Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/07/2025, 05:54

General

  • Target

    2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe

  • Size

    361KB

  • MD5

    7f6f386c0b5b6c9daf623873f4426a36

  • SHA1

    240de396cd30e42f4274659d8e649ab029da8140

  • SHA256

    3d50860483f03ced72f9166831c5f4326aae3acfdd0cc1d278b4e6b3211e9f7e

  • SHA512

    35113c311fb1b0a393e67928c7a55ee544f60e1a989001aaa97cd4301d94f579287b578635774647316fd0b69f06efeacf4630c903e68d8da46e7656852ff00c

  • SSDEEP

    6144:jflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:jflfAsiVGjSGecvX

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Gathers network information 2 TTPs 20 IoCs

    Uses a command-line utility to view network configuration. Note that every invocation in this run is ipconfig.exe /release, which releases the host's DHCP lease(s) rather than merely displaying configuration, so the observable effect on the victim is loss of network connectivity on DHCP-configured adapters.

  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-03_7f6f386c0b5b6c9daf623873f4426a36_amadey_darkgate_elex_rhadamanthys_smoke-loader_stop.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Temp\gaysqlidbvtnlfdy.exe
      C:\Temp\gaysqlidbvtnlfdy.exe run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\qljdbvtnlg.exe ups_run
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3648
        • C:\Temp\qljdbvtnlg.exe
          C:\Temp\qljdbvtnlg.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2228
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:32
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4184
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_qljdbvtnlg.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1776
        • C:\Temp\i_qljdbvtnlg.exe
          C:\Temp\i_qljdbvtnlg.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2996
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\qkicavsnlf.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:724
        • C:\Temp\qkicavsnlf.exe
          C:\Temp\qkicavsnlf.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1168
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:5076
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3584
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_qkicavsnlf.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2632
        • C:\Temp\i_qkicavsnlf.exe
          C:\Temp\i_qkicavsnlf.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3640
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\kfdxvpnifa.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4428
        • C:\Temp\kfdxvpnifa.exe
          C:\Temp\kfdxvpnifa.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3920
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4848
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3972
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_kfdxvpnifa.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:720
        • C:\Temp\i_kfdxvpnifa.exe
          C:\Temp\i_kfdxvpnifa.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3060
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\causmkecxu.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:184
        • C:\Temp\causmkecxu.exe
          C:\Temp\causmkecxu.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1876
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1048
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3480
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_causmkecxu.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:3256
        • C:\Temp\i_causmkecxu.exe
          C:\Temp\i_causmkecxu.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1760
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\fzxrpkhczu.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1616
        • C:\Temp\fzxrpkhczu.exe
          C:\Temp\fzxrpkhczu.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1488
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1416
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3504
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_fzxrpkhczu.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:760
        • C:\Temp\i_fzxrpkhczu.exe
          C:\Temp\i_fzxrpkhczu.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2540
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\wrpjhbzurm.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1084
        • C:\Temp\wrpjhbzurm.exe
          C:\Temp\wrpjhbzurm.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2992
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1592
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:5060
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_wrpjhbzurm.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1780
        • C:\Temp\i_wrpjhbzurm.exe
          C:\Temp\i_wrpjhbzurm.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2176
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\rmjecwuomg.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4064
        • C:\Temp\rmjecwuomg.exe
          C:\Temp\rmjecwuomg.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1172
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:3352
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1688
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_rmjecwuomg.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:3168
        • C:\Temp\i_rmjecwuomg.exe
          C:\Temp\i_rmjecwuomg.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:720
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\igbytrljdb.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:220
        • C:\Temp\igbytrljdb.exe
          C:\Temp\igbytrljdb.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3092
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:5016
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4468
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_igbytrljdb.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:560
        • C:\Temp\i_igbytrljdb.exe
          C:\Temp\i_igbytrljdb.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:796
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\oigaytqljd.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:652
        • C:\Temp\oigaytqljd.exe
          C:\Temp\oigaytqljd.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3140
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4672
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1252
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_oigaytqljd.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1840
        • C:\Temp\i_oigaytqljd.exe
          C:\Temp\i_oigaytqljd.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3628
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\igaysqlida.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4520
        • C:\Temp\igaysqlida.exe
          C:\Temp\igaysqlida.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2552
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:3924
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2024
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_igaysqlida.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:3988
        • C:\Temp\i_igaysqlida.exe
          C:\Temp\i_igaysqlida.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2952
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\faysqkicav.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:5016
        • C:\Temp\faysqkicav.exe
          C:\Temp\faysqkicav.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3092
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:5100
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2548
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_faysqkicav.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:992
        • C:\Temp\i_faysqkicav.exe
          C:\Temp\i_faysqkicav.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4112
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\causmkfcxu.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1568
        • C:\Temp\causmkfcxu.exe
          C:\Temp\causmkfcxu.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4456
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4836
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4008
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_causmkfcxu.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:4344
        • C:\Temp\i_causmkfcxu.exe
          C:\Temp\i_causmkfcxu.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4956
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\kfcxupnhfz.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4672
        • C:\Temp\kfcxupnhfz.exe
          C:\Temp\kfcxupnhfz.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3140
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:652
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2280
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_kfcxupnhfz.exe ups_ins
        3⤵
        PID:4552
        • C:\Temp\i_kfcxupnhfz.exe
          C:\Temp\i_kfcxupnhfz.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4504
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ecwupmhfzx.exe ups_run
        3⤵
        PID:388
        • C:\Temp\ecwupmhfzx.exe
          C:\Temp\ecwupmhfzx.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5012
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:4100
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:832
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ecwupmhfzx.exe ups_ins
        3⤵
        PID:3900
        • C:\Temp\i_ecwupmhfzx.exe
          C:\Temp\i_ecwupmhfzx.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2052
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\bztrljebwu.exe ups_run
        3⤵
        PID:1168
        • C:\Temp\bztrljebwu.exe
          C:\Temp\bztrljebwu.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3920
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:3216
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3648
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_bztrljebwu.exe ups_ins
        3⤵
        PID:4728
        • C:\Temp\i_bztrljebwu.exe
          C:\Temp\i_bztrljebwu.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3764
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ywqojgbztr.exe ups_run
        3⤵
        PID:2124
        • C:\Temp\ywqojgbztr.exe
          C:\Temp\ywqojgbztr.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2300
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:936
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4388
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ywqojgbztr.exe ups_ins
        3⤵
        PID:2188
        • C:\Temp\i_ywqojgbztr.exe
          C:\Temp\i_ywqojgbztr.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1876
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\eywqoigbyt.exe ups_run
        3⤵
        PID:3672
        • C:\Temp\eywqoigbyt.exe
          C:\Temp\eywqoigbyt.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4948
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:796
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1620
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_eywqoigbyt.exe ups_ins
        3⤵
        PID:4868
        • C:\Temp\i_eywqoigbyt.exe
          C:\Temp\i_eywqoigbyt.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3608
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\yvqoigaytq.exe ups_run
        3⤵
        PID:1076
        • C:\Temp\yvqoigaytq.exe
          C:\Temp\yvqoigaytq.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2860
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:1080
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1288
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_yvqoigaytq.exe ups_ins
        3⤵
        PID:3952
        • C:\Temp\i_yvqoigaytq.exe
          C:\Temp\i_yvqoigaytq.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1056
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\sqlidavtnl.exe ups_run
        3⤵
        PID:2564
        • C:\Temp\sqlidavtnl.exe
          C:\Temp\sqlidavtnl.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3192
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2668
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3524
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_sqlidavtnl.exe ups_ins
        3⤵
        PID:3288
        • C:\Temp\i_sqlidavtnl.exe
          C:\Temp\i_sqlidavtnl.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4520
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\pnhfaxsqki.exe ups_run
        3⤵
        PID:4828
        • C:\Temp\pnhfaxsqki.exe
          C:\Temp\pnhfaxsqki.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3216
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:1096
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2228
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_pnhfaxsqki.exe ups_ins
        3⤵
        PID:1416
        • C:\Temp\i_pnhfaxsqki.exe
          C:\Temp\i_pnhfaxsqki.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:968
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4488
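The tree above repeats one pattern many times: a launcher in C:\temp (CreateProcess.exe) starts a randomly named C:\Temp executable with the verb ups_run or ups_ins, the ups_run child in turn uses the launcher to run ipconfig.exe /release, and the root process finally opens Internet Explorer on http://xytets.com:2345/t.asp?os=home. The following Python script is an added detection example, not part of the sandbox report, that turns those three observations into rules over process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent) and reconstructs the parent chain so an analyst sees the same depth the report's ⤵ markers show. The sample events are constructed for the example: the images, command lines and PIDs are copied from the tree above, but the root's parent PID (1000), the three benign control events (PIDs 4000 to 5002) and the rule names are assumptions of mine.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry shaped after the process tree in this report.
# Images, command lines and PIDs follow the report; the root's parent PID (1000)
# and the benign control events at the end are made up for this example.
SAMPLE_EVENTS = [
    ProcEvent(3092, 1000, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    ProcEvent(2212, 3092, r"C:\Temp\gaysqlidbvtnlfdy.exe", r"C:\Temp\gaysqlidbvtnlfdy.exe run"),
    ProcEvent(3648, 2212, r"C:\temp\CreateProcess.exe",
              r"C:\temp\CreateProcess.exe C:\Temp\qljdbvtnlg.exe ups_run"),
    ProcEvent(2228, 3648, r"C:\Temp\qljdbvtnlg.exe", r"C:\Temp\qljdbvtnlg.exe ups_run"),
    ProcEvent(32, 2228, r"C:\temp\CreateProcess.exe",
              r"C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release"),
    ProcEvent(4184, 32, r"C:\windows\system32\ipconfig.exe", r"C:\windows\system32\ipconfig.exe /release"),
    ProcEvent(1776, 2212, r"C:\temp\CreateProcess.exe",
              r"C:\temp\CreateProcess.exe C:\Temp\i_qljdbvtnlg.exe ups_ins"),
    ProcEvent(2996, 1776, r"C:\Temp\i_qljdbvtnlg.exe", r"C:\Temp\i_qljdbvtnlg.exe ups_ins"),
    ProcEvent(2168, 3092, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home'),
    # Benign controls (constructed): an admin running ipconfig from cmd, and a normal browser launch.
    ProcEvent(5000, 4000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c ipconfig /all"),
    ProcEvent(5001, 5000, r"C:\Windows\System32\ipconfig.exe", r"ipconfig /all"),
    ProcEvent(5002, 4000, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" https://example.com/'),
]

TEMP_ROOT = re.compile(r"^c:\\temp\\", re.I)       # executables staged directly under C:\Temp
UPS_ARG = re.compile(r"\bups_(run|ins)\b", re.I)    # the launcher's run / install verbs seen in the tree
URL_TOKEN = re.compile(r"https?://\S+", re.I)


def url_port(cmdline):
    """Return the explicit port of the first URL in a command line, or None if absent/implicit."""
    m = URL_TOKEN.search(cmdline)
    if not m:
        return None
    return urlparse(m.group(0).strip('"')).port


def detect(events):
    """Apply three rules derived from the report's tree; returns (pid, rule) hits in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        image = e.image.lower()
        # Rule 1: ipconfig /release whose parent lives in C:\Temp (the launcher in the tree).
        if (image.endswith("\\ipconfig.exe") and "/release" in e.cmdline.lower()
                and parent is not None and TEMP_ROOT.match(parent.image)):
            hits.append((e.pid, "ipconfig_release_from_temp_parent"))
        # Rule 2: a C:\Temp executable driven with the ups_run / ups_ins verbs (launcher and payload).
        if TEMP_ROOT.match(e.image) and UPS_ARG.search(e.cmdline):
            hits.append((e.pid, "temp_exe_with_ups_verb"))
        # Rule 3: Internet Explorer handed a URL whose explicit port is not 80 or 443.
        if image.endswith("\\iexplore.exe") and url_port(e.cmdline) not in (None, 80, 443):
            hits.append((e.pid, "browser_to_nonstandard_port"))
    return hits


def ancestry(events, pid):
    """Walk ppid links back to the root; returns PIDs root-first (one entry per depth marker)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # seen-set guards against PID reuse loops
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        chain = " > ".join(str(p) for p in ancestry(SAMPLE_EVENTS, pid))
        print(f"{rule:36s} pid={pid:<5d} chain={chain}")
```

Rule 1 is the one with the best signal-to-noise: ipconfig /release is rare in normal operation and almost never has a parent in a world-writable temp directory, so it can be alerted on without the other two. Rules 2 and 3 are tied to this sample's launcher verbs and C2 port and belong in a hunting query rather than a standing alert; the ancestry walk is what lets a triage analyst confirm that all three fire inside one tree rather than on unrelated processes.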

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Temp\CreateProcess.exe
    Filesize: 3KB
    MD5: b87f6ca9b766721033ec7cf62f08c032
    SHA1: 83c86e882544929e612d632af4a6b85effbe29e6
    SHA256: cbbf09449982457e2560f1109303ae31baeaa7bb31da02aed46da067d20ae5bb
    SHA512: b02ce64b6b399bb428628b92c114569942b3ede5c9bc3ecd55c9f0e0671b55cb625835a198ce69a8aebb5526c316aa7d651a9b4e566a7cab72477a25495b399c

  • C:\Temp\causmkecxu.exe
    Filesize: 361KB
    MD5: 48ebfff146dba68b9195a635f0cd0d70
    SHA1: 9167f1a4a2e2c0c429bfcc20aabcb80fdf555b7d
    SHA256: 8b67f79c02190d21bb0834eedead4b375b688d7cd2bf8f17892607532dd0cacd
    SHA512: 358b2083d1c429ac5026efffbd2706a77073887d112cf7889f48411dd4722c0240d02ca3d12d0d5370c7d7f38d595cf09cb7989aee4da0a83ddf2c751904d073

  • C:\Temp\fzxrpkhczu.exe
    Filesize: 361KB
    MD5: c21f3d6919e8eb2f305553682aa13630
    SHA1: ff48fdb93d90396a37bcf62cfe580860bb1a4744
    SHA256: 07f5358fe3f0d8814948d2cd2036e0a651a2074e960855d33a01cf91fb1bd1fb
    SHA512: 9e38f046baaad712762cc8bd907a9c6aa05dab1bb11c15327c1e3f57565b991e6db1d62e339f2f3b17981151571c7a38c2584ecdc353eb076e33efb856fda0de

  • C:\Temp\gaysqlidbvtnlfdy.exe
    Filesize: 361KB
    MD5: 8bd59ffe6e3f2901ef8d3407ed3bd7b8

                                                      SHA1

                                                      83616d24963b4ef41499c2c263104e7f0fa07d80

                                                      SHA256

                                                      606fac37db0f300b4eb0974fd1857c5f31d5c9a8dc2d91e24a978e4b7bd57910

                                                      SHA512

                                                      608500663cb6ff423e8b381d698aba1ae219580c824a03b1ef7fa881d1484b916ccb19e08c2a4422ffb670939770ea16a06a8ea795c9fa04765af30867b25807

                                                    • C:\Temp\i_causmkecxu.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      fdf962bb8b76a88ddcb01d26946a8071

                                                      SHA1

                                                      e701602a1c50a74765c46813d3d0dd764f54e0c5

                                                      SHA256

                                                      1c8426899e25573ca4b1278c63cc06bdd710cc1f3cfbdba10ffb2afbd548f458

                                                      SHA512

                                                      851bede32c8e47913d8c76d1feab8c7b9c90448e3844b7b3f87fe7114760ab72eff2fcbadba6b43cae4070841bef6422b101c21bea9dbbd412675db0adc0c583

                                                    • C:\Temp\i_fzxrpkhczu.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      41df8293ab5c97ab2c4b3e9530d76f27

                                                      SHA1

                                                      3e065912e7a227404936199cec1c7d172459d436

                                                      SHA256

                                                      d2ed66dbadf4f8ba261a83b42b331161e70b378b5e35a6b64c812058f754f0d8

                                                      SHA512

                                                      9d36c13b178c1b3d3c2bf4c0302b799923979dff65a242ccc70f18452349caf3393d44ed459dd68eeaa9ceec7d88679ea3348d4642dca86d74dfe3d4fe16c6e9

                                                    • C:\Temp\i_igbytrljdb.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      8c524ffefc22d4d21d595571491f376a

                                                      SHA1

                                                      ee9c9233eb6da79bdee82fea68912b9a5e4ef81d

                                                      SHA256

                                                      7e2cac8272a6263d98d9bc86fbbaad088bd41f1651b554dab0e6621f14c7b4ae

                                                      SHA512

                                                      5207727daa491908ac2bfdcc2a2d768591a9f1127738bfc0b30448c33fd2dac495e547808c6983a817d0bff6a797240c563821acf5ed9d652ddcabaa3fddd196

                                                    • C:\Temp\i_kfdxvpnifa.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      32b1c9c3e7f0b2b77b813e041cf724e0

                                                      SHA1

                                                      51d3a17a95a3df9b6011c2500700134ba604ba77

                                                      SHA256

                                                      aa68498ae1b0d4c9499ee42a7e206914f503211c4506e734029c9beafaf5e71f

                                                      SHA512

                                                      4ac311e80b33bfec645d093619802721827f17503b10cb43f76d57188a5ce2666199256368109239638cd907ad6a4c8a55e501c07a602c94f84e69a00721a16c

                                                    • C:\Temp\i_qkicavsnlf.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      b2add65ce3a6428a71cc7f3972e86204

                                                      SHA1

                                                      5a311a5c0ab2589eb8bb398f60f67ec9f51d5657

                                                      SHA256

                                                      9302ac6916b64c25f925154d4e193535c4280eff1601b51e04e4c9f84025241f

                                                      SHA512

                                                      a548f6016c73128bac86b9921e0310b681512c8389544209afd300e4d1a46973a2dae0133893a1fd4dcc229d051bb233f96f6e58df8576242e64f04c0881fc2f

                                                    • C:\Temp\i_qljdbvtnlg.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      7a57b247a09b6da3d0d04dd0bc4756f7

                                                      SHA1

                                                      cc58a9eda9481162c3f846027f70a48028b12a57

                                                      SHA256

                                                      3c39c2351e5ddf0f395a21cdc847610ec94b97db6c4491be38b2ccbb68c67fde

                                                      SHA512

                                                      a386e9b10f3cbfebd43f8e34bcc075bbfe324ec45823c2b28d343ca2d0e1504b157077c7fd8409de7e9ded0cc1070fe200d4f41d952e72c81600281841bf3db3

                                                    • C:\Temp\i_rmjecwuomg.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      36ed5c47843368dcc32845f3f11f6e06

                                                      SHA1

                                                      4498e5419bc9521fd1ddc06900926612352c901f

                                                      SHA256

                                                      36b5dbcf7f3ba7663124749e61af020dc9721b4353a252b8b0c6c1c886cee444

                                                      SHA512

                                                      ade4a67e2c23abf7f291584f8f585ce7f371279a9a22ba3790541ff1b42000f0053d6628fac563c2ef53ae7e5dfd0294d9d6817741a65a69853679dbd6e53b08

                                                    • C:\Temp\i_wrpjhbzurm.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      aca8c9eb8e675338906dc49bf4f57f5d

                                                      SHA1

                                                      ef637778e8ed4686f6281d4f59e701a024a1d164

                                                      SHA256

                                                      e23787338cbe6526e4ac5cdae2fb29810bd0f316d8063dfdbcc587cf9897d75b

                                                      SHA512

                                                      61654e6c18cff7a505a83ca84d8eaea7146e81feae149379c7eb324d4dcb1de7de05784429138ceebf9b719cb456c48f9083fd27c95a5826e8c073fd68c08312

                                                    • C:\Temp\igbytrljdb.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      23c0e2f0afc791c44c15b3e2e268e804

                                                      SHA1

                                                      61dc1ae39cd89392e34800ae3a980b6ca0ab6bdd

                                                      SHA256

                                                      fd57dc2761344a2ebce5e6833847e7cd6ef909c273308b898f92897baeef8aca

                                                      SHA512

                                                      1184b9d59b74bbec7444092ada5c2521b9bad7523ddb901c0bf36017babed9600402374d26965d5e90fc0c4ebc9d212a4ca6e5f5cf2af6d60dd761a9edd35f4d

                                                    • C:\Temp\kfdxvpnifa.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      f22936b9ceede0debf9251248f21ae22

                                                      SHA1

                                                      c29f80848030f2e7045fc957fde97fbc0060032f

                                                      SHA256

                                                      425a716f9fcde9e727c8347b09d70013f434ae4ec2f360cdaecff9eb93076c6c

                                                      SHA512

                                                      6331fd6f3aa449e8956332f63ff0206265b410b0b25c3f96aa98022376dcba78ab3008fe8bda9eac2ad21ca93c46c0cad9f56617236f7bcc8b7e56acb1bffb9d

                                                    • C:\Temp\oigaytqljd.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      e96e19ff7e5a82a1391d9fbbb64c7c9a

                                                      SHA1

                                                      4d263fd98ce3c4d944ec3cbf0e8dba900eaf06e1

                                                      SHA256

                                                      a23099f25829111f03b46f0642f846a809c5f911ff0237c1461793d0be34ebaf

                                                      SHA512

                                                      07b0b5ec6576816d341b371e9a718e4cf0cb95ccc93b067bbb77c4da8053dd117797c9eb2fecd692db6eb9711876bcb7b1c5f2f3a07d15f4fcf079da13b00318

                                                    • C:\Temp\qkicavsnlf.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      8d7095afbf00d372b0f29d96599147a4

                                                      SHA1

                                                      efb845ab82f3eb38f042f917de10e3d20fe6216b

                                                      SHA256

                                                      4bd1b92721a04c71527b116f89696944b578b0ec2268c12133c79454bd8dcc21

                                                      SHA512

                                                      d817c74f4aa5869ebefdb989295f40678b68ad4e168e6c5d1b02667a4b8c82fd6f6e5df87b730f1e587d7d50d4d7c4de8d7609c78958465b0b3257f883351cb2

                                                    • C:\Temp\qljdbvtnlg.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      ae61ca76753d97fe441ed4c9b3cb685d

                                                      SHA1

                                                      0aaefc297f03cafc0e4836f8ecf9784d7911a0bc

                                                      SHA256

                                                      be4810ea47d50926a3b70846537bc6f2b6b387fb36077e88a3d8b5ea2c5327ab

                                                      SHA512

                                                      89125e1a74622e228bc8c3563146f290bb265d8d541992c783b8e74cdad4581b0134163973d0a8575279c5d1d48d5708d21bf1cc349a36282dff43b9010628ed

                                                    • C:\Temp\rmjecwuomg.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      ccad2b40959b45358526e7a6b0dd3582

                                                      SHA1

                                                      ef6e0c6740e65ab23b1d05353da374500f43d595

                                                      SHA256

                                                      cbcaeab8688111767ac5754e7ad13258d2e34bbbe46f3d654aa45bcaa7275e0d

                                                      SHA512

                                                      b58f57173bfca9e3de7a4f6431eb6505d79e37c8f7d4f10e6baafdd0ca521d18bdf9c5736b68ca5f0326ee01d71591d78f1a881ba793f843230211b699381189

                                                    • C:\Temp\wrpjhbzurm.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      08a707e2b83625cbfb6327d9ad33c9b0

                                                      SHA1

                                                      cbf3eed0fdec4a88c8677bfc142dd3d37168a19a

                                                      SHA256

                                                      b02637212f9560bde400a38a3adaa48a152c01cfe5e5c3ccfbe6515114d229b4

                                                      SHA512

                                                      cafadd9fbe3d4c4fc6d10af256db7a95104ac72eb3a16de1a1a44de667d486117291a302f864d78bd82b09dde094482504b454e1e28fdedc7a9c8e627d00891c

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

                                                      Filesize

                                                      471B

                                                      MD5

                                                      6fa63488caea8b3594fea115df3be326

                                                      SHA1

                                                      c3e7561107396a1178e0d032e55da05ecc81ecd4

                                                      SHA256

                                                      3b67d81ecd4a7d8e6cf9c0aac3216b42673664287e2b126f46f33c11404ff975

                                                      SHA512

                                                      f1d1f0c27ec78458c1cfe994bd51fd2da4dc4a69196dba788cd7987041a7c6c3b8a51f94d84cfb498700c543f54eeae74ccef3c9c839d3a1b648e00e54e0cb62

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

                                                      Filesize

                                                      400B

                                                      MD5

                                                      d88b404d9ef9dbb7f487efc2c9059932

                                                      SHA1

                                                      7f77868f9bdb0b36b97d7789b74e55b08629ed67

                                                      SHA256

                                                      28451710b1a40ad631eccff213a73987a6e37fb055d865bcc1519b7ca573f02f

                                                      SHA512

                                                      f62cf481c71d58ab8dccd47ca932156cd8fc2ecdfcd9d2becc823d724945a93ced788c6ba9eb33bf315b23e8962ffa39811c3c93c86b219d020e89f7eac8f2d4

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

                                                      Filesize

                                                      4KB

                                                      MD5

                                                      da597791be3b6e732f0bc8b20e38ee62

                                                      SHA1

                                                      1125c45d285c360542027d7554a5c442288974de

                                                      SHA256

                                                      5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

                                                      SHA512

                                                      d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3DU1MKF3\suggestions[1].en-US

                                                      Filesize

                                                      17KB

                                                      MD5

                                                      5a34cb996293fde2cb7a4ac89587393a

                                                      SHA1

                                                      3c96c993500690d1a77873cd62bc639b3a10653f

                                                      SHA256

                                                      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                                                      SHA512

                                                      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                                                    • C:\Users\Admin\AppData\Local\Temp\KnoB546.tmp

                                                      Filesize

                                                      88KB

                                                      MD5

                                                      002d5646771d31d1e7c57990cc020150

                                                      SHA1

                                                      a28ec731f9106c252f313cca349a68ef94ee3de9

                                                      SHA256

                                                      1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

                                                      SHA512

                                                      689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6