a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e

Analysis

max time kernel
147s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
Size

226KB
MD5

0e3b12a005eb739c89469918e64c4a26
SHA1

5b92e902d2dda3d70f015cadec66a4312c90c144
SHA256

a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e
SHA512

f514df586f7069c03b4ca1ca713b0f7598f6f9d04c7f571b6efbef590f6bdbd1b2fcef8b27003ea8f244aafa73873895615486e23a8215929c99d361333c838d
SSDEEP

3072:3GSyY4L+c2JhX7ypa3rV3dZPFvOAngoRUAFa1nxayHdXkb5kA7:WXY4LK+a3lLNngoqRttA7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2572	CP.exe
2680	hcauhezxrl.exe
2460	CP.exe
2544	CP.exe
2972	i_hcauhezxrl.exe
2692	CP.exe
2744	jecwuojgbz.exe
2748	CP.exe
2092	CP.exe
316	i_jecwuojgbz.exe
2272	CP.exe
1988	tolgeytqlj.exe
964	CP.exe
1984	CP.exe
2732	i_tolgeytqlj.exe
564	CP.exe
1748	gaytqlfdyv.exe
2088	CP.exe
1692	CP.exe
1144	i_gaytqlfdyv.exe
3016	CP.exe
2752	dysqlidxvp.exe
2644	CP.exe
2904	CP.exe
2468	i_dysqlidxvp.exe
2544	CP.exe
2452	nifaysmkfc.exe
2424	CP.exe
1724	CP.exe
2748	i_nifaysmkfc.exe
2216	CP.exe
2256	ausnhfzxrm.exe
2356	CP.exe
1292	CP.exe
1296	i_ausnhfzxrm.exe
1316	CP.exe
2852	nhfzurmkez.exe
2936	CP.exe
2604	CP.exe
2404	i_nhfzurmkez.exe
772	CP.exe
1536	hcwuomhbzt.exe
1056	CP.exe
848	CP.exe
1504	i_hcwuomhbzt.exe
2968	CP.exe
2492	omgbztrlgd.exe
1004	CP.exe
2716	CP.exe
1976	i_omgbztrlgd.exe
1644	CP.exe
1724	bytrlgdyvq.exe
2256	CP.exe
2916	CP.exe
1292	i_bytrlgdyvq.exe
1624	CP.exe
2296	qljdyvqnic.exe
2920	CP.exe
2280	CP.exe
1248	i_qljdyvqnic.exe
2404	CP.exe
2308	lfdyvqkica.exe
792	CP.exe
984	CP.exe

