96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
Size

361KB
MD5

5404ff313dcc124c2b224a53b424e441
SHA1

c68b7482cb999c6d7ed34fabe8c11aaf5240b9eb
SHA256

96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c
SHA512

513c59d723553450eccff3222fbedb12172f771c64c0b1a29427df72812684a31f259884cbd3106115f81e150754e3222d94d55d45b7dc5ef4e5edf47c3e82c4
SSDEEP

6144:UflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:UflfAsiVGjSGecvX

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 56 IoCs

description	pid	Process	procid_target
PID 4140 created 4072	4140	svchost.exe	87
PID 4140 created 4676	4140	svchost.exe	90
PID 4140 created 1816	4140	svchost.exe	95
PID 4140 created 4316	4140	svchost.exe	99
PID 4140 created 3124	4140	svchost.exe	101
PID 4140 created 904	4140	svchost.exe	104
PID 4140 created 3996	4140	svchost.exe	106
PID 4140 created 1432	4140	svchost.exe	109
PID 4140 created 3312	4140	svchost.exe	111
PID 4140 created 1856	4140	svchost.exe	114
PID 4140 created 2736	4140	svchost.exe	116
PID 4140 created 2196	4140	svchost.exe	119
PID 4140 created 788	4140	svchost.exe	121
PID 4140 created 1820	4140	svchost.exe	123
PID 4140 created 1340	4140	svchost.exe	126
PID 4140 created 3736	4140	svchost.exe	128
PID 4140 created 2012	4140	svchost.exe	130
PID 4140 created 1444	4140	svchost.exe	133
PID 4140 created 3800	4140	svchost.exe	135
PID 4140 created 4332	4140	svchost.exe	137
PID 4140 created 3560	4140	svchost.exe	140
PID 4140 created 3676	4140	svchost.exe	142
PID 4140 created 1812	4140	svchost.exe	144
PID 4140 created 1792	4140	svchost.exe	147
PID 4140 created 1432	4140	svchost.exe	149
PID 4140 created 4444	4140	svchost.exe	151
PID 4140 created 1348	4140	svchost.exe	154
PID 4140 created 2000	4140	svchost.exe	156
PID 4140 created 2736	4140	svchost.exe	158
PID 4140 created 3320	4140	svchost.exe	161
PID 4140 created 5020	4140	svchost.exe	163
PID 4140 created 1964	4140	svchost.exe	165
PID 4140 created 2960	4140	svchost.exe	168
PID 4140 created 3988	4140	svchost.exe	170
PID 4140 created 1960	4140	svchost.exe	172
PID 4140 created 2188	4140	svchost.exe	175
PID 4140 created 1756	4140	svchost.exe	177
PID 4140 created 3488	4140	svchost.exe	179
PID 4140 created 4072	4140	svchost.exe	182
PID 4140 created 4308	4140	svchost.exe	184
PID 4140 created 4048	4140	svchost.exe	186
PID 4140 created 4144	4140	svchost.exe	189
PID 4140 created 4316	4140	svchost.exe	191
PID 4140 created 2072	4140	svchost.exe	193
PID 4140 created 2236	4140	svchost.exe	196
PID 4140 created 4152	4140	svchost.exe	198
PID 4140 created 4120	4140	svchost.exe	200
PID 4140 created 3984	4140	svchost.exe	203
PID 4140 created 2728	4140	svchost.exe	205
PID 4140 created 2396	4140	svchost.exe	207
PID 4140 created 2408	4140	svchost.exe	210
PID 4140 created 2152	4140	svchost.exe	212
PID 4140 created 3312	4140	svchost.exe	214
PID 4140 created 1576	4140	svchost.exe	217
PID 4140 created 3708	4140	svchost.exe	219
PID 4140 created 3416	4140	svchost.exe	221

