456	840	aysqkicavs.exe	124
PID 840 wrote to memory of 1456	840	aysqkicavs.exe	124
PID 840 wrote to memory of 1456	840	aysqkicavs.exe	124
PID 468 wrote to memory of 3244	468	tolgdywqoigaytql.exe	128
PID 468 wrote to memory of 3244	468	tolgdywqoigaytql.exe	128
PID 468 wrote to memory of 3244	468	tolgdywqoigaytql.exe	128
PID 468 wrote to memory of 2316	468	tolgdywqoigaytql.exe	130
PID 468 wrote to memory of 2316	468	tolgdywqoigaytql.exe	130
PID 468 wrote to memory of 2316	468	tolgdywqoigaytql.exe	130
PID 2428 wrote to memory of 4804	2428	kfcxvpnhfz.exe	132
PID 2428 wrote to memory of 4804	2428	kfcxvpnhfz.exe	132
PID 2428 wrote to memory of 4804	2428	kfcxvpnhfz.exe	132
PID 468 wrote to memory of 5088	468	tolgdywqoigaytql.exe	135
PID 468 wrote to memory of 5088	468	tolgdywqoigaytql.exe	135
PID 468 wrote to memory of 5088	468	tolgdywqoigaytql.exe	135
PID 468 wrote to memory of 440	468	tolgdywqoigaytql.exe	137
PID 468 wrote to memory of 440	468	tolgdywqoigaytql.exe	137
PID 468 wrote to memory of 440	468	tolgdywqoigaytql.exe	137
PID 4072 wrote to memory of 3640	4072	hfzxrpjhcz.exe	139
PID 4072 wrote to memory of 3640	4072	hfzxrpjhcz.exe	139
PID 4072 wrote to memory of 3640	4072	hfzxrpjhcz.exe	139
PID 468 wrote to memory of 2080	468	tolgdywqoigaytql.exe	142
PID 468 wrote to memory of 2080	468	tolgdywqoigaytql.exe	142
PID 468 wrote to memory of 2080	468	tolgdywqoigaytql.exe	142
PID 468 wrote to memory of 3644	468	tolgdywqoigaytql.exe	144
PID 468 wrote to memory of 3644	468	tolgdywqoigaytql.exe	144
PID 468 wrote to memory of 3644	468	tolgdywqoigaytql.exe	144
PID 4776 wrote to memory of 4884	4776	gbytrljdbv.exe	146
PID 4776 wrote to memory of 4884	4776	gbytrljdbv.exe	146
PID 4776 wrote to memory of 4884	4776	gbytrljdbv.exe	146
PID 468 wrote to memory of 2108	468	tolgdywqoigaytql.exe	149
PID 468 wrote to memory of 2108	468	tolgdywqoigaytql.exe	149
PID 468 wrote to memory of 2108	468	tolgdywqoigaytql.exe	149

C:\Users\Admin\AppData\Local\Temp\2d5813a52ed7f1abea030cfd59971ed8.exe
"C:\Users\Admin\AppData\Local\Temp\2d5813a52ed7f1abea030cfd59971ed8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Temp\tolgdywqoigaytql.exe
  C:\Temp\tolgdywqoigaytql.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pkicausnkf.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2956
  - - C:\Temp\pkicausnkf.exe
      C:\Temp\pkicausnkf.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2696
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1212
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pkicausnkf.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3824
  - - C:\Temp\i_pkicausnkf.exe
      C:\Temp\i_pkicausnkf.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4436
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jgbztrljeb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4756
  - - C:\Temp\jgbztrljeb.exe
      C:\Temp\jgbztrljeb.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3204
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2224
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jgbztrljeb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1612
  - - C:\Temp\i_jgbztrljeb.exe
      C:\Temp\i_jgbztrljeb.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5032
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\aysqkicavs.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3644
  - - C:\Temp\aysqkicavs.exe
      C:\Temp\aysqkicavs.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1456
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4092
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_aysqkicavs.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3244
  - - C:\Temp\i_aysqkicavs.exe
      C:\Temp\i_aysqkicavs.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2572
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kfcxvpnhfz.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2316
  - - C:\Temp\kfcxvpnhfz.exe
      C:\Temp\kfcxvpnhfz.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4804
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4192
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kfcxvpnhfz.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:5088
  - - C:\Temp\i_kfcxvpnhfz.exe
      C:\Temp\i_kfcxvpnhfz.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1716
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hfzxrpjhcz.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:440
  - - C:\Temp\hfzxrpjhcz.exe
      C:\Temp\hfzxrpjhcz.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3640
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3688
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hfzxrpjhcz.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2080
  - - C:\Temp\i_hfzxrpjhcz.exe
      C:\Temp\i_hfzxrpjhcz.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4692
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gbytrljdbv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3644
  - - C:\Temp\gbytrljdbv.exe
      C:\Temp\gbytrljdbv.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4776
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4884
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3876
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gbytrljdbv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2108
  - - C:\Temp\i_gbytrljdbv.exe
      C:\Temp\i_gbytrljdbv.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4172
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5048 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
e109c91aa9d769f85ef3a3eb8fc7bab2

