25fedd152c0a8993f7caabaa93afe36beb52a6832bc23cb684bba2dffc9faac1

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e0803c662828c6278a2ed6c34d3848d.exe
Size

361KB
MD5

4e0803c662828c6278a2ed6c34d3848d
SHA1

489bc99a7277c2c9c419afd31eca79d2ea38cf42
SHA256

25fedd152c0a8993f7caabaa93afe36beb52a6832bc23cb684bba2dffc9faac1
SHA512

b1c05ef64471e3665cc6532dd9bbc22e5571a9d47a701187165365227e0ffc596d88c313b3ee7a1dcaf5cf07fcbacbc0be0f5a2bb73669a392385450eb35b0a9
SSDEEP

6144:VflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:VflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2336	ausnhfzxrmkecwro.exe
2588	CreateProcess.exe
2584	jdbvqoigav.exe
2616	CreateProcess.exe
340	CreateProcess.exe
1352	i_jdbvqoigav.exe
2776	CreateProcess.exe
2948	vsnzxspkec.exe
2944	CreateProcess.exe
2592	CreateProcess.exe
2724	i_vsnzxspkec.exe
2856	CreateProcess.exe
2128	smkecwrpjh.exe
2896	CreateProcess.exe
1632	CreateProcess.exe
1532	i_smkecwrpjh.exe
2288	CreateProcess.exe
2284	mgeywrljdb.exe
2760	CreateProcess.exe
2392	CreateProcess.exe
2352	i_mgeywrljdb.exe
2956	CreateProcess.exe
2020	dyvqoidavt.exe
2724	CreateProcess.exe
436	CreateProcess.exe
1840	i_dyvqoidavt.exe
1920	CreateProcess.exe
884	avsnhfzxsm.exe
1056	CreateProcess.exe
1700	CreateProcess.exe
1496	i_avsnhfzxsm.exe
1604	CreateProcess.exe
2220	xrpkecwuoj.exe
2692	CreateProcess.exe
2540	CreateProcess.exe
2608	i_xrpkecwuoj.exe
2972	CreateProcess.exe
2152	rljeywqojd.exe
916	CreateProcess.exe
1012	CreateProcess.exe
2076	i_rljeywqojd.exe
2284	CreateProcess.exe
2168	oigbvtnlfa.exe
3032	CreateProcess.exe
1992	CreateProcess.exe
3040	i_oigbvtnlfa.exe
2332	CreateProcess.exe
296	qkfdxvpkic.exe
2268	CreateProcess.exe
1900	CreateProcess.exe
2352	i_qkfdxvpkic.exe
1756	CreateProcess.exe
2924	spkicwupmh.exe
2124	CreateProcess.exe
2976	CreateProcess.exe
2964	i_spkicwupmh.exe
1580	CreateProcess.exe
1444	urmgezwrlj.exe
1720	CreateProcess.exe
1516	CreateProcess.exe
1400	i_urmgezwrlj.exe
2152	CreateProcess.exe
2932	ztomgeytql.exe
1528	CreateProcess.exe

Loads dropped DLL 60 IoCs

pid	Process
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2584	jdbvqoigav.exe
2584	jdbvqoigav.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2948	vsnzxspkec.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2128	smkecwrpjh.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2284	mgeywrljdb.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2020	dyvqoidavt.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
884	avsnhfzxsm.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2220	xrpkecwuoj.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2152	rljeywqojd.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2168	oigbvtnlfa.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
296	qkfdxvpkic.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2924	spkicwupmh.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
1444	urmgezwrlj.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2932	ztomgeytql.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2304	bvtnigaysn.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2136	xvpkhcauom.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
1840	zuomgeztrl.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
1920	wtomgbytql.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
1796	vqnigavsnl.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2400	dxvpnicaus.exe
2336	ausnhfzxrmkecwro.exe

