a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
Size

361KB
MD5

1808c6139d8d38b833668dac61766e6d
SHA1

31c58fd77f59da88d461d0e68241bf11a547d15e
SHA256

a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58
SHA512

d39ef240cffeabaf706f84b7971ecc79ed9f9378c4f39170984f7e315778b0ba14895dd25d30cffa86648311a9829997cd4bbde192ab4800b0768d451a48b796
SSDEEP

6144:RflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:RflfAsiVGjSGecvX

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 57 IoCs

description	pid	Process	procid_target
PID 1960 created 3256	1960	svchost.exe	86
PID 1960 created 868	1960	svchost.exe	89
PID 1960 created 1676	1960	svchost.exe	92
PID 1960 created 4856	1960	svchost.exe	94
PID 1960 created 4480	1960	svchost.exe	96
PID 1960 created 3448	1960	svchost.exe	99
PID 1960 created 4224	1960	svchost.exe	101
PID 1960 created 2160	1960	svchost.exe	103
PID 1960 created 628	1960	svchost.exe	106
PID 1960 created 2300	1960	svchost.exe	109
PID 1960 created 2108	1960	svchost.exe	111
PID 1960 created 4668	1960	svchost.exe	114
PID 1960 created 3028	1960	svchost.exe	116
PID 1960 created 1832	1960	svchost.exe	118
PID 1960 created 3176	1960	svchost.exe	124
PID 1960 created 4256	1960	svchost.exe	129
PID 1960 created 1948	1960	svchost.exe	131
PID 1960 created 5036	1960	svchost.exe	134
PID 1960 created 4224	1960	svchost.exe	136
PID 1960 created 3492	1960	svchost.exe	138
PID 1960 created 380	1960	svchost.exe	141
PID 1960 created 452	1960	svchost.exe	143
PID 1960 created 1452	1960	svchost.exe	145
PID 1960 created 1684	1960	svchost.exe	148
PID 1960 created 3124	1960	svchost.exe	150
PID 1960 created 3412	1960	svchost.exe	152
PID 1960 created 4404	1960	svchost.exe	155
PID 1960 created 5104	1960	svchost.exe	157
PID 1960 created 4724	1960	svchost.exe	159
PID 1960 created 1732	1960	svchost.exe	162
PID 1960 created 3320	1960	svchost.exe	164
PID 1960 created 1012	1960	svchost.exe	166
PID 1960 created 1200	1960	svchost.exe	169
PID 1960 created 4372	1960	svchost.exe	171
PID 1960 created 3840	1960	svchost.exe	173
PID 1960 created 4856	1960	svchost.exe	176
PID 1960 created 2772	1960	svchost.exe	178
PID 1960 created 5020	1960	svchost.exe	180
PID 1960 created 3316	1960	svchost.exe	183
PID 1960 created 908	1960	svchost.exe	185
PID 1960 created 2996	1960	svchost.exe	187
PID 1960 created 1980	1960	svchost.exe	190
PID 1960 created 3512	1960	svchost.exe	192
PID 1960 created 3108	1960	svchost.exe	194
PID 1960 created 428	1960	svchost.exe	197
PID 1960 created 3564	1960	svchost.exe	199
PID 1960 created 2128	1960	svchost.exe	201
PID 1960 created 4088	1960	svchost.exe	204
PID 1960 created 4668	1960	svchost.exe	206
PID 1960 created 1304	1960	svchost.exe	208
PID 1960 created 1076	1960	svchost.exe	211
PID 1960 created 4360	1960	svchost.exe	213
PID 1960 created 3908	1960	svchost.exe	215
PID 1960 created 2596	1960	svchost.exe	218
PID 1960 created 1836	1960	svchost.exe	220
PID 1960 created 828	1960	svchost.exe	222
PID 1960 created 3044	1960	svchost.exe	225

Executes dropped EXE 64 IoCs

pid	Process
2732	wtomgeywrojgbztr.exe
3256	CreateProcess.exe
3360	wqojgbztrl.exe
868	CreateProcess.exe
1676	CreateProcess.exe
176	i_wqojgbztrl.exe
4856	CreateProcess.exe
3600	yvqoigaytq.exe
4480	CreateProcess.exe
3448	CreateProcess.exe
4228	i_yvqoigaytq.exe
4224	CreateProcess.exe
3940	gaysqlidbv.exe
2160	CreateProcess.exe
628	CreateProcess.exe
5108	i_gaysqlidbv.exe
2300	CreateProcess.exe
1260	lfdxvqniga.exe
2108	CreateProcess.exe
4668	CreateProcess.exe
1688	i_lfdxvqniga.exe
3028	CreateProcess.exe
3528	kicausnkfc.exe
1832	CreateProcess.exe
3176	CreateProcess.exe
3320	i_kicausnkfc.exe
4256	CreateProcess.exe
616	khcausmkec.exe
1948	CreateProcess.exe
5036	CreateProcess.exe
4612	i_khcausmkec.exe
4224	CreateProcess.exe
1668	zxrpjhbzur.exe
3492	CreateProcess.exe
380	CreateProcess.exe
4920	i_zxrpjhbzur.exe
452	CreateProcess.exe
2560	gezwrojhbz.exe
1452	CreateProcess.exe
1684	CreateProcess.exe
1144	i_gezwrojhbz.exe
3124	CreateProcess.exe
2388	ljebwtomge.exe
3412	CreateProcess.exe
4404	CreateProcess.exe
528	i_ljebwtomge.exe
5104	CreateProcess.exe
3008	trljdbvtol.exe
4724	CreateProcess.exe
1732	CreateProcess.exe
1840	i_trljdbvtol.exe
3320	CreateProcess.exe
4308	avtnlfdxvq.exe
1012	CreateProcess.exe
1200	CreateProcess.exe
4872	i_avtnlfdxvq.exe
4372	CreateProcess.exe
4700	nlfdxvpnif.exe
3840	CreateProcess.exe
4856	CreateProcess.exe
3952	i_nlfdxvpnif.exe
2772	CreateProcess.exe
1376	xsnkfdxvpn.exe
5020	CreateProcess.exe