SHA1
12bebd8b40c20dc403d5cc9d728d0889a8966f23

SHA256
f5b140fabe342cc279dcc9833efb7ff12de880cdf6d93a55c7f131274f76e829

SHA512
9c6b628c6db80814b8855852a7e5b6be55720f2affd08efbe3a9ee92a4beea7141bcb55f828aea9ee983e7b5b006360770c06f8facf7d8fc12d27c8217679a92

Download Submit
C:\Temp\aysqkicavs.exe

Filesize
361KB

MD5
4670a086c8c369df0cfd34916602cf9f

SHA1
50ed50b9061ded32e9388e856cbb09ee7af5f084

SHA256
81e3084940292d216822a1c402251f4b8fc27194427bbb4f4fd0a1ac48a12304

SHA512
3a5b209318ad6f6538a8465e06b6f160b329ba065bda9dbee95816b27b82f91d5c143de3429a47068c30b62937c44f338e48c780e50fae526c5de99f89b26543

Download Submit
C:\Temp\gbytrljdbv.exe

Filesize
361KB

MD5
3d2372232135e0ea96578443c5b53719

SHA1
78c16d5f1f0d04c32e65015ce560aa6df7dbc024

SHA256
ae7b3ae8af1f06f86812aa8af263ef4e4d13108e573b39c230cf3d109674ae7e

SHA512
dfdd9e94e84e8a324f66d5618ef756615dc77b7e33ba8065439d3fe12eed9f904ad6af45ef3fd6019ceb7919685e9e5034dca39a455a37764f06c3f1fb2071b5

Download Submit
C:\Temp\hfzxrpjhcz.exe

Filesize
361KB

MD5
b6143983ba494e3ad5febd54eb26c0c9

SHA1
85c186cf7f8fe447dd9499ae88c1dd4a10e51d3e

SHA256
fc9bef8f7dca7120e8e4825089e22045230215586cd21f645ee72ff7cc942c09

SHA512
799dfde754436ebbd3c5b4cd493c24e84879dcc16bcd9aaf2c17584ed4ad416b034803c4783ece8f2e6999c0e04d6b7187e31cf73db93ace49c7540658cd44f5

Download Submit
C:\Temp\i_aysqkicavs.exe

Filesize
361KB

MD5
8590e0f402c534c034cba958538921f9

SHA1
5ae9b5b89be2290d6a94177b20eca334804feeb6

SHA256
3d713f1b70e00fbb2b5adbf58e4abe7e4ddb0c55a4b469e2b3b75f12460b8512

SHA512
d6cb3ac088de81daef9b9e3c568bb449bc3a06a27b5b2508b852b6f05a4f990ed6ac69d83b06e004bd46a42f847f1e08b8c8c9f6c97bf18e7f3da4ac41cba959

Download Submit
C:\Temp\i_gbytrljdbv.exe

Filesize
361KB

MD5
73de8e4dfd81c5133e22396aa3353693

SHA1
cbd0975e63e0416dbcc8b3a1cb97fff5c8284058

SHA256
9229b08100191e1ba55534e1489c7839aeeb194d846cef71cf3049627bdcd00b

SHA512
7411f37394ba19fbd436f7a5a2da4ab17d93fd8a911fdbd3481dedc9d96878070b7c400e518b69ea1e16bb82a3de26e72200a2fdcf7aa7717ce3497f6feecce5

Download Submit
C:\Temp\i_hfzxrpjhcz.exe

Filesize
361KB

MD5
902c9f72862dbb71665b2acca4e64d3b

SHA1
fa99c7345ca9df0b62a0f3fbef89f890dd547522

SHA256
fdf2ea60ee3ed5bdcffd665e41a99aaf7d22a94282c811b7d2956abec0481707

SHA512
d9820f39f2cef19f74f8493b922c055d514611afb62734c0617f0fd236ad8975bc30bd28516ada7b8fc4fa39c0c8f22767a3b5a42a1614a8ce4fbef46c66fe51

