f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a

Analysis

max time kernel
155s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe
Size

226KB
MD5

3cffb3967b37b1389f0258c0d5b04dd9
SHA1

dc2b6732fa4990b5eb2e6706901be269f9897b1b
SHA256

f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a
SHA512

7a4d689a20e330a482ac35fe83f20c5cbb7049433266e89a864767fca531cf73cf924ccbfa1a1b8d27aa20a60c3a901864b6a35108281986886f321514d71206
SSDEEP

3072:WGSyY4L+c2JhX7ypa3rV3dZPFvOAngoRUAFa1nxayHdXkb5kA7:NXY4LK+a3lLNngoqRttA7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4844	CP.exe
1492	ausmkfcxup.exe
3772	CP.exe
2432	CP.exe
1796	i_ausmkfcxup.exe
2664	CP.exe
3848	ecwuomgezw.exe
3800	CP.exe
1464	CP.exe
4768	i_ecwuomgezw.exe
4572	CP.exe
3256	rojhbzurmj.exe
4844	CP.exe
4536	CP.exe
2432	i_rojhbzurmj.exe
2896	CP.exe
4748	tolgeywqoi.exe
752	CP.exe
4744	CP.exe
4328	i_tolgeywqoi.exe
4784	CP.exe
3256	qlidavtnlf.exe
1724	CP.exe
384	CP.exe
2024	i_qlidavtnlf.exe
4372	CP.exe
1312	qnifaysqki.exe
2064	CP.exe
3936	CP.exe
4244	i_qnifaysqki.exe
1924	CP.exe
3736	fzxspkhcau.exe
4572	CP.exe
4028	CP.exe
4844	i_fzxspkhcau.exe
2024	CP.exe
4908	ezxrpjhczu.exe
3472	CP.exe
3620	CP.exe
4024	i_ezxrpjhczu.exe
4872	CP.exe
3748	hbzurmbwuo.exe
4088	CP.exe
1724	CP.exe
4348	i_hbzurmbwuo.exe
4844	CP.exe
4028	uomgezwroj.exe
4100	CP.exe
1148	CP.exe
4652	i_uomgezwroj.exe
3532	CP.exe
4604	bwtomgeywq.exe
2288	CP.exe
1692	CP.exe
1732	i_bwtomgeywq.exe
5000	CP.exe
2992	qoigaysqli.exe
4764	CP.exe
5076	CP.exe
3004	i_qoigaysqli.exe
4080	CP.exe
4236	avtnlfdxvq.exe
4028	CP.exe
3800	CP.exe

Gathers network information 2 TTPs 17 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3736	ipconfig.exe
4232	ipconfig.exe
3440	ipconfig.exe
2352	ipconfig.exe
3004	ipconfig.exe
3720	ipconfig.exe
4080	ipconfig.exe
460	ipconfig.exe
1732	ipconfig.exe
5076	ipconfig.exe
2876	ipconfig.exe
3000	ipconfig.exe
1480	ipconfig.exe
3020	ipconfig.exe
5016	ipconfig.exe
3160	ipconfig.exe
3256	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8BDE19D1-DCED-11EE-B9F7-F2C20ACFDC46}.dat = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8BDE19CF-DCED-11EE-B9F7-F2C20ACFDC46} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: LoadsDriver 16 IoCs