Loads dropped DLL 62 IoCs

pid	Process
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
2680	hcauhezxrl.exe
2680	hcauhezxrl.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
2744	jecwuojgbz.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
1988	tolgeytqlj.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
1748	gaytqlfdyv.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
2752	dysqlidxvp.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
2452	nifaysmkfc.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
2256	ausnhfzxrm.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
2852	nhfzurmkez.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
1536	hcwuomhbzt.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
2492	omgbztrlgd.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
1724	bytrlgdyvq.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
2296	qljdyvqnic.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
2308	lfdyvqkica.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
1936	avsnkfzxsp.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
2008	nkfzxrpkec.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
1560	cauomheztr.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
880	auomheztrl.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
1692	mjeywrojdb.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
804	bwtoigbytn.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
2792	wqoigbvtnd.exe
360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2740	ipconfig.exe
2708	ipconfig.exe
1600	ipconfig.exe
1280	ipconfig.exe
2748	ipconfig.exe
2672	ipconfig.exe
596	ipconfig.exe
1096	ipconfig.exe
2092	ipconfig.exe
1504	ipconfig.exe
1736	ipconfig.exe
1740	ipconfig.exe
2536	ipconfig.exe
2868	ipconfig.exe
708	ipconfig.exe
2228	ipconfig.exe
2768	ipconfig.exe
1496	ipconfig.exe
2216	ipconfig.exe
2836	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420775541"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{20CC46F1-0824-11EF-93CC-729E5AF85804} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e000000000200000000001066000000010000200000009405b735a7d4885563db2a7367a823c95656b30271684893ffc66fe0a0af86c7000000000e8000000002000020000000b14c7924682ee4bbc187902eff2a296e59d65ea25c64924f7bfb25d2262f790d200000008c1497b86c54d14522ba5b68dd013425818310d406903940dbf625f4325ba96c40000000a7b0471e38dae4f64aedee16e4fe5ad2ab37c3d06043d6d332b0eed07b0d88b5c4e60a9d0ca0ac6a115ccb104f5f3d71fa1f947a8f22b93455a1d4c39b9dcd99	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e000000000200000000001066000000010000200000000c39e7cbca220319e930eecfc59f3b1045b2a6f09dafb49b97cf008017d94e2b000000000e80000000020000200000007c7635e9108060e7ce906f11c522f7ed9964a8b5e67f734300305ac636bcba1f900000000b99ed9cb4497c8a0f5f9954fc89c5c2c345f95fa0dbc319b9f3bd02d32ee2d9e5c24e9747673c06b6351d91179f4a714d45f46db2c469d1c0bd08dcfd81ad563cb395a1336e2bb0e78079de33dc94ee364fabd63f9d557429893864fb60d28f537d24709f18db2601071cf558a8c35d77fda4b41c71b012e7df0bef0181ae59db5cd669abd819517b8df3d7fc48f4834000000029cf792c0e66550193988771cf83908bc5cd004b5301300ac195d4784915587b4fc20bf004cb823c952b86a3f3450fb1da5ef58c5755d0c74b6a71fc8c0f5e15	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0e119f8309cda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	i_hcauhezxrl.exe
Token: SeDebugPrivilege	316	i_jecwuojgbz.exe
Token: SeDebugPrivilege	2732	i_tolgeytqlj.exe
Token: SeDebugPrivilege	1144	i_gaytqlfdyv.exe
Token: SeDebugPrivilege	2468	i_dysqlidxvp.exe
Token: SeDebugPrivilege	2748	i_nifaysmkfc.exe
Token: SeDebugPrivilege	1296	i_ausnhfzxrm.exe
Token: SeDebugPrivilege	2404	i_nhfzurmkez.exe
Token: SeDebugPrivilege	1504	i_hcwuomhbzt.exe
Token: SeDebugPrivilege	1976	i_omgbztrlgd.exe
Token: SeDebugPrivilege	1292	i_bytrlgdyvq.exe
Token: SeDebugPrivilege	1248	i_qljdyvqnic.exe
Token: SeDebugPrivilege	592	i_lfdyvqkica.exe
Token: SeDebugPrivilege	1532	i_avsnkfzxsp.exe
Token: SeDebugPrivilege	3048	i_nkfzxrpkec.exe
Token: SeDebugPrivilege	616	i_cauomheztr.exe
Token: SeDebugPrivilege	1704	i_auomheztrl.exe
Token: SeDebugPrivilege	2656	i_mjeywrojdb.exe
Token: SeDebugPrivilege	3004	i_bwtoigbytn.exe
Token: SeDebugPrivilege	2584	i_wqoigbvtnd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2200	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2200	iexplore.exe
2200	iexplore.exe
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 2200	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	28
PID 360 wrote to memory of 2200	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	28
PID 360 wrote to memory of 2200	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	28