Download Submit
C:\Temp\i_jgbztrljeb.exe

Filesize
361KB

MD5
d746c824dd17442ad34984360d1702a9

SHA1
75770f1dee72762cade712748d600d41456aca42

SHA256
5b088e47ef38ea9f8d18dbf92ef967ebe9fa5e4a46ba7046c124a22f558f6181

SHA512
b295ebf70fd9464dc749c4bdd1d1aa063eeb0cf74c7d0434fcf6aed6a568429ec26fcc4ae9e0785f902b332dcfb8e1fe9fdc3aa29838a83161f1c5bee9c56e8d

Download Submit
C:\Temp\i_kfcxvpnhfz.exe

Filesize
361KB

MD5
8235641bd87b2aa12e3b3e4896cda6d4

SHA1
c55a0c8ca9f03541ea79eb6bd6aeb3f767974dde

SHA256
e5bfa23d50bfa3c038eb45f4cb7c98d9fe3617dd19d0d1dfb3c9ecae7bd767ed

SHA512
7d5b277005c94fbc064a5ab2c93515cb99036e0d1dff31dcdd7f0f7eec445a445c28756068965a688e0238744194bc201dd9d5514848ad055199e9911affcf3c

Download Submit
C:\Temp\i_pkicausnkf.exe

Filesize
361KB

MD5
2865df2d075f3c7d732d1086d12d98eb

SHA1
b1236a4832b1a7357293d0e03c43987babe71a55

SHA256
93ed13f7a771385f32cc5268e64fbf60bcff556b4962458ec0fa67cb3d85b7b3

SHA512
601686f84296aa7092f1c763ba10e681b8cd6db5590b488c67f2b7292d066daed92ab51942c1c8ab1e83f2795dcae5ee2d9c6f8220f812454d593a7d74112978

Download Submit
C:\Temp\jgbztrljeb.exe

Filesize
361KB

MD5
d8a3c0ca563e151b1370e0a6f9be4b9e

SHA1
e47e427545e1cf713a93a1dd1246f461a9e52e43

SHA256
2b0a38b965cdeddb9e0d9424946be31a3792af768ac1a0fa636525ac2c870a0b

SHA512
dfbd9532bd05268cfec8611cfc32e912a763fe2f1c16495ac219ce0bd12d83b88c538bee3c6d172e413683b2ba1235773341abb53a3f663e6be2949a6e9054ff

Download Submit
C:\Temp\kfcxvpnhfz.exe

Filesize
361KB

MD5
416d8ab564e8fbb68488b8775a2816fe

SHA1
5e4400225329efc69a31692dcd008d90abdc2af3

SHA256
9b01c614943456096f2f32da679686568429568afda76bd660a78d098fd6ba05

SHA512
8ae6a4f2272f6f565c65aa1db664c7fc8811a734996ab5f1163d4dac94bef66c73621821d205c863b82ed7815d4080d55af6d8e5a5d8e1e40ae10b66888af0b1

Download Submit
C:\Temp\pkicausnkf.exe

Filesize
17KB

MD5
88776784b04018aeda2c49672fcd8de9

SHA1
8345e58d6b3ed0c005bcdf5092b76731401d8afd

SHA256
b7868a9440cb08253e4761d0106a975ec918ba39893844f61448621a15e6937d

SHA512
03fcf4a674a68442a9839456bee7e8daefac4870e978cdb139ecff3418ccdfd293acea79dc0263a1c7a73567305091d02187089e1567087d49abd1769e61b2bd

Download Submit
C:\Temp\pkicausnkf.exe

Filesize
361KB

MD5
47614edfbc6cdda36d83bf607e7e4242

SHA1
493333c0cee5f778f2764cbcbb52f45dc0c83e72

SHA256
c2ac64996f4991699354c25cd25f6d488fb6c19b2542d18c102390a18e21ae09

SHA512
afd486506ead29589ba33f30d4c0310b2cbea1c9b18fe9ac3d559c3d61dcc92c6722c58eaae607f94f2cb3bf0d7ea6a6574116db371f3aa5c59f19327b248c00

Download Submit
C:\Temp\tolgdywqoigaytql.exe

Filesize
361KB

MD5
91d7a990b41b4f67aaddf975348f656a

SHA1
a2b3b96afec03421c884e6ef6e9e0251deb23142

SHA256
7621bf6e0e1e83cc420d1218203a5a64451172b234e748709600be64376fd4e6

SHA512
faa5e80c8c20a988d7fa79ea26a9f8d797fe74be3bf1d7f3965df7d8975f43574c6a79e9172f757fb093f2024562ff414da314f1315db337f13c85ef110506a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8PO8IKDM\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit