af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817

Analysis

max time kernel
152s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
Size

361KB
MD5

fd6e677e34a77ee85aee3df8382bce73
SHA1

e26bf77728ddaa3e2634281d9b7fd6c149353da7
SHA256

af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817
SHA512

ad6e02e2a8eea4716c1827412313021af2ce25cc8948461e9e88e4e0a64c9c7eea3dfd9ba8586ecc35fb50bff8cac9a0e950bcedc5cd6802c4b8ceeedca946cf
SSDEEP

6144:CflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:CflfAsiVGjSGecvX

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 51 IoCs

description	pid	Process	procid_target
PID 1828 created 3808	1828	svchost.exe	83
PID 1828 created 2448	1828	svchost.exe	87
PID 1828 created 4876	1828	svchost.exe	90
PID 1828 created 4704	1828	svchost.exe	92
PID 1828 created 4012	1828	svchost.exe	94
PID 1828 created 4448	1828	svchost.exe	97
PID 1828 created 2212	1828	svchost.exe	101
PID 1828 created 3936	1828	svchost.exe	103
PID 1828 created 2012	1828	svchost.exe	106
PID 1828 created 4652	1828	svchost.exe	108
PID 1828 created 3056	1828	svchost.exe	110
PID 1828 created 4492	1828	svchost.exe	113
PID 1828 created 4480	1828	svchost.exe	120
PID 1828 created 3764	1828	svchost.exe	122
PID 1828 created 4624	1828	svchost.exe	126
PID 1828 created 3420	1828	svchost.exe	130
PID 1828 created 2344	1828	svchost.exe	132
PID 1828 created 2408	1828	svchost.exe	135
PID 1828 created 2236	1828	svchost.exe	137
PID 1828 created 3492	1828	svchost.exe	139
PID 1828 created 2128	1828	svchost.exe	142
PID 1828 created 3464	1828	svchost.exe	144
PID 1828 created 2212	1828	svchost.exe	146
PID 1828 created 4692	1828	svchost.exe	149
PID 1828 created 2380	1828	svchost.exe	151
PID 1828 created 1284	1828	svchost.exe	153
PID 1828 created 2620	1828	svchost.exe	156
PID 1828 created 4928	1828	svchost.exe	158
PID 1828 created 2808	1828	svchost.exe	160
PID 1828 created 4600	1828	svchost.exe	163
PID 1828 created 3780	1828	svchost.exe	165
PID 1828 created 2796	1828	svchost.exe	167
PID 1828 created 220	1828	svchost.exe	170
PID 1828 created 3380	1828	svchost.exe	172
PID 1828 created 1924	1828	svchost.exe	174
PID 1828 created 3512	1828	svchost.exe	177
PID 1828 created 4992	1828	svchost.exe	179
PID 1828 created 3580	1828	svchost.exe	181
PID 1828 created 2112	1828	svchost.exe	184
PID 1828 created 3976	1828	svchost.exe	186
PID 1828 created 4276	1828	svchost.exe	188
PID 1828 created 4616	1828	svchost.exe	191
PID 1828 created 3544	1828	svchost.exe	193
PID 1828 created 5008	1828	svchost.exe	195
PID 1828 created 4964	1828	svchost.exe	198
PID 1828 created 2864	1828	svchost.exe	200
PID 1828 created 2128	1828	svchost.exe	202
PID 1828 created 3468	1828	svchost.exe	205
PID 1828 created 1704	1828	svchost.exe	207
PID 1828 created 456	1828	svchost.exe	209
PID 1828 created 4692	1828	svchost.exe	212

Executes dropped EXE 64 IoCs

pid	Process
2004	pkfdxvpnhfaxsqki.exe
3808	CreateProcess.exe
3084	ecxupmhfzx.exe
2448	CreateProcess.exe
4876	CreateProcess.exe
3980	i_ecxupmhfzx.exe
4704	CreateProcess.exe
3976	xrpjhbzurm.exe
4012	CreateProcess.exe
4448	CreateProcess.exe
4344	i_xrpjhbzurm.exe
2212	CreateProcess.exe
4536	zwrpjhbztr.exe
3936	CreateProcess.exe
2012	CreateProcess.exe
4796	i_zwrpjhbztr.exe
4652	CreateProcess.exe
2392	lgeywqoigb.exe
3056	CreateProcess.exe
4492	CreateProcess.exe
1568	i_lgeywqoigb.exe
4480	CreateProcess.exe
308	wqoigaytql.exe
3764	CreateProcess.exe
4624	CreateProcess.exe
4056	i_wqoigaytql.exe
3420	CreateProcess.exe
4208	xvqnigaysq.exe
2344	CreateProcess.exe
2408	CreateProcess.exe
1248	i_xvqnigaysq.exe
2236	CreateProcess.exe
4724	spkicausnk.exe
3492	CreateProcess.exe
2128	CreateProcess.exe
1992	i_spkicausnk.exe
3464	CreateProcess.exe
2044	nhfzxrpkhc.exe
2212	CreateProcess.exe
4692	CreateProcess.exe
1976	i_nhfzxrpkhc.exe
2380	CreateProcess.exe
2404	hbzurmkecw.exe
1284	CreateProcess.exe
2620	CreateProcess.exe
2644	i_hbzurmkecw.exe
4928	CreateProcess.exe
1452	cwuomhezxr.exe
2808	CreateProcess.exe
4600	CreateProcess.exe
3436	i_cwuomhezxr.exe
3780	CreateProcess.exe
1304	rljebwuomg.exe
2796	CreateProcess.exe
220	CreateProcess.exe
4400	i_rljebwuomg.exe
3380	CreateProcess.exe
4760	ljdbvtolgd.exe
1924	CreateProcess.exe
3512	CreateProcess.exe
4592	i_ljdbvtolgd.exe
4992	CreateProcess.exe
996	yvqoigaytq.exe
3580	CreateProcess.exe

