25fedd152c0a8993f7caabaa93afe36beb52a6832bc23cb684bba2dffc9faac1

Analysis

max time kernel
146s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e0803c662828c6278a2ed6c34d3848d.exe
Size

361KB
MD5

4e0803c662828c6278a2ed6c34d3848d
SHA1

489bc99a7277c2c9c419afd31eca79d2ea38cf42
SHA256

25fedd152c0a8993f7caabaa93afe36beb52a6832bc23cb684bba2dffc9faac1
SHA512

b1c05ef64471e3665cc6532dd9bbc22e5571a9d47a701187165365227e0ffc596d88c313b3ee7a1dcaf5cf07fcbacbc0be0f5a2bb73669a392385450eb35b0a9
SSDEEP

6144:VflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:VflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3924	pjhbzurmjwuomgez.exe
4796	CreateProcess.exe
2572	rljebwuomg.exe
2492	CreateProcess.exe
2172	CreateProcess.exe
4176	i_rljebwuomg.exe
4008	CreateProcess.exe
4052	ljdbwtomge.exe
2484	CreateProcess.exe
864	CreateProcess.exe
4080	i_ljdbwtomge.exe
2708	CreateProcess.exe
3528	igaytqlidb.exe
2476	CreateProcess.exe
4396	CreateProcess.exe
1992	i_igaytqlidb.exe
4816	CreateProcess.exe
2200	lfdxvqniga.exe
3636	CreateProcess.exe
996	CreateProcess.exe
3332	i_lfdxvqniga.exe
2576	CreateProcess.exe
1052	ifaysqkica.exe
2772	CreateProcess.exe
4160	CreateProcess.exe
4800	i_ifaysqkica.exe
2488	CreateProcess.exe
4444	nhfzxspkic.exe
3384	CreateProcess.exe
2500	CreateProcess.exe
1276	i_nhfzxspkic.exe
3872	CreateProcess.exe
3496	nhfzxspkhc.exe
1928	CreateProcess.exe
1980	CreateProcess.exe
3260	i_nhfzxspkhc.exe
3928	CreateProcess.exe
5000	hcwuomhezx.exe
2400	CreateProcess.exe
2636	CreateProcess.exe
1372	i_hcwuomhezx.exe
1556	CreateProcess.exe
4432	mgezojhbzt.exe
3076	CreateProcess.exe
508	CreateProcess.exe
3452	i_mgezojhbzt.exe
4172	CreateProcess.exe
372	gezwrojhbz.exe
784	CreateProcess.exe
4424	CreateProcess.exe
3572	i_gezwrojhbz.exe
4140	CreateProcess.exe
2496	geywqojgby.exe
1200	CreateProcess.exe
1084	CreateProcess.exe
4688	i_geywqojgby.exe
2656	CreateProcess.exe
1412	gbvtnlfdyv.exe
4308	CreateProcess.exe
216	CreateProcess.exe
1804	i_gbvtnlfdyv.exe
2084	CreateProcess.exe
940	igaysqlida.exe
4108	CreateProcess.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1932	ipconfig.exe
2576	ipconfig.exe
1888	ipconfig.exe
1440	ipconfig.exe
4088	ipconfig.exe
2300	ipconfig.exe
3688	ipconfig.exe
2204	ipconfig.exe
3880	ipconfig.exe
5036	ipconfig.exe
2752	ipconfig.exe
868	ipconfig.exe
3200	ipconfig.exe
4816	ipconfig.exe
2560	ipconfig.exe
3716	ipconfig.exe
1372	ipconfig.exe
864	ipconfig.exe
4496	ipconfig.exe
5084	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078530"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3068656799"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078530"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DD284D4D-A475-11EE-A0B6-EA4D20080768} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078530"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a009eab18238da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3068656799"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3001625419"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0dde2b18238da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015a2f750fe9ee1479ecf0c8cfb11934c0000000002000000000010660000000100002000000033a79f858fafdc807e07c89f4ce77be52aa73e73b0b2e40d0b93fd38e389e334000000000e80000000020000200000005b99db17ca1121e51c348980824931e02151105f0f342e0657d592dfe1f8e02320000000aba4384e0726277272f0ee74992b1ed4b6d669247fb0b44206a5617d17620f0040000000e7d0ebb26d017bfd132a3cabeb4fa7fd628c07a9e6e45fd22a0c4519e8e0e0d9ae6ab8ec27f075aee6bff4845ac442e8e3e3ecaabc28f7b4585822a53999634d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078530"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410418636"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015a2f750fe9ee1479ecf0c8cfb11934c00000000020000000000106600000001000020000000e79c8ac19479045a65ba6be95910d2147c350089165a43c5d261212eb812ebe6000000000e8000000002000020000000097d58a1f1f4d4eedbc9cefe8740ca6cba0330522a735812123bd26fe61c4d1e20000000fac5c5566bfcf14c4e1e9363fad5904e6f2dd0a2c345f421cf7887366ce14ea0400000005c138eefb5b2fb7476f6e1f41657bc496f1ebfc9ac43030700e8eea47a04ef1bdf21901d3e2448c203a85aafc9e4d92a3026dd909149d4062689829bd8ee8809	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3001625419"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
3924	pjhbzurmjwuomgez.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
3924	pjhbzurmjwuomgez.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
3924	pjhbzurmjwuomgez.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
3924	pjhbzurmjwuomgez.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
3924	pjhbzurmjwuomgez.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
3924	pjhbzurmjwuomgez.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
3924	pjhbzurmjwuomgez.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
3924	pjhbzurmjwuomgez.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
3924	pjhbzurmjwuomgez.exe
3924	pjhbzurmjwuomgez.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
3924	pjhbzurmjwuomgez.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
3924	pjhbzurmjwuomgez.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
3924	pjhbzurmjwuomgez.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
