57e3d7d41b6acba67fca3266332a845e4404b43c250bb25e355a652b6625309a

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 18:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

005fd10ab899743879332429df6c74ee.exe
Size

361KB
MD5

005fd10ab899743879332429df6c74ee
SHA1

4007b6468794423fc30a804f542c05b177887826
SHA256

57e3d7d41b6acba67fca3266332a845e4404b43c250bb25e355a652b6625309a
SHA512

9fd026a0c264f3f6983955dceafb834a39c336bb058974b1c7e6fd3449d4a68eebcf5b66ad584a9b6732447d02769230eba3e7ca0cbf5f2ab946a2aa6af050dc
SSDEEP

6144:lflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:lflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2336	bwuomgeywrojhbzt.exe
4856	CreateProcess.exe
4968	gwrojhbztr.exe
4776	CreateProcess.exe
5112	CreateProcess.exe
4500	i_gwrojhbztr.exe
3928	CreateProcess.exe
4740	gbztrljdbw.exe
1884	CreateProcess.exe
4228	CreateProcess.exe
4304	i_gbztrljdbw.exe
1924	CreateProcess.exe
4180	ytnljdbvtn.exe
4108	CreateProcess.exe
3124	CreateProcess.exe
2208	i_ytnljdbvtn.exe
2704	CreateProcess.exe
4556	qlidavtnlf.exe
824	CreateProcess.exe
332	CreateProcess.exe
1280	i_qlidavtnlf.exe
4440	CreateProcess.exe
4708	hfaxsqkica.exe
3028	CreateProcess.exe
824	CreateProcess.exe
4488	i_hfaxsqkica.exe
4284	CreateProcess.exe
3544	nifaxsqkic.exe
2004	CreateProcess.exe
4604	CreateProcess.exe
3404	i_nifaxsqkic.exe
1332	CreateProcess.exe
5072	fzxrpkhczu.exe
4488	CreateProcess.exe
4300	CreateProcess.exe
332	i_fzxrpkhczu.exe
536	CreateProcess.exe
2004	uomhezxrpj.exe
3396	CreateProcess.exe
2016	CreateProcess.exe
2756	i_uomhezxrpj.exe
4176	CreateProcess.exe
4052	pjecwuomge.exe
4824	CreateProcess.exe
4148	CreateProcess.exe
3148	i_pjecwuomge.exe
1652	CreateProcess.exe
4672	ojhbztrlje.exe
4692	CreateProcess.exe
4924	CreateProcess.exe
3028	i_ojhbztrlje.exe
4604	CreateProcess.exe
3404	jdyvtolgey.exe
3284	CreateProcess.exe
824	CreateProcess.exe
3068	i_jdyvtolgey.exe
4528	CreateProcess.exe
2288	gaysqlidav.exe
4564	CreateProcess.exe
4004	CreateProcess.exe
3412	i_gaysqlidav.exe
1924	CreateProcess.exe
4892	idavlfdxvq.exe
4832	CreateProcess.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4968	ipconfig.exe
3104	ipconfig.exe
3604	ipconfig.exe
1332	ipconfig.exe
2916	ipconfig.exe
4984	ipconfig.exe
1808	ipconfig.exe
1552	ipconfig.exe
3452	ipconfig.exe
4672	ipconfig.exe
532	ipconfig.exe
4556	ipconfig.exe
4308	ipconfig.exe
2728	ipconfig.exe
1956	ipconfig.exe
2224	ipconfig.exe
4308	ipconfig.exe
3124	ipconfig.exe
4968	ipconfig.exe
1164	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3156108100"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31079910"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3156108100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cfa71eb1212ca24fab6a788c17de6221000000000200000000001066000000010000200000004dbfd538d6c9d6ab96116097e4a37eabf837365efeee76cd86c42b6242d8c20f000000000e8000000002000020000000946bdbb0c6609a542fcf30da2a32e74f591d24380f0e3cc11403cc75e4c4c36620000000bfb8833abe3485fbe37c70e6faf9c0d643326bf2c1a644fff6f7dc1a944dd26b400000002b999f9332179163e0117a243f4347a14fd87be4a9998027b9cf0628bf49abd57f67bd120bb0b3190bbe8575e8056405823bc1490a6c13eed394c969352789b0	