Gathers network information 2 TTPs 17 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2392	ipconfig.exe
4040	ipconfig.exe
2408	ipconfig.exe
4864	ipconfig.exe
1756	ipconfig.exe
4308	ipconfig.exe
3936	ipconfig.exe
5020	ipconfig.exe
2920	ipconfig.exe
3632	ipconfig.exe
4228	ipconfig.exe
1756	ipconfig.exe
4528	ipconfig.exe
4112	ipconfig.exe
4192	ipconfig.exe
4112	ipconfig.exe
3272	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000022d50c7fb87f4d49ac617655187eac8200000000020000000000106600000001000020000000943b8cda60043694ae9754eb5c9d8c91211814c5594de8dd1c409bf03654c017000000000e800000000200002000000052061cda521437972c72ef9998b3423ea256d64cc508654e0a90fb5aaf7c56b0200000006576dba18e5b2f8beceb64adb8af5e36ad8ec9c2ca1c7506d4785cf2dbb0617840000000b025b7c58a1c23b6e565ef56f6d582ed8692d0fb897ca9333a5d9eda8a75f0b1c27fe2161612c62fb3384a24383a47b1710619b3d29b7c6037305f16478758e1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d010a08f1e05d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999838"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2001666785"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000022d50c7fb87f4d49ac617655187eac82000000000200000000001066000000010000200000009ad60fc63353ee388ef8f0b90a495b196d6148c030bb4a478016d2407820875f000000000e8000000002000020000000900dee7603001514273c94a051288df801d449baa95f3285fb2326b62156c38f20000000e86f9619c738adb9e029fc4548596a42a986a129fdfbd24c6f8c7b2298dd7b9a40000000ad363990fd5122cbe68823818d286538127793fcde3b828d2df2feaa1323f80799a8d3096d724dd23d79ccd1cae0265b58d96a9093f5d5a3f2b73c42ca5f8006	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999838"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c06e6f901e05d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A0773024-7111-11ED-AECB-DA88DC7FA106} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2174011135"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999838"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376620594"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2001666785"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
2004	pkfdxvpnhfaxsqki.exe
2004	pkfdxvpnhfaxsqki.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
2004	pkfdxvpnhfaxsqki.exe
2004	pkfdxvpnhfaxsqki.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
2004	pkfdxvpnhfaxsqki.exe
2004	pkfdxvpnhfaxsqki.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
2004	pkfdxvpnhfaxsqki.exe
2004	pkfdxvpnhfaxsqki.exe
2004	pkfdxvpnhfaxsqki.exe
2004	pkfdxvpnhfaxsqki.exe
2004	pkfdxvpnhfaxsqki.exe
2004	pkfdxvpnhfaxsqki.exe
2004	pkfdxvpnhfaxsqki.exe
2004	pkfdxvpnhfaxsqki.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe

Suspicious behavior: LoadsDriver 18 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeTcbPrivilege	1828	svchost.exe
Token: SeTcbPrivilege	1828	svchost.exe
Token: SeDebugPrivilege	3980	i_ecxupmhfzx.exe
Token: SeDebugPrivilege	4344	i_xrpjhbzurm.exe
Token: SeDebugPrivilege	4796	i_zwrpjhbztr.exe
Token: SeDebugPrivilege	1568	i_lgeywqoigb.exe
Token: SeDebugPrivilege	4056	i_wqoigaytql.exe
Token: SeDebugPrivilege	1248	i_xvqnigaysq.exe
Token: SeDebugPrivilege	1992	i_spkicausnk.exe
Token: SeDebugPrivilege	1976	i_nhfzxrpkhc.exe
Token: SeDebugPrivilege	2644	i_hbzurmkecw.exe
Token: SeDebugPrivilege	3436	i_cwuomhezxr.exe
Token: SeDebugPrivilege	4400	i_rljebwuomg.exe
Token: SeDebugPrivilege	4592	i_ljdbvtolgd.exe
Token: SeDebugPrivilege	2480	i_yvqoigaytq.exe
Token: SeDebugPrivilege	4448	i_lfdxvqniga.exe
Token: SeDebugPrivilege	2928	i_vsnkfdxvpn.exe
Token: SeDebugPrivilege	3372	i_xupnhfzxsp.exe
Token: SeDebugPrivilege	1644	i_hcausmkecx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2764	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2764	iexplore.exe
2764	iexplore.exe
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 2004	3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe	81
PID 3472 wrote to memory of 2004	3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe	81
PID 3472 wrote to memory of 2004	3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe	81
PID 3472 wrote to memory of 2764	3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe	82
PID 3472 wrote to memory of 2764	3472	af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe	82
PID 2004 wrote to memory of 3808	2004	pkfdxvpnhfaxsqki.exe	83
PID 2004 wrote to memory of 3808	2004	pkfdxvpnhfaxsqki.exe	83
PID 2004 wrote to memory of 3808	2004	pkfdxvpnhfaxsqki.exe	83
PID 2764 wrote to memory of 1624	2764	iexplore.exe	84
PID 2764 wrote to memory of 1624	2764	iexplore.exe	84
PID 2764 wrote to memory of 1624	2764	iexplore.exe	84
PID 1828 wrote to memory of 3084	1828	svchost.exe	86
PID 1828 wrote to memory of 3084	1828	svchost.exe	86
PID 1828 wrote to memory of 3084	1828	svchost.exe	86
PID 3084 wrote to memory of 2448	3084	ecxupmhfzx.exe	87
PID 3084 wrote to memory of 2448	3084	ecxupmhfzx.exe	87
PID 3084 wrote to memory of 2448	3084	ecxupmhfzx.exe	87
PID 1828 wrote to memory of 4192	1828	svchost.exe	88
PID 1828 wrote to memory of 4192	1828	svchost.exe	88
PID 2004 wrote to memory of 4876	2004	pkfdxvpnhfaxsqki.exe	90
PID 2004 wrote to memory of 4876	2004	pkfdxvpnhfaxsqki.exe	90
PID 2004 wrote to memory of 4876	2004	pkfdxvpnhfaxsqki.exe	90
PID 1828 wrote to memory of 3980	1828	svchost.exe	91
PID 1828 wrote to memory of 3980	1828	svchost.exe	91
PID 1828 wrote to memory of 3980	1828	svchost.exe	91
PID 2004 wrote to memory of 4704	2004	pkfdxvpnhfaxsqki.exe	92
PID 2004 wrote to memory of 4704	2004	pkfdxvpnhfaxsqki.exe	92
PID 2004 wrote to memory of 4704	2004	pkfdxvpnhfaxsqki.exe	92
PID 1828 wrote to memory of 3976	1828	svchost.exe	93
PID 1828 wrote to memory of 3976	1828	svchost.exe	93
PID 1828 wrote to memory of 3976	1828	svchost.exe	93
PID 3976 wrote to memory of 4012	3976	xrpjhbzurm.exe	94
PID 3976 wrote to memory of 4012	3976	xrpjhbzurm.exe	94
PID 3976 wrote to memory of 4012	3976	xrpjhbzurm.exe	94
PID 1828 wrote to memory of 2408	1828	svchost.exe	95
PID 1828 wrote to memory of 2408	1828	svchost.exe	95
PID 2004 wrote to memory of 4448	2004	pkfdxvpnhfaxsqki.exe	97
PID 2004 wrote to memory of 4448	2004	pkfdxvpnhfaxsqki.exe	97
PID 2004 wrote to memory of 4448	2004	pkfdxvpnhfaxsqki.exe	97
PID 1828 wrote to memory of 4344	1828	svchost.exe	98
PID 1828 wrote to memory of 4344	1828	svchost.exe	98
PID 1828 wrote to memory of 4344	1828	svchost.exe	98
PID 2004 wrote to memory of 2212	2004	pkfdxvpnhfaxsqki.exe	101
PID 2004 wrote to memory of 2212	2004	pkfdxvpnhfaxsqki.exe	101
PID 2004 wrote to memory of 2212	2004	pkfdxvpnhfaxsqki.exe	101
PID 1828 wrote to memory of 4536	1828	svchost.exe	102
PID 1828 wrote to memory of 4536	1828	svchost.exe	102
PID 1828 wrote to memory of 4536	1828	svchost.exe	102
PID 4536 wrote to memory of 3936	4536	zwrpjhbztr.exe	103
PID 4536 wrote to memory of 3936	4536	zwrpjhbztr.exe	103
PID 4536 wrote to memory of 3936	4536	zwrpjhbztr.exe	103
PID 1828 wrote to memory of 4864	1828	svchost.exe	104
PID 1828 wrote to memory of 4864	1828	svchost.exe	104
PID 2004 wrote to memory of 2012	2004	pkfdxvpnhfaxsqki.exe	106
PID 2004 wrote to memory of 2012	2004	pkfdxvpnhfaxsqki.exe	106
PID 2004 wrote to memory of 2012	2004	pkfdxvpnhfaxsqki.exe	106
PID 1828 wrote to memory of 4796	1828	svchost.exe	107
PID 1828 wrote to memory of 4796	1828	svchost.exe	107
PID 1828 wrote to memory of 4796	1828	svchost.exe	107
PID 2004 wrote to memory of 4652	2004	pkfdxvpnhfaxsqki.exe	108
PID 2004 wrote to memory of 4652	2004	pkfdxvpnhfaxsqki.exe	108
PID 2004 wrote to memory of 4652	2004	pkfdxvpnhfaxsqki.exe	108
PID 1828 wrote to memory of 2392	1828	svchost.exe	109
PID 1828 wrote to memory of 2392	1828	svchost.exe	109