PID 360 wrote to memory of 2200	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	28
PID 2200 wrote to memory of 2036	2200	iexplore.exe	29
PID 2200 wrote to memory of 2036	2200	iexplore.exe	29
PID 2200 wrote to memory of 2036	2200	iexplore.exe	29
PID 2200 wrote to memory of 2036	2200	iexplore.exe	29
PID 360 wrote to memory of 2572	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	30
PID 360 wrote to memory of 2572	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	30
PID 360 wrote to memory of 2572	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	30
PID 360 wrote to memory of 2572	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	30
PID 2680 wrote to memory of 2460	2680	hcauhezxrl.exe	33
PID 2680 wrote to memory of 2460	2680	hcauhezxrl.exe	33
PID 2680 wrote to memory of 2460	2680	hcauhezxrl.exe	33
PID 2680 wrote to memory of 2460	2680	hcauhezxrl.exe	33
PID 360 wrote to memory of 2544	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	36
PID 360 wrote to memory of 2544	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	36
PID 360 wrote to memory of 2544	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	36
PID 360 wrote to memory of 2544	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	36
PID 360 wrote to memory of 2692	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	38
PID 360 wrote to memory of 2692	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	38
PID 360 wrote to memory of 2692	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	38
PID 360 wrote to memory of 2692	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	38
PID 2744 wrote to memory of 2748	2744	jecwuojgbz.exe	40
PID 2744 wrote to memory of 2748	2744	jecwuojgbz.exe	40
PID 2744 wrote to memory of 2748	2744	jecwuojgbz.exe	40
PID 2744 wrote to memory of 2748	2744	jecwuojgbz.exe	40
PID 360 wrote to memory of 2092	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	43
PID 360 wrote to memory of 2092	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	43
PID 360 wrote to memory of 2092	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	43
PID 360 wrote to memory of 2092	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	43
PID 360 wrote to memory of 2272	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	45
PID 360 wrote to memory of 2272	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	45
PID 360 wrote to memory of 2272	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	45
PID 360 wrote to memory of 2272	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	45
PID 1988 wrote to memory of 964	1988	tolgeytqlj.exe	47
PID 1988 wrote to memory of 964	1988	tolgeytqlj.exe	47
PID 1988 wrote to memory of 964	1988	tolgeytqlj.exe	47
PID 1988 wrote to memory of 964	1988	tolgeytqlj.exe	47
PID 360 wrote to memory of 1984	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	50
PID 360 wrote to memory of 1984	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	50
PID 360 wrote to memory of 1984	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	50
PID 360 wrote to memory of 1984	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	50
PID 360 wrote to memory of 564	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	52
PID 360 wrote to memory of 564	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	52
PID 360 wrote to memory of 564	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	52
PID 360 wrote to memory of 564	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	52
PID 1748 wrote to memory of 2088	1748	gaytqlfdyv.exe	54
PID 1748 wrote to memory of 2088	1748	gaytqlfdyv.exe	54
PID 1748 wrote to memory of 2088	1748	gaytqlfdyv.exe	54
PID 1748 wrote to memory of 2088	1748	gaytqlfdyv.exe	54
PID 360 wrote to memory of 1692	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	57
PID 360 wrote to memory of 1692	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	57
PID 360 wrote to memory of 1692	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	57
PID 360 wrote to memory of 1692	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	57
PID 360 wrote to memory of 3016	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	59
PID 360 wrote to memory of 3016	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	59
PID 360 wrote to memory of 3016	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	59
PID 360 wrote to memory of 3016	360	a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe	59
PID 2752 wrote to memory of 2644	2752	dysqlidxvp.exe	61
PID 2752 wrote to memory of 2644	2752	dysqlidxvp.exe	61
PID 2752 wrote to memory of 2644	2752	dysqlidxvp.exe	61
PID 2752 wrote to memory of 2644	2752	dysqlidxvp.exe	61