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cfa71eb1212ca24fab6a788c17de622100000000020000000000106600000001000020000000d35f7753620dad9eabe52034c951d18eacb6169f0bcf04e913aecbb93b127c01000000000e800000000200002000000065fbfd70794e704a405aafef24d07075a206aef4107524dcca56cc41bb554af020000000f9e3f2a2b7f60a7dd91b3fa1d5023fd5480616122c1dd997a44f5eb800d017ad40000000fe87ee2ea4706a7cdbda8cef41dbb66b5d189e3933afc52de254e84cc1047ae754028a1e734d08212c51cc3e9899b410c4b04d7f01e449bab5764fade67abd4c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f00f5ebae63dda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E54B57F2-A9D9-11EE-9ECD-EA184F49D407} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e03b65bae63dda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3156108100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411011356"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31079910"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31079910"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31079910"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3156108100"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
2336	bwuomgeywrojhbzt.exe
4284	005fd10ab899743879332429df6c74ee.exe
2336	bwuomgeywrojhbzt.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
2336	bwuomgeywrojhbzt.exe
2336	bwuomgeywrojhbzt.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
2336	bwuomgeywrojhbzt.exe
4284	005fd10ab899743879332429df6c74ee.exe
2336	bwuomgeywrojhbzt.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
2336	bwuomgeywrojhbzt.exe
2336	bwuomgeywrojhbzt.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
2336	bwuomgeywrojhbzt.exe
4284	005fd10ab899743879332429df6c74ee.exe
2336	bwuomgeywrojhbzt.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
2336	bwuomgeywrojhbzt.exe
2336	bwuomgeywrojhbzt.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
2336	bwuomgeywrojhbzt.exe
2336	bwuomgeywrojhbzt.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe
4284	005fd10ab899743879332429df6c74ee.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4500	i_gwrojhbztr.exe
Token: SeDebugPrivilege	4304	i_gbztrljdbw.exe
Token: SeDebugPrivilege	2208	i_ytnljdbvtn.exe
Token: SeDebugPrivilege	1280	i_qlidavtnlf.exe
Token: SeDebugPrivilege	4488	i_hfaxsqkica.exe
Token: SeDebugPrivilege	3404	i_nifaxsqkic.exe
Token: SeDebugPrivilege	332	i_fzxrpkhczu.exe
Token: SeDebugPrivilege	2756	i_uomhezxrpj.exe
Token: SeDebugPrivilege	3148	i_pjecwuomge.exe
Token: SeDebugPrivilege	3028	i_ojhbztrlje.exe
Token: SeDebugPrivilege	3068	i_jdyvtolgey.exe
Token: SeDebugPrivilege	3412	i_gaysqlidav.exe
Token: SeDebugPrivilege	816	i_idavlfdxvq.exe
Token: SeDebugPrivilege	4880	i_cxvpnifaxs.exe
Token: SeDebugPrivilege	2720	i_ausmkfcxvp.exe
Token: SeDebugPrivilege	216	i_rpkhcausmk.exe
Token: SeDebugPrivilege	2916	i_xrmkecwupe.exe
Token: SeDebugPrivilege	3932	i_rpjhbztrmj.exe
Token: SeDebugPrivilege	4372	i_ljdbwtomge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1400	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1400	iexplore.exe
1400	iexplore.exe
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 2336	4284	005fd10ab899743879332429df6c74ee.exe	94
PID 4284 wrote to memory of 2336	4284	005fd10ab899743879332429df6c74ee.exe	94
PID 4284 wrote to memory of 2336	4284	005fd10ab899743879332429df6c74ee.exe	94
PID 4284 wrote to memory of 1400	4284	005fd10ab899743879332429df6c74ee.exe	95
PID 4284 wrote to memory of 1400	4284	005fd10ab899743879332429df6c74ee.exe	95
PID 1400 wrote to memory of 3020	1400	iexplore.exe	96
PID 1400 wrote to memory of 3020	1400	iexplore.exe	96
PID 1400 wrote to memory of 3020	1400	iexplore.exe	96