3924	pjhbzurmjwuomgez.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe
2840	4e0803c662828c6278a2ed6c34d3848d.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	i_rljebwuomg.exe
Token: SeDebugPrivilege	4080	i_ljdbwtomge.exe
Token: SeDebugPrivilege	1992	i_igaytqlidb.exe
Token: SeDebugPrivilege	3332	i_lfdxvqniga.exe
Token: SeDebugPrivilege	4800	i_ifaysqkica.exe
Token: SeDebugPrivilege	1276	i_nhfzxspkic.exe
Token: SeDebugPrivilege	3260	i_nhfzxspkhc.exe
Token: SeDebugPrivilege	1372	i_hcwuomhezx.exe
Token: SeDebugPrivilege	3452	i_mgezojhbzt.exe
Token: SeDebugPrivilege	3572	i_gezwrojhbz.exe
Token: SeDebugPrivilege	4688	i_geywqojgby.exe
Token: SeDebugPrivilege	1804	i_gbvtnlfdyv.exe
Token: SeDebugPrivilege	1476	i_igaysqlida.exe
Token: SeDebugPrivilege	640	i_icavsnkfdx.exe
Token: SeDebugPrivilege	1224	i_icxupnhfzx.exe
Token: SeDebugPrivilege	1048	i_ecwupmhezx.exe
Token: SeDebugPrivilege	4732	i_pjhbzurmke.exe
Token: SeDebugPrivilege	4088	i_ojebwuomge.exe
Token: SeDebugPrivilege	968	i_ljebwtomge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1096	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1096	iexplore.exe
1096	iexplore.exe
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 3924	2840	4e0803c662828c6278a2ed6c34d3848d.exe	89
PID 2840 wrote to memory of 3924	2840	4e0803c662828c6278a2ed6c34d3848d.exe	89
PID 2840 wrote to memory of 3924	2840	4e0803c662828c6278a2ed6c34d3848d.exe	89
PID 2840 wrote to memory of 1096	2840	4e0803c662828c6278a2ed6c34d3848d.exe	90
PID 2840 wrote to memory of 1096	2840	4e0803c662828c6278a2ed6c34d3848d.exe	90
PID 1096 wrote to memory of 2532	1096	iexplore.exe	91
PID 1096 wrote to memory of 2532	1096	iexplore.exe	91
PID 1096 wrote to memory of 2532	1096	iexplore.exe	91
PID 3924 wrote to memory of 4796	3924	pjhbzurmjwuomgez.exe	93
PID 3924 wrote to memory of 4796	3924	pjhbzurmjwuomgez.exe	93
PID 3924 wrote to memory of 4796	3924	pjhbzurmjwuomgez.exe	93
PID 2572 wrote to memory of 2492	2572	rljebwuomg.exe	95
PID 2572 wrote to memory of 2492	2572	rljebwuomg.exe	95
PID 2572 wrote to memory of 2492	2572	rljebwuomg.exe	95
PID 3924 wrote to memory of 2172	3924	pjhbzurmjwuomgez.exe	99
PID 3924 wrote to memory of 2172	3924	pjhbzurmjwuomgez.exe	99
PID 3924 wrote to memory of 2172	3924	pjhbzurmjwuomgez.exe	99
PID 3924 wrote to memory of 4008	3924	pjhbzurmjwuomgez.exe	102
PID 3924 wrote to memory of 4008	3924	pjhbzurmjwuomgez.exe	102
PID 3924 wrote to memory of 4008	3924	pjhbzurmjwuomgez.exe	102
PID 4052 wrote to memory of 2484	4052	ljdbwtomge.exe	106
PID 4052 wrote to memory of 2484	4052	ljdbwtomge.exe	106
PID 4052 wrote to memory of 2484	4052	ljdbwtomge.exe	106
PID 3924 wrote to memory of 864	3924	pjhbzurmjwuomgez.exe	107
PID 3924 wrote to memory of 864	3924	pjhbzurmjwuomgez.exe	107
PID 3924 wrote to memory of 864	3924	pjhbzurmjwuomgez.exe	107
PID 3924 wrote to memory of 2708	3924	pjhbzurmjwuomgez.exe	113
PID 3924 wrote to memory of 2708	3924	pjhbzurmjwuomgez.exe	113
PID 3924 wrote to memory of 2708	3924	pjhbzurmjwuomgez.exe	113
PID 3528 wrote to memory of 2476	3528	igaytqlidb.exe	111
PID 3528 wrote to memory of 2476	3528	igaytqlidb.exe	111
PID 3528 wrote to memory of 2476	3528	igaytqlidb.exe	111
PID 3924 wrote to memory of 4396	3924	pjhbzurmjwuomgez.exe	115
PID 3924 wrote to memory of 4396	3924	pjhbzurmjwuomgez.exe	115
PID 3924 wrote to memory of 4396	3924	pjhbzurmjwuomgez.exe	115
PID 3924 wrote to memory of 4816	3924	pjhbzurmjwuomgez.exe	116
PID 3924 wrote to memory of 4816	3924	pjhbzurmjwuomgez.exe	116
PID 3924 wrote to memory of 4816	3924	pjhbzurmjwuomgez.exe	116
PID 2200 wrote to memory of 3636	2200	lfdxvqniga.exe	118
PID 2200 wrote to memory of 3636	2200	lfdxvqniga.exe	118
PID 2200 wrote to memory of 3636	2200	lfdxvqniga.exe	118
PID 3924 wrote to memory of 996	3924	pjhbzurmjwuomgez.exe	123
PID 3924 wrote to memory of 996	3924	pjhbzurmjwuomgez.exe	123
PID 3924 wrote to memory of 996	3924	pjhbzurmjwuomgez.exe	123
PID 3924 wrote to memory of 2576	3924	pjhbzurmjwuomgez.exe	125
PID 3924 wrote to memory of 2576	3924	pjhbzurmjwuomgez.exe	125
PID 3924 wrote to memory of 2576	3924	pjhbzurmjwuomgez.exe	125
PID 1052 wrote to memory of 2772	1052	ifaysqkica.exe	127
PID 1052 wrote to memory of 2772	1052	ifaysqkica.exe	127
PID 1052 wrote to memory of 2772	1052	ifaysqkica.exe	127
PID 3924 wrote to memory of 4160	3924	pjhbzurmjwuomgez.exe	130
PID 3924 wrote to memory of 4160	3924	pjhbzurmjwuomgez.exe	130
PID 3924 wrote to memory of 4160	3924	pjhbzurmjwuomgez.exe	130
PID 3924 wrote to memory of 2488	3924	pjhbzurmjwuomgez.exe	132
PID 3924 wrote to memory of 2488	3924	pjhbzurmjwuomgez.exe	132
PID 3924 wrote to memory of 2488	3924	pjhbzurmjwuomgez.exe	132
PID 4444 wrote to memory of 3384	4444	nhfzxspkic.exe	134
PID 4444 wrote to memory of 3384	4444	nhfzxspkic.exe	134
PID 4444 wrote to memory of 3384	4444	nhfzxspkic.exe	134
PID 3924 wrote to memory of 2500	3924	pjhbzurmjwuomgez.exe	138
PID 3924 wrote to memory of 2500	3924	pjhbzurmjwuomgez.exe	138
PID 3924 wrote to memory of 2500	3924	pjhbzurmjwuomgez.exe	138
PID 3924 wrote to memory of 3872	3924	pjhbzurmjwuomgez.exe	140
PID 3924 wrote to memory of 3872	3924	pjhbzurmjwuomgez.exe	140