C:\Users\Admin\AppData\Local\Temp\af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
"C:\Users\Admin\AppData\Local\Temp\af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Temp\pkfdxvpnhfaxsqki.exe
  C:\Temp\pkfdxvpnhfaxsqki.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ecxupmhfzx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3808
  - - C:\Temp\ecxupmhfzx.exe
      C:\Temp\ecxupmhfzx.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3084
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2448
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4192
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ecxupmhfzx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4876
  - - C:\Temp\i_ecxupmhfzx.exe
      C:\Temp\i_ecxupmhfzx.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3980
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpjhbzurm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4704
  - - C:\Temp\xrpjhbzurm.exe
      C:\Temp\xrpjhbzurm.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3976
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4012
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2408
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpjhbzurm.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4448
  - - C:\Temp\i_xrpjhbzurm.exe
      C:\Temp\i_xrpjhbzurm.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4344
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zwrpjhbztr.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2212
  - - C:\Temp\zwrpjhbztr.exe
      C:\Temp\zwrpjhbztr.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3936
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4864
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zwrpjhbztr.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2012
  - - C:\Temp\i_zwrpjhbztr.exe
      C:\Temp\i_zwrpjhbztr.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4796
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lgeywqoigb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4652
  - - C:\Temp\lgeywqoigb.exe
      C:\Temp\lgeywqoigb.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2392
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3056
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:5020
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lgeywqoigb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4492
  - - C:\Temp\i_lgeywqoigb.exe
      C:\Temp\i_lgeywqoigb.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1568
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wqoigaytql.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4480
  - - C:\Temp\wqoigaytql.exe
      C:\Temp\wqoigaytql.exe ups_run
      4⤵
      Executes dropped EXE
      PID:308
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3764
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2920
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wqoigaytql.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4624
  - - C:\Temp\i_wqoigaytql.exe
      C:\Temp\i_wqoigaytql.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4056
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xvqnigaysq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3420
  - - C:\Temp\xvqnigaysq.exe
      C:\Temp\xvqnigaysq.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4208
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2344
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4112
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xvqnigaysq.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2408
  - - C:\Temp\i_xvqnigaysq.exe
      C:\Temp\i_xvqnigaysq.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1248
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\spkicausnk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2236
  - - C:\Temp\spkicausnk.exe
      C:\Temp\spkicausnk.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4724
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3492
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1756
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_spkicausnk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2128
  - - C:\Temp\i_spkicausnk.exe
      C:\Temp\i_spkicausnk.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1992
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nhfzxrpkhc.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3464
  - - C:\Temp\nhfzxrpkhc.exe
      C:\Temp\nhfzxrpkhc.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2044
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2212
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3272
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nhfzxrpkhc.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4692
  - - C:\Temp\i_nhfzxrpkhc.exe
      C:\Temp\i_nhfzxrpkhc.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1976
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hbzurmkecw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2380
  - - C:\Temp\hbzurmkecw.exe
      C:\Temp\hbzurmkecw.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2404
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1284
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2392
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hbzurmkecw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2620
  - - C:\Temp\i_hbzurmkecw.exe
      C:\Temp\i_hbzurmkecw.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2644
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\cwuomhezxr.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4928
  - - C:\Temp\cwuomhezxr.exe
      C:\Temp\cwuomhezxr.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1452
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2808
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4528
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_cwuomhezxr.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4600
  - - C:\Temp\i_cwuomhezxr.exe
      C:\Temp\i_cwuomhezxr.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3436
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rljebwuomg.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3780
  - - C:\Temp\rljebwuomg.exe
      C:\Temp\rljebwuomg.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1304
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2796
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3632
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rljebwuomg.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:220
  - - C:\Temp\i_rljebwuomg.exe
      C:\Temp\i_rljebwuomg.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4400
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ljdbvtolgd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3380
  - - C:\Temp\ljdbvtolgd.exe
      C:\Temp\ljdbvtolgd.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4760
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1924
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4040
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ljdbvtolgd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3512
  - - C:\Temp\i_ljdbvtolgd.exe
      C:\Temp\i_ljdbvtolgd.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4592
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\yvqoigaytq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4992
  - - C:\Temp\yvqoigaytq.exe
      C:\Temp\yvqoigaytq.exe ups_run
      4⤵
      Executes dropped EXE
      PID:996
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3580
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4112
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_yvqoigaytq.exe ups_ins
    3⤵
    PID:2112
  - - C:\Temp\i_yvqoigaytq.exe
      C:\Temp\i_yvqoigaytq.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2480
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lfdxvqniga.exe ups_run
    3⤵
    PID:3976
  - - C:\Temp\lfdxvqniga.exe
      C:\Temp\lfdxvqniga.exe ups_run
      4⤵
      PID:1500
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4276
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4228
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lfdxvqniga.exe ups_ins
    3⤵
    PID:4616
  - - C:\Temp\i_lfdxvqniga.exe
      C:\Temp\i_lfdxvqniga.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4448
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vsnkfdxvpn.exe ups_run
    3⤵
    PID:3544
  - - C:\Temp\vsnkfdxvpn.exe
      C:\Temp\vsnkfdxvpn.exe ups_run
      4⤵
      PID:3740
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:5008
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1756
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vsnkfdxvpn.exe ups_ins
    3⤵
    PID:4964
  - - C:\Temp\i_vsnkfdxvpn.exe
      C:\Temp\i_vsnkfdxvpn.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2928
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xupnhfzxsp.exe ups_run
    3⤵
    PID:2864
  - - C:\Temp\xupnhfzxsp.exe
      C:\Temp\xupnhfzxsp.exe ups_run
      4⤵
      PID:1992
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2128
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4308
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xupnhfzxsp.exe ups_ins
    3⤵
    PID:3468
  - - C:\Temp\i_xupnhfzxsp.exe
      C:\Temp\i_xupnhfzxsp.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3372
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hcausmkecx.exe ups_run
    3⤵
    PID:1704
  - - C:\Temp\hcausmkecx.exe
      C:\Temp\hcausmkecx.exe ups_run
      4⤵
      PID:1276
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:456
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3936
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hcausmkecx.exe ups_ins
    3⤵
    PID:4692
  - - C:\Temp\i_hcausmkecx.exe
      C:\Temp\i_hcausmkecx.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1644
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
C:\Temp\ecxupmhfzx.exe