Executes dropped EXE 64 IoCs

pid	Process
5080	lidbvtnlgaysqlid.exe
4072	CreateProcess.exe
4628	igaytqlidb.exe
4676	CreateProcess.exe
1816	CreateProcess.exe
1132	i_igaytqlidb.exe
4316	CreateProcess.exe
2732	icavsnlfdx.exe
3124	CreateProcess.exe
904	CreateProcess.exe
3716	i_icavsnlfdx.exe
3996	CreateProcess.exe
384	faxspkicau.exe
1432	CreateProcess.exe
3312	CreateProcess.exe
3580	i_faxspkicau.exe
1856	CreateProcess.exe
4564	hcxupmhfzx.exe
2736	CreateProcess.exe
2196	CreateProcess.exe
4932	i_hcxupmhfzx.exe
788	CreateProcess.exe
4004	khczukecwu.exe
1820	CreateProcess.exe
1340	CreateProcess.exe
220	i_khczukecwu.exe
3736	CreateProcess.exe
792	omgezwrpjh.exe
2012	CreateProcess.exe
1444	CreateProcess.exe
3436	i_omgezwrpjh.exe
3800	CreateProcess.exe
1312	ojgbztrlje.exe
4332	CreateProcess.exe
3560	CreateProcess.exe
4660	i_ojgbztrlje.exe
3676	CreateProcess.exe
2268	lgaytqljdb.exe
1812	CreateProcess.exe
1792	CreateProcess.exe
1212	i_lgaytqljdb.exe
1432	CreateProcess.exe
1720	idbvtnlfdy.exe
4444	CreateProcess.exe
1348	CreateProcess.exe
3568	i_idbvtnlfdy.exe
2000	CreateProcess.exe
3664	nlfdyvqnig.exe
2736	CreateProcess.exe
3320	CreateProcess.exe
3468	i_nlfdyvqnig.exe
5020	CreateProcess.exe
4824	vpnifaxsqk.exe
1964	CreateProcess.exe
2960	CreateProcess.exe
612	i_vpnifaxsqk.exe
3988	CreateProcess.exe
3060	pkicausmkf.exe
1960	CreateProcess.exe
2188	CreateProcess.exe
116	i_pkicausmkf.exe
1756	CreateProcess.exe
1304	kecwupmhfz.exe
3488	CreateProcess.exe

Gathers network information 2 TTPs 19 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4856	ipconfig.exe
3580	ipconfig.exe
1776	ipconfig.exe
3372	ipconfig.exe
744	ipconfig.exe
3060	ipconfig.exe
1932	ipconfig.exe
3016	ipconfig.exe
2876	ipconfig.exe
5100	ipconfig.exe
4872	ipconfig.exe
2196	ipconfig.exe
4972	ipconfig.exe
216	ipconfig.exe
3920	ipconfig.exe
1260	ipconfig.exe
2620	ipconfig.exe
4676	ipconfig.exe
3716	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377021984"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{38204AEF-74B8-11ED-A0EE-7EA98FCFBA26} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000773"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000773"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302b0b0fc508d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0df2e0fc508d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "213797186"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "233641987"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c1145c49908204a8e5c9a97d95db30d00000000020000000000106600000001000020000000d213c1cd2664201761f5015938951f7b2149529f993341113cb80c07bf580f38000000000e8000000002000020000000c92de7f33f5eb0ac6888804a3d512786208f265cde5886fa64fdb7411b45ee59200000003e3eb29fef9ed52b366a1cfa3808da33f037edaf31250422d5240956af60217540000000784c05a2fed8c0566fed4ab52b76c3a63628ef95cc938c4682b34923c9edffdb3e91c4bae92ecf00e90b3b2b1dbd0ec8f4c7e20b078db50e76baec80b4a234f5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "213797186"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000773"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c1145c49908204a8e5c9a97d95db30d000000000200000000001066000000010000200000008f5ab81936356c9525339ff4acb1d755c4b9860c1824eb182e45ff980ebcb72a000000000e8000000002000020000000eb4f3d003a45cb4cdff9fbd00b47bb9279227f16bae33e55070d324eb8b4addf2000000056da37fee6cb2d8f8be67b3a1bdf2c2224b63bb66d86d1223dbf956d5234ca72400000000581c2f02ff95ef2e35485acd82f7a02f2ec407df65d87675059d83bdb49a5df37ebad3e1b116bba1e2f648f6c24ca77227e2085c44f1c3194708c775f949a4d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
5080	lidbvtnlgaysqlid.exe
5080	lidbvtnlgaysqlid.exe
5080	lidbvtnlgaysqlid.exe
5080	lidbvtnlgaysqlid.exe
5080	lidbvtnlgaysqlid.exe
5080	lidbvtnlgaysqlid.exe
5080	lidbvtnlgaysqlid.exe
5080	lidbvtnlgaysqlid.exe
5080	lidbvtnlgaysqlid.exe
5080	lidbvtnlgaysqlid.exe
5080	lidbvtnlgaysqlid.exe
5080	lidbvtnlgaysqlid.exe
5080	lidbvtnlgaysqlid.exe
5080	lidbvtnlgaysqlid.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3508	iexplore.exe