pid	Process
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	i_ausmkfcxup.exe
Token: SeDebugPrivilege	4768	i_ecwuomgezw.exe
Token: SeDebugPrivilege	2432	i_rojhbzurmj.exe
Token: SeDebugPrivilege	4328	i_tolgeywqoi.exe
Token: SeDebugPrivilege	2024	i_qlidavtnlf.exe
Token: SeDebugPrivilege	4244	i_qnifaysqki.exe
Token: SeDebugPrivilege	4844	i_fzxspkhcau.exe
Token: SeDebugPrivilege	4024	i_ezxrpjhczu.exe
Token: SeDebugPrivilege	4348	i_hbzurmbwuo.exe
Token: SeDebugPrivilege	4652	i_uomgezwroj.exe
Token: SeDebugPrivilege	1732	i_bwtomgeywq.exe
Token: SeDebugPrivilege	3004	i_qoigaysqli.exe
Token: SeDebugPrivilege	3620	i_avtnlfdxvq.exe
Token: SeDebugPrivilege	3736	i_avsnkfdxvp.exe
Token: SeDebugPrivilege	1876	i_kfzxspkica.exe
Token: SeDebugPrivilege	2664	i_zxrpkhczus.exe
Token: SeDebugPrivilege	4700	i_bzurmjecwu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4392	iexplore.exe
4392	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 4392	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	97
PID 2240 wrote to memory of 4392	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	97
PID 2240 wrote to memory of 4844	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	98
PID 2240 wrote to memory of 4844	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	98
PID 2240 wrote to memory of 4844	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	98
PID 4392 wrote to memory of 1148	4392	iexplore.exe	99
PID 4392 wrote to memory of 1148	4392	iexplore.exe	99
PID 4392 wrote to memory of 1148	4392	iexplore.exe	99
PID 1492 wrote to memory of 3772	1492	ausmkfcxup.exe	102
PID 1492 wrote to memory of 3772	1492	ausmkfcxup.exe	102
PID 1492 wrote to memory of 3772	1492	ausmkfcxup.exe	102
PID 2240 wrote to memory of 2432	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	106
PID 2240 wrote to memory of 2432	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	106
PID 2240 wrote to memory of 2432	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	106
PID 2240 wrote to memory of 2664	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	108
PID 2240 wrote to memory of 2664	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	108
PID 2240 wrote to memory of 2664	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	108
PID 3848 wrote to memory of 3800	3848	ecwuomgezw.exe	110
PID 3848 wrote to memory of 3800	3848	ecwuomgezw.exe	110
PID 3848 wrote to memory of 3800	3848	ecwuomgezw.exe	110
PID 2240 wrote to memory of 1464	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	114
PID 2240 wrote to memory of 1464	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	114
PID 2240 wrote to memory of 1464	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	114
PID 2240 wrote to memory of 4572	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	118
PID 2240 wrote to memory of 4572	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	118
PID 2240 wrote to memory of 4572	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	118
PID 3256 wrote to memory of 4844	3256	rojhbzurmj.exe	120
PID 3256 wrote to memory of 4844	3256	rojhbzurmj.exe	120
PID 3256 wrote to memory of 4844	3256	rojhbzurmj.exe	120
PID 2240 wrote to memory of 4536	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	123
PID 2240 wrote to memory of 4536	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	123
PID 2240 wrote to memory of 4536	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	123
PID 2240 wrote to memory of 2896	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	125
PID 2240 wrote to memory of 2896	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	125
PID 2240 wrote to memory of 2896	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	125
PID 4748 wrote to memory of 752	4748	tolgeywqoi.exe	127
PID 4748 wrote to memory of 752	4748	tolgeywqoi.exe	127
PID 4748 wrote to memory of 752	4748	tolgeywqoi.exe	127
PID 2240 wrote to memory of 4744	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	131
PID 2240 wrote to memory of 4744	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	131
PID 2240 wrote to memory of 4744	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	131
PID 2240 wrote to memory of 4784	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	136
PID 2240 wrote to memory of 4784	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	136
PID 2240 wrote to memory of 4784	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	136
PID 3256 wrote to memory of 1724	3256	qlidavtnlf.exe	138
PID 3256 wrote to memory of 1724	3256	qlidavtnlf.exe	138
PID 3256 wrote to memory of 1724	3256	qlidavtnlf.exe	138
PID 2240 wrote to memory of 384	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	142
PID 2240 wrote to memory of 384	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	142
PID 2240 wrote to memory of 384	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	142
PID 2240 wrote to memory of 4372	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	146
PID 2240 wrote to memory of 4372	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	146
PID 2240 wrote to memory of 4372	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	146
PID 1312 wrote to memory of 2064	1312	qnifaysqki.exe	148
PID 1312 wrote to memory of 2064	1312	qnifaysqki.exe	148
PID 1312 wrote to memory of 2064	1312	qnifaysqki.exe	148
PID 2240 wrote to memory of 3936	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	151
PID 2240 wrote to memory of 3936	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	151
PID 2240 wrote to memory of 3936	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	151
PID 2240 wrote to memory of 1924	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	154
PID 2240 wrote to memory of 1924	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	154
PID 2240 wrote to memory of 1924	2240	f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe	154
PID 3736 wrote to memory of 4572	3736	fzxspkhcau.exe	156
PID 3736 wrote to memory of 4572	3736	fzxspkhcau.exe	156