Gathers network information 2 TTPs 19 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2816	ipconfig.exe
2868	ipconfig.exe
2472	ipconfig.exe
2456	ipconfig.exe
1704	ipconfig.exe
2156	ipconfig.exe
1168	ipconfig.exe
2108	ipconfig.exe
2872	ipconfig.exe
2032	ipconfig.exe
2364	ipconfig.exe
1012	ipconfig.exe
2560	ipconfig.exe
3056	ipconfig.exe
2452	ipconfig.exe
2796	ipconfig.exe
2632	ipconfig.exe
1264	ipconfig.exe
1480	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0190ebe8238da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409815553"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb800000000020000000000106600000001000020000000945766c5ae158b98f917f9cadde15d695406abb06986e0e81813fc01b8caedb8000000000e800000000200002000000050ad80618361661346d87367df43b21232675d30910e5f81feffd852793272852000000054c866f8e12aa8053a1032bec91bc9d1d0bb554dd0995c1a3aa0eb8830d3590c400000009e29475853676473ddb7fcbf7812996016e5f6e5c3f9a6ae694b484eae5b686b3ed46d255aa9792ecc1ec694422c9136ae4c7f5601b4b80c3728850a0b4fbc22	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb800000000020000000000106600000001000020000000500acdc774f20d9eab5614b3b2d96d72df2c8a85a86adf594014f4f369fd6469000000000e80000000020000200000004f3cbd48e03e08a1e51035e0d2de08d2c894c3b5eba843f72c4badac60b6013990000000b2b25de5358fa808e86c9b58bef4069e18f1a877b63f9998bfc609e1b1f4775b737ad97fde35ef265e6f5d27ddb4214ac545e7918060139b122cd55920fb3a81b68aa97425d3af6e50ab0fc1d8db6209df101a9b9815f2d9bf306955380c3061459f3383a2f471d107eb71bf1693297c4784f71ceb1ad52aeb8d945ff4659cb8f97294a52a0f56a63dda4fed275895cf400000006db1c06d8d26cf7e3ee100cd42db46e95cd3743a5f24437f71e9a0d39a30e6d014f923c8d92f26bda8f29b9612e800b50b28c03d3cc42956b04aca7cad5bd517	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E5AA1551-A475-11EE-97FC-EE5B2FF970AA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2336	ausnhfzxrmkecwro.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2336	ausnhfzxrmkecwro.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2336	ausnhfzxrmkecwro.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2336	ausnhfzxrmkecwro.exe
2636	4e0803c662828c6278a2ed6c34d3848d.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2336	ausnhfzxrmkecwro.exe
2584	jdbvqoigav.exe
2584	jdbvqoigav.exe
2584	jdbvqoigav.exe
2584	jdbvqoigav.exe
2584	jdbvqoigav.exe
2584	jdbvqoigav.exe
2584	jdbvqoigav.exe
1352	i_jdbvqoigav.exe
1352	i_jdbvqoigav.exe
1352	i_jdbvqoigav.exe
1352	i_jdbvqoigav.exe
1352	i_jdbvqoigav.exe
1352	i_jdbvqoigav.exe
1352	i_jdbvqoigav.exe
2948	vsnzxspkec.exe
2948	vsnzxspkec.exe
2948	vsnzxspkec.exe
2948	vsnzxspkec.exe
2948	vsnzxspkec.exe
2948	vsnzxspkec.exe
2948	vsnzxspkec.exe
2724	i_vsnzxspkec.exe
2724	i_vsnzxspkec.exe
2724	i_vsnzxspkec.exe
2724	i_vsnzxspkec.exe
2724	i_vsnzxspkec.exe
2724	i_vsnzxspkec.exe
2724	i_vsnzxspkec.exe
2128	smkecwrpjh.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	i_jdbvqoigav.exe
Token: SeDebugPrivilege	2724	i_vsnzxspkec.exe
Token: SeDebugPrivilege	1532	i_smkecwrpjh.exe
Token: SeDebugPrivilege	2352	i_mgeywrljdb.exe
Token: SeDebugPrivilege	1840	i_dyvqoidavt.exe
Token: SeDebugPrivilege	1496	i_avsnhfzxsm.exe
Token: SeDebugPrivilege	2608	i_xrpkecwuoj.exe
Token: SeDebugPrivilege	2076	i_rljeywqojd.exe
Token: SeDebugPrivilege	3040	i_oigbvtnlfa.exe
Token: SeDebugPrivilege	2352	i_qkfdxvpkic.exe
Token: SeDebugPrivilege	2964	i_spkicwupmh.exe
Token: SeDebugPrivilege	1400	i_urmgezwrlj.exe
Token: SeDebugPrivilege	1064	i_ztomgeytql.exe
Token: SeDebugPrivilege	1684	i_bvtnigaysn.exe
Token: SeDebugPrivilege	516	i_xvpkhcauom.exe
Token: SeDebugPrivilege	2036	i_zuomgeztrl.exe
Token: SeDebugPrivilege	2812	i_wtomgbytql.exe
Token: SeDebugPrivilege	1732	i_vqnigavsnl.exe
Token: SeDebugPrivilege	2596	i_dxvpnicaus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2744	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2744	iexplore.exe
2744	iexplore.exe
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2336	2636	4e0803c662828c6278a2ed6c34d3848d.exe	28