Gathers network information 2 TTPs 19 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
3956	ipconfig.exe
4860	ipconfig.exe
2380	ipconfig.exe
3096	ipconfig.exe
2200	ipconfig.exe
1128	ipconfig.exe
2540	ipconfig.exe
2324	ipconfig.exe
4952	ipconfig.exe
2844	ipconfig.exe
3872	ipconfig.exe
2844	ipconfig.exe
3416	ipconfig.exe
3156	ipconfig.exe
3552	ipconfig.exe
3592	ipconfig.exe
1788	ipconfig.exe
1908	ipconfig.exe
4080	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "911027434"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "920247741"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997951"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0be9337bffdd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997951"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{61AF2E0E-69B2-11ED-B696-FE977829BE37} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "911027434"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000084ae7e14c17fb747afc8ee68fe85009600000000020000000000106600000001000020000000d29b80023621ed5a2df8ba2670884eb107a3c24f5f021b691b708a9910d653d3000000000e800000000200002000000008083533630c9a3e45af3dd23454d79a4b4a6bb92874d16d8d9f4ca83e04ce7d200000004a1dc371a70a9b756abaf7d5b7976e8c3324d70576641dea25ce6f55ce3fed9240000000dcfec4f9b91ad8b8755923716ad040d33ed923e7963ae9f6fc778b4ad77d65f14ab57395529e121b33edbfa87b4e0647f0df608cb004807118a8f9043bfc50ea	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997951"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000084ae7e14c17fb747afc8ee68fe85009600000000020000000000106600000001000020000000e478ee840a943a5e714491ad3ed49040ee90b9c01169f6d0c58a3b0913344b3e000000000e8000000002000020000000d37bb19dcd4d1c3c411b3f69cbed01fbc2813061d6b63f6e9cda8d718170230a200000006d7f2c2ed2d133f1240fef2cfa8969a8110bbcba22fbda914312a2fc39210e7a400000001d81633547117ffd7ee072f1e4b985738fbdec74fee114f4a4b0e34043d5b29bedda4588fba3c047fd9a215f31ebda57e28358c3763321060c07576e98e803fd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70b8b237bffdd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375810013"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
2732	wtomgeywrojgbztr.exe
2732	wtomgeywrojgbztr.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
2732	wtomgeywrojgbztr.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
2732	wtomgeywrojgbztr.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
2732	wtomgeywrojgbztr.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
2732	wtomgeywrojgbztr.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
2732	wtomgeywrojgbztr.exe
2732	wtomgeywrojgbztr.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
2732	wtomgeywrojgbztr.exe
2732	wtomgeywrojgbztr.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
2732	wtomgeywrojgbztr.exe
2732	wtomgeywrojgbztr.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
2732	wtomgeywrojgbztr.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
2732	wtomgeywrojgbztr.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2180	iexplore.exe

Suspicious behavior: LoadsDriver 19 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeTcbPrivilege	1960	svchost.exe
Token: SeTcbPrivilege	1960	svchost.exe
Token: SeDebugPrivilege	176	i_wqojgbztrl.exe
Token: SeDebugPrivilege	4228	i_yvqoigaytq.exe
Token: SeDebugPrivilege	5108	i_gaysqlidbv.exe
Token: SeDebugPrivilege	1688	i_lfdxvqniga.exe
Token: SeDebugPrivilege	3320	i_kicausnkfc.exe
Token: SeDebugPrivilege	4612	i_khcausmkec.exe
Token: SeDebugPrivilege	4920	i_zxrpjhbzur.exe
Token: SeDebugPrivilege	1144	i_gezwrojhbz.exe
Token: SeDebugPrivilege	528	i_ljebwtomge.exe
Token: SeDebugPrivilege	1840	i_trljdbvtol.exe
Token: SeDebugPrivilege	4872	i_avtnlfdxvq.exe
Token: SeDebugPrivilege	3952	i_nlfdxvpnif.exe
Token: SeDebugPrivilege	2728	i_xsnkfdxvpn.exe
Token: SeDebugPrivilege	3820	i_zxrpkhczus.exe
Token: SeDebugPrivilege	2156	i_wrpjhczurm.exe
Token: SeDebugPrivilege	4196	i_omgezwrojh.exe
Token: SeDebugPrivilege	2612	i_bwuomgeywr.exe
Token: SeDebugPrivilege	4716	i_lgdywqoiga.exe
Token: SeDebugPrivilege	3360	i_wqoigaytql.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2180	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2180	iexplore.exe
2180	iexplore.exe
4444	IEXPLORE.EXE
4444	IEXPLORE.EXE
4444	IEXPLORE.EXE
4444	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 2732	4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe	81
PID 4208 wrote to memory of 2732	4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe	81
PID 4208 wrote to memory of 2732	4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe	81
PID 4208 wrote to memory of 2180	4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe	82
PID 4208 wrote to memory of 2180	4208	a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe	82
PID 2180 wrote to memory of 4444	2180	iexplore.exe	83
PID 2180 wrote to memory of 4444	2180	iexplore.exe	83
PID 2180 wrote to memory of 4444	2180	iexplore.exe	83
PID 2732 wrote to memory of 3256	2732	wtomgeywrojgbztr.exe	86
PID 2732 wrote to memory of 3256	2732	wtomgeywrojgbztr.exe	86
PID 2732 wrote to memory of 3256	2732	wtomgeywrojgbztr.exe	86
PID 1960 wrote to memory of 3360	1960	svchost.exe	88
PID 1960 wrote to memory of 3360	1960	svchost.exe	88
PID 1960 wrote to memory of 3360	1960	svchost.exe	88
PID 3360 wrote to memory of 868	3360	wqojgbztrl.exe	89
PID 3360 wrote to memory of 868	3360	wqojgbztrl.exe	89
PID 3360 wrote to memory of 868	3360	wqojgbztrl.exe	89
PID 1960 wrote to memory of 3156	1960	svchost.exe	90
PID 1960 wrote to memory of 3156	1960	svchost.exe	90
PID 2732 wrote to memory of 1676	2732	wtomgeywrojgbztr.exe	92
PID 2732 wrote to memory of 1676	2732	wtomgeywrojgbztr.exe	92
PID 2732 wrote to memory of 1676	2732	wtomgeywrojgbztr.exe	92
PID 1960 wrote to memory of 176	1960	svchost.exe	93
PID 1960 wrote to memory of 176	1960	svchost.exe	93
PID 1960 wrote to memory of 176	1960	svchost.exe	93
PID 2732 wrote to memory of 4856	2732	wtomgeywrojgbztr.exe	94
PID 2732 wrote to memory of 4856	2732	wtomgeywrojgbztr.exe	94
PID 2732 wrote to memory of 4856	2732	wtomgeywrojgbztr.exe	94
PID 1960 wrote to memory of 3600	1960	svchost.exe	95
PID 1960 wrote to memory of 3600	1960	svchost.exe	95
PID 1960 wrote to memory of 3600	1960	svchost.exe	95
PID 3600 wrote to memory of 4480	3600	yvqoigaytq.exe	96
PID 3600 wrote to memory of 4480	3600	yvqoigaytq.exe	96
PID 3600 wrote to memory of 4480	3600	yvqoigaytq.exe	96
PID 1960 wrote to memory of 3552	1960	svchost.exe	97
PID 1960 wrote to memory of 3552	1960	svchost.exe	97
PID 2732 wrote to memory of 3448	2732	wtomgeywrojgbztr.exe	99
PID 2732 wrote to memory of 3448	2732	wtomgeywrojgbztr.exe	99
PID 2732 wrote to memory of 3448	2732	wtomgeywrojgbztr.exe	99
PID 1960 wrote to memory of 4228	1960	svchost.exe	100
PID 1960 wrote to memory of 4228	1960	svchost.exe	100
PID 1960 wrote to memory of 4228	1960	svchost.exe	100
PID 2732 wrote to memory of 4224	2732	wtomgeywrojgbztr.exe	101
PID 2732 wrote to memory of 4224	2732	wtomgeywrojgbztr.exe	101
PID 2732 wrote to memory of 4224	2732	wtomgeywrojgbztr.exe	101
PID 1960 wrote to memory of 3940	1960	svchost.exe	102
PID 1960 wrote to memory of 3940	1960	svchost.exe	102
PID 1960 wrote to memory of 3940	1960	svchost.exe	102
PID 3940 wrote to memory of 2160	3940	gaysqlidbv.exe	103
PID 3940 wrote to memory of 2160	3940	gaysqlidbv.exe	103
PID 3940 wrote to memory of 2160	3940	gaysqlidbv.exe	103
PID 1960 wrote to memory of 1128	1960	svchost.exe	104
PID 1960 wrote to memory of 1128	1960	svchost.exe	104
PID 2732 wrote to memory of 628	2732	wtomgeywrojgbztr.exe	106
PID 2732 wrote to memory of 628	2732	wtomgeywrojgbztr.exe	106
PID 2732 wrote to memory of 628	2732	wtomgeywrojgbztr.exe	106
PID 1960 wrote to memory of 5108	1960	svchost.exe	107
PID 1960 wrote to memory of 5108	1960	svchost.exe	107
PID 1960 wrote to memory of 5108	1960	svchost.exe	107
PID 2732 wrote to memory of 2300	2732	wtomgeywrojgbztr.exe	109
PID 2732 wrote to memory of 2300	2732	wtomgeywrojgbztr.exe	109
PID 2732 wrote to memory of 2300	2732	wtomgeywrojgbztr.exe	109
PID 1960 wrote to memory of 1260	1960	svchost.exe	110
PID 1960 wrote to memory of 1260	1960	svchost.exe	110

