Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/07/2025, 18:51

General

  • Target

    2025-07-02_b0e7146be2b1ec74bde1e0a887f1c6f6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe

  • Size

    361KB

  • MD5

    b0e7146be2b1ec74bde1e0a887f1c6f6

  • SHA1

    3b8faf0fd6e06e5ad6f0946f4a0545642a9fd9a8

  • SHA256

    d1a4559eec6b6424ac638a9756c15b4fbfd436ee9f64b757f4ecc20417138611

  • SHA512

    9f6fd60ad43b0cdfc736925b3c740064cb7551ea8cd8527f2771a8ed1651f50a15bc6e691f00d87daa204f80b5d2c5430f72fb1e2eac6e275090acb3c3a0ffe3

  • SSDEEP

    6144:DflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:DflfAsiVGjSGecvX

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Gathers network information 2 TTPs 20 IoCs

    Uses a command-line utility to view network configuration. In this run every instance is ipconfig.exe /release, which releases the host's DHCP lease rather than only listing its configuration; each second-stage binary launches it once through C:\temp\CreateProcess.exe.

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-02_b0e7146be2b1ec74bde1e0a887f1c6f6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-02_b0e7146be2b1ec74bde1e0a887f1c6f6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Temp\wrojhbztrmgeywro.exe
      C:\Temp\wrojhbztrmgeywro.exe run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\eywrojhbzt.exe ups_run
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:956
        • C:\Temp\eywrojhbzt.exe
          C:\Temp\eywrojhbzt.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:412
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3044
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_eywrojhbzt.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2196
        • C:\Temp\i_eywrojhbzt.exe
          C:\Temp\i_eywrojhbzt.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4456
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\igbytrljdb.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4692
        • C:\Temp\igbytrljdb.exe
          C:\Temp\igbytrljdb.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4612
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4800
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4820
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_igbytrljdb.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:4640
        • C:\Temp\i_igbytrljdb.exe
          C:\Temp\i_igbytrljdb.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4904
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\lgdyvqoiga.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4816
        • C:\Temp\lgdyvqoiga.exe
          C:\Temp\lgdyvqoiga.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4836
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1220
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:6100
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_lgdyvqoiga.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:3352
        • C:\Temp\i_lgdyvqoiga.exe
          C:\Temp\i_lgdyvqoiga.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:920
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\aysqlidbvt.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4740
        • C:\Temp\aysqlidbvt.exe
          C:\Temp\aysqlidbvt.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5084
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:5544
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1440
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_aysqlidbvt.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:5900
        • C:\Temp\i_aysqlidbvt.exe
          C:\Temp\i_aysqlidbvt.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1964
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\vpnhfaxsqk.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:3936
        • C:\Temp\vpnhfaxsqk.exe
          C:\Temp\vpnhfaxsqk.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1188
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:5052
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:5140
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_vpnhfaxsqk.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:4416
        • C:\Temp\i_vpnhfaxsqk.exe
          C:\Temp\i_vpnhfaxsqk.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2120
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\pkicausmkf.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:5424
        • C:\Temp\pkicausmkf.exe
          C:\Temp\pkicausmkf.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3612
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2292
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:5812
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_pkicausmkf.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2344
        • C:\Temp\i_pkicausmkf.exe
          C:\Temp\i_pkicausmkf.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4288
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\pmhfzxrpkh.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:5752
        • C:\Temp\pmhfzxrpkh.exe
          C:\Temp\pmhfzxrpkh.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5008
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2804
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2536
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_pmhfzxrpkh.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:5612
        • C:\Temp\i_pmhfzxrpkh.exe
          C:\Temp\i_pmhfzxrpkh.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2240
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\mhezxrpjhb.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:5488
        • C:\Temp\mhezxrpjhb.exe
          C:\Temp\mhezxrpjhb.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:6080
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:3968
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:5996
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_mhezxrpjhb.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:5860
        • C:\Temp\i_mhezxrpjhb.exe
          C:\Temp\i_mhezxrpjhb.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1680
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\gbztrljecw.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1464
        • C:\Temp\gbztrljecw.exe
          C:\Temp\gbztrljecw.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2032
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:5476
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1880
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_gbztrljecw.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:5724
        • C:\Temp\i_gbztrljecw.exe
          C:\Temp\i_gbztrljecw.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2756
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\bztrljdbwt.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:3880
        • C:\Temp\bztrljdbwt.exe
          C:\Temp\bztrljdbwt.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5408
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:5760
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1996
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_bztrljdbwt.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:3716
        • C:\Temp\i_bztrljdbwt.exe
          C:\Temp\i_bztrljdbwt.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2200
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\gaytqljdbv.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:5692
        • C:\Temp\gaytqljdbv.exe
          C:\Temp\gaytqljdbv.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4088
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4312
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4736
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_gaytqljdbv.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:5960
        • C:\Temp\i_gaytqljdbv.exe
          C:\Temp\i_gaytqljdbv.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:396
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\aysqkidavt.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:5904
        • C:\Temp\aysqkidavt.exe
          C:\Temp\aysqkidavt.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3100
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:5264
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1312
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_aysqkidavt.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2348
        • C:\Temp\i_aysqkidavt.exe
          C:\Temp\i_aysqkidavt.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3876
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\avsnlfdxvp.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:3092
        • C:\Temp\avsnlfdxvp.exe
          C:\Temp\avsnlfdxvp.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1644
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4048
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:5700
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_avsnlfdxvp.exe ups_ins
        3⤵
        PID:5232
        • C:\Temp\i_avsnlfdxvp.exe
          C:\Temp\i_avsnlfdxvp.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1660
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\faxsqkausm.exe ups_run
        3⤵
        PID:4784
        • C:\Temp\faxsqkausm.exe
          C:\Temp\faxsqkausm.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4908
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:4732
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:5064
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_faxsqkausm.exe ups_ins
        3⤵
        PID:2920
        • C:\Temp\i_faxsqkausm.exe
          C:\Temp\i_faxsqkausm.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2028
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\fzxspkicau.exe ups_run
        3⤵
        PID:5764
        • C:\Temp\fzxspkicau.exe
          C:\Temp\fzxspkicau.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:316
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:3548
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4860
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_fzxspkicau.exe ups_ins
        3⤵
        PID:3944
        • C:\Temp\i_fzxspkicau.exe
          C:\Temp\i_fzxspkicau.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:5452
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\cxrpjhbzur.exe ups_run
        3⤵
        PID:5304
        • C:\Temp\cxrpjhbzur.exe
          C:\Temp\cxrpjhbzur.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:944
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:4968
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4912
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_cxrpjhbzur.exe ups_ins
        3⤵
        PID:3964
        • C:\Temp\i_cxrpjhbzur.exe
          C:\Temp\i_cxrpjhbzur.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4748
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ztrmjecwuo.exe ups_run
        3⤵
        PID:5324
        • C:\Temp\ztrmjecwuo.exe
          C:\Temp\ztrmjecwuo.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1480
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:3928
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1608
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ztrmjecwuo.exe ups_ins
        3⤵
        PID:5544
        • C:\Temp\i_ztrmjecwuo.exe
          C:\Temp\i_ztrmjecwuo.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:5084
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\bztrmjebwu.exe ups_run
        3⤵
        PID:5592
        • C:\Temp\bztrmjebwu.exe
          C:\Temp\bztrmjebwu.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5200
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:4460
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1564
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_bztrmjebwu.exe ups_ins
        3⤵
        PID:1512
        • C:\Temp\i_bztrmjebwu.exe
          C:\Temp\i_bztrmjebwu.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1964
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ywqoigbytr.exe ups_run
        3⤵
        PID:1804
        • C:\Temp\ywqoigbytr.exe
          C:\Temp\ywqoigbytr.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3744
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:744
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4240
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ywqoigbytr.exe ups_ins
        3⤵
        PID:876
        • C:\Temp\i_ywqoigbytr.exe
          C:\Temp\i_ywqoigbytr.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4400
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ytqljdbvtn.exe ups_run
        3⤵
        PID:2292
        • C:\Temp\ytqljdbvtn.exe
          C:\Temp\ytqljdbvtn.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3612
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:5424
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:5840
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ytqljdbvtn.exe ups_ins
        3⤵
        PID:4468
        • C:\Temp\i_ytqljdbvtn.exe
          C:\Temp\i_ytqljdbvtn.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:5652
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:372
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:372 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:5248

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Temp\CreateProcess.exe

    Filesize
    3KB

    MD5
    b9c28e970fee764c12d78c39f5b77866

    SHA1
    acdc2001b5e5cf7683ed449e68b0d6d5f9473b0c

    SHA256
    59676b6b0ecba89ac6810fc513621bd6976b806a32c6397e080042f57b985df4

    SHA512
    0c49c81f093acd62c01e9aa0074e5b4de29775a150fd6bd08c32c2a6b22d46e54eccff7f23e5b789847b85fe410897f68a8e0e2f8b1375db302f476a3cc601bf

  • C:\Temp\aysqlidbvt.exe

    Filesize
    361KB

    MD5
    183047f7977762e7a63898593af4312a

    SHA1
    78f0e158e522b7acd1500df2c5d9bcdcc9251317

    SHA256
    c482737e0e0a5bd0b0c0e43ba7afde40c96915b880a0f4d20d996a0a45f5dd79

    SHA512
    d0d4390a2b876d19cf1ff9efeae66c7d6eaefd534a8a471594f6af169a6d7f2c3b3ab171b2bef5dca490b9d617d52c019d6354e50c7eb609d876ba852a180bc1

  • C:\Temp\eywrojhbzt.exe

    Filesize
    361KB

    MD5
    ce35793d291eb266d8f1cc25a193f22d

    SHA1
    11dd21f8985e5d6b6fc9374c2375a36077e8149f

    SHA256
    8abccb4ac6bc537c520803afa5cfbd50be54b50b738da727fe4b033616a2eb2e

    SHA512
    62aa03168bc10f66228fb31cc803fd70288904277f285ba72212096376d09827eabe91360cf0a4920b8a4e71e1ff4e496f92f2b26cd28b8fa98ce7b765f742e7

  • C:\Temp\gbztrljecw.exe

    Filesize
    361KB

    MD5
    867e4bdcaa68912bc8e45819722464f3

                                                      SHA1

                                                      8d3886ce8f2e51b19019ddaf94f138d38eb1bb3b

                                                      SHA256

                                                      c4fe4cdba89ede66889b63c0fba00b8e1b35f1da39ed9eec126d278d48bd4219

                                                      SHA512

                                                      d89b11d9dd4d5c2f64d85281531859c82a7e5e6c26d7253cc56420eedfe3b7fbc7dd3aa1c1f851c10b0ee83c1f6b310eeb58b022ab5762f2448191068b60a9f7

                                                    • C:\Temp\i_aysqlidbvt.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      5504c2bfd9683bae93048be37cd7d48b

                                                      SHA1

                                                      df359deda6316ed49e152f7269451351b2235749

                                                      SHA256

                                                      71b7a000c6130735d624ae39f6957543bc64299126e928b8cdf03ceebb1f1d62

                                                      SHA512

                                                      e939c81684370feba8d0212aa60af492c3b1f85fb80e2d3fd843965db7fb430dca5625dae970b93ec3f5d27f4f09fd449576b2661fafe8c33837c7d336ee176e

                                                    • C:\Temp\i_eywrojhbzt.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      2aee25658f0a0ccf5e21fe5016700f54

                                                      SHA1

                                                      2f591b70eeffb6ecd27bbbfe7386cd62930564d4

                                                      SHA256

                                                      c6d982bf1f21f86c6348a2eeb9d2fc9d0393d7db22c76a6dad1ff72a1baa22bc

                                                      SHA512

                                                      60545e81ba587ce157841dca60511a9eb87f4406605ec45bcbe37339f9f3488adf18fcc833482387a698ed340a201acdde860fc2c9020ecc3c05ba51f49840f4

                                                    • C:\Temp\i_igbytrljdb.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      0cda26f46226e5e10c0bd5876a4ac77a

                                                      SHA1

                                                      ac9887392dde3d9178ad712d5bdd97f5ee35f388

                                                      SHA256

                                                      a23335c71afa48085a57909ec69db5aeab596b6a24ab3289de26ae75f9eff234

                                                      SHA512

                                                      7c186199b0b77b7fe0647629209d140076fe20389061ecee7e8a0677ebf56254eebfcd9128366811e1947cd19e3b040e353f37210d458bb0f46f66fdeceaf1bd

                                                    • C:\Temp\i_lgdyvqoiga.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      bfcb0890a6c13d6ada5bd63db12c9e06

                                                      SHA1

                                                      6a7db7c0405ec30b966a3dab56e360e475327f44

                                                      SHA256

                                                      8d5706231afaf0a190c7eed139b94e00325d36879808bbda2e885dd4100f227a

                                                      SHA512

                                                      2a7c141d91a14260f0bf6fec2facfc4aad0d0e39c5856df156d9bc1a714725d12d9aa7610b254b5bea4133912723f5765b4f50b9e9a7196d92648c3a19406a6e

                                                    • C:\Temp\i_mhezxrpjhb.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      8c9101a8fb76fcd05538db747ff63d9b

                                                      SHA1

                                                      332a85a252453bbcf84388fd06442be65a9cc467

                                                      SHA256

                                                      ca850a78cd5a4861102661b0ff02bb04c8afddd94bc3c30ffdc363a52eb8fae3

                                                      SHA512

                                                      3852bff9e07f659f25965ca16667bcee2fcc9600edfd49691676e788308def32220b578b0ed7c59e46da557596c405597565939d3c05711006cabe9fb966b55a

                                                    • C:\Temp\i_pkicausmkf.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      b641c698958e9f331ff0528338dfcea8

                                                      SHA1

                                                      d0f6789da8bcefd009b7d4fa21b2026eaf9f1c02

                                                      SHA256

                                                      a7a8d409c46df04e3b755324dcbb51edd495c494146936a723336a88b993f5f8

                                                      SHA512

                                                      123d3c851d09b71b73e08944678a4cf88336fb194945d8390fef536ba45e67eac4b0444ff28a7b630663818b907b4bb04c2ae206251ef6dff8719eda3405b570

                                                    • C:\Temp\i_pmhfzxrpkh.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      6ecf9786cb3a59ab58eba6264e242b2f

                                                      SHA1

                                                      138ad592ead9067cb0b66c71810b008e15b6af13

                                                      SHA256

                                                      2b0458e86f0e7344ff13dd9a04c92fcd972535118532e0e21b62eb5481b92539

                                                      SHA512

                                                      741bfb91a5a136e464c389105b83b90cc5ed615c45dbe5a7b17b3ff0cc0dbeccd2606e0f541dd45fef1c1d468cfd71f7e283710d33b801d372cbc369a3eff57d

                                                    • C:\Temp\i_vpnhfaxsqk.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      1de5c4b77c53667b8a19a48cbaf4fd8d

                                                      SHA1

                                                      3feab0ea6fe4f559c522ae410a80e53cfd6f59b2

                                                      SHA256

                                                      37a609b0c9e9567bd599e3e26f16a9388c1a2e9c02ef0b11a3fb6cd20190fe97

                                                      SHA512

                                                      d2d11ac777c3d48bc74b6da74dfac1e6f91d51eb9e349fe28d5dd230a25ab8562eb81e0ea13b02cd76bb746eb676971ded36e549987e756757c37a5b21ad69f3

                                                    • C:\Temp\igbytrljdb.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      857f72821023358a520c815ab1867a26

                                                      SHA1

                                                      475cee414ea29e1220e5b19e2ba657a5b3cebed9

                                                      SHA256

                                                      655f600a3b9de693dd0d5a6cc528fe69a1fe0bfd44f838b207c33c392b879a3a

                                                      SHA512

                                                      c8a1bc2e099e38f66238bc404ba02e441ce95faeb2ae265a25db6a31e487a22782fa26fa5722362df64fee20b6a7f83c37ebdb23363e08ce03e15e8de2a89c23

                                                    • C:\Temp\lgdyvqoiga.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      7d7c0e672369f57b2f8a8d2e1166995f

                                                      SHA1

                                                      33acc6fc746ef7f8912d29f79f47a28496f7d04e

                                                      SHA256

                                                      7abea7de5b13eaf49c0703b38c452af4a5b85279536dabf49a6d2aed2017cab9

                                                      SHA512

                                                      f1155328dd509d281f580d56c6ecf4f464d76e5b29c022151a58c0cd41ce11e0adc47922e02fa5c440f57ddf397cd7391aa1031a7821dcc0be5995b58b4b8012

                                                    • C:\Temp\mhezxrpjhb.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      fc9c5f24281554755f1587d072317c9d

                                                      SHA1

                                                      e62e7d1a404a5a696685959e10755a6141ad08cf

                                                      SHA256

                                                      2dc6ac01bd8a882134525ab736232fcf49c218eacb285102ad4b015bef717973

                                                      SHA512

                                                      08efbc3ba6eb4ef2afef564e6d4241068e090b322ce92bc7a9942a19b2a93eae94fbb717a87599a91e52a2e3a5e2e14dfb9978679d0e265123136607bedc8a05

                                                    • C:\Temp\pkicausmkf.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      b689936fd1fa150f7beab4e6ef0b7ca2

                                                      SHA1

                                                      f7d14d986b501a5eaed490a0842e184eae4c42ba

                                                      SHA256

                                                      195895b156a06bd83c04181247aacb9a4fc0eeea3cce2f6cdef4398a9732b0d7

                                                      SHA512

                                                      f78a3216626f01f710e5736beee0fc5042a2716bbe08b22dd5fec158427efc738ec862ade46edbceab7802ab0ae8b02789c74b50cb34c7b08991c50b0011a05b

                                                    • C:\Temp\pmhfzxrpkh.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      55ee0d73ff218c49d715dff586c256bc

                                                      SHA1

                                                      64749c339943f1460582efc27930c15919f287c5

                                                      SHA256

                                                      2c043e56b7fe97919486fdbf51290cf9ac0daf31fbb4b372201b4f381940d293

                                                      SHA512

                                                      95b89d87b95736d7ce366d7659dfb506d615adb74e6aa9656b077d54de9c8c24a4ed555626efa5d8b08f67a3de8c0759196a0d7448ff6ee014119ce055ef1dc5

                                                    • C:\Temp\vpnhfaxsqk.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      01dbb726b27d84bcc623a219f3e8270a

                                                      SHA1

                                                      7233ea637fb046ae928afd628a536864fe0d602c

                                                      SHA256

                                                      330e3562f2e690da6c0796a8ced06a52d7eaadc9528a23753adead78e215f713

                                                      SHA512

                                                      18aecafeffff6caded5f0320594e01b93306409813f7ca363dd1fe5cf5eba2743869b4b59d426f079e1e8a04fa011122b0a448c0bc18c039ec528c26c4d00c66

                                                    • C:\Temp\wrojhbztrmgeywro.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      4d64ae23460f70aeb72336b63b01dd65

                                                      SHA1

                                                      ebea4ce55fe184536958979b7e6a15a18a39c545

                                                      SHA256

                                                      1a70a0db74f9bc334a90aca872544ae9eb488cc2ea247737ad7d2eca4320b27b

                                                      SHA512

                                                      a0d9973a31b4940b7b59c23a24c50e6ee2477aa2bce3437359da603bc0c2a35ba606cef05487f44dada2efba3829afe5a34f09a25ad4f2f79c5e476fec36a589

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

                                                      Filesize

                                                      471B

                                                      MD5

                                                      6fa63488caea8b3594fea115df3be326

                                                      SHA1

                                                      c3e7561107396a1178e0d032e55da05ecc81ecd4

                                                      SHA256

                                                      3b67d81ecd4a7d8e6cf9c0aac3216b42673664287e2b126f46f33c11404ff975

                                                      SHA512

                                                      f1d1f0c27ec78458c1cfe994bd51fd2da4dc4a69196dba788cd7987041a7c6c3b8a51f94d84cfb498700c543f54eeae74ccef3c9c839d3a1b648e00e54e0cb62

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

                                                      Filesize

                                                      400B

                                                      MD5

                                                      c6a2875bdd658411aeccde29fc2f6def

                                                      SHA1

                                                      aab39bb49982acc74fc803f3fe9c4084535430d9

                                                      SHA256

                                                      11e674e3bd7407d36f333ddc16b1ff86a89d0128f4bbe658ac803cfaed6c05f9

                                                      SHA512

                                                      b8889a25a1f78f4c4f4429832024d0be489491144f87407e745031922d86f5f68e670f94f2f9c9cc57c8afb0a09bb0e91b3a33971162d0c0987139b4998033c6

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q17O5V2O\suggestions[1].en-US

                                                      Filesize

                                                      17KB

                                                      MD5

                                                      5a34cb996293fde2cb7a4ac89587393a

                                                      SHA1

                                                      3c96c993500690d1a77873cd62bc639b3a10653f

                                                      SHA256

                                                      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                                                      SHA512

                                                      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
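An added example, not part of the sandbox report and not any vendor's code, that consumes the Downloads list above as indicators. It matches file contents against the SHA256 values listed for the C:\Temp drops and, separately, flags files whose path and name fit the observed drop pattern. The caveat that motivates the second check: all 18 executables dropped under C:\Temp are 361KB, yet every one carries a distinct hash, so hash matching only catches the copies this particular run produced. The name regex (optional `i_` prefix, 10 to 16 lowercase letters, `.exe`, directly under C:\Temp) generalises the names listed above and is an assumption, as are the function names; the file contents in the usage block are constructed placeholders, not real samples.

```python
"""Added example (not from the sandbox report): triage files against the
Downloads list. Hash matches are exact IOCs; the name check catches copies
with new hashes. Function names and the test inputs are constructed."""
import hashlib
import re
from pathlib import PureWindowsPath

# SHA256 values copied from the report's Downloads section, C:\Temp entries only.
REPORT_SHA256 = {
    "59676b6b0ecba89ac6810fc513621bd6976b806a32c6397e080042f57b985df4": "CreateProcess.exe",
    "c482737e0e0a5bd0b0c0e43ba7afde40c96915b880a0f4d20d996a0a45f5dd79": "aysqlidbvt.exe",
    "8abccb4ac6bc537c520803afa5cfbd50be54b50b738da727fe4b033616a2eb2e": "eywrojhbzt.exe",
    "c4fe4cdba89ede66889b63c0fba00b8e1b35f1da39ed9eec126d278d48bd4219": "gbztrljecw.exe",
    "71b7a000c6130735d624ae39f6957543bc64299126e928b8cdf03ceebb1f1d62": "i_aysqlidbvt.exe",
    "c6d982bf1f21f86c6348a2eeb9d2fc9d0393d7db22c76a6dad1ff72a1baa22bc": "i_eywrojhbzt.exe",
    "a23335c71afa48085a57909ec69db5aeab596b6a24ab3289de26ae75f9eff234": "i_igbytrljdb.exe",
    "8d5706231afaf0a190c7eed139b94e00325d36879808bbda2e885dd4100f227a": "i_lgdyvqoiga.exe",
    "ca850a78cd5a4861102661b0ff02bb04c8afddd94bc3c30ffdc363a52eb8fae3": "i_mhezxrpjhb.exe",
    "a7a8d409c46df04e3b755324dcbb51edd495c494146936a723336a88b993f5f8": "i_pkicausmkf.exe",
    "2b0458e86f0e7344ff13dd9a04c92fcd972535118532e0e21b62eb5481b92539": "i_pmhfzxrpkh.exe",
    "37a609b0c9e9567bd599e3e26f16a9388c1a2e9c02ef0b11a3fb6cd20190fe97": "i_vpnhfaxsqk.exe",
    "655f600a3b9de693dd0d5a6cc528fe69a1fe0bfd44f838b207c33c392b879a3a": "igbytrljdb.exe",
    "7abea7de5b13eaf49c0703b38c452af4a5b85279536dabf49a6d2aed2017cab9": "lgdyvqoiga.exe",
    "2dc6ac01bd8a882134525ab736232fcf49c218eacb285102ad4b015bef717973": "mhezxrpjhb.exe",
    "195895b156a06bd83c04181247aacb9a4fc0eeea3cce2f6cdef4398a9732b0d7": "pkicausmkf.exe",
    "2c043e56b7fe97919486fdbf51290cf9ac0daf31fbb4b372201b4f381940d293": "pmhfzxrpkh.exe",
    "330e3562f2e690da6c0796a8ced06a52d7eaadc9528a23753adead78e215f713": "vpnhfaxsqk.exe",
    "1a70a0db74f9bc334a90aca872544ae9eb488cc2ea247737ad7d2eca4320b27b": "wrojhbztrmgeywro.exe",
}

# Observed drop names: 10 lowercase letters (one 16-letter case), optional "i_"
# prefix, always directly under C:\Temp. The 10-16 range is an assumption.
DROP_NAME = re.compile(r"^(i_)?[a-z]{10,16}\.exe$")
DROP_DIR = "c:/temp"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_drop(path: str) -> bool:
    """True when the path sits in C:\\Temp and the name fits the observed pattern."""
    p = PureWindowsPath(path)
    return p.parent.as_posix().lower() == DROP_DIR and DROP_NAME.match(p.name) is not None


def triage(files: dict, known: dict = REPORT_SHA256) -> list:
    """Classify each path -> contents pair; an exact hash match wins over a name match."""
    results = []
    for path, data in files.items():
        digest = sha256_hex(data)
        if digest in known:
            verdict = "known_ioc"
        elif looks_like_drop(path):
            verdict = "name_pattern"
        else:
            verdict = "clean"
        results.append({"path": path, "sha256": digest, "size": len(data), "verdict": verdict})
    return results


if __name__ == "__main__":
    # Constructed inputs: placeholder bytes, not the real dropped executables.
    sample = {
        r"C:\Temp\i_pkicausmkf.exe": b"\x4d\x5a" + b"\x00" * 64,
        r"C:\Windows\System32\notepad.exe": b"\x4d\x5a" + b"\x00" * 64,
    }
    for r in triage(sample):
        print(f"{r['verdict']:13} {r['path']}")
```

On a live host the `files` mapping would be built by reading C:\Temp; the hash dictionary is only as good as this one run, which is why `triage` reports the name-pattern verdict separately rather than folding it into the hash result.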