C:\Users\Admin\AppData\Local\Temp\4e0803c662828c6278a2ed6c34d3848d.exe
"C:\Users\Admin\AppData\Local\Temp\4e0803c662828c6278a2ed6c34d3848d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Temp\pjhbzurmjwuomgez.exe
  C:\Temp\pjhbzurmjwuomgez.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rljebwuomg.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4796
  - - C:\Temp\rljebwuomg.exe
      C:\Temp\rljebwuomg.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2492
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1888
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rljebwuomg.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2172
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ljdbwtomge.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4008
  - - C:\Temp\ljdbwtomge.exe
      C:\Temp\ljdbwtomge.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2484
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ljdbwtomge.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:864
  - - C:\Temp\i_ljdbwtomge.exe
      C:\Temp\i_ljdbwtomge.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4080
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\igaytqlidb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_igaytqlidb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4396
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lfdxvqniga.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4816
  - - C:\Temp\lfdxvqniga.exe
      C:\Temp\lfdxvqniga.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3636
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1372
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lfdxvqniga.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:996
  - - C:\Temp\i_lfdxvqniga.exe
      C:\Temp\i_lfdxvqniga.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3332
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ifaysqkica.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2576
  - - C:\Temp\ifaysqkica.exe
      C:\Temp\ifaysqkica.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2772
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1932
      - C:\Temp\i_pjhbzurmke.exe
        