PID 2336 wrote to memory of 4856	2336	bwuomgeywrojhbzt.exe	99
PID 2336 wrote to memory of 4856	2336	bwuomgeywrojhbzt.exe	99
PID 2336 wrote to memory of 4856	2336	bwuomgeywrojhbzt.exe	99
PID 4968 wrote to memory of 4776	4968	gwrojhbztr.exe	102
PID 4968 wrote to memory of 4776	4968	gwrojhbztr.exe	102
PID 4968 wrote to memory of 4776	4968	gwrojhbztr.exe	102
PID 2336 wrote to memory of 5112	2336	bwuomgeywrojhbzt.exe	107
PID 2336 wrote to memory of 5112	2336	bwuomgeywrojhbzt.exe	107
PID 2336 wrote to memory of 5112	2336	bwuomgeywrojhbzt.exe	107
PID 2336 wrote to memory of 3928	2336	bwuomgeywrojhbzt.exe	112
PID 2336 wrote to memory of 3928	2336	bwuomgeywrojhbzt.exe	112
PID 2336 wrote to memory of 3928	2336	bwuomgeywrojhbzt.exe	112
PID 4740 wrote to memory of 1884	4740	gbztrljdbw.exe	114
PID 4740 wrote to memory of 1884	4740	gbztrljdbw.exe	114
PID 4740 wrote to memory of 1884	4740	gbztrljdbw.exe	114
PID 2336 wrote to memory of 4228	2336	bwuomgeywrojhbzt.exe	117
PID 2336 wrote to memory of 4228	2336	bwuomgeywrojhbzt.exe	117
PID 2336 wrote to memory of 4228	2336	bwuomgeywrojhbzt.exe	117
PID 2336 wrote to memory of 1924	2336	bwuomgeywrojhbzt.exe	119
PID 2336 wrote to memory of 1924	2336	bwuomgeywrojhbzt.exe	119
PID 2336 wrote to memory of 1924	2336	bwuomgeywrojhbzt.exe	119
PID 4180 wrote to memory of 4108	4180	ytnljdbvtn.exe	121
PID 4180 wrote to memory of 4108	4180	ytnljdbvtn.exe	121
PID 4180 wrote to memory of 4108	4180	ytnljdbvtn.exe	121
PID 2336 wrote to memory of 3124	2336	bwuomgeywrojhbzt.exe	124
PID 2336 wrote to memory of 3124	2336	bwuomgeywrojhbzt.exe	124
PID 2336 wrote to memory of 3124	2336	bwuomgeywrojhbzt.exe	124
PID 2336 wrote to memory of 2704	2336	bwuomgeywrojhbzt.exe	126
PID 2336 wrote to memory of 2704	2336	bwuomgeywrojhbzt.exe	126
PID 2336 wrote to memory of 2704	2336	bwuomgeywrojhbzt.exe	126
PID 4556 wrote to memory of 824	4556	qlidavtnlf.exe	128
PID 4556 wrote to memory of 824	4556	qlidavtnlf.exe	128
PID 4556 wrote to memory of 824	4556	qlidavtnlf.exe	128
PID 2336 wrote to memory of 332	2336	bwuomgeywrojhbzt.exe	133
PID 2336 wrote to memory of 332	2336	bwuomgeywrojhbzt.exe	133
PID 2336 wrote to memory of 332	2336	bwuomgeywrojhbzt.exe	133
PID 2336 wrote to memory of 4440	2336	bwuomgeywrojhbzt.exe	136
PID 2336 wrote to memory of 4440	2336	bwuomgeywrojhbzt.exe	136
PID 2336 wrote to memory of 4440	2336	bwuomgeywrojhbzt.exe	136
PID 4708 wrote to memory of 3028	4708	hfaxsqkica.exe	138
PID 4708 wrote to memory of 3028	4708	hfaxsqkica.exe	138
PID 4708 wrote to memory of 3028	4708	hfaxsqkica.exe	138
PID 2336 wrote to memory of 824	2336	bwuomgeywrojhbzt.exe	141
PID 2336 wrote to memory of 824	2336	bwuomgeywrojhbzt.exe	141
PID 2336 wrote to memory of 824	2336	bwuomgeywrojhbzt.exe	141
PID 2336 wrote to memory of 4284	2336	bwuomgeywrojhbzt.exe	143
PID 2336 wrote to memory of 4284	2336	bwuomgeywrojhbzt.exe	143
PID 2336 wrote to memory of 4284	2336	bwuomgeywrojhbzt.exe	143
PID 3544 wrote to memory of 2004	3544	nifaxsqkic.exe	145
PID 3544 wrote to memory of 2004	3544	nifaxsqkic.exe	145
PID 3544 wrote to memory of 2004	3544	nifaxsqkic.exe	145
PID 2336 wrote to memory of 4604	2336	bwuomgeywrojhbzt.exe	148
PID 2336 wrote to memory of 4604	2336	bwuomgeywrojhbzt.exe	148
PID 2336 wrote to memory of 4604	2336	bwuomgeywrojhbzt.exe	148
PID 2336 wrote to memory of 1332	2336	bwuomgeywrojhbzt.exe	150
PID 2336 wrote to memory of 1332	2336	bwuomgeywrojhbzt.exe	150