C:\Users\Admin\AppData\Local\Temp\a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe
"C:\Users\Admin\AppData\Local\Temp\a1c17a517ab0d55b393bed9b9f6c4302cca2472945287ed7fd4c89fe06bdfa58.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Temp\wtomgeywrojgbztr.exe
  C:\Temp\wtomgeywrojgbztr.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wqojgbztrl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3256
  - - C:\Temp\wqojgbztrl.exe
      C:\Temp\wqojgbztrl.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3360
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:868
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3156
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wqojgbztrl.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1676
  - - C:\Temp\i_wqojgbztrl.exe
      C:\Temp\i_wqojgbztrl.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:176
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\yvqoigaytq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4856
  - - C:\Temp\yvqoigaytq.exe
      C:\Temp\yvqoigaytq.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4480
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3552
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_yvqoigaytq.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3448
  - - C:\Temp\i_yvqoigaytq.exe
      C:\Temp\i_yvqoigaytq.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4228
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gaysqlidbv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4224
  - - C:\Temp\gaysqlidbv.exe
      C:\Temp\gaysqlidbv.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3940
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2160
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1128
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gaysqlidbv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:628
  - - C:\Temp\i_gaysqlidbv.exe
      C:\Temp\i_gaysqlidbv.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5108
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lfdxvqniga.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2300
  - - C:\Temp\lfdxvqniga.exe
      C:\Temp\lfdxvqniga.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1260
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2108
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3592
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lfdxvqniga.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4668
  - - C:\Temp\i_lfdxvqniga.exe
      C:\Temp\i_lfdxvqniga.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1688
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kicausnkfc.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3028
  - - C:\Temp\kicausnkfc.exe
      C:\Temp\kicausnkfc.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3528
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1832
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2540
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kicausnkfc.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3176
  - - C:\Temp\i_kicausnkfc.exe
      C:\Temp\i_kicausnkfc.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3320
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\khcausmkec.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4256
  - - C:\Temp\khcausmkec.exe
      C:\Temp\khcausmkec.exe ups_run
      4⤵
      Executes dropped EXE
      PID:616
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1948
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1788
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_khcausmkec.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:5036
  - - C:\Temp\i_khcausmkec.exe
      C:\Temp\i_khcausmkec.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4612
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zxrpjhbzur.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4224
  - - C:\Temp\zxrpjhbzur.exe
      C:\Temp\zxrpjhbzur.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1668
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3492
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2844
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zxrpjhbzur.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:380
  - - C:\Temp\i_zxrpjhbzur.exe
      C:\Temp\i_zxrpjhbzur.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4920
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gezwrojhbz.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:452
  - - C:\Temp\gezwrojhbz.exe
      C:\Temp\gezwrojhbz.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2560
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1452
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2324
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gezwrojhbz.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1684
  - - C:\Temp\i_gezwrojhbz.exe
      C:\Temp\i_gezwrojhbz.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1144
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ljebwtomge.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3124
  - - C:\Temp\ljebwtomge.exe
      C:\Temp\ljebwtomge.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2388
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3412
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3956
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ljebwtomge.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4404
  - - C:\Temp\i_ljebwtomge.exe
      C:\Temp\i_ljebwtomge.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:528
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\trljdbvtol.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:5104
  - - C:\Temp\trljdbvtol.exe
      C:\Temp\trljdbvtol.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3008
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4724
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4860
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_trljdbvtol.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1732
  - - C:\Temp\i_trljdbvtol.exe
      C:\Temp\i_trljdbvtol.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1840
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\avtnlfdxvq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3320
  - - C:\Temp\avtnlfdxvq.exe
      C:\Temp\avtnlfdxvq.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4308
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1012
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2380
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_avtnlfdxvq.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1200
  - - C:\Temp\i_avtnlfdxvq.exe
      C:\Temp\i_avtnlfdxvq.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4872
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nlfdxvpnif.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4372
  - - C:\Temp\nlfdxvpnif.exe
      C:\Temp\nlfdxvpnif.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4700
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3840
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4952
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nlfdxvpnif.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4856
  - - C:\Temp\i_nlfdxvpnif.exe
      C:\Temp\i_nlfdxvpnif.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3952
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xsnkfdxvpn.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2772
  - - C:\Temp\xsnkfdxvpn.exe
      C:\Temp\xsnkfdxvpn.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1376
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:5020
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1908
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xsnkfdxvpn.exe ups_ins
    3⤵
    PID:3316
  - - C:\Temp\i_xsnkfdxvpn.exe
      C:\Temp\i_xsnkfdxvpn.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2728
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zxrpkhczus.exe ups_run
    3⤵
    PID:908
  - - C:\Temp\zxrpkhczus.exe
      C:\Temp\zxrpkhczus.exe ups_run
      4⤵
      PID:3940
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2996
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3096
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zxrpkhczus.exe ups_ins
    3⤵
    PID:1980
  - - C:\Temp\i_zxrpkhczus.exe
      C:\Temp\i_zxrpkhczus.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3820
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wrpjhczurm.exe ups_run
    3⤵
    PID:3512
  - - C:\Temp\wrpjhczurm.exe
      C:\Temp\wrpjhczurm.exe ups_run
      4⤵
      PID:628
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3108
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2844
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wrpjhczurm.exe ups_ins
    3⤵
    PID:428
  - - C:\Temp\i_wrpjhczurm.exe
      C:\Temp\i_wrpjhczurm.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2156
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\omgezwrojh.exe ups_run
    3⤵
    PID:3564
  - - C:\Temp\omgezwrojh.exe
      C:\Temp\omgezwrojh.exe ups_run
      4⤵
      PID:1472
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2128
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3872
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_omgezwrojh.exe ups_ins
    3⤵
    PID:4088
  - - C:\Temp\i_omgezwrojh.exe
      C:\Temp\i_omgezwrojh.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4196
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bwuomgeywr.exe ups_run
    3⤵
    PID:4668
  - - C:\Temp\bwuomgeywr.exe
      C:\Temp\bwuomgeywr.exe ups_run
      4⤵
      PID:4980
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1304
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3416
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bwuomgeywr.exe ups_ins
    3⤵
    PID:1076
  - - C:\Temp\i_bwuomgeywr.exe
      C:\Temp\i_bwuomgeywr.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2612
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lgdywqoiga.exe ups_run
    3⤵
    PID:4360
  - - C:\Temp\lgdywqoiga.exe
      C:\Temp\lgdywqoiga.exe ups_run
      4⤵
      PID:5116
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3908
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4080
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lgdywqoiga.exe ups_ins
    3⤵
    PID:2596
  - - C:\Temp\i_lgdywqoiga.exe
      C:\Temp\i_lgdywqoiga.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4716
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wqoigaytql.exe ups_run
    3⤵
    PID:1836
  - - C:\Temp\wqoigaytql.exe
      C:\Temp\wqoigaytql.exe ups_run
      4⤵
      PID:1852
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:828
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2200
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wqoigaytql.exe ups_ins
    3⤵
    PID:3044
  - - C:\Temp\i_wqoigaytql.exe
      C:\Temp\i_wqoigaytql.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3360
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2180 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
C:\Temp\gaysqlidbv.exe

Filesize
361KB

MD5
04e7067be5cec431e399034dfe05dad6

SHA1
581a46718447f98a6c0cbfe39efb41ec16246ce4

SHA256
d1805fd691be2591b113b9667329131852fc3387047c4a03dfcadfe1f775b7ce

SHA512
34a330190545ae1e38f16e5e9d7746eef3240477c12f5da7af203b3c5801f47b914ea8d3ac6af61ad6330534916ccae07d01493356c112171a5da482f5c3796a

Download Submit
C:\Temp\gaysqlidbv.exe

Filesize
361KB

MD5
04e7067be5cec431e399034dfe05dad6

SHA1
581a46718447f98a6c0cbfe39efb41ec16246ce4

SHA256
d1805fd691be2591b113b9667329131852fc3387047c4a03dfcadfe1f775b7ce

SHA512
34a330190545ae1e38f16e5e9d7746eef3240477c12f5da7af203b3c5801f47b914ea8d3ac6af61ad6330534916ccae07d01493356c112171a5da482f5c3796a

Download Submit
C:\Temp\gezwrojhbz.exe

Filesize
361KB

MD5
c5c0e5b861ea0350b6760c8e9768d34d

SHA1
20506c4f868555ffb7833253f711443477eeb5e3

SHA256
c46242607a7118c5fde60e2a62267359136f24ef950bb1d2875628c401256278

SHA512
77b7368cd8e9abfbb862d630b4fd52f7e45ac1a74734fa541ab23d0c2b37ca43f65cf803a9c608cac373a7165ee4b62fe0febd97ecfa796914fbd8f8160bacaa

