Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/03/2024, 21:58

General

  • Target

    5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe

  • Size

    361KB

  • MD5

    ad9a8ff45ebc40af2cb5d07ed709f57e

  • SHA1

    f3d334c9b70dc1e9ab192f5e37cd198782707ba1

  • SHA256

    5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1

  • SHA512

    c17c77f9cd587547540532465f041a3a65fc15c57237a470a01a5e94b0b2a8ca0acf06bcda8bcf6258e5e8f3c6f58a6b675cb4ceafade7afa2f30683b7ff82c2

  • SSDEEP

    6144:rflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:rflfAsiVGjSGecvX

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 62 IoCs
  • Gathers network information 2 TTPs 20 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
    "C:\Users\Admin\AppData\Local\Temp\5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Temp\cwrpjhbwuomgbytr.exe
      C:\Temp\cwrpjhbwuomgbytr.exe run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\gavtnlfays.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2388
        • C:\Temp\gavtnlfays.exe
          C:\Temp\gavtnlfays.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2584
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2496
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2460
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_gavtnlfays.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2888
        • C:\Temp\i_gavtnlfays.exe
          C:\Temp\i_gavtnlfays.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1032
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\kfdxvpkhca.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1652
        • C:\Temp\kfdxvpkhca.exe
          C:\Temp\kfdxvpkhca.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2108
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1676
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2352
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_kfdxvpkhca.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1680
        • C:\Temp\i_kfdxvpkhca.exe
          C:\Temp\i_kfdxvpkhca.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1812
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ausnhfzxrm.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2192
        • C:\Temp\ausnhfzxrm.exe
          C:\Temp\ausnhfzxrm.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:296
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1852
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1796
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ausnhfzxrm.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1128
        • C:\Temp\i_ausnhfzxrm.exe
          C:\Temp\i_ausnhfzxrm.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2108
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\xspkecwupj.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:772
        • C:\Temp\xspkecwupj.exe
          C:\Temp\xspkecwupj.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1960
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:496
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1728
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_xspkecwupj.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2320
        • C:\Temp\i_xspkecwupj.exe
          C:\Temp\i_xspkecwupj.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2328
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\jhczuomgez.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2548
        • C:\Temp\jhczuomgez.exe
          C:\Temp\jhczuomgez.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2204
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2800
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2100
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_jhczuomgez.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:556
        • C:\Temp\i_jhczuomgez.exe
          C:\Temp\i_jhczuomgez.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:576
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\cwuojgbzto.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1664
        • C:\Temp\cwuojgbzto.exe
          C:\Temp\cwuojgbzto.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3024
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2424
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1144
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_cwuojgbzto.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2404
        • C:\Temp\i_cwuojgbzto.exe
          C:\Temp\i_cwuojgbzto.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1876
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\zwrobvtolg.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1000
        • C:\Temp\zwrobvtolg.exe
          C:\Temp\zwrobvtolg.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1044
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2288
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1632
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_zwrobvtolg.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2152
        • C:\Temp\i_zwrobvtolg.exe
          C:\Temp\i_zwrobvtolg.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1556
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\oigbytnlgd.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2996
        • C:\Temp\oigbytnlgd.exe
          C:\Temp\oigbytnlgd.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1640
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2160
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2924
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_oigbytnlgd.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:376
        • C:\Temp\i_oigbytnlgd.exe
          C:\Temp\i_oigbytnlgd.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1660
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\dbvtnigays.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2196
        • C:\Temp\dbvtnigays.exe
          C:\Temp\dbvtnigays.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2228
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1724
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1264
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_dbvtnigays.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1312
        • C:\Temp\i_dbvtnigays.exe
          C:\Temp\i_dbvtnigays.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2916
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\vqnicavsnh.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2520
        • C:\Temp\vqnicavsnh.exe
          C:\Temp\vqnicavsnh.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3052
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1656
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2676
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_vqnicavsnh.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2952
        • C:\Temp\i_vqnicavsnh.exe
          C:\Temp\i_vqnicavsnh.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1984
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\snlfaxsqke.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1028
        • C:\Temp\snlfaxsqke.exe
          C:\Temp\snlfaxsqke.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1876
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1588
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2404
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_snlfaxsqke.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:916
        • C:\Temp\i_snlfaxsqke.exe
          C:\Temp\i_snlfaxsqke.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1964
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\hfaxsmkfcx.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1636
        • C:\Temp\hfaxsmkfcx.exe
          C:\Temp\hfaxsmkfcx.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2980
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2992
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1780
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_hfaxsmkfcx.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1556
        • C:\Temp\i_hfaxsmkfcx.exe
          C:\Temp\i_hfaxsmkfcx.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2152
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\zxsmkecxrp.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:904
        • C:\Temp\zxsmkecxrp.exe
          C:\Temp\zxsmkecxrp.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1516
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2216
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2116
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_zxsmkecxrp.exe ups_ins
        3⤵
        PID:2212
        • C:\Temp\i_zxsmkecxrp.exe
          C:\Temp\i_zxsmkecxrp.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1348
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\smhezxrlje.exe ups_run
        3⤵
        PID:2660
        • C:\Temp\smhezxrlje.exe
          C:\Temp\smhezxrlje.exe ups_run
          4⤵
          • Loads dropped DLL
          PID:1744
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:1724
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1740
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_smhezxrlje.exe ups_ins
        3⤵
        PID:1284
        • C:\Temp\i_smhezxrlje.exe
          C:\Temp\i_smhezxrlje.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2728
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\pjhbzuomge.exe ups_run
        3⤵
        PID:2748
        • C:\Temp\pjhbzuomge.exe
          C:\Temp\pjhbzuomge.exe ups_run
          4⤵
          • Loads dropped DLL
          PID:2744
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2480
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1924
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_pjhbzuomge.exe ups_ins
        3⤵
        PID:1032
        • C:\Temp\i_pjhbzuomge.exe
          C:\Temp\i_pjhbzuomge.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2856
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\hbwuomgbyt.exe ups_run
        3⤵
        PID:2468
        • C:\Temp\hbwuomgbyt.exe
          C:\Temp\hbwuomgbyt.exe ups_run
          4⤵
          • Loads dropped DLL
          PID:2644
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2532
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2236
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_hbwuomgbyt.exe ups_ins
        3⤵
        PID:2476
        • C:\Temp\i_hbwuomgbyt.exe
          C:\Temp\i_hbwuomgbyt.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2956
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\wqojgbvtnl.exe ups_run
        3⤵
        PID:2024
        • C:\Temp\wqojgbvtnl.exe
          C:\Temp\wqojgbvtnl.exe ups_run
          4⤵
          • Loads dropped DLL
          PID:2140
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2180
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1204
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_wqojgbvtnl.exe ups_ins
        3⤵
        PID:2108
        • C:\Temp\i_wqojgbvtnl.exe
          C:\Temp\i_wqojgbvtnl.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1128
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ljdbvqniga.exe ups_run
        3⤵
        PID:292
        • C:\Temp\ljdbvqniga.exe
          C:\Temp\ljdbvqniga.exe ups_run
          4⤵
          • Loads dropped DLL
          PID:912
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:1772
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:344
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ljdbvqniga.exe ups_ins
        3⤵
        PID:320
        • C:\Temp\i_ljdbvqniga.exe
          C:\Temp\i_ljdbvqniga.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1012
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\lgdysqkidx.exe ups_run
        3⤵
        PID:2144
        • C:\Temp\lgdysqkidx.exe
          C:\Temp\lgdysqkidx.exe ups_run
          4⤵
          • Loads dropped DLL
          PID:1988
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2628
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2324
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_lgdysqkidx.exe ups_ins
        3⤵
        PID:808
        • C:\Temp\i_lgdysqkidx.exe
          C:\Temp\i_lgdysqkidx.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:784
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\aysqkfdxvp.exe ups_run
        3⤵
        PID:556
        • C:\Temp\aysqkfdxvp.exe
          C:\Temp\aysqkfdxvp.exe ups_run
          4⤵
          • Loads dropped DLL
          PID:580
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:656
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1612
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_aysqkfdxvp.exe ups_ins
        3⤵
        PID:2424
        • C:\Temp\i_aysqkfdxvp.exe
          C:\Temp\i_aysqkfdxvp.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3024
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Temp\CreateProcess.exe

    Filesize

    3KB

    MD5

    77c643cb8d60f7a070dc8776fe0e0182

    SHA1

    555ec707a2158259c6c79746312de7f1bc531691

    SHA256

    4b937961d8aab6772c6f863437542a82942099a4901f662142c84ebcc55c71ac

    SHA512

    099ecf46bed6026dfefe61dfc2c99f63d8b5b6a15abfeaa16b28aa60c9f1e3d92927f8ca5b7f35fd85cc67213dafc67310698f0e5bf67b7d26e6f2b4ec8a6ce8

  • C:\Temp\ausnhfzxrm.exe

    Filesize

    361KB

    MD5

    b814e3ec9f062104242b6ed9cd919745

    SHA1

    46ea948438b821202b6965e584ab5f738c189308

    SHA256

    81f5551dc16ba25e98852c8a88a3453f15495e3b019f124034912c8f21190317

    SHA512

    c440d4cb9bf696b1551be5e1504666e6267371e62014dabf8bde80d8971a7a6c41cd66c5847898d64421234c475ddc826ad246552f06007d432178327d14a049

  • C:\Temp\cwuojgbzto.exe

    Filesize

    361KB

    MD5

    6b18de590d65dcf2ed28a1cde98147ab

    SHA1

    15cbbe82a472b8cf08e8fa2412f2d474292fa249

    SHA256

    a60da04994be464f5996d6bc9fd85728a349687e1d45be7ba9a61e945f4c4cbb

    SHA512

    6e6829cf805402ca8ca8a0e86b227f51d28640b68d0b8fe26106e3f66a23fefb95d4d3cef26b19e196f8141e071845139284ae647ef3b773cd8439447714d5be

  • C:\Temp\gavtnlfays.exe

    Filesize

    361KB

    MD5

    e5a230c11b6fb905b25eee7dc6744ac4

    SHA1

    c13c76646c1af9982dacba585fd5105395ba9552

    SHA256

    8a75b038579c1a81d896e56924cd2643f1cd255e2029a0143f9fd6da0acf2c66

    SHA512

    c2a088cad9e418ccf20ddedf92f2da649a8c7dc82ff2aa8a6e332c5d8f293a35bbb2248f809f523a6329ba42902c6cf5d1b424e3dec1a9f412ff6b6605572d0d

  • C:\Temp\i_ausnhfzxrm.exe

    Filesize

    361KB

    MD5

    bdfb9f57f9269a0dd71b6649fa2f1577

    SHA1

    5f6c81f3f83d8a18479e13a0ee4309ecf96a1808

    SHA256

    32633c9e28ddd0e355d8c5b8ef5f9ea2d906ec77b17ed0d305e0345650d87d40

    SHA512

    879bf1029b37dbb847a89b262adb8e6625d680146dfcdb05426554133e89052df57ed733635c9ebcfd1ef3d94a62fc9a8590dd41f86ce3a841e62b0381c7bda9

  • C:\Temp\i_cwuojgbzto.exe

    Filesize

    361KB

    MD5

    a3c770442a409a01e47c4b7cc2703a13

    SHA1

    88b499c5f02295252a738d6c0cd554d4c0e68818

    SHA256

    6cb4527ea13c1c03888b070c718c5443b5e97b1e3963554b3c6b0a6ae86379bc

    SHA512

    e4dec15b500e3ea1dcd9fba232fe53d61d1b6d386d665eff8afa857aa7abe6a4d618b1e0436c853677ff9779a20b2911f418d070d93d6477a3038071dd908b64

  • C:\Temp\i_gavtnlfays.exe

    Filesize

    361KB

    MD5

    df3c3f3f56a56f341a42cfc06df5110f

    SHA1

    24d7b43b56fa58376553efa977943c268a26ce35

                                                SHA256

                                                7bf1caaea37ec729df6579d773787889f5bf29e3b4595094069b568b52be32ea

                                                SHA512

                                                05a80c7fe41d8a2d255de7d2070e34de5373f6bc1714b29e28872ade802f2516311b3c3b87245a9103b74e474cbf84732de706fc94c4ce2d1849e1759c5f99a0

                                              • C:\Temp\i_jhczuomgez.exe

                                                Filesize

                                                361KB

                                                MD5

                                                44213d8a5d8ae0add1f4769d6f1eb039

                                                SHA1

                                                8d26358b9d987d7b7b65a34917559ecbe9894e86

                                                SHA256

                                                636a6fa578f5ac40f8bb0e12c5c28332c846c3e49d8f389084ce047d616a1f83

                                                SHA512

                                                d2ab9b38fa56dd0f0b2e96055b8ad12e808748011136c690587b93f14941460165a6d4fdc5e2b30522a8c6253620e14d20a34ede530393987d23067f94dd6e0e

                                              • C:\Temp\i_kfdxvpkhca.exe

                                                Filesize

                                                361KB

                                                MD5

                                                21e57aade5a299598e47ceb088ff6023

                                                SHA1

                                                0225b0c19cfca55cfea1cae1bc550ec92a6829bd

                                                SHA256

                                                3d9208a8516bf2bfd3828e90b57d2b9b5eb12a5f98bed33d7c2d1d137778143f

                                                SHA512

                                                f02e1efc083769c16528a17ac3b92ecae45b5f4e748641341559a1924f18ea68b7a19b73319b3df0a3ca6ae7ce402fab351fd05dc6d23213ef1cd74cf151553e

                                              • C:\Temp\i_xspkecwupj.exe

                                                Filesize

                                                361KB

                                                MD5

                                                57041c68ec8685773c2c108f0c037d65

                                                SHA1

                                                047dc8cd438de80e8f64f7e936482a97316f626f

                                                SHA256

                                                d5b15db1261847e8bf0ee2509655a1871807c6782d2f2c0c8f52836242f7c01c

                                                SHA512

                                                c08b456c68b3cd9f3bd59bb9a70ff4de20d71fc60348541342a4e0b6c068dee928ccf81b7d9c5cb7a18835d4b8f670d9aad1018bb43d23764c9a1578658dac06

                                              • C:\Temp\i_zwrobvtolg.exe

                                                Filesize

                                                361KB

                                                MD5

                                                d3fcd32bcc51f8657c0dac7cc7ac073a

                                                SHA1

                                                787095dd0c183cfbe2a10115881d30cc88412a3a

                                                SHA256

                                                bf2d66feae8b30c9cc232c28654ce5d12f5ba833ae2146b27767654ce65da210

                                                SHA512

                                                918237acd018d9f36ddf15655234d6cdd7c23bbd1ecd4fad3a9f61aae40e9155bdc4ec8450a4f795a38d295fd78c188e5d75dc68b93a3f417ba7b0d15f71f0a4

                                              • C:\Temp\jhczuomgez.exe

                                                Filesize

                                                361KB

                                                MD5

                                                b6d0bd97a8b390299252becb8c06e1ad

                                                SHA1

                                                e9162ebbb2ae67dc72a1b37cb1b0daccc2a0c30e

                                                SHA256

                                                ccb7b9d52cbaf5a4c97c9f054ef8ec0f87555114f7aa5a3b502a830906dbfd40

                                                SHA512

                                                9794c89217c234a6b187b1f536ef3715207e73ba765b734a3b275123155849f0f6febcf95f5e1e345d2af2c54b5cbf98c5bbea7c773568dbd1782bce950bc02a

                                              • C:\Temp\kfdxvpkhca.exe

                                                Filesize

                                                361KB

                                                MD5

                                                e107ce3300052c90714fcf6b3b0a8546

                                                SHA1

                                                d88ed1d5747fa60d6a69f48fceeab50e68a29631

                                                SHA256

                                                f6e67882c0ab48c4169f2971b1766182ea20aea6f69bf15fafb8792c615ee0a1

                                                SHA512

                                                c7b40939620c8866319d19725fefc7b51723df970e3247b5c0e08da2e77aa113ac36b8482edaacb79c69ad7d4de5bc6a14100713522cae8d0f3750f9d4956aa2

                                              • C:\Temp\oigbytnlgd.exe

                                                Filesize

                                                361KB

                                                MD5

                                                8fd28ff470820cf52d0450cd9c87955c

                                                SHA1

                                                fbb58ba65c50c93b7b7f67e86c0f1eb1d29e5cad

                                                SHA256

                                                0f3650c82ff754afc5fafc4dbe5224ba4ca4ac92d098abeb0f4544af28ead47f

                                                SHA512

                                                5e0b8ce17ebdfdbe4048a05290a4324f88779d66d5ad4291b058b3cc716c558849affba2ad5e2d740b0c8a13d50028c851197a96fd6a9af3418d903afec6cdc8

                                              • C:\Temp\xspkecwupj.exe

                                                Filesize

                                                361KB

                                                MD5

                                                fb2d66542d5cb605f485bf6cb494fe43

                                                SHA1

                                                42643e9ed8887c7e5c8ed5f203e0a7c56190bf73

                                                SHA256

                                                2e1d7491c15a160eac68e81b8ad47c13848708deac424d489b5effed8951a763

                                                SHA512

                                                363309b7783a9d0ca323e982842d4787590f16d7a3606323d5da63b5d0ca76182a99ce2242cbdc903d00aa65b9e0c69c511cfa456197dfe5ab1003b402e27403

                                              • C:\Temp\zwrobvtolg.exe

                                                Filesize

                                                361KB

                                                MD5

                                                741cef329224d2e8600cc235149453a9

                                                SHA1

                                                099b9ec6baaf3e469c8458c7fe1e74bdc1f9ba31

                                                SHA256

                                                c510b077b01ca4260db1743f70354db41f823f0098f3b36b77bfcf7390ff1540

                                                SHA512

                                                04faeae48b656b753bae43bdb70fc8c14f4c84e3b0bc5739a5c2574cc0c6d09c50a2507604d7c76963e380025b2640b511f81149a4ece93b955a8de323639ca3

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                67KB

                                                MD5

                                                753df6889fd7410a2e9fe333da83a429

                                                SHA1

                                                3c425f16e8267186061dd48ac1c77c122962456e

                                                SHA256

                                                b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

                                                SHA512

                                                9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                344B

                                                MD5

                                                ee4ad4b50c9f0c9eca7d9e7ffa5bed80

                                                SHA1

                                                7eb5ebabd47944f1ad378f57bbb349cdbb93baba

                                                SHA256

                                                3727077612f1b61b32a826c0c9972c29611ec6046bec578f039bad5baffdb50d

                                                SHA512

                                                e30dbcffd77329fc2fc64021bc41bdf14df32c53e6ef07d4d44d0bb2e4eb59443c589ba263180ac03fc14934377a0586d4d8357cda48e30c0950259e3c641b87

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                344B

                                                MD5

                                                70831cd6854df1895be44d0fb056c6c5

                                                SHA1

                                                b28c531d8410f2b4f53e0754567f928559f14242

                                                SHA256

                                                37e384fa743aa5352d4271df5574d292fc9d9652b7a631af1e1838856df8bc53

                                                SHA512

                                                c3ce92ede87195a4bb6c18cec597562576b507f0f653d8fda9388dff473d43e34c5702176da093ae5d5be7941c39ff6f1ad6a12b81f4ff1672c442b6f9e7a35f

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                344B

                                                MD5

                                                d2d52c31ff3fd0fbad2b8e04f0974300

                                                SHA1

                                                9161d84bf75f0b3293351b8ec63bf845ee0e0367

                                                SHA256

                                                74bc9ff7f07225dd953112aa417710500434f5d218dea97c8c625b0537bb1a82

                                                SHA512

                                                56dcd3e2fe933c6e55a1edac7c822079146b379aac1db228454eda5461ff7a6c7cd855f17ee79a7dead9d6a6baa661d5ecb158587f131393138b62060a98fb5c

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                344B

                                                MD5

                                                8ddd1c1b610acaa0700af3094b51b20a

                                                SHA1

                                                92eb927d1b3ac72d4b5e33561c54e3221c413cc1

                                                SHA256

                                                b0e49583d7197b3fb08ff42593fa280b6cb2e48ce0600ba97bfd52189be36cbd

                                                SHA512

                                                0362663af8176edcc2bd694085a168397d40072e14df9b60e33975fe496513eefb0e27fbe91640ef03c24909fc1a608293c453f3bbcaa8453d20fe93b11ac212

                                              • C:\Users\Admin\AppData\Local\Temp\Tar741F.tmp

                                                Filesize

                                                175KB

                                                MD5

                                                dd73cead4b93366cf3465c8cd32e2796

                                                SHA1

                                                74546226dfe9ceb8184651e920d1dbfb432b314e

                                                SHA256

                                                a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

                                                SHA512

                                                ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

                                              • \Temp\cwrpjhbwuomgbytr.exe

                                                Filesize

                                                361KB

                                                MD5

                                                466acdd0cb7434376f5fe335acc215a1

                                                SHA1

                                                debb65b86543688ed9c66a9185908ffee3756347

                                                SHA256

                                                78fde3ca55849da0a1a313a47ef5894337d37e621c205cb4e8db8164910cc4c1

                                                SHA512

                                                1ed5182ac0503385c92a9b088d53acfea3fe9b881a611d0a6dfb0901599214284dbd6b53528c399a69b8b4fc37ff06c26704a0c17a0c6d9cb651595c898c04d6
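What the listing above shows, read as an analyst would: every executable under C:\Temp is reported at 361KB, the size of the submitted sample, each with a different hash, and most names appear twice, once bare and once with an `i_` prefix. The script below is an added example, not code from tria.ge or from this report. It parses a dropped-file listing in either the vertical label/value layout the sandbox renders or a compact `Label: value` layout, clusters entries by reported size, pairs the base and `i_` names, emits a SHA256 list for hunting, and checks a retrieved file's digests against a listed entry. The embedded `SAMPLE` is a constructed subset of the entries above; reading the equal-size files as copies of one another is an inference from size and naming, not a finding the report states, and `Filesize` is the rounded value tria.ge prints, so size alone never confirms a match.

```python
"""Parse a tria.ge-style "dropped files" listing and pull out what an analyst
acts on: the cluster of equal-sized executables, the base/i_ name pairs, and a
SHA256 hunting list. digest_set()/matches_listing() verify a retrieved file
against the listed hashes. Added example, not tria.ge code."""
import hashlib
from collections import defaultdict

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed input: a subset of entries and fields copied from the report's
# listing, in the compact "Label: value" form (SHA1/SHA512 left out).
SAMPLE = r"""
• C:\Temp\cwuojgbzto.exe
  Filesize: 361KB
  MD5: 6b18de590d65dcf2ed28a1cde98147ab
  SHA256: a60da04994be464f5996d6bc9fd85728a349687e1d45be7ba9a61e945f4c4cbb
• C:\Temp\gavtnlfays.exe
  Filesize: 361KB
  MD5: e5a230c11b6fb905b25eee7dc6744ac4
  SHA256: 8a75b038579c1a81d896e56924cd2643f1cd255e2029a0143f9fd6da0acf2c66
• C:\Temp\i_cwuojgbzto.exe
  Filesize: 361KB
  MD5: a3c770442a409a01e47c4b7cc2703a13
  SHA256: 6cb4527ea13c1c03888b070c718c5443b5e97b1e3963554b3c6b0a6ae86379bc
• C:\Temp\i_gavtnlfays.exe
  Filesize: 361KB
  MD5: df3c3f3f56a56f341a42cfc06df5110f
  SHA256: 7bf1caaea37ec729df6579d773787889f5bf29e3b4595094069b568b52be32ea
• C:\Users\Admin\AppData\Local\Temp\Tar741F.tmp
  Filesize: 175KB
  MD5: dd73cead4b93366cf3465c8cd32e2796
  SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
"""


def parse_dropped_files(text):
    """One dict per bullet: {'path': ..., 'Filesize': ..., 'MD5': ..., ...}.
    Accepts the vertical layout (label line, then value line) and the
    compact 'Label: value' layout."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif current is None:
            continue                      # text before the first bullet
        elif line in LABELS:              # vertical form: value is next line
            pending = line
        elif pending is not None:
            current[pending] = line
            pending = None
        else:
            label, sep, value = line.partition(":")
            if sep and label.strip() in LABELS:   # compact form
                current[label.strip()] = value.strip()
    return records


def validate(records):
    """Flag hash fields that are not lowercase hex of the algorithm's length."""
    hexdigits = set("0123456789abcdef")
    problems = []
    for r in records:
        for field, n in HEX_LEN.items():
            v = r.get(field)
            if v is not None and (len(v) != n or not set(v) <= hexdigits):
                problems.append((r["path"], field, v))
    return problems


def size_clusters(records):
    """Group paths by reported size; a large equal-size cluster of distinct
    hashes is the first thing to notice in this report."""
    clusters = defaultdict(list)
    for r in records:
        clusters[r.get("Filesize")].append(r["path"])
    return dict(clusters)


def self_copy_pairs(records, directory="C:\\Temp\\"):
    """(name, i_name) pairs found under `directory`."""
    names = {r["path"][len(directory):] for r in records if r["path"].startswith(directory)}
    return sorted((n, "i_" + n) for n in names if not n.startswith("i_") and "i_" + n in names)


def hunting_hashes(records, size):
    """Distinct SHA256 values of every listed file with the given reported size."""
    return sorted({r["SHA256"] for r in records if r.get("Filesize") == size and "SHA256" in r})


def digest_set(data):
    """MD5/SHA1/SHA256/SHA512 of `data`, keyed like the listing."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "SHA512": hashlib.sha512(data).hexdigest()}


def matches_listing(data, record):
    """For each hash field present in `record`, whether `data` hashes to it."""
    actual = digest_set(data)
    return {f: actual[f] == record[f] for f in HEX_LEN if f in record}


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    print("malformed fields:", validate(recs))
    for size, paths in size_clusters(recs).items():
        print(size, len(paths), "file(s)")
    print("base/i_ pairs:", self_copy_pairs(recs))
    print("SHA256 hunting list (361KB):", *hunting_hashes(recs, "361KB"), sep="\n  ")
```

To check a file pulled from a host against the report, read it as bytes and pass it with the matching record to `matches_listing`; all four digests must agree, since MD5 alone is not collision resistant and `Filesize` is only a rounded figure.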