C:\Users\Admin\AppData\Local\Temp\005fd10ab899743879332429df6c74ee.exe
"C:\Users\Admin\AppData\Local\Temp\005fd10ab899743879332429df6c74ee.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Temp\bwuomgeywrojhbzt.exe
  C:\Temp\bwuomgeywrojhbzt.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gwrojhbztr.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4856
  - - C:\Temp\gwrojhbztr.exe
      C:\Temp\gwrojhbztr.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4776
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4984
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gwrojhbztr.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:5112
  - - C:\Temp\i_gwrojhbztr.exe
      C:\Temp\i_gwrojhbztr.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4500
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gbztrljdbw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3928
  - - C:\Temp\gbztrljdbw.exe
      C:\Temp\gbztrljdbw.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1884
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4672
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gbztrljdbw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4228
  - - C:\Temp\i_gbztrljdbw.exe
      C:\Temp\i_gbztrljdbw.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4304
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ytnljdbvtn.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1924
  - - C:\Temp\ytnljdbvtn.exe
      C:\Temp\ytnljdbvtn.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4108
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4968
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ytnljdbvtn.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3124
  - - C:\Temp\i_ytnljdbvtn.exe
      C:\Temp\i_ytnljdbvtn.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2208
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qlidavtnlf.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2704
  - - C:\Temp\qlidavtnlf.exe
      C:\Temp\qlidavtnlf.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:824
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4308
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qlidavtnlf.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:332
  - - C:\Temp\i_qlidavtnlf.exe
      C:\Temp\i_qlidavtnlf.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1280
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hfaxsqkica.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4440
  - - C:\Temp\hfaxsqkica.exe
      C:\Temp\hfaxsqkica.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3028
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3124
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hfaxsqkica.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:824
  - - C:\Temp\i_hfaxsqkica.exe
      C:\Temp\i_hfaxsqkica.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4488
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nifaxsqkic.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4284
  - - C:\Temp\nifaxsqkic.exe
      C:\Temp\nifaxsqkic.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3544
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2004
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:532
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nifaxsqkic.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4604
  - - C:\Temp\i_nifaxsqkic.exe
      C:\Temp\i_nifaxsqkic.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3404
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\fzxrpkhczu.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1332
  - - C:\Temp\fzxrpkhczu.exe
      C:\Temp\fzxrpkhczu.exe ups_run
      4⤵
      Executes dropped EXE
      PID:5072
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4488
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1808
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_fzxrpkhczu.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4300
  - - C:\Temp\i_fzxrpkhczu.exe
      C:\Temp\i_fzxrpkhczu.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:332
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\uomhezxrpj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:536
  - - C:\Temp\uomhezxrpj.exe
      C:\Temp\uomhezxrpj.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2004
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3396
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4968
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_uomhezxrpj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2016
  - - C:\Temp\i_uomhezxrpj.exe
      C:\Temp\i_uomhezxrpj.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2756
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pjecwuomge.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4176
  - - C:\Temp\pjecwuomge.exe
      C:\Temp\pjecwuomge.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4052
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4824
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4556
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pjecwuomge.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4148
  - - C:\Temp\i_pjecwuomge.exe
      C:\Temp\i_pjecwuomge.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3148
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ojhbztrlje.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1652
  - - C:\Temp\ojhbztrlje.exe
      C:\Temp\ojhbztrlje.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4672