C:\Users\Admin\AppData\Local\Temp\a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe
"C:\Users\Admin\AppData\Local\Temp\a96f1895021ff8f3ffb4ccba92f78ef51bfdf3c840896190df1394297b33de5e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:360
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2036
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\hcauhezxrl.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2572
- - C:\Temp\hcauhezxrl.exe
    C:\Temp\hcauhezxrl.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2460
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2536
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_hcauhezxrl.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2544
- - C:\Temp\i_hcauhezxrl.exe
    C:\Temp\i_hcauhezxrl.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\jecwuojgbz.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2692
- - C:\Temp\jecwuojgbz.exe
    C:\Temp\jecwuojgbz.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2748
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2868
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_jecwuojgbz.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2092
- - C:\Temp\i_jecwuojgbz.exe
    C:\Temp\i_jecwuojgbz.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\tolgeytqlj.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2272
- - C:\Temp\tolgeytqlj.exe
    C:\Temp\tolgeytqlj.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:964
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:708
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_tolgeytqlj.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1984
- - C:\Temp\i_tolgeytqlj.exe
    C:\Temp\i_tolgeytqlj.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\gaytqlfdyv.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:564
- - C:\Temp\gaytqlfdyv.exe
    C:\Temp\gaytqlfdyv.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2088
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2228
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_gaytqlfdyv.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1692
- - C:\Temp\i_gaytqlfdyv.exe
    C:\Temp\i_gaytqlfdyv.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\dysqlidxvp.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:3016
- - C:\Temp\dysqlidxvp.exe
    C:\Temp\dysqlidxvp.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2644
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2672
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_dysqlidxvp.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2904
- - C:\Temp\i_dysqlidxvp.exe
    C:\Temp\i_dysqlidxvp.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\nifaysmkfc.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2544
- - C:\Temp\nifaysmkfc.exe
    C:\Temp\nifaysmkfc.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2452
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2424
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2708
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_nifaysmkfc.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1724
- - C:\Temp\i_nifaysmkfc.exe
    C:\Temp\i_nifaysmkfc.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\ausnhfzxrm.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2216
- - C:\Temp\ausnhfzxrm.exe
    C:\Temp\ausnhfzxrm.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2256
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2356
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1600
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_ausnhfzxrm.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1292
- - C:\Temp\i_ausnhfzxrm.exe
    C:\Temp\i_ausnhfzxrm.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1296
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\nhfzurmkez.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:1316
- - C:\Temp\nhfzurmkez.exe
    C:\Temp\nhfzurmkez.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2852
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2936
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2768
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_nhfzurmkez.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2604
- - C:\Temp\i_nhfzurmkez.exe
    C:\Temp\i_nhfzurmkez.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\hcwuomhbzt.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:772
- - C:\Temp\hcwuomhbzt.exe
    C:\Temp\hcwuomhbzt.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1536
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:1056
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1496
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_hcwuomhbzt.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:848
- - C:\Temp\i_hcwuomhbzt.exe
    C:\Temp\i_hcwuomhbzt.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\omgbztrlgd.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2968
- - C:\Temp\omgbztrlgd.exe
    C:\Temp\omgbztrlgd.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2492
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:1004
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1280
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_omgbztrlgd.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2716
- - C:\Temp\i_omgbztrlgd.exe
    C:\Temp\i_omgbztrlgd.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\bytrlgdyvq.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:1644
- - C:\Temp\bytrlgdyvq.exe
    C:\Temp\bytrlgdyvq.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1724
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2256
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2216
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_bytrlgdyvq.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2916
- - C:\Temp\i_bytrlgdyvq.exe
    C:\Temp\i_bytrlgdyvq.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\qljdyvqnic.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:1624
- - C:\Temp\qljdyvqnic.exe
    C:\Temp\qljdyvqnic.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2296
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2920
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1740
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_qljdyvqnic.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2280
- - C:\Temp\i_qljdyvqnic.exe
    C:\Temp\i_qljdyvqnic.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\lfdyvqkica.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2404
- - C:\Temp\lfdyvqkica.exe
    C:\Temp\lfdyvqkica.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2308
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:792
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:596
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_lfdyvqkica.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:984
- - C:\Temp\i_lfdyvqkica.exe
    C:\Temp\i_lfdyvqkica.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\avsnkfzxsp.exe ups_run
  2⤵
  PID:428
- - C:\Temp\avsnkfzxsp.exe
    C:\Temp\avsnkfzxsp.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:1936
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:2392
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1096
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_avsnkfzxsp.exe ups_ins
  2⤵
  PID:1528
- - C:\Temp\i_avsnkfzxsp.exe
    C:\Temp\i_avsnkfzxsp.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\nkfzxrpkec.exe ups_run
  2⤵
  PID:1200
- - C:\Temp\nkfzxrpkec.exe
    C:\Temp\nkfzxrpkec.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:2008
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:1864
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2836
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_nkfzxrpkec.exe ups_ins
  2⤵
  PID:820
- - C:\Temp\i_nkfzxrpkec.exe
    C:\Temp\i_nkfzxrpkec.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\cauomheztr.exe ups_run
  2⤵
  PID:2800
- - C:\Temp\cauomheztr.exe
    C:\Temp\cauomheztr.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:1560
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:1992
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2092
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_cauomheztr.exe ups_ins
  2⤵
  PID:784
- - C:\Temp\i_cauomheztr.exe
    C:\Temp\i_cauomheztr.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:616
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\auomheztrl.exe ups_run
  2⤵
  PID:2976
- - C:\Temp\auomheztrl.exe
    C:\Temp\auomheztrl.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:880
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:892
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1504
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_auomheztrl.exe ups_ins
  2⤵
  PID:1312
- - C:\Temp\i_auomheztrl.exe
    C:\Temp\i_auomheztrl.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\mjeywrojdb.exe ups_run
  2⤵
  PID:2728
- - C:\Temp\mjeywrojdb.exe
    C:\Temp\mjeywrojdb.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:1692
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:1012
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1736
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_mjeywrojdb.exe ups_ins
  2⤵
  PID:2596
- - C:\Temp\i_mjeywrojdb.exe
    C:\Temp\i_mjeywrojdb.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\bwtoigbytn.exe ups_run
  2⤵
  PID:3016
- - C:\Temp\bwtoigbytn.exe
    C:\Temp\bwtoigbytn.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:804
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:2420
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2740
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_bwtoigbytn.exe ups_ins
  2⤵
  PID:2904
- - C:\Temp\i_bwtoigbytn.exe
    C:\Temp\i_bwtoigbytn.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\wqoigbvtnd.exe ups_run
  2⤵
  PID:2468
- - C:\Temp\wqoigbvtnd.exe
    C:\Temp\wqoigbvtnd.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:2792
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:2424
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2748
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_wqoigbvtnd.exe ups_ins
  2⤵
  PID:2968
- - C:\Temp\i_wqoigbvtnd.exe
    C:\Temp\i_wqoigbvtnd.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\ausnhfzxrm.exe