Filesize
361KB

MD5
a5e5ab050cc0417a5325b55ac23091b0

SHA1
9b2af9bc1279fcea2936f032a89711bee228119c

SHA256
9afc111c9218ab5bf707f5855f6dcfc14c50ae479ece959b19dd6590e2b3ce66

SHA512
a78faff2ee5bffa9f29579c0d91351bc3b96fcb346250be2b214d6b3bd2f4c3c5d94f7ba6258d9247b70fa96b89ecd38ef5c8a3912d7f9d50963926e135c764b

Download Submit
C:\Temp\ecxupmhfzx.exe

Filesize
361KB

MD5
a5e5ab050cc0417a5325b55ac23091b0

SHA1
9b2af9bc1279fcea2936f032a89711bee228119c

SHA256
9afc111c9218ab5bf707f5855f6dcfc14c50ae479ece959b19dd6590e2b3ce66

SHA512
a78faff2ee5bffa9f29579c0d91351bc3b96fcb346250be2b214d6b3bd2f4c3c5d94f7ba6258d9247b70fa96b89ecd38ef5c8a3912d7f9d50963926e135c764b

Download Submit
C:\Temp\hbzurmkecw.exe

Filesize
361KB

MD5
680d36119a48c7974f3bb8f9151588f7

SHA1
77b3ef62efa987a6af1ddf5544dc7cf0f8e4b997

SHA256
2c25e66c9909378fc58adbd62ceba3a6e752dad141b3cde2c3f3e25417c8a9c7

SHA512
5ebe4381068d4a3e745ad328622cbe36c0288cf66dc476427e0a2a65c7c4ef88746442f23637da8de0e8f1490a6e9365951b5a026a595145c2a0809a4354428e

Download Submit
C:\Temp\hbzurmkecw.exe

Filesize
361KB

MD5
680d36119a48c7974f3bb8f9151588f7

SHA1
77b3ef62efa987a6af1ddf5544dc7cf0f8e4b997

SHA256
2c25e66c9909378fc58adbd62ceba3a6e752dad141b3cde2c3f3e25417c8a9c7

SHA512
5ebe4381068d4a3e745ad328622cbe36c0288cf66dc476427e0a2a65c7c4ef88746442f23637da8de0e8f1490a6e9365951b5a026a595145c2a0809a4354428e