C:\Users\Admin\AppData\Local\Temp\f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe
"C:\Users\Admin\AppData\Local\Temp\f3ecf097a6a7e92a7b8ccd916bf3b4f2631597792a1ea334220e1a3911c7283a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4392 CREDAT:17410 /prefetch:2
    3⤵
    PID:1148
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\ausmkfcxup.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:4844
- - C:\Temp\ausmkfcxup.exe
    C:\Temp\ausmkfcxup.exe ups_run
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:3772
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1480
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_ausmkfcxup.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2432
- - C:\Temp\i_ausmkfcxup.exe
    C:\Temp\i_ausmkfcxup.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\ecwuomgezw.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2664
- - C:\Temp\ecwuomgezw.exe
    C:\Temp\ecwuomgezw.exe ups_run
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:3800
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:3020
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_ecwuomgezw.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1464
- - C:\Temp\i_ecwuomgezw.exe
    C:\Temp\i_ecwuomgezw.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\rojhbzurmj.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:4572
- - C:\Temp\rojhbzurmj.exe
    C:\Temp\rojhbzurmj.exe ups_run
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:4844
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:460
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_rojhbzurmj.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:4536
- - C:\Temp\i_rojhbzurmj.exe
    C:\Temp\i_rojhbzurmj.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\tolgeywqoi.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2896
- - C:\Temp\tolgeywqoi.exe
    C:\Temp\tolgeywqoi.exe ups_run
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:752
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:5016
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_tolgeywqoi.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:4744
- - C:\Temp\i_tolgeywqoi.exe
    C:\Temp\i_tolgeywqoi.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\qlidavtnlf.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:4784
- - C:\Temp\qlidavtnlf.exe
    C:\Temp\qlidavtnlf.exe ups_run
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:1724
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:3736
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_qlidavtnlf.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:384
- - C:\Temp\i_qlidavtnlf.exe
    C:\Temp\i_qlidavtnlf.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\qnifaysqki.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:4372
- - C:\Temp\qnifaysqki.exe
    C:\Temp\qnifaysqki.exe ups_run
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2064
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1732
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_qnifaysqki.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:3936
- - C:\Temp\i_qnifaysqki.exe
    C:\Temp\i_qnifaysqki.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4244
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\fzxspkhcau.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:1924
- - C:\Temp\fzxspkhcau.exe
    C:\Temp\fzxspkhcau.exe ups_run
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:4572
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:5076
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_fzxspkhcau.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:4028
- - C:\Temp\i_fzxspkhcau.exe
    C:\Temp\i_fzxspkhcau.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\ezxrpjhczu.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2024
- - C:\Temp\ezxrpjhczu.exe
    C:\Temp\ezxrpjhczu.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4908
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:3472
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2876
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_ezxrpjhczu.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:3620
- - C:\Temp\i_ezxrpjhczu.exe
    C:\Temp\i_ezxrpjhczu.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4024
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\hbzurmbwuo.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:4872
- - C:\Temp\hbzurmbwuo.exe
    C:\Temp\hbzurmbwuo.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3748
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:4088
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:3004
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_hbzurmbwuo.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1724
- - C:\Temp\i_hbzurmbwuo.exe
    C:\Temp\i_hbzurmbwuo.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4348
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\uomgezwroj.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:4844
- - C:\Temp\uomgezwroj.exe
    C:\Temp\uomgezwroj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4028
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:4100
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:4232
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_uomgezwroj.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1148
- - C:\Temp\i_uomgezwroj.exe
    C:\Temp\i_uomgezwroj.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\bwtomgeywq.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:3532
- - C:\Temp\bwtomgeywq.exe
    C:\Temp\bwtomgeywq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4604
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2288
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:3160
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_bwtomgeywq.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1692
- - C:\Temp\i_bwtomgeywq.exe
    C:\Temp\i_bwtomgeywq.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\qoigaysqli.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:5000
- - C:\Temp\qoigaysqli.exe
    C:\Temp\qoigaysqli.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2992
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:4764
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:3440
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_qoigaysqli.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:5076
- - C:\Temp\i_qoigaysqli.exe
    C:\Temp\i_qoigaysqli.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\avtnlfdxvq.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:4080
- - C:\Temp\avtnlfdxvq.exe
    C:\Temp\avtnlfdxvq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4236
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:4028
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:3720
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_avtnlfdxvq.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:3800
- - C:\Temp\i_avtnlfdxvq.exe
    C:\Temp\i_avtnlfdxvq.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3620
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\avsnkfdxvp.exe ups_run
  2⤵
  PID:1076
- - C:\Temp\avsnkfdxvp.exe
    C:\Temp\avsnkfdxvp.exe ups_run
    3⤵
    PID:368
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:4088
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:3256
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_avsnkfdxvp.exe ups_ins
  2⤵
  PID:3704
- - C:\Temp\i_avsnkfdxvp.exe
    C:\Temp\i_avsnkfdxvp.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\kfzxspkica.exe ups_run
  2⤵
  PID:3720
- - C:\Temp\kfzxspkica.exe
    C:\Temp\kfzxspkica.exe ups_run
    3⤵
    PID:4992
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:4236
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:4080
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_kfzxspkica.exe ups_ins
  2⤵
  PID:3816
- - C:\Temp\i_kfzxspkica.exe
    C:\Temp\i_kfzxspkica.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\zxrpkhczus.exe ups_run
  2⤵
  PID:1400
- - C:\Temp\zxrpkhczus.exe
    C:\Temp\zxrpkhczus.exe ups_run
    3⤵
    PID:3736
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:3704
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:3000
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_zxrpkhczus.exe ups_ins
  2⤵
  PID:2952
- - C:\Temp\i_zxrpkhczus.exe
    C:\Temp\i_zxrpkhczus.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\bzurmjecwu.exe ups_run
  2⤵
  PID:4044
- - C:\Temp\bzurmjecwu.exe
    C:\Temp\bzurmjecwu.exe ups_run
    3⤵
    PID:2516
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:1908
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2352
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_bzurmjecwu.exe ups_ins
  2⤵
  PID:4816
- - C:\Temp\i_bzurmjecwu.exe
    C:\Temp\i_bzurmjecwu.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CP.exe