Filesize
226KB

MD5
8508b22374f4d9d14a91eae9ae9229a6

SHA1
cc267983d9b2ff525b2f081eae6c65d0709b0302

SHA256
2706bfbc0f6518d29754c75a902ff5af8a9b66582d4987ff29b79eb5c821518a

SHA512
50c78adc10d1eb201dedcb7a3073c00fbdfe7e7a15dd871f175990634efd4f8a85ad74f8c5ebbe147b55075dc48f41d82f30e0adb7ab740fcd44d4aed2b5987e

Download Submit
C:\Temp\dysqlidxvp.exe

Filesize
226KB

MD5
f285c7415cc553ab1912eeac578336f6

SHA1
e7090fa8f04e3cf5f8ccb50e0089c31f6a675730

SHA256
343bebd556c3772240ba82fa1c82cc519c376912ccbf05dbd3d918abcc43cf36

SHA512
dd7655b387f58a389babd8d1757e72bb1f23a197b88bc78da77909b28e589cb7fecfd020b58e788b18c819b5d63f5a5c470ed760f5fc47d4e9207f66a6c27f7c

Download Submit
C:\Temp\gaytqlfdyv.exe

Filesize
226KB

MD5
b96afb60522595b3cfbb5425947aeb9f

SHA1
bbaaa0863419f27f8198a0ff8f1ff002d506de4a

SHA256
6d480ba56c2c7b3f091ca5870e599807445ed0a23cb9ff1a57f50b1a37cb7c4c

SHA512
ee8f2a8c058f0e086e835d4f37d34d736500383f9f3021c8f95634d9ff28d09e3f95b7d46718c8b5ce391ed40264eeecdca7d4520faf4763e03f8a2dca6b3ac8

Download Submit
C:\Temp\hcauhezxrl.exe

Filesize
226KB

MD5
1994ae90581c7bd99589a7c66d930f6f

SHA1
1cf50204234084ab4960c5538eaf3b839ac2aeb6

SHA256
fd7392a78220b3d8df239c18d3104b9c6f9e012aa36c6c5e76fadcf78a423f65

SHA512
688fb00fe718a90c901399e065ca747a7b13c45a680c52f557f90c8b4322511a10d4b8e387146f9b0b7b46db51c4ec63291976b86ab7a8d1b1dbabe6ebf4ca48

Download Submit
C:\Temp\i_ausnhfzxrm.exe

Filesize
226KB

MD5
2c7c92461052c8e0f5580912396181f3

SHA1
9a134cb0d3b3123d56459fe5582c0bdfa0191e60

SHA256
de1a7f67b06eb911b832b29f55c24184734a9e9e9b3b70ae7e271bfee6382ffa

SHA512
2239823c9b52a78aecff9855f9053dbcfad7e31de633b73cc139d1e17ade71ff7bb17919caac43cc12f612dcf9cc11f331fc17c3090905ab5f78232a42e50b43

Download Submit
C:\Temp\i_dysqlidxvp.exe

Filesize
226KB

MD5
b56e5238d6d0887aa79b175cd93a990f

SHA1
303ec6a833474f23cb4428179786c2826ffc7bb1

SHA256
df52fc7cf2574c01cae3e3d72008c6d751b0f0e0133c44d9a4f920aa8be96e11

SHA512
fea55041a567650f1493b26299ec228d0361ca917f08ba2403dc7903a6d254a4bedabd630f60824ecbb62ba9ffd18c1181714fff772c6b189f280e6ef0ccff18