Download Submit
C:\Temp\i_ecxupmhfzx.exe

Filesize
361KB

MD5
08946e8629c88993d956e1ba132995b7

SHA1
f1a8e18cacc3dd77483659f9f384ca872e64f7f5

SHA256
ed4f97fdfde8ba2c35922ba136561bbbd1c2287629ee23593bbb4466a569e51a

SHA512
9b0c2c4d8718d27b96fbc10311a4f4850421d0d33b513d3c12001d67ebcc6bfa21360db08b41a5da85c1294d927acc22dc62bbcc355aa46c52717a7734128ca1

Download Submit
C:\Temp\i_ecxupmhfzx.exe

Filesize
361KB

MD5
08946e8629c88993d956e1ba132995b7

SHA1
f1a8e18cacc3dd77483659f9f384ca872e64f7f5

SHA256
ed4f97fdfde8ba2c35922ba136561bbbd1c2287629ee23593bbb4466a569e51a

SHA512
9b0c2c4d8718d27b96fbc10311a4f4850421d0d33b513d3c12001d67ebcc6bfa21360db08b41a5da85c1294d927acc22dc62bbcc355aa46c52717a7734128ca1

Download Submit
C:\Temp\i_lgeywqoigb.exe

Filesize
361KB

MD5
d1a75681d1c89be1a181ad4f6100a9f8

SHA1
52b8957705c722a24f11b22ca97a7a79d1ac6a3f

SHA256
72509747282417138abf07f3ca81fb690acece96d100cbbb53d1d642d48b53f0

SHA512
a7ebdba0129b045d7c8913e6b65ece402156a53475b5022170e782e5ef7575ea77dd7d455ab63a950303cff1de1bfa1281a8248deee630c57f014211b24af867

Download Submit
C:\Temp\i_lgeywqoigb.exe

Filesize
361KB

MD5
d1a75681d1c89be1a181ad4f6100a9f8

SHA1
52b8957705c722a24f11b22ca97a7a79d1ac6a3f

SHA256
72509747282417138abf07f3ca81fb690acece96d100cbbb53d1d642d48b53f0

SHA512
a7ebdba0129b045d7c8913e6b65ece402156a53475b5022170e782e5ef7575ea77dd7d455ab63a950303cff1de1bfa1281a8248deee630c57f014211b24af867

Download Submit
C:\Temp\i_nhfzxrpkhc.exe

Filesize
361KB

MD5
6aa8241fd290ddec7afe2d1e0b3f9332

SHA1
9775f37dfaadd507b4ea72bd1d04e65cde3b2233

SHA256
047b5ab02d48a2ae5c715285ee0ea84ba8500581ed623442f67a5df5bf228400

SHA512
52800cc5b64dbc2d286d32807da4df5ed22eb355105fd770f41f6386ea7a1dab5a103c49956b678cff528a9bec2abeb2f8b32c69aa42ab2c5513cf498ac086d3

Download Submit
C:\Temp\i_nhfzxrpkhc.exe

Filesize
361KB

MD5
6aa8241fd290ddec7afe2d1e0b3f9332

SHA1
9775f37dfaadd507b4ea72bd1d04e65cde3b2233

SHA256
047b5ab02d48a2ae5c715285ee0ea84ba8500581ed623442f67a5df5bf228400

SHA512
52800cc5b64dbc2d286d32807da4df5ed22eb355105fd770f41f6386ea7a1dab5a103c49956b678cff528a9bec2abeb2f8b32c69aa42ab2c5513cf498ac086d3

Download Submit
C:\Temp\i_spkicausnk.exe

Filesize
361KB

MD5
2c0aed5d35b9a14944a3cb403da2fe81

SHA1
0edcfaeabf84c50223a8353e5488e16cfef75cef

SHA256
12a3485c9ed6b768f018eeed7bd50d0d9d0407255945d94fb909b5687e5809f1

SHA512
aade1cdf0a266e1fd5da9197940f3c04f23091b774484cb3bd540104e899e9d3307c0841ad0d770065766e7a8103e897d6c89418e08dacd4190829852c0043e0

Download Submit
C:\Temp\i_spkicausnk.exe

Filesize
361KB

MD5
2c0aed5d35b9a14944a3cb403da2fe81

SHA1
0edcfaeabf84c50223a8353e5488e16cfef75cef

SHA256
12a3485c9ed6b768f018eeed7bd50d0d9d0407255945d94fb909b5687e5809f1

SHA512
aade1cdf0a266e1fd5da9197940f3c04f23091b774484cb3bd540104e899e9d3307c0841ad0d770065766e7a8103e897d6c89418e08dacd4190829852c0043e0

Download Submit
C:\Temp\i_wqoigaytql.exe

Filesize
361KB

MD5
3d5fccb1cfd3717ad0fe4fe7a2f1e0b6

SHA1
8821cdaf058159c7ab95bccb6ce8bdc9618f3555

SHA256
3dc61f10fcfabb82fc10a747d53950ff843e95c1ba0ce850c3713ff3e67e2e26

SHA512
e44c78346cc063aaeeaf89f09f1d321960ceaa97dc520a52785aeaf3425172b992b29cd73d03c3fd9aeec4e3e813ff1a19ad660395969561372dce5d15a47424

Download Submit
C:\Temp\i_wqoigaytql.exe

Filesize
361KB

MD5
3d5fccb1cfd3717ad0fe4fe7a2f1e0b6

SHA1
8821cdaf058159c7ab95bccb6ce8bdc9618f3555

SHA256
3dc61f10fcfabb82fc10a747d53950ff843e95c1ba0ce850c3713ff3e67e2e26

SHA512
e44c78346cc063aaeeaf89f09f1d321960ceaa97dc520a52785aeaf3425172b992b29cd73d03c3fd9aeec4e3e813ff1a19ad660395969561372dce5d15a47424

Download Submit
C:\Temp\i_xrpjhbzurm.exe

Filesize
361KB

MD5
6bc10cb231973f12473d0e72498867ce

SHA1
43fd70d23427d7a84917c4af952bdd8547a565b7

SHA256
0d89563dbdf799b0af856e2d1e657a85569f9434110bfdd0d0f50cf9f02012bb

SHA512
cb96bfab59f83a1928283cdfcfba23322e948476b787732b31ec00add31e86757afa81cbbfa85019a6bcd32e1a2ef40018953ae097d2446ec2999f7bae3e1c54