PID 2636 wrote to memory of 2336	2636	4e0803c662828c6278a2ed6c34d3848d.exe	28
PID 2636 wrote to memory of 2336	2636	4e0803c662828c6278a2ed6c34d3848d.exe	28
PID 2636 wrote to memory of 2336	2636	4e0803c662828c6278a2ed6c34d3848d.exe	28
PID 2636 wrote to memory of 2744	2636	4e0803c662828c6278a2ed6c34d3848d.exe	29
PID 2636 wrote to memory of 2744	2636	4e0803c662828c6278a2ed6c34d3848d.exe	29
PID 2636 wrote to memory of 2744	2636	4e0803c662828c6278a2ed6c34d3848d.exe	29
PID 2636 wrote to memory of 2744	2636	4e0803c662828c6278a2ed6c34d3848d.exe	29
PID 2744 wrote to memory of 2808	2744	iexplore.exe	30
PID 2744 wrote to memory of 2808	2744	iexplore.exe	30
PID 2744 wrote to memory of 2808	2744	iexplore.exe	30
PID 2744 wrote to memory of 2808	2744	iexplore.exe	30
PID 2336 wrote to memory of 2588	2336	ausnhfzxrmkecwro.exe	31
PID 2336 wrote to memory of 2588	2336	ausnhfzxrmkecwro.exe	31
PID 2336 wrote to memory of 2588	2336	ausnhfzxrmkecwro.exe	31
PID 2336 wrote to memory of 2588	2336	ausnhfzxrmkecwro.exe	31
PID 2584 wrote to memory of 2616	2584	jdbvqoigav.exe	33
PID 2584 wrote to memory of 2616	2584	jdbvqoigav.exe	33
PID 2584 wrote to memory of 2616	2584	jdbvqoigav.exe	33
PID 2584 wrote to memory of 2616	2584	jdbvqoigav.exe	33
PID 2336 wrote to memory of 340	2336	ausnhfzxrmkecwro.exe	37
PID 2336 wrote to memory of 340	2336	ausnhfzxrmkecwro.exe	37
PID 2336 wrote to memory of 340	2336	ausnhfzxrmkecwro.exe	37
PID 2336 wrote to memory of 340	2336	ausnhfzxrmkecwro.exe	37
PID 2336 wrote to memory of 2776	2336	ausnhfzxrmkecwro.exe	39
PID 2336 wrote to memory of 2776	2336	ausnhfzxrmkecwro.exe	39
PID 2336 wrote to memory of 2776	2336	ausnhfzxrmkecwro.exe	39
PID 2336 wrote to memory of 2776	2336	ausnhfzxrmkecwro.exe	39
PID 2948 wrote to memory of 2944	2948	vsnzxspkec.exe	41
PID 2948 wrote to memory of 2944	2948	vsnzxspkec.exe	41
PID 2948 wrote to memory of 2944	2948	vsnzxspkec.exe	41
PID 2948 wrote to memory of 2944	2948	vsnzxspkec.exe	41
PID 2336 wrote to memory of 2592	2336	ausnhfzxrmkecwro.exe	44
PID 2336 wrote to memory of 2592	2336	ausnhfzxrmkecwro.exe	44
PID 2336 wrote to memory of 2592	2336	ausnhfzxrmkecwro.exe	44
PID 2336 wrote to memory of 2592	2336	ausnhfzxrmkecwro.exe	44
PID 2336 wrote to memory of 2856	2336	ausnhfzxrmkecwro.exe	46
PID 2336 wrote to memory of 2856	2336	ausnhfzxrmkecwro.exe	46
PID 2336 wrote to memory of 2856	2336	ausnhfzxrmkecwro.exe	46
PID 2336 wrote to memory of 2856	2336	ausnhfzxrmkecwro.exe	46
PID 2128 wrote to memory of 2896	2128	smkecwrpjh.exe	48
PID 2128 wrote to memory of 2896	2128	smkecwrpjh.exe	48
PID 2128 wrote to memory of 2896	2128	smkecwrpjh.exe	48
PID 2128 wrote to memory of 2896	2128	smkecwrpjh.exe	48
PID 2336 wrote to memory of 1632	2336	ausnhfzxrmkecwro.exe	51
PID 2336 wrote to memory of 1632	2336	ausnhfzxrmkecwro.exe	51
PID 2336 wrote to memory of 1632	2336	ausnhfzxrmkecwro.exe	51
PID 2336 wrote to memory of 1632	2336	ausnhfzxrmkecwro.exe	51
PID 2336 wrote to memory of 2288	2336	ausnhfzxrmkecwro.exe	53
PID 2336 wrote to memory of 2288	2336	ausnhfzxrmkecwro.exe	53
PID 2336 wrote to memory of 2288	2336	ausnhfzxrmkecwro.exe	53
PID 2336 wrote to memory of 2288	2336	ausnhfzxrmkecwro.exe	53
PID 2284 wrote to memory of 2760	2284	mgeywrljdb.exe	55
PID 2284 wrote to memory of 2760	2284	mgeywrljdb.exe	55
PID 2284 wrote to memory of 2760	2284	mgeywrljdb.exe	55
PID 2284 wrote to memory of 2760	2284	mgeywrljdb.exe	55
PID 2336 wrote to memory of 2392	2336	ausnhfzxrmkecwro.exe	58
PID 2336 wrote to memory of 2392	2336	ausnhfzxrmkecwro.exe	58
PID 2336 wrote to memory of 2392	2336	ausnhfzxrmkecwro.exe	58
PID 2336 wrote to memory of 2392	2336	ausnhfzxrmkecwro.exe	58
PID 2336 wrote to memory of 2956	2336	ausnhfzxrmkecwro.exe	62
PID 2336 wrote to memory of 2956	2336	ausnhfzxrmkecwro.exe	62
PID 2336 wrote to memory of 2956	2336	ausnhfzxrmkecwro.exe	62
PID 2336 wrote to memory of 2956	2336	ausnhfzxrmkecwro.exe	62