        C:\Temp\i_pjhbzurmke.exe ups_ins
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ifaysqkica.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4160
  - - C:\Temp\i_ifaysqkica.exe
      C:\Temp\i_ifaysqkica.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4800
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nhfzxspkic.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2488
  - - C:\Temp\nhfzxspkic.exe
      C:\Temp\nhfzxspkic.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3384
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4088
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nhfzxspkic.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2500
  - - C:\Temp\i_nhfzxspkic.exe
      C:\Temp\i_nhfzxspkic.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1276
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nhfzxspkhc.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3872
  - - C:\Temp\nhfzxspkhc.exe
      C:\Temp\nhfzxspkhc.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3496
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1928
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:864
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nhfzxspkhc.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1980
  - - C:\Temp\i_nhfzxspkhc.exe
      C:\Temp\i_nhfzxspkhc.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3260
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hcwuomhezx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3928
  - - C:\Temp\hcwuomhezx.exe
      C:\Temp\hcwuomhezx.exe ups_run
      4⤵
      Executes dropped EXE
      PID:5000
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2400
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hcwuomhezx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2636
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mgezojhbzt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1556
  - - C:\Temp\mgezojhbzt.exe
      C:\Temp\mgezojhbzt.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4432
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3076
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4496
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mgezojhbzt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:508
  - - C:\Temp\i_mgezojhbzt.exe
      C:\Temp\i_mgezojhbzt.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3452
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gezwrojhbz.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4172
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gezwrojhbz.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4424
  - - C:\Temp\i_gezwrojhbz.exe
      C:\Temp\i_gezwrojhbz.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3572
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\geywqojgby.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4140
  - - C:\temp\CreateProcess.exe
      C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:3384
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2560
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_geywqojgby.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1084
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gbvtnlfdyv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2656
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gbvtnlfdyv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:216
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\igaysqlida.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2084
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_igaysqlida.exe ups_ins
    3⤵
    PID:3528
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icavsnkfdx.exe ups_run
    3⤵
    PID:4792
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_icavsnkfdx.exe ups_ins
    3⤵
    PID:1444
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icxupnhfzx.exe ups_run
    3⤵
    PID:828
  - - C:\Temp\icxupnhfzx.exe
      C:\Temp\icxupnhfzx.exe ups_run
      4⤵
      PID:548
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_icxupnhfzx.exe ups_ins
    3⤵
    PID:3184
  - - C:\Temp\i_icxupnhfzx.exe
      C:\Temp\i_icxupnhfzx.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1224
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ecwupmhezx.exe ups_run
    3⤵
    PID:4500
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ecwupmhezx.exe ups_ins
    3⤵
    PID:224
  - - C:\Temp\i_ecwupmhezx.exe
      C:\Temp\i_ecwupmhezx.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1048
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pjhbzurmke.exe ups_run
    3⤵
    PID:3288
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pjhbzurmke.exe ups_ins
    3⤵
    PID:2772
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ojebwuomge.exe ups_run
    3⤵
    PID:3716
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ojebwuomge.exe ups_ins
    3⤵
    PID:4304
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ljebwtomge.exe ups_run
    3⤵
    PID:2496
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ljebwtomge.exe ups_ins
    3⤵
    PID:4444
  - - C:\Temp\i_ljebwtomge.exe
      C:\Temp\i_ljebwtomge.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:968
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lidbvtnlgd.exe ups_run
    3⤵
    PID:2420
  - - C:\Temp\lidbvtnlgd.exe
      C:\Temp\lidbvtnlgd.exe ups_run
      4⤵
      PID:2276
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2488
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:5036
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2532