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4692
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1552
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ojhbztrlje.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4924
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jdyvtolgey.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4604
  - - C:\Temp\jdyvtolgey.exe
      C:\Temp\jdyvtolgey.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3404
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3284
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4308
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jdyvtolgey.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:824
  - - C:\Temp\i_jdyvtolgey.exe
      C:\Temp\i_jdyvtolgey.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3068
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gaysqlidav.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4528
  - - C:\Temp\gaysqlidav.exe
      C:\Temp\gaysqlidav.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2288
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4564
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1164
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gaysqlidav.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4004
  - - C:\Temp\i_gaysqlidav.exe
      C:\Temp\i_gaysqlidav.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3412
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\idavlfdxvq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1924
  - - C:\Temp\idavlfdxvq.exe
      C:\Temp\idavlfdxvq.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4892
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4832
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2728
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_idavlfdxvq.exe ups_ins
    3⤵
    PID:4160
  - - C:\Temp\i_idavlfdxvq.exe
      C:\Temp\i_idavlfdxvq.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:816
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\cxvpnifaxs.exe ups_run
    3⤵
    PID:1236
  - - C:\Temp\cxvpnifaxs.exe
      C:\Temp\cxvpnifaxs.exe ups_run
      4⤵
      PID:3408
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1092
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3104
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_cxvpnifaxs.exe ups_ins
    3⤵
    PID:4028
  - - C:\Temp\i_cxvpnifaxs.exe
      C:\Temp\i_cxvpnifaxs.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4880
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ausmkfcxvp.exe ups_run
    3⤵
    PID:4464
  - - C:\Temp\ausmkfcxvp.exe
      C:\Temp\ausmkfcxvp.exe ups_run
      4⤵
      PID:2072
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1164
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3604
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ausmkfcxvp.exe ups_ins
    3⤵
    PID:2224
  - - C:\Temp\i_ausmkfcxvp.exe
      C:\Temp\i_ausmkfcxvp.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2720
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rpkhcausmk.exe ups_run
    3⤵
    PID:4968
  - - C:\Temp\rpkhcausmk.exe
      C:\Temp\rpkhcausmk.exe ups_run
      4⤵
      PID:116
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4548
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3452
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rpkhcausmk.exe ups_ins
    3⤵
    PID:4172
  - - C:\Temp\i_rpkhcausmk.exe
      C:\Temp\i_rpkhcausmk.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:216
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrmkecwupe.exe ups_run
    3⤵
    PID:1448
  - - C:\Temp\xrmkecwupe.exe
      C:\Temp\xrmkecwupe.exe ups_run
      4⤵
      PID:3700
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2968
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1956
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrmkecwupe.exe ups_ins
    3⤵
    PID:4896
  - - C:\Temp\i_xrmkecwupe.exe
      C:\Temp\i_xrmkecwupe.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2916
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rpjhbztrmj.exe ups_run
    3⤵
    PID:3728
  - - C:\Temp\rpjhbztrmj.exe
      C:\Temp\rpjhbztrmj.exe ups_run
      4⤵
      PID:4760
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:452
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1332
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rpjhbztrmj.exe ups_ins
    3⤵
    PID:2464
  - - C:\Temp\i_rpjhbztrmj.exe
      C:\Temp\i_rpjhbztrmj.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3932
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ljdbwtomge.exe ups_run
    3⤵
    PID:4984
  - - C:\Temp\ljdbwtomge.exe
      C:\Temp\ljdbwtomge.exe ups_run
      4⤵
      PID:532
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2720
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2224
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ljdbwtomge.exe ups_ins
    3⤵
    PID:4336
  - - C:\Temp\i_ljdbwtomge.exe
      C:\Temp\i_ljdbwtomge.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4372
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\igaytqlidb.exe ups_run
    3⤵
    PID:628
  - - C:\Temp\igaytqlidb.exe
      C:\Temp\igaytqlidb.exe ups_run
      4⤵
      PID:5068
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2332
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2916
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1400 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3020