C:\Users\Admin\AppData\Local\Temp\4e0803c662828c6278a2ed6c34d3848d.exe
"C:\Users\Admin\AppData\Local\Temp\4e0803c662828c6278a2ed6c34d3848d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Temp\ausnhfzxrmkecwro.exe
  C:\Temp\ausnhfzxrmkecwro.exe run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jdbvqoigav.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2588
  - - C:\Temp\jdbvqoigav.exe
      C:\Temp\jdbvqoigav.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2616
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2108
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jdbvqoigav.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:340
  - - C:\Temp\i_jdbvqoigav.exe
      C:\Temp\i_jdbvqoigav.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1352
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vsnzxspkec.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2776
  - - C:\Temp\vsnzxspkec.exe
      C:\Temp\vsnzxspkec.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2944
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2632
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vsnzxspkec.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2592
  - - C:\Temp\i_vsnzxspkec.exe
      C:\Temp\i_vsnzxspkec.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2724
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\smkecwrpjh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2856
  - - C:\Temp\smkecwrpjh.exe
      C:\Temp\smkecwrpjh.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2896
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2156
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_smkecwrpjh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1632
  - - C:\Temp\i_smkecwrpjh.exe
      C:\Temp\i_smkecwrpjh.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1532
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mgeywrljdb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2288
  - - C:\Temp\mgeywrljdb.exe
      C:\Temp\mgeywrljdb.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2760
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1264
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mgeywrljdb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2392
  - - C:\Temp\i_mgeywrljdb.exe
      C:\Temp\i_mgeywrljdb.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2352
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dyvqoidavt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2956
  - - C:\Temp\dyvqoidavt.exe
      C:\Temp\dyvqoidavt.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2020
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2724
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2872
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dyvqoidavt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:436
  - - C:\Temp\i_dyvqoidavt.exe
      C:\Temp\i_dyvqoidavt.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1840
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\avsnhfzxsm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1920
  - - C:\Temp\avsnhfzxsm.exe
      C:\Temp\avsnhfzxsm.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:884
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1056
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1480
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_avsnhfzxsm.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1700
  - - C:\Temp\i_avsnhfzxsm.exe
      C:\Temp\i_avsnhfzxsm.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1496
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpkecwuoj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1604
  - - C:\Temp\xrpkecwuoj.exe
      C:\Temp\xrpkecwuoj.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2220
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2692
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2816
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpkecwuoj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2540
  - - C:\Temp\i_xrpkecwuoj.exe
      C:\Temp\i_xrpkecwuoj.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2608
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rljeywqojd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2972
  - - C:\Temp\rljeywqojd.exe
      C:\Temp\rljeywqojd.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2152
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:916
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2868
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rljeywqojd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1012
  - - C:\Temp\i_rljeywqojd.exe
      C:\Temp\i_rljeywqojd.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2076
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\oigbvtnlfa.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2284
  - - C:\Temp\oigbvtnlfa.exe
      C:\Temp\oigbvtnlfa.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2168
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3032
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2032
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_oigbvtnlfa.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1992
  - - C:\Temp\i_oigbvtnlfa.exe
      C:\Temp\i_oigbvtnlfa.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3040
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qkfdxvpkic.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2332
  - - C:\Temp\qkfdxvpkic.exe