Download Submit
C:\Temp\i_gaytqlfdyv.exe

Filesize
226KB

MD5
fa8d183877637c3360f889f5386a7eae

SHA1
7b4e7440c08b559038372c856b9b46e4eb59326f

SHA256
af4577a51c98630e603e2acd6b069fb6727c3a410bfafbd56ab5db97f048ae0e

SHA512
48bb6099de294ee5cf82ea6f116a87b4b025a1c6fe657ffdfd974a2f0e2095e7917cf4ec8075e403d2abfeb92e87fea2e13cb51e2118ff0d11de84b58079adbe

Download Submit
C:\Temp\i_hcauhezxrl.exe

Filesize
226KB

MD5
4bc06246200f68ccb9e7759f1a87dd98

SHA1
ecf552cea9245edc4a28ad577afdc556c72d2b5b

SHA256
b4b0afa6009b1bf9221ec95363dfbba342046df0b1b8a8405853c3aa6029320d

SHA512
0979471352848178e32fac87309f06762872b8ae53746deb2146fd8787fc6fbe7d4bce72b57ea5dec8d4d49718c9467c06dae8725e75c8ab04782ee601047397

Download Submit
C:\Temp\i_jecwuojgbz.exe

Filesize
226KB

MD5
93f127be53e5b986e4d107776b4c9926

SHA1
98fffff9c2cedca0de43bf092e0f99fd8cbe5dea

SHA256
b17e4b7daf10a7384ead69912908c92ad4c75689dac37ad3dc7f83d8d3bd5dc5

SHA512
d827aa5ea79798cb298d5d4ba4e3b8668c12592a046c4801d4bb527d7c96474e93d872c87fa3adea1ac445a28bdaf43f653b0c2162113ce0cf8edf619c09f3f7

Download Submit
C:\Temp\i_nifaysmkfc.exe

Filesize
226KB

MD5
8ca2c3f17368a20fda1ba30d66addf23

SHA1
30daf871c695cda4151c5d480ad682bd754f9e00

SHA256
ab91c6ce47999f05bebd7b2508015b39e243f9c3725d0294aeb07c5ee11d859c

SHA512
98d051fa9bb9be7bf7aa85b1a2eb2a3f7b42643ef868e6cdc11880de949cdcf10fb4a801fd8d68efbe25ba6d3ec8d8cdc13f1b5926b41bf904a4778a2094ef92

Download Submit
C:\Temp\i_tolgeytqlj.exe

Filesize
226KB

MD5
ea0eb2cbd504f9723b0e61724e7daad0

SHA1
42067c706e4082b7224e3534de7d37f4a3950ebd

SHA256
76f8444c1794708514a702af94d619ecdd1013ac5f7f384dd20fe47a74928fbe

SHA512
de7b5f2bb3df51894c9c6779bf6c76faf3862901db78777a128bc4fe07dd3797c82f6b1d52a45d0faeb5e339975570df4d29777a7262dd90b642bdbbedf31905

Download Submit
C:\Temp\jecwuojgbz.exe

Filesize
226KB

MD5
523aca3913dbf67d567331c21bc2e225

SHA1
cd47344c16d30839913dc025cc9218517ee080ca

SHA256
73d45c9e2a74a4d99307e80d69d689c76ec49de3e7803535c249e8951b64aec8

SHA512
9a816daeedda11e6dcd92f04fad0ffecd7758408aadf194b7fa06e6c4d0825799fbd5068d26164c9f2435a5dea400c54cf053c73948a23f4b671b0d8b04de245

Download Submit
C:\Temp\nhfzurmkez.exe

Filesize
226KB

MD5
08cd90feee41c11e413e761ad8dd9bdc

SHA1
e42c0cef1b4b2c5d69ccc3fa83e9cb32ce4146a1

SHA256
af3d5e464297ec7bf88fb1b68f3094d5030869b467eadbb3b78a79417482c191

SHA512
bb3deb7b935483f38c043aabc8dff482d5223b7609be656c67ec76d5ec5d89aab7d7f63e8a564f0f1e4a7b531a19565837802ff7c641a424e80265940ffbbd8f

Download Submit
C:\Temp\nifaysmkfc.exe

Filesize
226KB

MD5
07341bf53cd175ef8cc3a66c55073e18

SHA1
1cf5590bf37275edc653c3bd76da370dcf85179f

SHA256
cdddd1eccf25e3337fd16c30ce8353175571ff4e45b7416276ff7d14dbeeef6c

SHA512
04ebbd680cb922347449241379cefceccd945118445e5b9b98299315673a85904547670372e0b684ae2ad182f773a54a6293784c0db03dcf002340bf54fb8c16