Download Submit
C:\Temp\i_xrpjhbzurm.exe

Filesize
361KB

MD5
6bc10cb231973f12473d0e72498867ce

SHA1
43fd70d23427d7a84917c4af952bdd8547a565b7

SHA256
0d89563dbdf799b0af856e2d1e657a85569f9434110bfdd0d0f50cf9f02012bb

SHA512
cb96bfab59f83a1928283cdfcfba23322e948476b787732b31ec00add31e86757afa81cbbfa85019a6bcd32e1a2ef40018953ae097d2446ec2999f7bae3e1c54

Download Submit
C:\Temp\i_xvqnigaysq.exe

Filesize
361KB

MD5
7aa6bb4c4d634c550c73fb02a5744544

SHA1
e9df0f1eac4458dc238b348044ec3d2af4934ab0

SHA256
035c342222f825d78a85688d7417d23613b218273bbbee2e12a768bbc73df472

SHA512
12ae80fe16bd9c9858dadad6d440c2e6e3a3d5e3cba33292fb01d1dbf7596c1138a2f3285e8a464da802f5233929594c2f0d2a0030b836961e604543e5c94478

Download Submit
C:\Temp\i_xvqnigaysq.exe

Filesize
361KB

MD5
7aa6bb4c4d634c550c73fb02a5744544

SHA1
e9df0f1eac4458dc238b348044ec3d2af4934ab0

SHA256
035c342222f825d78a85688d7417d23613b218273bbbee2e12a768bbc73df472

SHA512
12ae80fe16bd9c9858dadad6d440c2e6e3a3d5e3cba33292fb01d1dbf7596c1138a2f3285e8a464da802f5233929594c2f0d2a0030b836961e604543e5c94478

Download Submit
C:\Temp\i_zwrpjhbztr.exe

Filesize
361KB

MD5
60663ed03306c0fc97b4f99ed8144f6f

SHA1
129ac5bcd4f520377831fd621ed4ae9f0588f750

SHA256
fbe9a25014126ccabd77f13779062d9e0511acc5eb53bd950bbd842f1afc90a8

SHA512
a481c3bd298db0734f4ff0b4b571bf278c7feeaa117b368bc07f1d63ffb99e90ab172ead83ed3f516588779576f4a6be96cec8878398d584d1fc68cf297f7925

Download Submit
C:\Temp\i_zwrpjhbztr.exe

Filesize
361KB

MD5
60663ed03306c0fc97b4f99ed8144f6f

SHA1
129ac5bcd4f520377831fd621ed4ae9f0588f750

SHA256
fbe9a25014126ccabd77f13779062d9e0511acc5eb53bd950bbd842f1afc90a8

SHA512
a481c3bd298db0734f4ff0b4b571bf278c7feeaa117b368bc07f1d63ffb99e90ab172ead83ed3f516588779576f4a6be96cec8878398d584d1fc68cf297f7925

Download Submit
C:\Temp\lgeywqoigb.exe

Filesize
361KB

MD5
1a1fd44bc02c96fde5eee47b3ded129d

SHA1
acda2032d83464a4069b52f8c20a6b16a6d29b94

SHA256
f24641a0a40e4bad5fea53cb372ed483e1ec9c5e965a7ca62e3964a9c54a03e4

SHA512
fe8d66658a5ac25b6ec7cdca24532a675f4147082a992a12f07e6455ee44e586931b3f5e9767674930fa79cabff9bf3f424edcea38f001084d1914ae9772dc35

Download Submit
C:\Temp\lgeywqoigb.exe

Filesize
361KB

MD5
1a1fd44bc02c96fde5eee47b3ded129d

SHA1
acda2032d83464a4069b52f8c20a6b16a6d29b94

SHA256
f24641a0a40e4bad5fea53cb372ed483e1ec9c5e965a7ca62e3964a9c54a03e4

SHA512
fe8d66658a5ac25b6ec7cdca24532a675f4147082a992a12f07e6455ee44e586931b3f5e9767674930fa79cabff9bf3f424edcea38f001084d1914ae9772dc35

Download Submit
C:\Temp\nhfzxrpkhc.exe

Filesize
361KB

MD5
aba59170724a67a88b5b559ba00a8914

SHA1
4ce911305d7cc468735a6fa2bf06b82fa2d52e7c

SHA256
bfd4c9ca725063f5c822431bbbd7f1cf44c2c62c21aeb2fed13d3de76804160c

SHA512
a57d606b7aade5ce09920f7c67df1cdd2ff04a4c177551e57bf3eeeaec0796fece990a0e27c6b201d5669a3282ded46622a9f28c20031a7375c46af8ae1d48dc

Download Submit
C:\Temp\nhfzxrpkhc.exe

Filesize
361KB

MD5
aba59170724a67a88b5b559ba00a8914

SHA1
4ce911305d7cc468735a6fa2bf06b82fa2d52e7c

SHA256
bfd4c9ca725063f5c822431bbbd7f1cf44c2c62c21aeb2fed13d3de76804160c

SHA512
a57d606b7aade5ce09920f7c67df1cdd2ff04a4c177551e57bf3eeeaec0796fece990a0e27c6b201d5669a3282ded46622a9f28c20031a7375c46af8ae1d48dc

Download Submit
C:\Temp\pkfdxvpnhfaxsqki.exe

Filesize
361KB

MD5
bfb421fd4ade743c57a10ea79a3141bf

SHA1
2edd3ee74cd749bdef9edd2efa9d8c5b87c2f540

SHA256
31f9effaf36c3add2c96ffdf45508f17044da13dabbef7f01bc29a527622bde3

SHA512
eabff66ee45314c7e1b2197284800afb28064ea29b56b278e0d974506f246765729f17df22d2bc3d75164e91dd06c6c62abdbabf1871f6f0615da063e295fb81