C:\Temp\i_rljebwuomg.exe
C:\Temp\i_rljebwuomg.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:3716
- C:\Temp\ojebwuomge.exe
  C:\Temp\ojebwuomge.exe ups_run
  2⤵
  PID:3212
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
    3⤵
    PID:4856

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1440

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:2476

C:\Temp\igaytqlidb.exe
C:\Temp\igaytqlidb.exe ups_run
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Temp\i_igaysqlida.exe
  C:\Temp\i_igaysqlida.exe ups_ins
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1476

C:\Temp\i_igaytqlidb.exe
C:\Temp\i_igaytqlidb.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2300

C:\Temp\i_hcwuomhezx.exe
C:\Temp\i_hcwuomhezx.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Temp\gezwrojhbz.exe
C:\Temp\gezwrojhbz.exe ups_run
1⤵
- Executes dropped EXE
PID:372
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  - Executes dropped EXE
  PID:784

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2752

C:\Temp\geywqojgby.exe
C:\Temp\geywqojgby.exe ups_run
1⤵
- Executes dropped EXE
PID:2496
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Temp\ljebwtomge.exe
  C:\Temp\ljebwtomge.exe ups_run
  2⤵
  PID:4140

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:868

C:\Temp\i_geywqojgby.exe
C:\Temp\i_geywqojgby.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Temp\gbvtnlfdyv.exe
C:\Temp\gbvtnlfdyv.exe ups_run
1⤵
- Executes dropped EXE
PID:1412
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  - Executes dropped EXE
  PID:4308

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:3688

C:\Temp\i_gbvtnlfdyv.exe
C:\Temp\i_gbvtnlfdyv.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Temp\igaysqlida.exe
C:\Temp\igaysqlida.exe ups_run
1⤵
- Executes dropped EXE
PID:940
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  - Executes dropped EXE
  PID:4108

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2204

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:2412
- C:\windows\system32\ipconfig.exe
  C:\windows\system32\ipconfig.exe /release
  2⤵
  - Gathers network information
  PID:3200

C:\Temp\icavsnkfdx.exe
C:\Temp\icavsnkfdx.exe ups_run
1⤵
PID:2888

C:\Temp\i_icavsnkfdx.exe
C:\Temp\i_icavsnkfdx.exe ups_ins
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:5024
- C:\windows\system32\ipconfig.exe
  C:\windows\system32\ipconfig.exe /release
  2⤵
  - Gathers network information
  PID:4816

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:3880

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1656

C:\Temp\ecwupmhezx.exe
C:\Temp\ecwupmhezx.exe ups_run
1⤵
PID:368

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2576

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:3776

C:\Temp\pjhbzurmke.exe
C:\Temp\pjhbzurmke.exe ups_run
1⤵
PID:1392

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:5084

C:\Temp\i_ojebwuomge.exe
C:\Temp\i_ojebwuomge.exe ups_ins
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\hcwuomhezx.exe

Filesize
132KB

MD5
bd60becee91334654eebc7773f028406

SHA1
3e6d408027e74fa14673fdfd076364674b97c81d

SHA256
07cb9163c6b26731f6e2812881dfc123f0ba474945e73185a430bd9f55e15e96

SHA512
3fb51aac5abf789f644ee57135e13e0de6f91e3263e3ee0bec46e595da1f6752d72f1edb00deeebc9eac73849f974c40d1a7714df2683b469efe35dfe322426f