Download Submit
C:\Temp\gezwrojhbz.exe

Filesize
361KB

MD5
c5c0e5b861ea0350b6760c8e9768d34d

SHA1
20506c4f868555ffb7833253f711443477eeb5e3

SHA256
c46242607a7118c5fde60e2a62267359136f24ef950bb1d2875628c401256278

SHA512
77b7368cd8e9abfbb862d630b4fd52f7e45ac1a74734fa541ab23d0c2b37ca43f65cf803a9c608cac373a7165ee4b62fe0febd97ecfa796914fbd8f8160bacaa

Download Submit
C:\Temp\i_gaysqlidbv.exe

Filesize
361KB

MD5
b16bafbd17a0b4364ebb050f866c80f3

SHA1
935ec1d5fbf9f558e810be886b0acda3607826e5

SHA256
6ae386995ed828cbeee5ef2a9d6c0e1851b55243d12d3f3f51109e20f38c8250

SHA512
dc480b10d5d051cab5bb076225ebe843999375de2ef059876ca6be9d0c9f0fb5e74dd18a9f6465dae68ded446d628856f88157f12dedfb1ef7ecaa483ac0e157

Download Submit
C:\Temp\i_gaysqlidbv.exe

Filesize
361KB

MD5
b16bafbd17a0b4364ebb050f866c80f3

SHA1
935ec1d5fbf9f558e810be886b0acda3607826e5

SHA256
6ae386995ed828cbeee5ef2a9d6c0e1851b55243d12d3f3f51109e20f38c8250

SHA512
dc480b10d5d051cab5bb076225ebe843999375de2ef059876ca6be9d0c9f0fb5e74dd18a9f6465dae68ded446d628856f88157f12dedfb1ef7ecaa483ac0e157

Download Submit
C:\Temp\i_gezwrojhbz.exe

Filesize
361KB

MD5
e8aa6a378ef211101932aafcfcb5e8f2

SHA1
2965b7486039a175d951385e88e43a6842b42304

SHA256
61c439d6a69ed40a0e1fdf9605ab894dab09cd5ecf070e75c6d74a65de2e1baf

SHA512
d7d28cd3473e93886282ac0465381495f0c63c0facbdd41bdf39faa7675ce396fe7b7e5073f387f34dc158ef3538803c6cc52e7784ec80447c73bcefca79b429

Download Submit
C:\Temp\i_gezwrojhbz.exe

Filesize
361KB

MD5
e8aa6a378ef211101932aafcfcb5e8f2

SHA1
2965b7486039a175d951385e88e43a6842b42304

SHA256
61c439d6a69ed40a0e1fdf9605ab894dab09cd5ecf070e75c6d74a65de2e1baf

SHA512
d7d28cd3473e93886282ac0465381495f0c63c0facbdd41bdf39faa7675ce396fe7b7e5073f387f34dc158ef3538803c6cc52e7784ec80447c73bcefca79b429

Download Submit
C:\Temp\i_khcausmkec.exe

Filesize
361KB

MD5
c13904130cd79e1b7aa8e0542b43e85f

SHA1
c99cf28800b4aa1ba066b64f676f1b6228c733fe

SHA256
59377815ed6fbf86dd9260a0249c6b5d55d8eda983e17f0eda18ae991b994c5e

SHA512
5aa018d306ffae1d72f1bbef9733873b8aac992c8f25a63ac6a1d88050962eb2388884e79eff787fc41be6621707cf39bff05a358c26a21d768a40e91b0eac0a

Download Submit
C:\Temp\i_khcausmkec.exe

Filesize
361KB

MD5
c13904130cd79e1b7aa8e0542b43e85f

SHA1
c99cf28800b4aa1ba066b64f676f1b6228c733fe

SHA256
59377815ed6fbf86dd9260a0249c6b5d55d8eda983e17f0eda18ae991b994c5e

SHA512
5aa018d306ffae1d72f1bbef9733873b8aac992c8f25a63ac6a1d88050962eb2388884e79eff787fc41be6621707cf39bff05a358c26a21d768a40e91b0eac0a

Download Submit
C:\Temp\i_kicausnkfc.exe

Filesize
361KB

MD5
7e2b2a8ae97bd483ac59f7081bb5a39f

SHA1
a7875b5372dffc339a92c6412cd389f99ff0ca33

SHA256
146d94f8ead19a4e82410dafed29404eef7f9c5b022806e398b30e68ad38bc4e

SHA512
a440e4e5965e99f352fd433ec5788170022c6af8d727bdf5c82cf2eb119fa4d1e4feaed0f46e9755f0129bbb516075b2915db6a62bb3a16980da9815e21f0261

Download Submit
C:\Temp\i_kicausnkfc.exe

Filesize
361KB

MD5
7e2b2a8ae97bd483ac59f7081bb5a39f

SHA1
a7875b5372dffc339a92c6412cd389f99ff0ca33

SHA256
146d94f8ead19a4e82410dafed29404eef7f9c5b022806e398b30e68ad38bc4e

SHA512
a440e4e5965e99f352fd433ec5788170022c6af8d727bdf5c82cf2eb119fa4d1e4feaed0f46e9755f0129bbb516075b2915db6a62bb3a16980da9815e21f0261

Download Submit
C:\Temp\i_lfdxvqniga.exe

Filesize
361KB

MD5
ba53976f24eef125654ad544966cd8c5

SHA1
e9e3f6c40ec005f3a9bfa9abed379ce030a61835

SHA256
2c48b19edc76de7aba86b9b5df4cc901ff74b1423562a147a59d576d2d93fd81

SHA512
0cd45d2e61efc20c8aa3f04077916f759c32dc5d2e9f61e3d7f295f1bed4d38a87e8f4089f4a20458bd7c0998b2861d887ec5f98a2d69a7997f651c8012b73a2