Download Submit
C:\Temp\pkfdxvpnhfaxsqki.exe

Filesize
361KB

MD5
bfb421fd4ade743c57a10ea79a3141bf

SHA1
2edd3ee74cd749bdef9edd2efa9d8c5b87c2f540

SHA256
31f9effaf36c3add2c96ffdf45508f17044da13dabbef7f01bc29a527622bde3

SHA512
eabff66ee45314c7e1b2197284800afb28064ea29b56b278e0d974506f246765729f17df22d2bc3d75164e91dd06c6c62abdbabf1871f6f0615da063e295fb81

Download Submit
C:\Temp\spkicausnk.exe

Filesize
361KB

MD5
f1289d127fe33e5ccb3c93b99ed1798d

SHA1
5f383500ced9cbb62df46e0f1cd0ba1905fed899

SHA256
adac16042db05094774b4ff7461406175249068c78e5456d3cc7d024e9e34950

SHA512
ce233553c3b1edcbef3e764bc8995187f6687ab0a9847c9d16940336172f59edea7d12b65a7afe51a0bcaebdf0424a6a31b3096eb561d96befca59113772bbfc

Download Submit
C:\Temp\spkicausnk.exe

Filesize
361KB

MD5
f1289d127fe33e5ccb3c93b99ed1798d

SHA1
5f383500ced9cbb62df46e0f1cd0ba1905fed899

SHA256
adac16042db05094774b4ff7461406175249068c78e5456d3cc7d024e9e34950

SHA512
ce233553c3b1edcbef3e764bc8995187f6687ab0a9847c9d16940336172f59edea7d12b65a7afe51a0bcaebdf0424a6a31b3096eb561d96befca59113772bbfc

Download Submit
C:\Temp\wqoigaytql.exe

Filesize
361KB

MD5
75e005653fd65341a415b5e8ccf6d659

SHA1
06acb0c5d91d9727feb7b6151fbcd9771d982d17

SHA256
8e098eb5eed080a6658d5e0305185c1ce7e72550376e18356e0b068f5c9ea0fc

SHA512
fd1f07a274d8e13c80c19fa6a3868891bd53a55387344e1c876139fe446a5aed5d548cd297f09e370a2b9bc8a920d4ee78fa24b976ad41df1e173d201da08c47

Download Submit
C:\Temp\wqoigaytql.exe

Filesize
361KB

MD5
75e005653fd65341a415b5e8ccf6d659

SHA1
06acb0c5d91d9727feb7b6151fbcd9771d982d17

SHA256
8e098eb5eed080a6658d5e0305185c1ce7e72550376e18356e0b068f5c9ea0fc

SHA512
fd1f07a274d8e13c80c19fa6a3868891bd53a55387344e1c876139fe446a5aed5d548cd297f09e370a2b9bc8a920d4ee78fa24b976ad41df1e173d201da08c47

Download Submit
C:\Temp\xrpjhbzurm.exe

Filesize
361KB

MD5
abaebe7de2960793d2ccd2963a2b1ab2

SHA1
96dbf8356ee28b2d89c1dc5ff4ad3f9808c923aa

SHA256
9bc56986d563da45260187766ad24f7f9b976fa28ca58d9850e6098b06e3ad36

SHA512
a0bf4449661ba580c05930a2dab5b0824105ab24aa468e7cb917711d40a30a3257f147de205456501d8ae2c84c7b65b6699997fd5dd61554981bee3022fefffd

Download Submit
C:\Temp\xrpjhbzurm.exe

Filesize
361KB

MD5
abaebe7de2960793d2ccd2963a2b1ab2

SHA1
96dbf8356ee28b2d89c1dc5ff4ad3f9808c923aa

SHA256
9bc56986d563da45260187766ad24f7f9b976fa28ca58d9850e6098b06e3ad36

SHA512
a0bf4449661ba580c05930a2dab5b0824105ab24aa468e7cb917711d40a30a3257f147de205456501d8ae2c84c7b65b6699997fd5dd61554981bee3022fefffd

Download Submit
C:\Temp\xvqnigaysq.exe

Filesize
361KB

MD5
fcac4f7a5366a0f41572c8b852b9f8fd

SHA1
b2253575e223aa3c8b5c47e06878083713d5aacd

SHA256
516ec599cb830d9f24d473be4922815c9a952d6d17c0a6be064bfa0151172f61

SHA512
0286b85c8460eaf6861ea3271ed1212a3bc8c3a8aaaba5088482c252da8bb6978bb6ea1c25c7b30e19fc0d446bf1100078e08f79b5d6b7c582f24021d5843272

Download Submit
C:\Temp\xvqnigaysq.exe

Filesize
361KB

MD5
fcac4f7a5366a0f41572c8b852b9f8fd

SHA1
b2253575e223aa3c8b5c47e06878083713d5aacd

SHA256
516ec599cb830d9f24d473be4922815c9a952d6d17c0a6be064bfa0151172f61

SHA512
0286b85c8460eaf6861ea3271ed1212a3bc8c3a8aaaba5088482c252da8bb6978bb6ea1c25c7b30e19fc0d446bf1100078e08f79b5d6b7c582f24021d5843272

Download Submit
C:\Temp\zwrpjhbztr.exe

Filesize
361KB

MD5
eb5bddaa51983795c1e014673684672b

SHA1
b965f2ce605b46325ac36181afd1ca594eb7e8de

SHA256
a466443ae2831d2f20a4c722f6f231f2ed349a1ce99ed440582314803ff8110f

SHA512
a32295e287dd08d9c887dfb030b972569a4f9aebe7eb8c10ec0912d4885f01567c4e751f6ab65019545bab333b0eeac06b1642ba0865e6ccaee0bbb1cf4d23e8

Download Submit
C:\Temp\zwrpjhbztr.exe

Filesize
361KB

MD5
eb5bddaa51983795c1e014673684672b

SHA1
b965f2ce605b46325ac36181afd1ca594eb7e8de

SHA256
a466443ae2831d2f20a4c722f6f231f2ed349a1ce99ed440582314803ff8110f

SHA512
a32295e287dd08d9c887dfb030b972569a4f9aebe7eb8c10ec0912d4885f01567c4e751f6ab65019545bab333b0eeac06b1642ba0865e6ccaee0bbb1cf4d23e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
2385a464e17980d978246b6b59a60697