      C:\Temp\qkfdxvpkic.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:296
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2268
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2472
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qkfdxvpkic.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1900
  - - C:\Temp\i_qkfdxvpkic.exe
      C:\Temp\i_qkfdxvpkic.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2352
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\spkicwupmh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1756
  - - C:\Temp\spkicwupmh.exe
      C:\Temp\spkicwupmh.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2924
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2124
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1168
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_spkicwupmh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2976
  - - C:\Temp\i_spkicwupmh.exe
      C:\Temp\i_spkicwupmh.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2964
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\urmgezwrlj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1580
  - - C:\Temp\urmgezwrlj.exe
      C:\Temp\urmgezwrlj.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1444
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1720
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2364
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_urmgezwrlj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1516
  - - C:\Temp\i_urmgezwrlj.exe
      C:\Temp\i_urmgezwrlj.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1400
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ztomgeytql.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2152
  - - C:\Temp\ztomgeytql.exe
      C:\Temp\ztomgeytql.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2932
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1528
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2456
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ztomgeytql.exe ups_ins
    3⤵
    PID:2956
  - - C:\Temp\i_ztomgeytql.exe
      C:\Temp\i_ztomgeytql.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1064
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bvtnigaysn.exe ups_run
    3⤵
    PID:3028
  - - C:\Temp\bvtnigaysn.exe
      C:\Temp\bvtnigaysn.exe ups_run
      4⤵
      Loads dropped DLL
      PID:2304
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2064
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1012
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bvtnigaysn.exe ups_ins
    3⤵
    PID:3044
  - - C:\Temp\i_bvtnigaysn.exe
      C:\Temp\i_bvtnigaysn.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1684
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xvpkhcauom.exe ups_run
    3⤵
    PID:1772
  - - C:\Temp\xvpkhcauom.exe
      C:\Temp\xvpkhcauom.exe ups_run
      4⤵
      Loads dropped DLL
      PID:2136
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:588
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1704
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xvpkhcauom.exe ups_ins
    3⤵
    PID:1000
  - - C:\Temp\i_xvpkhcauom.exe
      C:\Temp\i_xvpkhcauom.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:516
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zuomgeztrl.exe ups_run
    3⤵
    PID:1820
  - - C:\Temp\zuomgeztrl.exe
      C:\Temp\zuomgeztrl.exe ups_run
      4⤵
      Loads dropped DLL
      PID:1840
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2972
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2560
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zuomgeztrl.exe ups_ins
    3⤵
    PID:1672
  - - C:\Temp\i_zuomgeztrl.exe
      C:\Temp\i_zuomgeztrl.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2036
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wtomgbytql.exe ups_run
    3⤵
    PID:240
  - - C:\Temp\wtomgbytql.exe
      C:\Temp\wtomgbytql.exe ups_run
      4⤵
      Loads dropped DLL
      PID:1920
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1652
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3056
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wtomgbytql.exe ups_ins
    3⤵
    PID:1364
  - - C:\Temp\i_wtomgbytql.exe
      C:\Temp\i_wtomgbytql.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2812
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vqnigavsnl.exe ups_run
    3⤵
    PID:1244
  - - C:\Temp\vqnigavsnl.exe
      C:\Temp\vqnigavsnl.exe ups_run
      4⤵
      Loads dropped DLL
      PID:1796
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2384
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2452
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vqnigavsnl.exe ups_ins
    3⤵
    PID:1592
  - - C:\Temp\i_vqnigavsnl.exe
      C:\Temp\i_vqnigavsnl.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1732
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dxvpnicaus.exe ups_run
    3⤵
    PID:2728
  - - C:\Temp\dxvpnicaus.exe
      C:\Temp\dxvpnicaus.exe ups_run
      4⤵
      Loads dropped DLL
      PID:2400
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1576
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2796
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dxvpnicaus.exe ups_ins
    3⤵
    PID:1692
  - - C:\Temp\i_dxvpnicaus.exe
      C:\Temp\i_dxvpnicaus.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2596
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\avsnhfzxsm.exe