Download Submit
C:\Temp\i_lfdxvqniga.exe

Filesize
361KB

MD5
ba53976f24eef125654ad544966cd8c5

SHA1
e9e3f6c40ec005f3a9bfa9abed379ce030a61835

SHA256
2c48b19edc76de7aba86b9b5df4cc901ff74b1423562a147a59d576d2d93fd81

SHA512
0cd45d2e61efc20c8aa3f04077916f759c32dc5d2e9f61e3d7f295f1bed4d38a87e8f4089f4a20458bd7c0998b2861d887ec5f98a2d69a7997f651c8012b73a2

Download Submit
C:\Temp\i_wqojgbztrl.exe

Filesize
361KB

MD5
c18025cc1b13a718fba534314ed2ff0c

SHA1
5f4f161197165e0cfd11bcabe0b9c0d6b25dc52f

SHA256
d44b5ae44ea9c55281a57305929748cf1f4d0a3c4deac001f0fb4cde9167cc36

SHA512
79d58d878a8f9129f136ad3a69f0476c4c8a3839f29226c70b126fcc43d36a696d35cb1d5ba3ae611949501c4a617978b1e21fbf86e8a79f63f74da30f12c1ab

Download Submit
C:\Temp\i_wqojgbztrl.exe

Filesize
361KB

MD5
c18025cc1b13a718fba534314ed2ff0c

SHA1
5f4f161197165e0cfd11bcabe0b9c0d6b25dc52f

SHA256
d44b5ae44ea9c55281a57305929748cf1f4d0a3c4deac001f0fb4cde9167cc36

SHA512
79d58d878a8f9129f136ad3a69f0476c4c8a3839f29226c70b126fcc43d36a696d35cb1d5ba3ae611949501c4a617978b1e21fbf86e8a79f63f74da30f12c1ab

Download Submit
C:\Temp\i_yvqoigaytq.exe

Filesize
361KB

MD5
08fba26c9cd2fa391a6470a58fb3b7fa

SHA1
0b4b763e9f92f07ed1a51ae1a17cfb7f89c8a089

SHA256
a4950db5e6583b134a15526a64d91888d32378a47a26296784dd157e4c971609

SHA512
65f64a261d3cfaaf9cc2d3413ed0ad4a6b030f11dbbafeeb8990fd16ceef0f8b39e60626eda249cc1c7391913d7597a2a836bd252747c1e37455afb82abcf88f

Download Submit
C:\Temp\i_yvqoigaytq.exe

Filesize
361KB

MD5
08fba26c9cd2fa391a6470a58fb3b7fa

SHA1
0b4b763e9f92f07ed1a51ae1a17cfb7f89c8a089

SHA256
a4950db5e6583b134a15526a64d91888d32378a47a26296784dd157e4c971609

SHA512
65f64a261d3cfaaf9cc2d3413ed0ad4a6b030f11dbbafeeb8990fd16ceef0f8b39e60626eda249cc1c7391913d7597a2a836bd252747c1e37455afb82abcf88f

Download Submit
C:\Temp\i_zxrpjhbzur.exe

Filesize
361KB

MD5
6a45549fbd998f80d1475142e89b55e7

SHA1
7322bceb6dd15b1772e0dc1a6c05968be7a6fcc3

SHA256
3073b672ae5f3a3650be6798e95ef25eb4de8e907a94833dcdf8e31b2453d10b

SHA512
1779c708338f19f900ecae46dbb7f88998e548473dda8408ea595fee78808d3bb88e49ff1a164203e7fb71ffdbc02721e8fc214ae289178fe0b607c3c1793846

Download Submit
C:\Temp\i_zxrpjhbzur.exe

Filesize
361KB

MD5
6a45549fbd998f80d1475142e89b55e7

SHA1
7322bceb6dd15b1772e0dc1a6c05968be7a6fcc3

SHA256
3073b672ae5f3a3650be6798e95ef25eb4de8e907a94833dcdf8e31b2453d10b

SHA512
1779c708338f19f900ecae46dbb7f88998e548473dda8408ea595fee78808d3bb88e49ff1a164203e7fb71ffdbc02721e8fc214ae289178fe0b607c3c1793846

Download Submit
C:\Temp\khcausmkec.exe

Filesize
361KB

MD5
bc197b7cfe74a0d981009399da035701

SHA1
d6ec8f527c93a9d516b7348fbcf281a320f67857

SHA256
fe0cb5ac57455763b5b5baf45413a0a54ebcc2e7a64feb6e3f38bedc8aa92521

SHA512
d8f95ce26a779faacb199a6ba3caf756e6c7e00ae800a8ed1704557adcd7a7780fe950f23329ad46fd222bd82bc2d17f39e8d28ea3130a4457a824258c7d6432

Download Submit
C:\Temp\khcausmkec.exe

Filesize
361KB

MD5
bc197b7cfe74a0d981009399da035701

SHA1
d6ec8f527c93a9d516b7348fbcf281a320f67857

SHA256
fe0cb5ac57455763b5b5baf45413a0a54ebcc2e7a64feb6e3f38bedc8aa92521

SHA512
d8f95ce26a779faacb199a6ba3caf756e6c7e00ae800a8ed1704557adcd7a7780fe950f23329ad46fd222bd82bc2d17f39e8d28ea3130a4457a824258c7d6432

Download Submit
C:\Temp\kicausnkfc.exe

Filesize
361KB

MD5
dc353481cc9ae68595b63a39a9f6e87c

SHA1
ebe98cd7df3fb7ecb2b39d33349389bfc548d7b0

SHA256
e731159da8c20157ee8c7f4fd7bc6e40a7b09f52db6377c818bb05169f5ae400

SHA512
5f915d320ce626124d363ac2f128cfecc595797836e042275597e0aaa5c9aa98ea28e3c2bc7567a1140337c108158a16fabb8b057ed85f16732c550fa1bc404c

Download Submit
C:\Temp\kicausnkfc.exe

Filesize
361KB

MD5
dc353481cc9ae68595b63a39a9f6e87c

SHA1
ebe98cd7df3fb7ecb2b39d33349389bfc548d7b0

SHA256
e731159da8c20157ee8c7f4fd7bc6e40a7b09f52db6377c818bb05169f5ae400

SHA512
5f915d320ce626124d363ac2f128cfecc595797836e042275597e0aaa5c9aa98ea28e3c2bc7567a1140337c108158a16fabb8b057ed85f16732c550fa1bc404c