Filesize
4KB

MD5
0da87487a46ac0b219dfc10ebb7dbc09

SHA1
a58ed225df243160327f19f2d03ccb60693c562b

SHA256
88d1f04b969503b4d87d7c986ed8f2f830a9f85073fbea644e380692ab3d997c

SHA512
cbcae2c33b3e87e76b34a228115178a587797620e0047704d3d50ad39ea453b32a544bbc6c229347ee3e658d3dcc656c46fe42e90d3210383ad5c76852e198f4

Download Submit
C:\Temp\ausmkfcxup.exe

Filesize
226KB

MD5
891060e9f0b351d35526d9d842474789

SHA1
1337e327fc67c285c27066664b5d127539470490

SHA256
ee7a24022630da5ebcf92962a26e99330b20a90492e7cb9aae9fa04716a68175

SHA512
6084d9511acf9191ab0be4053a38ae25bf6c26938f3c94e856c504efb22ea430ba9f0c3afe06f8fc744f8a1a418c38ca7ad3ac37169754113a50da895dd8bbe4

Download Submit
C:\Temp\ecwuomgezw.exe

Filesize
226KB

MD5
b6ee70754687c7e1cd154881668ed8e6

SHA1
22f10793376b3af59e2279b557c84b949dc40ead

SHA256
33ad9807e62d4588475cfe1469ce6ac993a7daff942dc8957b9959c84560fbb3

SHA512
e0fa3e5f865563418a864a42b591d5d1cbaac26ab0ab07881b0f118467f5eb863b2b0c240f051c3e7854d4670ac2e05ba48af94c08b21298979c94001200474c

Download Submit
C:\Temp\ezxrpjhczu.exe

Filesize
226KB

MD5
cc48e83de1d701cd9a5a29c04a65df8a

SHA1
67abd09f99c370eb6eff1e2d8a2f16bb0dd4c49c

SHA256
a6e5c072a3312158b9bc3ec8b7f84b6cfef94c6cab9fb85c2c47c7625c909dca

SHA512
a3f5ecea4c27104f40e08e1cfa53994d391c598a6e9358806668c56e2c863f839ed62650b10c5b88d7d8caf07a2e21881d7c462326dbe4f1f312ee23d58b53e3

Download Submit
C:\Temp\fzxspkhcau.exe

Filesize
226KB

MD5
dafc3edab9170b6d3dcace5ba7a27497

SHA1
e75143171a7a3893e559690ba780e75dd822e9b6

SHA256
2d9b87309e1a267f845afe94b6b63e12ffde44d3cd0e52d692bae62af613ec29

SHA512
354c92fc7a291d15ae4eed1056cf2e6553a58ccda0be0322972ebda9826920970622ba5ca9cf3ea854b0a06992c463620ceca8d0ceb5ed1a014e83abe6e9523e