Download Submit
C:\Temp\hcwuomhezx.exe

Filesize
117KB

MD5
3e2ffdb6be927d5039ce1ebca5faca02

SHA1
ed32d3cac05a9d3733dad7a37e9472d1c36fd7b4

SHA256
da7f9c5fcd933dbe28409911a05a53f8218ad3c37ba57340fc110a8b40c09e03

SHA512
06bf3ca607185eea8633d67b2dfedd31070f2b146af8eadaf852a8e5666e49d368080b393c3b397a95d1928385a13dda752daab57f047685f15b7af761f4bd8c

Download Submit
C:\Temp\i_hcwuomhezx.exe

Filesize
361KB

MD5
4ab9aae7416d305343c3a85a86776fee

SHA1
0f5c35b06c28f1505d552d298beb3c459ce4b52e

SHA256
4487ca65d60dea1a2bec6b39a3d1c3edebdf8e136ae30131079ab5fc868ef675

SHA512
23cd5429ebae31fd8ce94b58aa3cd3116e1c882a93637325fd555e9bb90ddacda92277c5df11d5dfaa2e067d9300692813d99648221f0c1fcbc1608e4222581a

Download Submit
C:\Temp\i_hcwuomhezx.exe

Filesize
255KB

MD5
c6ff3edc6c6b28a64cf6083fc1949c42

SHA1
81aa038aa68a017a11c58ce01035ad20a7c17685

SHA256
1434ff6df4beb5e5d88b2bc09a2a03d170ad68962f3e038f24b047fc8a93e34c

SHA512
e16d1a2b4b88af27345a8c314750dfac73a7da310a9d827c6511edbb7658e15444f50c2a0476127b693664c980f8d621ae4f519228a1b29d65e97a6a18149dff

Download Submit
C:\Temp\i_ifaysqkica.exe

Filesize
361KB

MD5
32b1c9c3e7f0b2b77b813e041cf724e0

SHA1
51d3a17a95a3df9b6011c2500700134ba604ba77

SHA256
aa68498ae1b0d4c9499ee42a7e206914f503211c4506e734029c9beafaf5e71f

SHA512
4ac311e80b33bfec645d093619802721827f17503b10cb43f76d57188a5ce2666199256368109239638cd907ad6a4c8a55e501c07a602c94f84e69a00721a16c

Download Submit
C:\Temp\i_igaytqlidb.exe

Filesize
361KB

MD5
bc1525e78cb38ba968c83c3c1ca8cdd0

SHA1
a5b303eeae78ff04f3c5c7d1542bfab7cd520908

SHA256
c47bc2cbb9b72b8acb9612800d03b65863af512399a4d0ec0f58e45bf49d2f44

SHA512
1bb9dbd99054962b3f4945692826d0e735a5ef48ca8611cf1fe1b3a653221b6db2e949bdd8e11a6b017141485d1072192fb8fd6b1c4fbe19a70a72a21338d0c1

Download Submit
C:\Temp\i_lfdxvqniga.exe

Filesize
361KB

MD5
752dc425f5810466769e28765b53223d

SHA1
e574d738f7bfb0b9574a8138f0ebefc2497417ea

SHA256
a6d344ceed55dddb832d02ab7676638b078f976a25a8bb3d75788ebb9b465e86

SHA512
55e3685008df346592771ab346aa8f73dcc8303218933d2d7c36ab45df151efbc68c2dc54310a945e7f62a3edc81298a891812faf78e84b8e441b278ea76c4a7

Download Submit
C:\Temp\i_ljdbwtomge.exe

Filesize
361KB

MD5
825862e537616b6b1ef4b4b59f5be3b9

SHA1
188d6b58c7d409aac8e32333be4a0e771149141b

SHA256
bd2e636544ebd3341f117601c6019ec2cc49066e2b488ed78296d96a72a6d404

SHA512
d39bd756f84f7fcbcc32056fc5990fa201afcd9d1925a774423dd0467ff74de1ce39cd3dc09b5276a132f6861a9d7fb8d9b5ad67e56f7f267dada896f7849851