Filesize
361KB

MD5
1857b0b3bca7663a0b94fe501f348761

SHA1
aa2c0c3db750841c499deccd304025f8628f0a2a

SHA256
2384cf1f8b020f49f00227513e506b353767aaaa99c4b5066fd271593360c50d

SHA512
1bbb60bfece6b28f3ba67fa6ada2884e8ab09351de2b90e43321377a0d47e51caa83412316597f31b542d95fd61f7918d0037b266c16f39e974af6c1a08595f7

Download Submit
C:\Temp\dyvqoidavt.exe

Filesize
361KB

MD5
1d844ab7642d1768f51dc3705a1c2ab8

SHA1
71bb0bc3586084b1b74f490b2d99598a3d60252a

SHA256
964a721a1f59bee7886adcab63591fe1dfff58df89cb6f77d002af3495abbd55

SHA512
b527f28a8266b9856a1364739a716aa9c822e031cb2bec148494a930dc767d4028d6c405ef60d7b6a63f6ab4a3a1e7f69dc9d692edaf082b14f3e91145882268

Download Submit
C:\Temp\i_avsnhfzxsm.exe

Filesize
361KB

MD5
2894579ddc1ccafdab5d56449fad4414

SHA1
cb428aa270dd81b61284c142c7a21bf5bd55d1e0

SHA256
09c7fab1afd9c9eec7805f02cca4b0bdc48b07f6839a27ea87566b9587583e6d

SHA512
43836d5335f54a38eff2d3aa49fca786b585cf5c0a1fcb1937d67379934418f01a80ee4d76b3afd7f6e5c12146f8f9c08b62a0a4864ea0414924f8dd17b2be2e

Download Submit
C:\Temp\i_dyvqoidavt.exe

Filesize
361KB

MD5
1e90760c758f9d3c8b7985c5192aa8f1

SHA1
b1fb61215d3eaa6e3ae2eb463ae876cf0f6695bf

SHA256
3902a571ddff01fd3e91d83ebb18ce58633594de5834ba210c4b953ca961a1af

SHA512
5135d886ccf763bd861129df9b1a82795b7d82f71fc877cb34d4085d3aef4fe4fcafa12963cc4ca672e1d4504acce3adf64a315b6c8bcef1b45bd40aa70e48d6

Download Submit
C:\Temp\i_jdbvqoigav.exe

Filesize
361KB

MD5
b5316bef5a75119924b0f74ff40fc7c2

SHA1
a57bfc98a8b132dae0b0897614759a4e405218a3

SHA256
61127c9a874a2f90347dac5397c600904770833201184b39280072f6e29c9c96

SHA512
85468dfd886b25d53f28178356cdb2d8602e4f4cdab493cbc5c4e1fa073861591f99f999f362a5282e5d36b6c8a00963bd665c7a57ec992ec958c6c5cc7bc028

Download Submit
C:\Temp\i_mgeywrljdb.exe

Filesize
361KB

MD5
ddf4ec69b14fc3db4d4c4e3afb2c7d98

SHA1
90c4934f47304e80cdc7ac0426a3931c00155ae3

SHA256
c88a1fe8fcdc2596757a378922fd319e220269f1a05b79e6eba73bf17df8d10b

SHA512
30703841809e7164f03b3c23ce7231b40c543ff5ed7a41f3ca77298163a613d97000030504c0ab9650df161ea77ee38212975cb7c68bc0482ef5aab718012d9b

Download Submit
C:\Temp\i_smkecwrpjh.exe

Filesize
361KB

MD5
c8c3bb30239146e67c1c00ce5dfbb42d

SHA1
7d512d4eb13c781980a4fb23edb398876d1a176c

SHA256
49e6cbb65e5601b7e942150f0eb0c31496e989b8c87f7d476454400b748225a8

SHA512
98134feb90929e53cf19559717a3f67d45a3f5853cf97a58e48917f6f6a22f4d170798ce81da759577c6ff98191ea8e6c77fad66817d33cc51f75cbfb6a177e7

Download Submit
C:\Temp\i_vsnzxspkec.exe

Filesize
361KB

MD5
061b968b687f49c880bba17d1416fadb

SHA1
fc07eabe812588f3fdefff3c3530bd5569f6ec8d

SHA256
45b9634115ca5f19a24937195fbdb8de50b4377c93f90a81a891f02f5b19dfa6

SHA512
2dbf696fa1b742fbab0e0718521ecfc2a8bacd79ad34ba80cbd8d329fd4c129c0f5e01d61a9038c583fff936d175c25dc9896201c568c2bd670c1272f1c88835