C:\Temp\i_ojhbztrlje.exe
C:\Temp\i_ojhbztrlje.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
01c41bcc2a14c2c44562ddb065dee9e3

SHA1
8919ca053f083b1878926175fcd135d6db59b16f

SHA256
7c32df6b6e814a0d4778f736bdcb1a7b9da9a69d933c10660e46bb660d66e405

SHA512
964e16a309a476535007d4af7a77777b4d572e9d81125272be0469ad4c3facf2e80140d2d7d56add08b28abd61f9f6b674a31f8e1627337c53e3b0ea55258929

Download Submit
C:\Temp\bwuomgeywrojhbzt.exe

Filesize
361KB

MD5
bb0d4ff9802e5853773b88cd9f7ab90e

SHA1
4f19c7bbd9ec47eb40265fafefa528deb323f01a

SHA256
4a5db89716bb6bd57108a4c5f630b35eda39638b50215d911e308252611be742

SHA512
b013de5bc8d4da37fa8f692c929c0874e0315aded650c4d45941369afc656cf246616c98dbeb6a2e302ca41f11998f017b283b166ed92eec5c7bdafb3e821dd0

Download Submit
C:\Temp\fzxrpkhczu.exe

Filesize
361KB

MD5
728840f9040c610ee27133ccc6542242

SHA1
c2a1ef16b65f1941000cfe09eaf7daf23f5abc8d

SHA256
077f21ae47f2e1924c8c59abe72d9d230d4014bf90934a54fd666d48c7611a43

SHA512
a99cf727270ace4347cf43b6148914981c71cd06c6ae6c7ebd30e5d6294969a41dbf9c7ebcae48e1526edbcf32bb9a22ec443dfcdce9b0cc2ac7a38ae984a373

Download Submit
C:\Temp\gbztrljdbw.exe

Filesize
361KB

MD5
73ec968be36878c9cf1a42d9bcf27721

SHA1
a4742eff8fa818cb0b8d6d14ef108b3ac49562f3

SHA256
98735abc9214bb2d17fa907161f4b67d856bd27e4c45b5ebec94a18bc70735b6

SHA512
15af75b3d7c6c7a49da775aab3817c424123c7676ef740e1bede6dd3c781bccc9f371fa0bfe4959b5d29c5810aabc6caa09083ad376d5750d998a99495bb00f9

Download Submit
C:\Temp\gwrojhbztr.exe

Filesize
361KB

MD5
064bdb1106ac6ba09cfb7e64c30fb620

SHA1
23cdbb3fba6abf418add8798c4c791660dcbc9c7

SHA256
d9491694efcbb1abfd8416c8994ba08a5f055c040a601462ce546eece05cf8eb

SHA512
fa64e9128d3cf60b7c911d6743626c820142414dd34cc16373078fc71010bc64ea5fa57694c6385b3a106f698b82a87c9372c39d8b3d703f19ba60b744581ca6

Download Submit
C:\Temp\hfaxsqkica.exe

Filesize
361KB

MD5
da14a8e67d30e9d3e786338991be25ee

SHA1
222dca6bbbc354dce0488df1c56a9fd310815d13

SHA256
d65aaaf223b42249495fa17b1f72f7882d00f0bf3c84d7e39251ea382734485d

SHA512
e6ee428cb8d8c35d0256a368a55779de6c087e96293dbdcc7ea7ee12552b6e8e48bba1922d176a95c73277c0ebf32dbf6c0840b62832632db3765e134422130a