Download Submit
C:\Temp\tolgeytqlj.exe

Filesize
226KB

MD5
babb28d772278d2659535fb26828885c

SHA1
419bab4c931b0c24a65546b44a7e52bfcf9c8fc5

SHA256
3e961a877273b64108e17d737d2bed71a831e7946112c2718c9c888d6628e460

SHA512
487e5cc0180029d3316aafe55cb23994469da36b6c6feca1fe6aa1fe361eea6e17c529168dd8f99faa26fbf0e6a472d4304d0dd0250d8fac3335c047750dd551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90c45412d62d75b159912aec10e189a7

SHA1
78af7980b52f97ed2d7254eaf26fd7f2407ce1e0

SHA256
e999d820feda918d918827c4cf848fda473d42ae39b65aeeef62d890b3a88f84

SHA512
dfc7e5d67cc8aec95f412ce12a0f92b2e821d0139e950b27d2f4e41577fefc14823cf8d6d0a06ea06f280acb7bef939f50c0966101cc73a5aac6078734199948

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1fffd52e338a40acf0e59f6fbbf264e2

SHA1
74a8d16414c7d74e40de90cfbb4c642a36d38a7c

SHA256
4737b9476d541fa0651ec27d846723119f0a903db5a013be3fd78e1c0ec83819

SHA512
7c04e27999df82f342b43fe26fa5019511be103638ede42a1cd90446324f04a01b63c1cf6faed28015123806f2b462c6ca7dfef504f1bd4b0419805f33a41662

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2201ae276e7552de97875cfff6124eb8

SHA1
0c04b1fa4c34fc336c9862fe1c9e94606eca7109

SHA256
0b77aa65fcbeff009e7bf1e4025619397b8bb84bd386f98745f44fdcfe8bd6ce

SHA512
35a860ffe055e41b7d7e46fba89e926c7db0ac8bf2106459a5d2fb23eb232f97b368385e59257ccd93337fdf302440122a91c1b65d7d82a7f5a660929a50461b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99221f6c25440bdeadc79e0f030ee856

SHA1
7b8d6bfc4d16460618658a3a8ab6a7fc6eb59027

SHA256
6e451c67177754509beecac4b202fd20e980c68eaa82719e0503478a34ed8b76

SHA512
fde40f73205d00ab2160f2dfa923ea88dc8a1a1f66efe0cb811bc30f592facc085888e4a5fb219389c3dea993d52fc4d0485b47244b623d56480ce4e0d2f810d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38981c52fcc808b61c0c860c357b976a

SHA1
5721c5397926d1d609ee54e8d932a9fd575b265c

SHA256
53bfd8a62649076457f0921b4e7acb4559bde652edba3057af110b03e392d812

SHA512
1e87a76e08153421ede6c30b3236e9eaa0b8cd0a682a165a1b79137262ef78ade4c4f682581e59bf6dd0808833f379448a33508d57b2ac92ce52eb98afdd28d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1e3e0cbe128a56e6b579ba70214985e

SHA1
7bcad03d313ec4641f3665763780b569814d82f7

SHA256
435c7a5b71b678f4a2b9ef1a372db5073b5582f414537f369dde00ff68a8c359

SHA512
abc5ade5f8e785be0bb8df470cf6ddcd67cfd28f6fb52050d378a7e8f1efe66a3f7ae5342528e85151d8c7c3fd08222c1b84b84c791fab07c29af785bc781e1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38d6ac5a30be5430879132ce1e3cc7f4

SHA1
e071f9f6aa596d4ddf69db5cb93525cf59dd95a6

SHA256
bfbb8a5be3df21129e60e66196334ec0d5ed5c1319805c0a66be38e3abbff9f8

SHA512
c3162c69fe11f9483dc3e2bf4c43a047ffa80e72deb9cc77ae7b19c73ea8e77edc45f88d824cd59dd1529422f58f99c594bf91111ed48aca2a664f9317327283

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6bc9512a070f4c7302d8b6c7e4b2e417

SHA1
4221746b3f594c06495f727840b63056e4c35586

SHA256
df35c9c656f403cce494b592a06c637f8eed3d2fd7bd6cf27027af073f6aed09

SHA512
a6f58e849ff90b401662da55a620b2ca7a3da419751940b1d9e7bd264275f5a0da5f9b9896e17761b3b1852189d6f6094d022e4dc8f45d60564d9dce331d7b9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74d0d04b3315b5430a0846c1f7658da0