Download Submit
C:\Temp\i_nhfzxspkhc.exe

Filesize
361KB

MD5
6185164ca80a6d016b87a2e77f0ed608

SHA1
4ab9723734739c41bfe0cefd5a6903f36e17fd3d

SHA256
83d954ed0d384c2d8eee884ecf9a5a6ee43955f728808c55efa401fa09c59e7d

SHA512
4d0415d5477302af54091437a3334823a8ce4b3ab66b912098beb6bb28aa9ae8fc616b1143986c12df586fce669acbbee14ce2bedc01e74bea7e2a319d6b4aff

Download Submit
C:\Temp\i_nhfzxspkic.exe

Filesize
361KB

MD5
217f416eeb14d424fc997273c40fe003

SHA1
d9c9db19d2bfb0d4fab654a492e58071c6bb8be8

SHA256
c992e811f620f26c6aca4a6c2534a2aeaae31d993503ae96d4a81a05c02902ee

SHA512
88e433cd17337383feb3328c3fc5a11eb7f8c81930d436d6a609a7d6ebd21e654a07dcc1a12a75d70eac4066f59d9e7dea030b9ab8a5ff5542cfb66465243ca5

Download Submit
C:\Temp\i_rljebwuomg.exe

Filesize
317KB

MD5
643cfbc13f706732bd64dc84ea6c0597

SHA1
427ecccb5b07c97786b805a384a0011cd7361353

SHA256
7a5489448dd79d140b723db84c154e9dcee6e5bfb1cb0d5a65aa1be3a66eeadd

SHA512
176a39c242fbecb33c388d0bc6a2a8704c0f0ca581a038cd19e2f9f0a6045ef6a080533bd8c17dce7b5c2238149eec18a103bf58caa2495366ab4dcafeea7298

Download Submit
C:\Temp\i_rljebwuomg.exe

Filesize
240KB

MD5
c7365a94b46f721fee8b9d6aba786a01

SHA1
ff8c84cd24a7c3ab1ce8f95fbc41014ea42846b0

SHA256
0560f5501f65d8ab7d25e9f0869284248134162ae7eacf6dfd43597449b4bb76

SHA512
c09b65783f6d87f77ee151e1f05fe645344eee676b843af31182dfe8e5bdd68025ee4b674428fccc5cc45a92c032195385cbc252c3ee3bde261f35db17597750

Download Submit
C:\Temp\ifaysqkica.exe

Filesize
361KB

MD5
c455d322fac28494688da5ab8a8f04ed

SHA1
7250855080dce6d336b8283c842ad8833e8a652c

SHA256
c582fc60547c1cc805f84c8d99296a8d99d9dbabb615c57143e64322570101f4

SHA512
c19231e5c6855143248e032ca8a292328adf239b7e4a532a2f2f3cd7a89eb364649bcc44c12a57699287444a620c25c7779af32282e61a8ae25eacc54d4bf13e

Download Submit
C:\Temp\igaytqlidb.exe

Filesize
212KB

MD5
10a1b4839147ea5cd5d6d04ec5167a1f

SHA1
5bed6064229a0789bf94b7b5155a82c9238f5898

SHA256
3e40982f5f777458300ecb7e20099b0ed6518f83b009e76e7cab7cb0bdffcae0

SHA512
2f90144c4d9b15c329adf99266a6dadaed6371d8bdb85591a0a07fd622dcdbf2e0d20de9ba87d12a3200e70070a402c43072cc79a0987e62d3ff0801a1002dc4

Download Submit
C:\Temp\igaytqlidb.exe

Filesize
236KB

MD5
cc46514c72fd3e07f77dbd82adae2e98

SHA1
cac96977eda4093201bc56336a92e135c19cbe51

SHA256
95b7382e3dada932b0ceb8c3507a108fa3ad35779148d5af2aaad6eeaef413b3

SHA512
00a45c2aabfb71b6b68635a300422bd4382e731ca6c9b7b970dcaae7039d1b047de1701a5f2ef9106c327118441ea048eab0c7dc56c08f06eb90872d4abdc01f