Download Submit
C:\Temp\i_fzxrpkhczu.exe

Filesize
361KB

MD5
9697b0ca130d0cd6cd34d2567fac9481

SHA1
e9e729bb52e6f7a9af471cdab11a14b6253383be

SHA256
67de7c2b26fe1628d60fb69bee3e80481c9cc1d7e56200f07e4952638924e72c

SHA512
a3fde3d9e1c4e99f1c6a335d8941eb3d00c89360870df351f2a187ef66cd187f2abeafc5df30d05c2fa06da66e5137113bd792220734f29b2ce1b014771730a2

Download Submit
C:\Temp\i_gbztrljdbw.exe

Filesize
361KB

MD5
e110aeb126354842a694c483726bdf7e

SHA1
4ac5ff9405e802d7df6250a8ecec891754c27a03

SHA256
d28c9a2284ae2eba7520ea66176a389e0656f61939977ffaa6ec114cc9eb30bd

SHA512
5a7d1287075fcf7d11ea9b94412102997d8a241155afca5dfc53d6e7d225ce54ba91a02a702df398778e6bee8b474c66e713dd7dd5f15340cbda2b12eef62f7a

Download Submit
C:\Temp\i_gwrojhbztr.exe

Filesize
361KB

MD5
078171f1c0e66f8da8fe10515f212eea

SHA1
790645fcfa2a5b83c7c6b75c186a72a9e7260f19

SHA256
f08364e14a3e462e7173604ef91cf3f711973da823674974fbb2a07ceb47a9c5

SHA512
4591a821568f8a202c29330ba019ab7601f38f559994aaa832345646fd81d0e5afac4e348a32ab7f09836bde26bc775df78a67f2630092ccf085dabea20bb7b8

Download Submit
C:\Temp\i_hfaxsqkica.exe

Filesize
361KB

MD5
32b1c9c3e7f0b2b77b813e041cf724e0

SHA1
51d3a17a95a3df9b6011c2500700134ba604ba77

SHA256
aa68498ae1b0d4c9499ee42a7e206914f503211c4506e734029c9beafaf5e71f

SHA512
4ac311e80b33bfec645d093619802721827f17503b10cb43f76d57188a5ce2666199256368109239638cd907ad6a4c8a55e501c07a602c94f84e69a00721a16c

Download Submit
C:\Temp\i_nifaxsqkic.exe

Filesize
361KB

MD5
d0961bed36de9923a33a1e3c6e440230

SHA1
14dfa64922dd7b7d00a55c4e50edd3f0fccc5ec0

SHA256
7fbefae7f75f291cbe242a7f814316e0938293b67a65dd7676b002bff7816530

SHA512
98f5f01ad4b2d074bf98cf6b2dd06cea79bb469629905772c3448103d911d555a57a53be7fa35c1079527ff15f97735a898a7d00c6b6432427f4f810ab8644ad

Download Submit
C:\Temp\i_qlidavtnlf.exe

Filesize
361KB

MD5
4e46fbd906f4c6b138a6b3c142662177

SHA1
708c7bed9a948884240a8aade09758f3802c84ae

SHA256
3778484852a7b04aee4abfa1cb34857054df04cd69175d75132d7b628f02ae8d

SHA512
4aecfd338a2de2d61380e90cf45e7809f907a8f8bc8daf919e8b5644d782f3f0e9e66a240d26b00fe8c285004ae11f30197a0c7c2a41c73bf2e2575762d330b6

Download Submit
C:\Temp\i_uomhezxrpj.exe

Filesize
361KB

MD5
93de31c4421c4718c2d6202e50d1a0c2

SHA1
f9b0e30e4b25009a915e8bc829bdbc529168ca5f

SHA256
bae7f5328cf113ce38d9723270479ea4bdca4afae29c74b8562060be8c0337e8

SHA512
d83e13a9d1a079df24e5482fac8e821fd854188f1ce7cdba0a12be5bcab95e2121f257031c3069f6d720a0ed774cc642b1cd0124c98511a5ed2ccdb7c42d8067