SHA1
6521f6d939011ca5667570049f8401adee779de4

SHA256
94476dd2ffc8c9e2cc4d018bf9c988003e7e68342e691f7c7362448a06c09f28

SHA512
0bf046de5d4a5ae27a0fb2fead51e734e3974ac047f4369fe7c8853a6100075f8caa6225b0f8d4fc033ed1b0d056152bd564b0e9dd8e8f964924474b173424fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b0f1f8a55367a485fa2d2b623b8baa0

SHA1
8322ddab06b02b5a7439db74ce0846c986bcb783

SHA256
2ab3ff9d48388b826acb720267551a6bf4333a28f24615bc1290492a536c9020

SHA512
3ae681984ce03eac90027585340e6fb65005b5eeb855c59ffdeb3b039f37472509d4c618aaa0d5abb54ab23a1ff52cee2c2d3c5e3a0d569c76573e9babb56c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae789830cf57bc9a2438074cfc83117d

SHA1
116f26792e1977f56b48d108c006ca80e2cf12ba

SHA256
b7c72dda105d48beef7b7b286645302862ae1589e696e6296e169ddf1facd672

SHA512
63546c3789c5ddf3714ca5e3a99723b26a5b1f7262928e3cdd74fbc7ad07323ac5eff409e3b8c6934ad7f8bc059c7953acfe52dbcb64840cab6ead13dcfc7d07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
469f83fd1e59981107ef30ebf3cc224d

SHA1
0df5fe07755241d52b0a8db4ab2e6da5c72528d1

SHA256
f6c72c08b5eccc3ae465a4b83ce9fca29e0d5a0a2c863fa8f7498b3ade36d5ce

SHA512
65c9acb1f4c0e5624979eb0ecefbd278aae51f76f3aa20ab616994ba9b5832d9ea67e33d1d33c1c384736ac9705b45138b36bc7fe97a17f84b0334aa0c616af3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cec1ef32a9adc26a3ae5ff81a04a94c0

SHA1
df820deb24d385634047e79e0d136417824e55e8

SHA256
567f9ea8b80086f210cff535588961f9650ce4519de0ac3b50e973dc1dd169d7

SHA512
f49d0d27c6579ef6233ff50d78fef41e98c8017c5a7b820659ea500d0c348856688d3d7624fefcda9a2e684cf45d4b3c35c2563d1ac8df98e7972db408418f92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed462e4baadb63ae06c2d027ddcf38d0

SHA1
186479f36ece6a334e32d32099480315b492c4d6

SHA256
a329b641ab233a8583d903ce04fe76d4a0cc4b6a23a41da955f2d3becdc098cf

SHA512
189559f4d97a704237325edc9cdb953df914a0e29613c297862323fbbc005fd77139ff99646f639f5d44e449b706eefa462a3ff4abf64984aad5688297f16503

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b324291e288f1ed3fa2778f9db85e66a

SHA1
4d6e3b90922945af5528506f0513800ff62d9045

SHA256
cf13c724bfa2cfd9567c9491b1d8cb601b7171ae28b42e770f02bffc3ed7c430

SHA512
bf436be815fadcc5bfd3e85a6b01f5ecbe3577cab875f81f28a37026489cbbebb1e6a6afb9a0d07fbacb1cd7307f5bbd1cfaf95075a852cee2348cfeeee33989

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ef625f91f84199ccbcb6c65e89ffb72

SHA1
dd66c68789416d79a83be484f23f3b214c1e3195

SHA256
fd4ca916f2318dfa14d9bc382d65f05b04ad0db43ac9b733931dcd74e74a110b

SHA512
e9e4a917d14fdceb91a386a96eed0481c4a10499896d9b9cd91f81b5c8e466b8d7382fdfb4d4b6129ddd6a79b6c3484746590ca579cf60631ade9f1278312735

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4222.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar43ED.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Temp\CP.exe

Filesize
4KB

MD5
0da87487a46ac0b219dfc10ebb7dbc09

SHA1
a58ed225df243160327f19f2d03ccb60693c562b

SHA256
88d1f04b969503b4d87d7c986ed8f2f830a9f85073fbea644e380692ab3d997c

SHA512
cbcae2c33b3e87e76b34a228115178a587797620e0047704d3d50ad39ea453b32a544bbc6c229347ee3e658d3dcc656c46fe42e90d3210383ad5c76852e198f4

Download Submit