Download Submit
C:\Temp\hbzurmbwuo.exe

Filesize
226KB

MD5
621a77c0fc82dcde792d0675db043406

SHA1
d220fc9cc80b5183280619c53935ad658a7c7749

SHA256
564b5dd86fa60c015597cc8114d467a636e16b8d6ccdf9c758ede9caada293a1

SHA512
a52306abe4fdf5672995d97a839ec618ff00fd7531b5ced5372634ee2a110e5c2db85e01f7b233ac9bc3fe9c913d3050c751f91c7f24025a74785a27d7bc9dba

Download Submit
C:\Temp\i_ausmkfcxup.exe

Filesize
226KB

MD5
cb3cd0f766d1285e508dbbc4c9760ad2

SHA1
e4a186f5a7aae97a79de4c5096d0ff64252cd784

SHA256
99d8b161341bd1dde042eefb59dbc4814eb10e9f799b9356ccb2b32a9b4420a4

SHA512
eab0458be1abe097bf81e1d6bb19413661cf876e906ed3ab7bef193ee3f762c4a6bbd6d9b0d19bdcff105c36f1c52e60986346b50ac9c899a568612b3d544400

Download Submit
C:\Temp\i_ecwuomgezw.exe

Filesize
226KB

MD5
419f004ca3ed2e1fd4ef09523c36d57d

SHA1
1fdce37af7009d68bb48a799f9ec788fd05c7f28

SHA256
e1b2bf1613a188ef9e1f8ca294ab4f99a6acd565c438882da9f2f188d986c6a6

SHA512
c03f4a65df788568c07dc98b70c2052852729a0d2958ecac332afa8b79ba24eeea8fcc8a04a43aa39adeb47f48291db381cd210ce2b5752d669d08c5f7b6f1be

Download Submit
C:\Temp\i_ezxrpjhczu.exe

Filesize
226KB

MD5
c279fe9e73d89419822d00e50e633241

SHA1
0e3faa56f01fa7e7b5aa650a95f7c4edbc299c1a

SHA256
924f1460af15a03d0286507aa09e477c8799955622e76df17b2d268be233e3b6

SHA512
94e668e456534a96410c947805f0ca5a3ff374cc916a45ed7fcc24980c24c47aaff899bd0e552ae77cce388d152b91a1e2aa90ad71234653ed343f461332c453

Download Submit
C:\Temp\i_fzxspkhcau.exe

Filesize
226KB

MD5
b6d95d51a49279356224fb39219b8f71

SHA1
38bc0dd5d556ab69758365d8b491086b6c610cae

SHA256
19c952d2678795ef5fc98ce01599a5fbb8c5de7346b92cf3b65114b8e1606773

SHA512
764dc9992699846c24e38dc1e023d5137d00d54d5a6161fd8c4eb2a57e12361f30887bff01a2fc956d2aaef89f57815e8b0124f8c0d681990c48b299d6e5fc66

Download Submit
C:\Temp\i_hbzurmbwuo.exe

Filesize
226KB

MD5
d86b1cc98cbec2a1de0123deb695973b

SHA1
d8ded4a8776a6314877276e9e45f022c5cdefbf0

SHA256
48aff9b092bb84410c9fd49c8bd8de1b4d8ac0f8e8452344614f54322cbe91c2

SHA512
44296f4b37673a646ccde8e2b37116b169a7da6e8092f55174f46fc5338ffa3a9308845f40660e2af7c3c624b34838a82dfc74b20c4fe7429a1dfef7afb227fb

Download Submit
C:\Temp\i_qlidavtnlf.exe

Filesize
157KB

MD5
67bf81649ae82573849e2a4275615012

SHA1
d343649b5b268ec80130b52a9964d9dc27b0a54d

SHA256
233a95e81c8eead14c5b52ad6e8661838fd3dafeaca922af26b8376f03d80286

SHA512
a6aa0c4e6347e1affa2b0786208efe20fa31472e28762daba437d74362b72cdaa76b1e9b4e0b9888bf03175903c131fa36b5d4795a2f3617e3454b8e4249d633