Download Submit
C:\Temp\i_ytnljdbvtn.exe

Filesize
361KB

MD5
be0a533e3f2d1f6c4b66fd39c35145b7

SHA1
f326e03f38030cc61e8baa7c847feaa3e4aee35a

SHA256
91d8497d5cc9a231148aa99cea8394502f0399d57424afb559ebc58f6a472af8

SHA512
7c8d16c34301b93fd01f62aeb478d49db918c5779af5e80c81cf54220dd710b161e933f34d001ac6cfa4d2c61ff381c45325c424fd68592ac30e2432271db07f

Download Submit
C:\Temp\nifaxsqkic.exe

Filesize
361KB

MD5
cbf735d2d48801b94429ff222e610618

SHA1
df52d389c558ce2904aa95ee49d9a4fac5dfaf17

SHA256
9e39bfcacb14e68474477ce8b1ade396a77ff8b62ccc70d6383137e94a63b095

SHA512
ea792a8e0e0b2d28ff658404c290ef7b3cafd4d1584bc3e6f813c23f994fd9b6e958f7af63fcf255a2d05128e2625c139a6a4f69f35d5f18e04cf4983dd89baa

Download Submit
C:\Temp\pjecwuomge.exe

Filesize
361KB

MD5
64497a23780777e654b2405b951cc807

SHA1
5970aaf348546748cd429b9ea57ec83ad424e286

SHA256
8d15be90baad811e3d5f29e52992d12a4a2e313689919f45bf45b0e9425a300f

SHA512
86c8adfa45b39e5fe1704c34467a1b25cb3c6d0d69bc9231f6cfc354786573ac73952b5c29f5e9ab7568c53973e438f3d0cdefec4165c91b8048aca60b78da16

Download Submit
C:\Temp\qlidavtnlf.exe

Filesize
241KB

MD5
bd6ade33409fedbb5bb425b1fd237b20

SHA1
ea297e2c6af4be5106d9770d76e4ee9db981477f

SHA256
2680fb27e4f1fc6546c1ab765e83fa9229fe43c5f7eaff6303368697b8a51ec9

SHA512
31dafcc454db4eb0b5691b22cbce7af5cd6889a5f410bc2fe567ed073290d0d3c0e86b45b5c2ada15fddf519039def6c2e765bb5d071d99bdee13a8cdb93cf4c

Download Submit
C:\Temp\qlidavtnlf.exe

Filesize
361KB

MD5
3076d9909661f2abede363a1998b5b5b

SHA1
089d0216d1f89ed1bc62038628502d474fd93c31

SHA256
cd3087460e77daf9a931ea266ff1be65b688a459827545f921bd63fca8cc97a2

SHA512
1c065a10187f61c4a49167daa33a5000df2386191de45da1dea4a8aa8a237457c462e5a6b6af2d01f2d3a6457b177f8440d3637b38fce0884a1c0f522a55013e

Download Submit
C:\Temp\uomhezxrpj.exe

Filesize
361KB

MD5
d48b9629f15eed8e5846a8b1055ad4af

SHA1
6ff3b8ef8af317ccffcb5927d276ce78501e8d94

SHA256
6fca3d6f9a647e0cbf91f9cd8da2b680570a6c03bd367d53f416ea01057a7076

SHA512
8291bbe39ed2823810fdd6ed109ca62b1a34670e337c4feb4617a3dfaaa5ceadcf9d66c631b71f826cdf41a4c1be070ffec0009d6d8cdeaade8c06eb9f830802

Download Submit
C:\Temp\ytnljdbvtn.exe

Filesize
361KB

MD5
5c75cfcffcb26c7df564d18d5e14b03c

SHA1
15ecad3d7e35d415d77fb5f9c57cd8cdf62f0db2

SHA256
39dcfc5fed52c65dc21d9365d3abc47354c83ab81a55dcf540cb4b5622fe3bf7

SHA512
651d2ccd9f712a41a7410bfac622818054c7a77e3ff199e65e743cf0edc813130041ba582d12b0edd4e4dee26a8e1a56557f34c19619bb47a26f965bb8d21054

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD8DB.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0SGFK56Z\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/4672-28-0x00007FFAAB890000-0x00007FFAAB898000-memory.dmp

Filesize
32KB

Download