Download Submit
C:\Temp\i_xrpkecwuoj.exe

Filesize
361KB

MD5
3b930e35e26c65ba1018024970cce79b

SHA1
5a315d0f57fec2e57857e9037df79ae4e6d400b5

SHA256
6ea44ea6283f82e7fb142b2d3f7f4b55a965850a9f56f3caae63b75f1f54595c

SHA512
21922a8a78acc3b9a155403cf373478b4522bedb4ef22cf6626189c756e4fe48f70215d3bf295e5943b9d2a97e32ba5ed6b5fc7b5d737e9a288a261b05d5679f

Download Submit
C:\Temp\jdbvqoigav.exe

Filesize
361KB

MD5
fde0ccb3b5f73ae73861722e967e8b60

SHA1
eaadfae7f10da77e04541b3324b642589688480e

SHA256
739d5ebdc28665b0717bed35c410e4d85e3d6760ba1508af3fac76dc42d0ff29

SHA512
f2b5e0a58f4dc6a6a17b9cfe7e13e548169664417cf1faea8aab7a2bc8994e70cf829be96976440c78518e883b859ac9fcac226db2680028d06fe2cf5416dc5f

Download Submit
C:\Temp\mgeywrljdb.exe

Filesize
361KB

MD5
a5eddbec8842d861de5611d0bc4ee6e7

SHA1
e1da17af7fb0b0ce7a4b5f817762b9e505806fcf

SHA256
976fd57e948e6ba89fff402610b3ca65d8329e799ba895bedf1507712d126069

SHA512
842d8ae28c19c20b1510c237cd09a8c226f46802df12aa94caee78eeeff6c6a78bb9ca07244b67f723e3bb79b869c23e49eb3a2cda94bad3de8b5561ae5387c6

Download Submit
C:\Temp\smkecwrpjh.exe

Filesize
361KB

MD5
7262205cc73f902720c1ce3b524da11e

SHA1
a3424dd4de6cd4cb699d4fe3a54c5ae7559cd07b

SHA256
098f603817ebb87c54b6cb2b19deb9122aa45850ca265951d28e5e9b53d26382

SHA512
457818e0d0bb833ba824072ff3394ed7cebce646f214ace48733834ecb1611d314716df40409c7e08d771a2c5a0cca22ef2fe1eff0f11e10c2c826f631455791

Download Submit
C:\Temp\vsnzxspkec.exe

Filesize
361KB

MD5
a54b6c48663e22e1a4df8f00e16a9798

SHA1
82152bef6a00dc5aff275ad27c05758ceb624403

SHA256
f2f30f9c7f74ba49ff1622889664939c2efd935ab16edd80550218eff83e38c6

SHA512
18f523e7663259771df4e7a04435f908c68731bb8151ebd92660ce9e00012de0d198858d34dc080ba28b8b00ed662e88ccb023ec13cf1ab605da93493b312002

Download Submit
C:\Temp\xrpkecwuoj.exe

Filesize
361KB

MD5
7828edf83daafee62b2ffb78e6ba0da5

SHA1
dab5fe25ce9110c26d67b15a25ab160407eceef6

SHA256
0e2b47257146a0149399c70b592d69aa28bf7c9cd8f99b6729eba9f2adcbe9f8

SHA512
f1a62c9b62f82cf91d1fc37813b9b04abb7f8b6e17a396869a99e8fba724cf938650b73b6b4a44c2501321231f644e08fe3f4c79bd0166810fee02460294c418

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
47d162b34986482a388e3d0566da2f98

SHA1
cfc888ecb5c829d7d6192da6f6da12cffc05fc6a

SHA256
8ea5c2aa5ae7b7461008b92aad8fbaa7465a0ea1b0009b0bfb55657f21d7fe88

SHA512
6b3501323907c9de4be4e6239ead8a1035949ee6ce4ca9c9a442ce078f5497ebb069dffc7ef85e0312f75117c2f793e62048a2e18b6644fc35e67722619e1099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
582ab94c1bd7b0ae0f616f17af9ac51f

SHA1
425885d46140776f211b058319a69b1bd883a80b

SHA256
905b5658a8d372e32e4c77e75369bc03c14a977797d8c530c3e4b7b674ed9c66

SHA512
b1e39a49557fda4ebdf56e5ad0000255c7c84bec4feca2146656b1f448568eda2694c7dec7d4bb05e6e42b7ffa923a596ddffc7f0fdcd1f87907937d4b5d4d64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a95fd24152f705ef914827303f08b35