Download Submit
C:\Temp\lfdxvqniga.exe

Filesize
361KB

MD5
35fc3a0381ffd526b348fe5b28a4e771

SHA1
f7612d7411a212692c115c5b6d1200876c58f1c4

SHA256
60f1b2a82da5e57ea2d7840ba3e1c858f551ab6f56217d55ad5aa1cca1285fe9

SHA512
f2af02aea41b1b2c07665177d3a028cdb8d8f9a0b804838d073515a3194607ea01eac706156c13a7225c78556e3440e99aca0e9163755f30113f244fe9e23dee

Download Submit
C:\Temp\lfdxvqniga.exe

Filesize
361KB

MD5
35fc3a0381ffd526b348fe5b28a4e771

SHA1
f7612d7411a212692c115c5b6d1200876c58f1c4

SHA256
60f1b2a82da5e57ea2d7840ba3e1c858f551ab6f56217d55ad5aa1cca1285fe9

SHA512
f2af02aea41b1b2c07665177d3a028cdb8d8f9a0b804838d073515a3194607ea01eac706156c13a7225c78556e3440e99aca0e9163755f30113f244fe9e23dee

Download Submit
C:\Temp\ljebwtomge.exe

Filesize
361KB

MD5
69061c2cc1718c8cfbb46a11b1d92b7b

SHA1
0e6ab1c5a9251ef95758dace03276de0fec12f6c

SHA256
53a50c012c60b1e40ab6b319c29571bbc313bdf258fa54ee89cc15aef94c7398

SHA512
ac228ae60d8e9ca0d3068b60fcf7e0e3998d89bea9b5e23c84ad2c44551115320be07b9dcdae50cecd46dfe60d4899bf63f548a7a13da19f17b9bde1acff95fa

Download Submit
C:\Temp\wqojgbztrl.exe

Filesize
361KB

MD5
ff1980b8819ca97bff6baabb4e445e70

SHA1
a7ae42bd5f9068d1a438bca7d03c7da93b71b1aa

SHA256
4e1cd902da31a8f63e41b0f1e9741980393bf89e4c6505a404f074d5e638485c

SHA512
932df1898e3c7703b6a7b5802bfc53976c281655949442637c271d349cb4f2a25a7033ccc7d15bc761e582c931c9737356d4efb67cdd52ea94a25125e860922e

Download Submit
C:\Temp\wqojgbztrl.exe

Filesize
361KB

MD5
ff1980b8819ca97bff6baabb4e445e70

SHA1
a7ae42bd5f9068d1a438bca7d03c7da93b71b1aa

SHA256
4e1cd902da31a8f63e41b0f1e9741980393bf89e4c6505a404f074d5e638485c

SHA512
932df1898e3c7703b6a7b5802bfc53976c281655949442637c271d349cb4f2a25a7033ccc7d15bc761e582c931c9737356d4efb67cdd52ea94a25125e860922e

Download Submit
C:\Temp\wtomgeywrojgbztr.exe

Filesize
361KB

MD5
4362d79cc7870c5742e8b2cae832241f

SHA1
03ebf211869ddcd0a0a0afad17d69cede711759f

SHA256
f97b8780a767039120eb801b788516b18aae52c052f299960286e185fbbb6be2

SHA512
1da1ec87be03474a34bbce047fd075cbea7822730dd2052f302106c3c8362b3aecb1092b72a361c7370e9719de11c9fd9c9430f33bb4fdf87e5c382f8e963b36

Download Submit
C:\Temp\wtomgeywrojgbztr.exe

Filesize
361KB

MD5
4362d79cc7870c5742e8b2cae832241f

SHA1
03ebf211869ddcd0a0a0afad17d69cede711759f

SHA256
f97b8780a767039120eb801b788516b18aae52c052f299960286e185fbbb6be2

SHA512
1da1ec87be03474a34bbce047fd075cbea7822730dd2052f302106c3c8362b3aecb1092b72a361c7370e9719de11c9fd9c9430f33bb4fdf87e5c382f8e963b36

Download Submit
C:\Temp\yvqoigaytq.exe

Filesize
361KB

MD5
55695c8991d6c1cfc73e798733acec01

SHA1
8af318c242c7b43179f6e8a63d29a19cbeabedcd

SHA256
19cfd6a8c496e0fcf9a9af1a9d05c89540c4713a558f51453209918b67608d9c

SHA512
87ae1088d7e69094f2d4bb94286e2237cbeef1bb49d158b65c6093b43a0d04bb7ab69f7a6559b9ed4c5450af532363882f14fea850ab323eed75643b720663ea

Download Submit
C:\Temp\yvqoigaytq.exe

Filesize
361KB

MD5
55695c8991d6c1cfc73e798733acec01

SHA1
8af318c242c7b43179f6e8a63d29a19cbeabedcd

SHA256
19cfd6a8c496e0fcf9a9af1a9d05c89540c4713a558f51453209918b67608d9c

SHA512
87ae1088d7e69094f2d4bb94286e2237cbeef1bb49d158b65c6093b43a0d04bb7ab69f7a6559b9ed4c5450af532363882f14fea850ab323eed75643b720663ea

Download Submit
C:\Temp\zxrpjhbzur.exe

Filesize
361KB

MD5
b35bd0600440a5e31a5d6637b5607eb8

SHA1
8f31e76f03a7d83ff94c43794d650df5caa39817

SHA256
e47259df1f303d592e973ecc4008aa391a063d128639cc8bf7ee4a1c5d15e543

SHA512
12addf307820c00a9c74ca8417fdf897b6d970cdaaa1eb692e8a251c0b1cb4a8e65aacfcb54a49e50ca98f62d9fa51d21f1a993389951a10803afb5583b26250

Download Submit
C:\Temp\zxrpjhbzur.exe

Filesize
361KB

MD5
b35bd0600440a5e31a5d6637b5607eb8

SHA1
8f31e76f03a7d83ff94c43794d650df5caa39817

SHA256
e47259df1f303d592e973ecc4008aa391a063d128639cc8bf7ee4a1c5d15e543

SHA512
12addf307820c00a9c74ca8417fdf897b6d970cdaaa1eb692e8a251c0b1cb4a8e65aacfcb54a49e50ca98f62d9fa51d21f1a993389951a10803afb5583b26250