Download Submit
C:\Temp\i_qlidavtnlf.exe

Filesize
116KB

MD5
a2a83ef889776a9e25fdc362992cca77

SHA1
8c0557a14652828afc55c349f8e78126a2d8f9c1

SHA256
526396ce22a60313fb3b1d7d8a38f88597455cda3afc09afd8c73048fc663268

SHA512
ab3bd28d571b2b00fef9d28cc0d8cc14c151a34eff04ca5083a6321ad0f12216e61cc40ab17834ac6cc7edcba89f8e0e487e6dfec37f872f6921ad2868c9dd87

Download Submit
C:\Temp\i_qnifaysqki.exe

Filesize
226KB

MD5
776a3e67091c46e7d1d1cb71d32cb681

SHA1
a7e7dcc4938613d9a90ee8f449400fe7951ddb31

SHA256
26d42d56773d9238ead85890f7283cf8955fa61d49c8c549b0ba5e61cf6f567e

SHA512
307d369257ea9bdc16705a41e15ea9c376696bf98285d492180c5262d06651faae4a8cf39862ff274f046acbfe18a43cf73add4b8bfecccef84771d3a052baa2

Download Submit
C:\Temp\i_rojhbzurmj.exe

Filesize
226KB

MD5
bd3c23c995be6c41f99e363ba8326395

SHA1
c771629a0749e44f9c61a1f51c3a4f2cb477385d

SHA256
24ff35268d85cc405c703f3d460cda9c92162120d682ce655bc4dcba40f4c99b

SHA512
323ec1d5ca05eb1031be07837bc9a48f0a2474982eebc32f39f2481cb0778365e75634cae7c22b037adc2d82d37c15e35b9e2325c48e0d1091d54a6e7aa6f2cf

Download Submit
C:\Temp\i_tolgeywqoi.exe

Filesize
226KB

MD5
009cc57a6b6e28aa3ff098f9072af76f

SHA1
1d2df8a8ea4ec6c62e2cb6d1e1ed2c81feee0132

SHA256
dc007c9b4d097c14635f054cd357c75783fa24faf158a8a82a3efa8339ce8dc7

SHA512
94b32d8502cfc530991c96e7965cf0198121efc1d2f3866a13ff289da1d0424947321d4c66d5b549442017f24efcb44645d135eb8e51a9cd93eeeba21141536f

Download Submit
C:\Temp\qlidavtnlf.exe

Filesize
226KB

MD5
140385b49027cc255cdfc5684a8469b7

SHA1
c0c94d98e1bb5898704ddf6e1fccb866497efd01

SHA256
9b7192ae7d1165501805488a2a2e1df629451a1022ac6df9e83495e94fa056c9

SHA512
abeb8bb44456f8c02ee380bd033a5c9d1c8a7a7b21666874fc11abf57bd95be484ea7ef086b899e991f6d9bbefbb08d310a54247df04e299419fdc9b9cf5dd83

Download Submit
C:\Temp\qnifaysqki.exe

Filesize
226KB

MD5
3018d97b9c550ba342da0b8b823b909a

SHA1
e50fb79feef4751fbd05976e31493d2ba72d078f

SHA256
9f093708e40bc13f637508f7402be020c7c3e7d00521a258c7bf365bc22d336f

SHA512
5b8370dccb08d2f32c5c743b47830955ae97c1136bc1a2f45021634af4a3c090f73433dd6b6bee633a32ed37882e54c2c04af24eba8ded687d8448b41895aeb7

Download Submit
C:\Temp\rojhbzurmj.exe

Filesize
226KB

MD5
24e232b93793e773e516ce781e681e53

SHA1
507ef68ab16d078bdfc186360a90d979d04df9c5

SHA256
5376fae901b282bba3bc78d1376f28c573bcb45dc1538eb285388accaffeac80

SHA512
2c08f42dedff83fb14e81b91b977bf9575ddccf48fa629775c600016b7175200debe2b595ed4e21d1d7cc20b21f00c2e1d318d3fb92d2a1b6e48e736888ab0ac

Download Submit
C:\Temp\tolgeywqoi.exe

Filesize
226KB

MD5
b7fb95a6ba53180e4865ebcab46bfc74

SHA1
0d1610860487be8c276df07f3d3b12581fba5067

SHA256
4bcccbd3a0e4638a5d483b45e5cb1b6a7ea705fa59934d8b9372062fdb35615a

SHA512
37757654e49a44a63545c401689b93b0a0f06da75d21b14aef1138b1bb98f670b19d56c34d71c16ca8901373f37063238a43d6817f45853b8d88febc91d5df1e

Download Submit