SHA1
ee57c16c00972abbea042066dbdd769fdb89571b

SHA256
88dabd9b9c2183dd69b01146358783b0dc0e24faf044331be565cfd26e1dee2a

SHA512
d85eaa2a9a0a4523eb87bd43bbe995d8658dce705024c316de12c9f9be0277ded1646a6667bd47eed337e2b790aab9760ddf2e501242c42f3d66f40c23042d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
8e34cf2b00058ce17848507979b9e34a

SHA1
6a239c332b5d3a85dab957f9dfad3756748c546a

SHA256
b588cb2b40e786c1873ab13f35c784d56ee0f326d57826ebee60cfbe4625e88a

SHA512
f49d17d162f059f386ca90af06287ffaeb1e48f84b05e82dc26ceddc8a08bedd1c065515d7eeee45dae5d1302720320660729de88a7efcf6d65b7d27054c9184

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
0a9510eacfdab55f3ac6cfd5aedcd726

SHA1
86b29d0df53bdadb5573211c3499f1dcd7baaf7c

SHA256
f5837f865914b665c4affab9d0608fe90587e426e5e09905b4f90a655f5add50

SHA512
6ed97d65fbd6b70e6ef6f0fca0ad26a5d87f9dcbf4d92218d811797b7f038f9ad065c1805b682665abca2d52e1cc1cdb81db8fd1bb1545e5ab961788c0e6fe28

Download Submit
memory/308-190-0x0000000000000000-mapping.dmp

Download
memory/1248-213-0x0000000000000000-mapping.dmp

Download
memory/1284-247-0x0000000000000000-mapping.dmp

Download
memory/1304-258-0x0000000000000000-mapping.dmp

Download
memory/1452-252-0x0000000000000000-mapping.dmp

Download
memory/1568-185-0x0000000000000000-mapping.dmp

Download
memory/1756-223-0x0000000000000000-mapping.dmp

Download
memory/1976-239-0x0000000000000000-mapping.dmp

Download
memory/1992-226-0x0000000000000000-mapping.dmp

Download
memory/2004-132-0x0000000000000000-mapping.dmp

Download
memory/2012-170-0x0000000000000000-mapping.dmp

Download
memory/2044-231-0x0000000000000000-mapping.dmp

Download
memory/2128-224-0x0000000000000000-mapping.dmp

Download
memory/2212-162-0x0000000000000000-mapping.dmp

Download
memory/2212-234-0x0000000000000000-mapping.dmp

Download
memory/2236-216-0x0000000000000000-mapping.dmp

Download
memory/2344-206-0x0000000000000000-mapping.dmp

Download
memory/2380-242-0x0000000000000000-mapping.dmp

Download
memory/2392-248-0x0000000000000000-mapping.dmp

Download
memory/2392-177-0x0000000000000000-mapping.dmp

Download
memory/2404-244-0x0000000000000000-mapping.dmp

Download
memory/2408-156-0x0000000000000000-mapping.dmp

Download
memory/2408-211-0x0000000000000000-mapping.dmp

Download
memory/2448-141-0x0000000000000000-mapping.dmp

Download
memory/2620-249-0x0000000000000000-mapping.dmp

Download
memory/2644-250-0x0000000000000000-mapping.dmp

Download
memory/2796-259-0x0000000000000000-mapping.dmp

Download
memory/2808-253-0x0000000000000000-mapping.dmp

Download
memory/2920-195-0x0000000000000000-mapping.dmp

Download
memory/3056-180-0x0000000000000000-mapping.dmp

Download
memory/3084-138-0x0000000000000000-mapping.dmp

Download
memory/3272-236-0x0000000000000000-mapping.dmp

Download
memory/3420-201-0x0000000000000000-mapping.dmp

Download
memory/3436-256-0x0000000000000000-mapping.dmp

Download
memory/3464-229-0x0000000000000000-mapping.dmp

Download
memory/3492-221-0x0000000000000000-mapping.dmp

Download
memory/3764-193-0x0000000000000000-mapping.dmp

Download
memory/3780-257-0x0000000000000000-mapping.dmp

Download
memory/3808-135-0x0000000000000000-mapping.dmp

Download
memory/3936-167-0x0000000000000000-mapping.dmp

Download
memory/3976-151-0x0000000000000000-mapping.dmp

Download
memory/3980-146-0x0000000000000000-mapping.dmp

Download
memory/4012-154-0x0000000000000000-mapping.dmp

Download
memory/4056-198-0x0000000000000000-mapping.dmp

Download
memory/4112-208-0x0000000000000000-mapping.dmp

Download
memory/4192-143-0x0000000000000000-mapping.dmp

Download
memory/4208-203-0x0000000000000000-mapping.dmp

Download
memory/4344-159-0x0000000000000000-mapping.dmp

Download
memory/4448-157-0x0000000000000000-mapping.dmp

Download
memory/4480-188-0x0000000000000000-mapping.dmp

Download
memory/4492-183-0x0000000000000000-mapping.dmp

Download
memory/4528-254-0x0000000000000000-mapping.dmp

Download
memory/4536-164-0x0000000000000000-mapping.dmp

Download
memory/4600-255-0x0000000000000000-mapping.dmp

Download
memory/4624-196-0x0000000000000000-mapping.dmp

Download
memory/4652-175-0x0000000000000000-mapping.dmp

Download
memory/4692-237-0x0000000000000000-mapping.dmp

Download
memory/4704-149-0x0000000000000000-mapping.dmp

Download
memory/4724-218-0x0000000000000000-mapping.dmp

Download
memory/4796-172-0x0000000000000000-mapping.dmp

Download
memory/4864-169-0x0000000000000000-mapping.dmp

Download
memory/4876-144-0x0000000000000000-mapping.dmp

Download
memory/4928-251-0x0000000000000000-mapping.dmp

Download
memory/5020-182-0x0000000000000000-mapping.dmp

Download