SHA1
39724fa8424a2c1dcdcea5e2003e7d208c0bab09

SHA256
07cb5988a68dba4d57e3704ee180abc90b929cb88691cb8c3bf1b2df4db109c3

SHA512
957e1d1f1b67fb91157beea08f573913337fc8a962986a2a6b40a9077c6105eac435a1f4000ee9d36ad4a8f9bd696ecc73f45d5a0d4ce0d4d971dcfdbf77fb49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8463d5fb00ce56de1dd0dad1fafa949e

SHA1
3189b9120471bf9801f37f7f5724aa27c500bc00

SHA256
9a6c482fc94f2d89e13baba933fe02aa6aa93480fc715c2342a10feccb5d37af

SHA512
b41f8afa7cdc6a39e4a5c8175d71eed561968a48ba40066de3fa5b7b7320b78132bcfca72b2910e30e7eba862a71fce6727e206024e7c3a648e0af8c688ee7ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16afa9e091233bb41fddd56c52c0136e

SHA1
7d78bf207dbbf60f6d06404087efea73b953ae01

SHA256
a541d21b2352f63cd3c06fc8b25fff3092e59f812db5e0cb572e84755f1c9f62

SHA512
cdcec4023e30e869a24cb29adb8748ec273d5cf32235939e55f48b15063db53ed287c33a37c06a07f79fea0719c42b05eb8249196b915f0f52c92d9d6233ef96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
44491c76379a5413d38de87c41d60894

SHA1
29d5760031f77b2bde2d65910cb41bb02bca8b6e

SHA256
054cb73782bc8816d563936b8b20b908cec10c7ae03b5c02b9159ea7a4907b7d

SHA512
6628105c950c8efce11aa2dbe2290583b80c63b7d51422ae33ad97815312d90b7f7c13dd42023edb5c8e6e5eb4a487a2e5322f125eaa11f62762a499a6991d47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c19694ca405c809c9fbafdd3836a8525

SHA1
10ae5898d57923ffca400b31c6f0701b03606818

SHA256
a3ef3a329ef390671920d45e4ba87d9eec32422ba5a2b0714beef49587700a04

SHA512
011e43a92c77401347c153a1a9c4bd201bc8051be8c5c7a665096a137f141a5163438e78d1acaeccb779fb76cec094dcce9821a284888cf903deebac0feff698

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6f086a9a9ff31415b923770b4187fb15

SHA1
7f682028c1661e81fbed6cac42e123df6441e12d

SHA256
f75e29da1fb493fe456e0049ad685aacfd67bad5de6a0efbec1399e4a90e75e7

SHA512
980a3b19b7081c913bf1a5a49d10bb524702a02ad307668618202374ba8de013ee6dcba04a6f35f4b149bf146714f75275be794a484dbc09d2c5cee0554eae71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b8fe57cc7a72639b5e83a98bd115db0

SHA1
e3f67f8687e1e9e30c21c991b2afd78ff985cd1a

SHA256
a171ee17163e9d7707be93bbd177a9d34669a7e6e8aa1adb720ccd8313714cbb

SHA512
b2f3d644d496c08ea318fba62d9d2e2f131b9d33ae39766f305682445acd2c750adfea19284cda9e9935fc07f5e726c5a0d679ba1c6e804ae66cab492c9a27d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDD86.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDDB8.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Temp\CreateProcess.exe

Filesize
3KB

MD5
bb8e6dd67f6af094e74c5300cc5f4765

SHA1
131dcdcfeeb55f74f373141892398cfbf2594a5a

SHA256
7a1a6fe8c715cc6c53634d427de01f92353562ed3daed7e9d2ef1a19f759041f

SHA512
2784e19f7494f69c99f84c5a609e336154c9f44e41b5ed97df2b1a9d65918f87247467c385138729cd7eb67c996d430d815db49a7ec0e4e765d8ee24fb10580e

Download Submit
\Temp\ausnhfzxrmkecwro.exe

Filesize
361KB

MD5
113188919d4dcffe61a123d33be6310c

SHA1
61c475575c20fb169448d3017c2d3c8e666735ed

SHA256
cdd4ea282f959c0f84bcae66a1d25704ac3313ec26011a1e3c8949d162522f9d

SHA512
5cb2b3ce49035eac7b80db633f3d0d18c5c9814538dbc275a1a2aa704d56117095536f49bfe8617ec6cbd1d0ac57df1e9d5a3d35d3578fb636ff2f2f445ac2a5

Download Submit