Download Submit
C:\Temp\lfdxvqniga.exe

Filesize
361KB

MD5
087c66408c4e509cf6299cde819c8f76

SHA1
1017eff42d4a1b670503d834305f9e5b5e639835

SHA256
90648b2f1512b8c4048e05de4a293847eb26b2240bed172335ec9a1b4e4d9f1f

SHA512
60d6d899dd503de54d22354aeb136acd23e0bcabf63fd4da9f64db7e2a4200e632e6cd5eaf3645ded5dfef5f9218e5f9add2c67a1951a1efa60259fcadbb8549

Download Submit
C:\Temp\ljdbwtomge.exe

Filesize
361KB

MD5
d91ebedde2158773521780d30104d937

SHA1
f57c92b74b9b1f4c562c47ff3b1fac29674caf3f

SHA256
fb272bf2e423ad1ed3c81f404f4ccee31f09ca00d81d42a8310b3f705a29f69a

SHA512
485e85522cb6d5387f1531d446e5af8dcb04d315bc9056b2aede8c68f7985b320d1cb44fe6853bd92b88aad2d9f842c39cc9559277ef53bc960f2762da7f432c

Download Submit
C:\Temp\mgezojhbzt.exe

Filesize
361KB

MD5
2809c8e3a30371dc637c6a43db2485a4

SHA1
85e30816e7ca8cf2079ca44879dfbc70fc378fac

SHA256
c7ae45548cdf8e5d7f057e1cd28fbf79d928b0effcc2ef4cbb84b3191de66b82

SHA512
6e9f19dc62353f6589753722e0011b80de90487e4268d5839e5c0e773a60609151d0c67320232e2301a407fb9eb3898ddf27c56346bd1414a1efe88b1f12eb5c

Download Submit
C:\Temp\nhfzxspkhc.exe

Filesize
361KB

MD5
cf6bf69720387e511b22dc774d1829b6

SHA1
83db0c0495a4079959d39adbd4a0463b119e48d3

SHA256
fa79ef061ae4a841a23721cc6fa0f40a55c28d5c77ea3f29c03fae3fb2ee4ea0

SHA512
7568ede24cbbcd940d52e3502fe6f7142ae7e506aef219f16ce69d942b64c94ee7351886820aa351f282053934a79b15907cef259d106b25b4a3e0c7e9a2bae3

Download Submit
C:\Temp\nhfzxspkic.exe

Filesize
361KB

MD5
55ae352153ef9799a4acabb0577778e8

SHA1
12612dfea33f7a19586094dbe2933b58df7ecf82

SHA256
10c3a757068dd821fbc301dc0941e0a2c07c3d6beb355aa8303c12fec5b18ea6

SHA512
b7dd05b2d87c364e004f02502fe36e45f5500cd0ca69dbdd87c7668dbee383ed98c2c7211b8699d1292ba6e6683e15fca7f8c031f6a32eccd10f78a2b216fef8

Download Submit
C:\Temp\pjhbzurmjwuomgez.exe

Filesize
361KB

MD5
0f8786ef1ff2db5dab7716358575a4e9

SHA1
c9df4e1a25b05938a87a739f818d60692254a6f0

SHA256
3b18e671e32c77e1c8f2e1843df2b8635e7b34ac132c13894a52a5f6806aad60

SHA512
f0ad1cfd0947e6f5795147221516ce5e4b9f9439e480b59a37b17e23a0d139c2e6025dd6bfc049d6da62f4bf97759f6a5f3ddbad5e2f51e5b1061b5d583586af

Download Submit
C:\Temp\rljebwuomg.exe

Filesize
361KB

MD5
088c49c39e6b30163f3e0dab7209b9c3

SHA1
89945e524003530664e97b11517999d05f76c17a

SHA256
4b382636b258f4faf8274c60ea21ef9ee61151c7b71a8bb16d06c211095eb6f9

SHA512
8686b368ba3f78e913e21bf7f7c9e92c9e2c237b2570104e817ad7f951d86fb85057fb292bcf45e5ba0801a185032eb02372bf4bebd65576524f69a9d90061a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verEE67.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSO8CY24\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
4146d4ec526ffba56265653a49fc8524

SHA1
5598b256928122fab221993767784c66ce3ee093

SHA256
cef7c5f53ce6ba445f5a13f64ebce2b5419fd458757ae0366e84618ccad8b7fd

SHA512
da42badb42e5bde7c5deff3a12aaf56068639b363ef8ffd96aa46f0dae2875b953f04f34ac866010970f8be16eed3a7a20c8ff0f485e4399e5e64704c66d1efa

Download Submit