Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20250610-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03/07/2025, 05:56

General

  • Target

    2025-07-03_8d6081be15596b9b110b0995ffc40dfc_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe

  • Size

    361KB

  • MD5

    8d6081be15596b9b110b0995ffc40dfc

  • SHA1

    259450770e007ca32becda53a1d76a55bf22b0c5

  • SHA256

    cafb08a742ddcb1982a652b4fc77a1ef0979e11787749fa46fa3bca63d15a429

  • SHA512

    9b0beefd51f55bd31cb6be7c98bf3736c2bb1a831f54e1d9cea3607d7fe147125943573952d70853308bf78ec9cb228b8b7e07b66f927a0bcae9eff351f477bd

  • SSDEEP

    6144:hflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:hflfAsiVGjSGecvX

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 43 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information (2 TTPs, 20 IoCs)

    Uses a command-line utility to view the network configuration.

  • Modifies Internet Explorer settings (1 TTP, 33 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: LoadsDriver (20 IoCs)
  • Suspicious use of AdjustPrivilegeToken (19 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-03_8d6081be15596b9b110b0995ffc40dfc_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-03_8d6081be15596b9b110b0995ffc40dfc_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Temp\aytqljdbvtolgeyw.exe
      C:\Temp\aytqljdbvtolgeyw.exe run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3232
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\igbytrljdb.exe ups_run
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4756
        • C:\Temp\igbytrljdb.exe
          C:\Temp\igbytrljdb.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:868
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4944
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4668
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_igbytrljdb.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:540
        • C:\Temp\i_igbytrljdb.exe
          C:\Temp\i_igbytrljdb.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:624
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\nigaysqkid.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:5184
        • C:\Temp\nigaysqkid.exe
          C:\Temp\nigaysqkid.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1460
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:5740
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4080
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_nigaysqkid.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:984
        • C:\Temp\i_nigaysqkid.exe
          C:\Temp\i_nigaysqkid.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1132
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\icavsnlfdx.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:3708
        • C:\Temp\icavsnlfdx.exe
          C:\Temp\icavsnlfdx.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1404
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2872
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2572
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_icavsnlfdx.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:5056
        • C:\Temp\i_icavsnlfdx.exe
          C:\Temp\i_icavsnlfdx.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:5928
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\kfdxvpnhfa.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:3016
        • C:\Temp\kfdxvpnhfa.exe
          C:\Temp\kfdxvpnhfa.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5036
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:3240
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2224
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_kfdxvpnhfa.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1996
        • C:\Temp\i_kfdxvpnhfa.exe
          C:\Temp\i_kfdxvpnhfa.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3824
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\czusmkecxu.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:5060
        • C:\Temp\czusmkecxu.exe
          C:\Temp\czusmkecxu.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2952
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4632
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4516
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_czusmkecxu.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:316
        • C:\Temp\i_czusmkecxu.exe
          C:\Temp\i_czusmkecxu.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4576
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\zurmjecwuo.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:5608
        • C:\Temp\zurmjecwuo.exe
          C:\Temp\zurmjecwuo.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:768
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:3528
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:5044
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_zurmjecwuo.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:5900
        • C:\Temp\i_zurmjecwuo.exe
          C:\Temp\i_zurmjecwuo.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:936
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\rojhbztrlj.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:5368
        • C:\Temp\rojhbztrlj.exe
          C:\Temp\rojhbztrlj.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2200
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:5472
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4956
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_rojhbztrlj.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:5812
        • C:\Temp\i_rojhbztrlj.exe
          C:\Temp\i_rojhbztrlj.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4696
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\rojgbztrlj.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:5008
        • C:\Temp\rojgbztrlj.exe
          C:\Temp\rojgbztrlj.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3604
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4224
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4064
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_rojgbztrlj.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:4336
        • C:\Temp\i_rojgbztrlj.exe
          C:\Temp\i_rojgbztrlj.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3888
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ljdbwtolge.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:6128
        • C:\Temp\ljdbwtolge.exe
          C:\Temp\ljdbwtolge.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3340
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:5456
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2672
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ljdbwtolge.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2828
        • C:\Temp\i_ljdbwtolge.exe
          C:\Temp\i_ljdbwtolge.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:5004
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\jdbvtnlgdy.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:696
        • C:\Temp\jdbvtnlgdy.exe
          C:\Temp\jdbvtnlgdy.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2312
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1764
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2660
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_jdbvtnlgdy.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:5872
        • C:\Temp\i_jdbvtnlgdy.exe
          C:\Temp\i_jdbvtnlgdy.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:5284
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\cavsnlfdxv.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4104
        • C:\Temp\cavsnlfdxv.exe
          C:\Temp\cavsnlfdxv.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1840
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1192
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4108
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_cavsnlfdxv.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:704
        • C:\Temp\i_cavsnlfdxv.exe
          C:\Temp\i_cavsnlfdxv.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4316
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ifaxsqkica.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1996
        • C:\Temp\ifaxsqkica.exe
          C:\Temp\ifaxsqkica.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4716
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1540
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1776
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ifaxsqkica.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:4428
        • C:\Temp\i_ifaxsqkica.exe
          C:\Temp\i_ifaxsqkica.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4672
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\fcxvpnhfzx.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:5060
        • C:\Temp\fcxvpnhfzx.exe
          C:\Temp\fcxvpnhfzx.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:736
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:3296
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2764
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_fcxvpnhfzx.exe ups_ins
        3⤵
        PID:836
        • C:\Temp\i_fcxvpnhfzx.exe
          C:\Temp\i_fcxvpnhfzx.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2228
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\czurmkecwu.exe ups_run
        3⤵
        PID:5656
        • C:\Temp\czurmkecwu.exe
          C:\Temp\czurmkecwu.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1652
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:5852
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3984
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_czurmkecwu.exe ups_ins
        3⤵
        PID:3584
        • C:\Temp\i_czurmkecwu.exe
          C:\Temp\i_czurmkecwu.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2788
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\kecwupezwr.exe ups_run
        3⤵
        PID:5044
        • C:\Temp\kecwupezwr.exe
          C:\Temp\kecwupezwr.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:768
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:5152
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3272
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_kecwupezwr.exe ups_ins
        3⤵
        PID:5816
        • C:\Temp\i_kecwupezwr.exe
          C:\Temp\i_kecwupezwr.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:5204
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\hbztrljebw.exe ups_run
        3⤵
        PID:1984
        • C:\Temp\hbztrljebw.exe
          C:\Temp\hbztrljebw.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3064
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2104
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:5280
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_hbztrljebw.exe ups_ins
        3⤵
        PID:4752
        • C:\Temp\i_hbztrljebw.exe
          C:\Temp\i_hbztrljebw.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4784
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\eywqojgbyt.exe ups_run
        3⤵
        PID:4100
        • C:\Temp\eywqojgbyt.exe
          C:\Temp\eywqojgbyt.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4124
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2924
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:5700
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_eywqojgbyt.exe ups_ins
        3⤵
        PID:3188
        • C:\Temp\i_eywqojgbyt.exe
          C:\Temp\i_eywqojgbyt.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:556
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ytqlidbvtn.exe ups_run
        3⤵
        PID:4580
        • C:\Temp\ytqlidbvtn.exe
          C:\Temp\ytqlidbvtn.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4756
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:4668
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4880
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ytqlidbvtn.exe ups_ins
        3⤵
        PID:1648
        • C:\Temp\i_ytqlidbvtn.exe
          C:\Temp\i_ytqlidbvtn.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4704
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\gaytqljdbv.exe ups_run
        3⤵
        PID:3024
        • C:\Temp\gaytqljdbv.exe
          C:\Temp\gaytqljdbv.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2272
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2328
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4064
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_gaytqljdbv.exe ups_ins
        3⤵
        PID:5228
        • C:\Temp\i_gaytqljdbv.exe
          C:\Temp\i_gaytqljdbv.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2188
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\aysqkicavs.exe ups_run
        3⤵
        PID:1032
        • C:\Temp\aysqkicavs.exe
          C:\Temp\aysqkicavs.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4324
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:1460
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1228
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_aysqkicavs.exe ups_ins
        3⤵
        PID:6052
        • C:\Temp\i_aysqkicavs.exe
          C:\Temp\i_aysqkicavs.exe ups_ins
          4⤵
          PID:1480
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5760
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5760 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3964

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Temp\CreateProcess.exe
    Filesize
    3KB
    MD5
    14a6bda84066fa9f41c52c49eb7272c3
    SHA1
    5843c6d6e4ea42b202374bb4d287194cf1da28aa
    SHA256
    e200b11d696a62c70b7a4c90c1c8432f234957931342d0ebed35cae97184092d
    SHA512
    fe2f8d9d02a2a2b320c6245187dc0d62f16d09acafc036d3b97fa1a76f419da364eac071c64b287b85b22c6369214e97e0b57f338920f912ec7131039f1c22e9
  • C:\Temp\aytqljdbvtolgeyw.exe
    Filesize
    361KB
    MD5
    6a83c859d3fe9f9445a8af952d18e20b
    SHA1
    eb889b0a9071cecc4e4c311d0cb17a7e1f4d0c88
    SHA256
    e0ab5d0861ec5e8c3c9e2c0f12a196ff557d4b577407bdfd66e99b5d445c72db
    SHA512
    1947f56d6e112fb050dbf3ef9e10185713ea82987c486809d6f3d3feb14dc258b846c3a67595bc97a9d7267588f6ed56c43740775708f90663baf68773e55670
  • C:\Temp\czusmkecxu.exe
    Filesize
    361KB
    MD5
    49005e3bc903e939b2ebd722ecaa073f
    SHA1
    651baae874a7bd6fab3e2ca7eae363c0959c0cce
    SHA256
    ce068db6a779015417497d219e36786b2987166a4c56c543b663aa4b2bd1fddf
    SHA512
    ab79b53db05c15e4a2e07224fce47f7518de9f1d577675bc55fa4eb1d8e1d9206225f8d5867792d4aaee0cdc162fef8c5ed846c8579ead76304594af8b359d75
  • C:\Temp\i_czusmkecxu.exe
    Filesize
    361KB
    MD5
    4ab3bb846feb80a0af70e95acee1193c
    SHA1
    5dea08d4d8b9aea79e0a3c056b6b525b9b63eb89

                                                        SHA256

                                                        c6c105ff16b726ca98f27f32e1592c599d491985154c42b8b849c970d56c91c0

                                                        SHA512

                                                        0bec3064b0c74e2ff0a2ba9da18813c89628c6e0e0338b71c6db04bd7d336090fb96adc0b10218d7912427ec19bec59ad0fd3aff51ed9ae7262b0404e42b4882

                                                      • C:\Temp\i_icavsnlfdx.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        60abbed7b8883a571b9d6f9edb0c159a

                                                        SHA1

                                                        8d09ca92c5b3a03c2775b8efde175700e2e043ef

                                                        SHA256

                                                        75c012f85c3c9ee06b678966b31ec888ae088411fad1adebed93b74a49557788

                                                        SHA512

                                                        12c18bab44787dc63a45d6d544d6aad0c411c08f8f02a01ba84e3d9d5cb90e4136080caa878a9566ab8dca721f669a6cc21c3fe68ddc65ebbba3928d75e1a0ad

                                                      • C:\Temp\i_igbytrljdb.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        0c387b83f0f9da09dffb2986e68e1419

                                                        SHA1

                                                        f6bbc603397dade45e6da294f767f1469069b2e7

                                                        SHA256

                                                        c1e7c74600e48279ac825a719d0bc9926889fc0409914d0bd4f5b212ed595156

                                                        SHA512

                                                        ed0de21dffb25ab926df0a1aed920c780546939809d9033e8d076bdbb0f8f91b4c877880485ce85892e76750a67487fd6789d803130bc0f5ed82898e0b0e3b4a

                                                      • C:\Temp\i_kfdxvpnhfa.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        42615734b5e73c3985c755892df1bb44

                                                        SHA1

                                                        e400965d29737472a61e8eeba64c81e37def4c45

                                                        SHA256

                                                        5a166c1b3143511fd40ccab38dec15839187a568c9412c7c4b648d361096810c

                                                        SHA512

                                                        c8f0bafc1211bee04ec94c610ba7b3db08ac74b1ea4d711158e443470aa97c694799c4a6f8f844c0a4733cf220149be219d20b53f21acf0048399ad8550e5c77

                                                      • C:\Temp\i_nigaysqkid.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        fd42501a24c12f9485d6aeadca155da2

                                                        SHA1

                                                        f142c30451fdfe4119ff3dc4586cc744b96546e1

                                                        SHA256

                                                        96bd445b4229aa25c9ef96aecc2416e34a3aa4273890df1a25512cc81b2c01de

                                                        SHA512

                                                        3bc74db7442b1b77b752d2b471fa9fd81f612ad87e9d927201b22692a77228afa637dbfaa56d75d2f43cfe0be679771ee29c483144cf66ab8424af08f721a844

                                                      • C:\Temp\i_rojgbztrlj.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        c3e90b30ff355eb425aeb426f1f95d13

                                                        SHA1

                                                        3283a9830f226041bbb077ff2c387b038d133e93

                                                        SHA256

                                                        b722c195455f6f901d3f5d6b682c3163fd6c0defc564978fca1240647b007016

                                                        SHA512

                                                        a7a411e1038f3a5dbb848d742d24d8a052883e37b72abbb430e25035210bb6594ec59991d47235ad6abf384892b55158e4914f1330fc8d7a1304aa79ad183bf8

                                                      • C:\Temp\i_rojhbztrlj.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        5ce4b3afac0bf17a9321a881f6a4c79b

                                                        SHA1

                                                        c9fe5b1bd4f1f1af9fbfd9ca81612628c789ba86

                                                        SHA256

                                                        01394479e0ffb9b5f2261c1771f09904c1d37f4f5ce05b66812a0776d05e065b

                                                        SHA512

                                                        54a97295f509352162535bdf041a097737c3f512b54677aeac19915e58c093b6fb9c0bcd441e23c6165cdabfa00dcdbc2f0e4566a48f6f3bc1b34bdaa1247a54

                                                      • C:\Temp\i_zurmjecwuo.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        7db14de90582d695d926fde2e8908cc3

                                                        SHA1

                                                        5b753c9e0fb5c6f530f49b67ee5cfdf32cef7d0e

                                                        SHA256

                                                        3c88867f5ff758f26ca80ff326a9db63ab273fa2efec2a6a7f65032fd39c3f0b

                                                        SHA512

                                                        231bfefa4372088ae84e6a1a2627872df886e84a6158e5957c6d2099fa92d31377a3ee03e18f3294943d09047619804c81115c9d8b9e57593fbc28b132d1f6a8

                                                      • C:\Temp\icavsnlfdx.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        47283e46dbfa39cee8bb4318e3249578

                                                        SHA1

                                                        cd1e202a93f4360b5f37ea31eaf2f1707d9ffb6d

                                                        SHA256

                                                        1976d8b5503cab5b7262c1af5060dfc09997d7fdc47a87abd1898b07e4ad2fc3

                                                        SHA512

                                                        b2aa980f4e9e44270f97e173dcd976a866d50a41ce69889833c4d6becdc5b32f3808ae4a88c6951b2189cad547b8e12df22f30c886b8a8e77b48f68a65ed3ce8

                                                      • C:\Temp\igbytrljdb.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        0d7c51b33cd0b79163a9f463ba0b21e0

                                                        SHA1

                                                        c0c712d9996bf094a6509da3477460dab4f3c6d6

                                                        SHA256

                                                        0b79c87c58debf2e85cf074ee6ca9126ecf49f9d3905b610b7f508cbb54e2f86

                                                        SHA512

                                                        27c28194adf900d3ad5070d8d6453da523609b56fc6384b3cbe284dcf3fbd09ef107b721a589e064686de025f2375adaf2dbae50516dda134a8422bb639988ef

                                                      • C:\Temp\kfdxvpnhfa.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        b09b103fe336bab5059794fe46a127a3

                                                        SHA1

                                                        4f40da2920e950614c0055d7b0b23839f3e46dec

                                                        SHA256

                                                        deaadf63111fa89bfbb68d04ea2d3d132a8c0f424302555628f9a9e26e5a2a1a

                                                        SHA512

                                                        4e3e3d6a6f4d8929b730ca1905b9dd39b61b0c81f1236f04e6640fe31e0108e1204585735081c73ef38afc0f1f7b7ba24bd1fa28de0ca7611d43efab1caaee4f

                                                      • C:\Temp\ljdbwtolge.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        f416695c3376e7b0eb9c6528efd62958

                                                        SHA1

                                                        e980087fb3862a37181e4e74886d3178c3f8ce9d

                                                        SHA256

                                                        5b9ed51996a16735f6680e81904ab1f33d0a44b79371ce2fdbc99e5d0e66a8e7

                                                        SHA512

                                                        61d48e6592eac9928ca80d039128d84f163a1ab181ec967fd856827df336006be47e856b777aa904827a68a610e9488139fccccff9452687e0a256169b45989f

                                                      • C:\Temp\nigaysqkid.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        0c1d11dec8567f4664c71dfbce084b9d

                                                        SHA1

                                                        f8b442b67df26a936bbd0d7466f8f9e9295f9d47

                                                        SHA256

                                                        dc9d25c6822fc7b04fc16af982b318a21d18b17f7020f866e1677f8185c7743b

                                                        SHA512

                                                        ded39686921bb837a6524e6b1c83d9910bf61decb66c8c63b39adf37cb6d65a7f3dc0db6256d45ce6499fa2e861ed297a30d80556f948f8fe4406598f3538914

                                                      • C:\Temp\rojgbztrlj.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        8ca204d6948d88eaaa1fc25fd395c9f2

                                                        SHA1

                                                        caba9f7d16783fbcb7781f300c8245f89f75e894

                                                        SHA256

                                                        4ac63517b9109ef6cfad314978d71c1f3133df316c31c61d5825b349ab5e4abe

                                                        SHA512

                                                        77204835f4cdc27799995d70d1dfb51a497990137db5b6584a1357f6d9c593a04e2b7731cb9a6df0d06d2d0f07d2b0ab7ab3b29448bfe019070e9b84edec910a

                                                      • C:\Temp\rojhbztrlj.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        d2c3d9e7c5ea138d6e5dfc4c08fe98a7

                                                        SHA1

                                                        e24e29d64e68d43315bb21d5856cb3cede662304

                                                        SHA256

                                                        466d5855e89782bce7b3a105534eb7169a7a8f45f0fad92457b39b7c3aa0a90f

                                                        SHA512

                                                        a0b9de95008f9165a7df60dd2a6965661bfbb20f7ebf8175946b97647dd25972acfabe524be19b1905dfd226bc10c60fb17692e233fd109a97f32267c9248840

                                                      • C:\Temp\zurmjecwuo.exe

                                                        Filesize

                                                        361KB

                                                        MD5

                                                        4de44d8358069bc5838042dfdbdc3ea3

                                                        SHA1

                                                        3e90f9c52c7bc752574159d5b181d8e8f3826622

                                                        SHA256

                                                        ca07a8fda831bc5869ab425c8043ac9754219ff1e373dc1a97912ed12f6e1151

                                                        SHA512

                                                        5827ab8a7e8639e77ab11c0c48a55fbaae30dab19d3017adee8d53672f65a7601e4fbc72866ec7f73f6b8254488efa7569785c9b6c5c2e676896a283dd2ecf59

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

                                                        Filesize

                                                        471B

                                                        MD5

                                                        6fa63488caea8b3594fea115df3be326

                                                        SHA1

                                                        c3e7561107396a1178e0d032e55da05ecc81ecd4

                                                        SHA256

                                                        3b67d81ecd4a7d8e6cf9c0aac3216b42673664287e2b126f46f33c11404ff975

                                                        SHA512

                                                        f1d1f0c27ec78458c1cfe994bd51fd2da4dc4a69196dba788cd7987041a7c6c3b8a51f94d84cfb498700c543f54eeae74ccef3c9c839d3a1b648e00e54e0cb62

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

                                                        Filesize

                                                        400B

                                                        MD5

                                                        48213d552f48f2a99dac2ea0109b539f

                                                        SHA1

                                                        fcffd9e73157218d35dfffcdbea6fd14661a6669

                                                        SHA256

                                                        76abf440b8833e2353239a126feb33f112f9cb529934c9abef93b9e7501e80d4

                                                        SHA512

                                                        b95599977bc991f3c38e826d6f828631ae71cba1e53c94ccadff4e27d23228c46e93371ac34297ba787bf37e230b5490573f38a57fc2c1eefd5d37acc53ad0d4

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LN2KZ60H\suggestions[1].en-US

                                                        Filesize

                                                        17KB

                                                        MD5

                                                        5a34cb996293fde2cb7a4ac89587393a

                                                        SHA1

                                                        3c96c993500690d1a77873cd62bc639b3a10653f

                                                        SHA256

                                                        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                                                        SHA512

                                                        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
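The dropped-file list above is the most reusable output of this report, with one caveat a practitioner should note: every copy written under C:\Temp is 361KB, yet no two share an MD5 or SHA256, so a blocklist built from one run's hashes will miss the siblings the next run drops. The Python script below is an added example, not part of the sandbox report: it parses a Downloads-style listing into IOC records (hash values copied from the list above; the parser accepts "Label: value" on one line or the label and value on consecutive lines, as the page renders them) and classifies file records first by hash match and, failing that, by the dropper's file-name pattern. The name pattern (a 10 to 16 letter lowercase name under C:\Temp, optionally prefixed with i_), the sibling and benign entries in SAMPLE_RECORDS, and their hashes are assumptions constructed for illustration, not observations from the report.

```python
"""Turn a sandbox report's dropped-file list into checkable IOCs.

Added example; not part of the sandbox report. Hash values in
REPORT_EXCERPT are copied from the report's Downloads list. The name
pattern and SAMPLE_RECORDS are assumptions constructed for illustration.
"""
import hashlib
import re

# Excerpt of the report's Downloads list. The third entry deliberately keeps
# the page's own layout (label on one line, value on the next) to show the
# parser handles both forms.
REPORT_EXCERPT = r"""
• C:\Temp\CreateProcess.exe
  Filesize: 3KB
  MD5: 14a6bda84066fa9f41c52c49eb7272c3
  SHA256: e200b11d696a62c70b7a4c90c1c8432f234957931342d0ebed35cae97184092d
• C:\Temp\aytqljdbvtolgeyw.exe
  Filesize: 361KB
  MD5: 6a83c859d3fe9f9445a8af952d18e20b
  SHA256: e0ab5d0861ec5e8c3c9e2c0f12a196ff557d4b577407bdfd66e99b5d445c72db
• C:\Temp\czusmkecxu.exe
  Filesize
  361KB
  MD5
  49005e3bc903e939b2ebd722ecaa073f
  SHA256
  ce068db6a779015417497d219e36786b2987166a4c56c543b663aa4b2bd1fddf
• C:\Temp\i_czusmkecxu.exe
  Filesize: 361KB
  MD5: 4ab3bb846feb80a0af70e95acee1193c
  SHA256: c6c105ff16b726ca98f27f32e1592c599d491985154c42b8b849c970d56c91c0
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")

# Assumption derived from the listed paths: a lowercase 10-16 letter name
# under C:\Temp, optionally prefixed with "i_". Mixed-case names such as
# CreateProcess.exe intentionally do not match.
DROPPER_NAME = re.compile(r"^[Cc]:\\[Tt]emp\\(i_)?[a-z]{10,16}\.exe$")


def parse_downloads(text):
    """Parse '• path' entries followed by label/value pairs into dicts."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            entries.append(current)
            pending = None
            continue
        if current is None:
            continue
        label, _, value = line.partition(":")
        label = label.strip()
        if label in LABELS:
            if value.strip():
                current[label] = value.strip()
            else:
                pending = label          # value follows on the next line
        elif pending:
            current[pending] = line
            pending = None
    return entries


def hash_set(entries, algo="SHA256"):
    """Lower-cased set of one hash type across all parsed entries."""
    return {e[algo].lower() for e in entries if algo in e}


def classify(record, known_hashes):
    """Reason a file record is suspicious, or None.

    A hash hit is the strongest signal; the name-pattern fallback catches
    siblings that, as the report shows, differ in hash despite equal size.
    """
    if record["sha256"].lower() in known_hashes:
        return "known-hash"
    if DROPPER_NAME.match(record["path"]):
        return "name-pattern"
    return None


def sha256_of(data: bytes) -> str:
    """How a record's sha256 field is produced from file bytes on a host."""
    return hashlib.sha256(data).hexdigest()


# Constructed records standing in for a directory walk on the triaged host.
SAMPLE_RECORDS = [
    {"path": r"C:\Temp\czusmkecxu.exe",                 # listed in the report
     "sha256": "ce068db6a779015417497d219e36786b2987166a4c56c543b663aa4b2bd1fddf"},
    {"path": r"C:\Temp\i_qwertyuiop.exe",               # constructed sibling
     "sha256": sha256_of(b"constructed-sibling-bytes")},
    {"path": r"C:\Windows\System32\notepad.exe",        # constructed benign file
     "sha256": sha256_of(b"constructed-benign-bytes")},
]


def triage(records=SAMPLE_RECORDS, report_text=REPORT_EXCERPT):
    """Return (path, verdict) for every record against the report's IOCs."""
    known = hash_set(parse_downloads(report_text))
    return [(r["path"], classify(r, known)) for r in records]


def distinct_hash_count(entries, size="361KB"):
    """Distinct SHA256 values among entries of one reported size; equal to
    the entry count here, which is why a single-hash blocklist is weak."""
    return len({e["SHA256"] for e in entries if e.get("Filesize") == size})


if __name__ == "__main__":
    for path, verdict in triage():
        print(f"{verdict or 'clean':13}{path}")
```

Run it against a real host by replacing SAMPLE_RECORDS with the output of a directory walk that fills path and sha256 via sha256_of(open(path, "rb").read()); the report's full list, not just the excerpt, should feed parse_downloads so that every listed hash is covered.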