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
cb295ed32b0acd9eac87bcc961fb315a

SHA1
a580f2d38c9d1611e25b6aaa3d79b54eb34d3ebe

SHA256
980abeaa872503211925db8acf8bdcdff0bc3c6deb2182fd698f6a444d2625be

SHA512
974f48bdfb8ea90a49cfa25cacc98c9a145702f4e4967dd6ffddd5eaee6144189499682e80b342708e04f812006314b04e5715492170d0f63c7b0530e9cd399a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
74a9484242b2a4097ae28bf0eb1f544f

SHA1
f8d591cdc8da78fb0c691c4cd2bcbb4b198149e6

SHA256
328b58bb15d09c7f88ddc4c3d2b29ba64e14ca7049053b4e00d7ebd24cceadfd

SHA512
a86e2af566f5119f926a20dde2fd36b32da6570e72f6fdf85857e1e1baa417892442721c5ff02d56f4adc26e43fa482944e54b3280bca27bf93ac331c396a741

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
96fe70555ad016cd6f33df15616d51d0

SHA1
5a66e6699a6010548aea22962863d87c16d3205d

SHA256
9812481ebbe126eb517158a1c507fef81500f0b3b8f574d056be0b2f29805631

SHA512
e55d2f45566b330dc09554932d5af6c7132ba6408f38c0805530c33f5349e1bdb2826ac2e84c71fedd3da5a629fcdfe618ce72812d4805a0ac51d837b1251d22

Download Submit
memory/176-146-0x0000000000000000-mapping.dmp

Download
memory/380-224-0x0000000000000000-mapping.dmp

Download
memory/452-229-0x0000000000000000-mapping.dmp

Download
memory/528-249-0x0000000000000000-mapping.dmp

Download
memory/616-205-0x0000000000000000-mapping.dmp

Download
memory/628-170-0x0000000000000000-mapping.dmp

Download
memory/868-141-0x0000000000000000-mapping.dmp

Download
memory/1012-258-0x0000000000000000-mapping.dmp

Download
memory/1128-169-0x0000000000000000-mapping.dmp

Download
memory/1144-239-0x0000000000000000-mapping.dmp

Download
memory/1260-177-0x0000000000000000-mapping.dmp

Download
memory/1452-234-0x0000000000000000-mapping.dmp

Download
memory/1668-218-0x0000000000000000-mapping.dmp

Download
memory/1676-144-0x0000000000000000-mapping.dmp

Download
memory/1684-237-0x0000000000000000-mapping.dmp

Download
memory/1688-185-0x0000000000000000-mapping.dmp

Download
memory/1732-254-0x0000000000000000-mapping.dmp

Download
memory/1788-210-0x0000000000000000-mapping.dmp

Download
memory/1832-195-0x0000000000000000-mapping.dmp

Download
memory/1840-255-0x0000000000000000-mapping.dmp

Download
memory/1948-208-0x0000000000000000-mapping.dmp

Download
memory/2108-180-0x0000000000000000-mapping.dmp

Download
memory/2160-167-0x0000000000000000-mapping.dmp

Download
memory/2300-175-0x0000000000000000-mapping.dmp

Download
memory/2324-236-0x0000000000000000-mapping.dmp

Download
memory/2380-259-0x0000000000000000-mapping.dmp

Download
memory/2388-244-0x0000000000000000-mapping.dmp

Download
memory/2540-197-0x0000000000000000-mapping.dmp

Download
memory/2560-231-0x0000000000000000-mapping.dmp

Download
memory/2732-132-0x0000000000000000-mapping.dmp

Download
memory/2844-223-0x0000000000000000-mapping.dmp

Download
memory/3008-251-0x0000000000000000-mapping.dmp

Download
memory/3028-190-0x0000000000000000-mapping.dmp

Download
memory/3124-242-0x0000000000000000-mapping.dmp

Download
memory/3156-143-0x0000000000000000-mapping.dmp

Download
memory/3176-198-0x0000000000000000-mapping.dmp

Download
memory/3256-135-0x0000000000000000-mapping.dmp

Download
memory/3320-256-0x0000000000000000-mapping.dmp

Download
memory/3320-200-0x0000000000000000-mapping.dmp

Download
memory/3360-138-0x0000000000000000-mapping.dmp

Download
memory/3448-157-0x0000000000000000-mapping.dmp

Download
memory/3492-221-0x0000000000000000-mapping.dmp

Download
memory/3528-192-0x0000000000000000-mapping.dmp

Download
memory/3552-156-0x0000000000000000-mapping.dmp

Download
memory/3592-182-0x0000000000000000-mapping.dmp

Download
memory/3600-151-0x0000000000000000-mapping.dmp

Download
memory/3940-164-0x0000000000000000-mapping.dmp

Download
memory/3956-247-0x0000000000000000-mapping.dmp

Download
memory/4224-216-0x0000000000000000-mapping.dmp

Download
memory/4224-162-0x0000000000000000-mapping.dmp

Download
memory/4228-159-0x0000000000000000-mapping.dmp

Download
memory/4256-203-0x0000000000000000-mapping.dmp

Download
memory/4308-257-0x0000000000000000-mapping.dmp

Download
memory/4404-248-0x0000000000000000-mapping.dmp

Download
memory/4480-154-0x0000000000000000-mapping.dmp

Download
memory/4612-213-0x0000000000000000-mapping.dmp

Download
memory/4668-183-0x0000000000000000-mapping.dmp

Download
memory/4724-252-0x0000000000000000-mapping.dmp

Download
memory/4856-149-0x0000000000000000-mapping.dmp

Download
memory/4860-253-0x0000000000000000-mapping.dmp

Download
memory/4920-226-0x0000000000000000-mapping.dmp

Download
memory/5036-211-0x0000000000000000-mapping.dmp

Download
memory/5104-250-0x0000000000000000-mapping.dmp

Download
memory/5108-172-0x0000000000000000-mapping.dmp

Download