Suspicious behavior: LoadsDriver 19 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeTcbPrivilege	4140	svchost.exe
Token: SeTcbPrivilege	4140	svchost.exe
Token: SeDebugPrivilege	1132	i_igaytqlidb.exe
Token: SeDebugPrivilege	3716	i_icavsnlfdx.exe
Token: SeDebugPrivilege	3580	i_faxspkicau.exe
Token: SeDebugPrivilege	4932	i_hcxupmhfzx.exe
Token: SeDebugPrivilege	220	i_khczukecwu.exe
Token: SeDebugPrivilege	3436	i_omgezwrpjh.exe
Token: SeDebugPrivilege	4660	i_ojgbztrlje.exe
Token: SeDebugPrivilege	1212	i_lgaytqljdb.exe
Token: SeDebugPrivilege	3568	i_idbvtnlfdy.exe
Token: SeDebugPrivilege	3468	i_nlfdyvqnig.exe
Token: SeDebugPrivilege	612	i_vpnifaxsqk.exe
Token: SeDebugPrivilege	116	i_pkicausmkf.exe
Token: SeDebugPrivilege	4312	i_kecwupmhfz.exe
Token: SeDebugPrivilege	880	i_wuomhezpjh.exe
Token: SeDebugPrivilege	2416	i_geywqojgbz.exe
Token: SeDebugPrivilege	3752	i_gaytqljdbv.exe
Token: SeDebugPrivilege	3952	i_oigaysqlid.exe
Token: SeDebugPrivilege	4456	i_nifaxsqkic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3508	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3508	iexplore.exe
3508	iexplore.exe
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 5080	4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe	81
PID 4376 wrote to memory of 5080	4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe	81
PID 4376 wrote to memory of 5080	4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe	81
PID 4376 wrote to memory of 3508	4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe	82
PID 4376 wrote to memory of 3508	4376	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe	82
PID 3508 wrote to memory of 2376	3508	iexplore.exe	83
PID 3508 wrote to memory of 2376	3508	iexplore.exe	83
PID 3508 wrote to memory of 2376	3508	iexplore.exe	83
PID 5080 wrote to memory of 4072	5080	lidbvtnlgaysqlid.exe	87
PID 5080 wrote to memory of 4072	5080	lidbvtnlgaysqlid.exe	87
PID 5080 wrote to memory of 4072	5080	lidbvtnlgaysqlid.exe	87
PID 4140 wrote to memory of 4628	4140	svchost.exe	89
PID 4140 wrote to memory of 4628	4140	svchost.exe	89
PID 4140 wrote to memory of 4628	4140	svchost.exe	89
PID 4628 wrote to memory of 4676	4628	igaytqlidb.exe	90
PID 4628 wrote to memory of 4676	4628	igaytqlidb.exe	90
PID 4628 wrote to memory of 4676	4628	igaytqlidb.exe	90
PID 4140 wrote to memory of 744	4140	svchost.exe	91
PID 4140 wrote to memory of 744	4140	svchost.exe	91
PID 5080 wrote to memory of 1816	5080	lidbvtnlgaysqlid.exe	95
PID 5080 wrote to memory of 1816	5080	lidbvtnlgaysqlid.exe	95
PID 5080 wrote to memory of 1816	5080	lidbvtnlgaysqlid.exe	95
PID 4140 wrote to memory of 1132	4140	svchost.exe	96
PID 4140 wrote to memory of 1132	4140	svchost.exe	96
PID 4140 wrote to memory of 1132	4140	svchost.exe	96
PID 5080 wrote to memory of 4316	5080	lidbvtnlgaysqlid.exe	99
PID 5080 wrote to memory of 4316	5080	lidbvtnlgaysqlid.exe	99
PID 5080 wrote to memory of 4316	5080	lidbvtnlgaysqlid.exe	99
PID 4140 wrote to memory of 2732	4140	svchost.exe	100
PID 4140 wrote to memory of 2732	4140	svchost.exe	100
PID 4140 wrote to memory of 2732	4140	svchost.exe	100
PID 2732 wrote to memory of 3124	2732	icavsnlfdx.exe	101
PID 2732 wrote to memory of 3124	2732	icavsnlfdx.exe	101
PID 2732 wrote to memory of 3124	2732	icavsnlfdx.exe	101
PID 4140 wrote to memory of 1260	4140	svchost.exe	102
PID 4140 wrote to memory of 1260	4140	svchost.exe	102
PID 5080 wrote to memory of 904	5080	lidbvtnlgaysqlid.exe	104
PID 5080 wrote to memory of 904	5080	lidbvtnlgaysqlid.exe	104
PID 5080 wrote to memory of 904	5080	lidbvtnlgaysqlid.exe	104
PID 4140 wrote to memory of 3716	4140	svchost.exe	105
PID 4140 wrote to memory of 3716	4140	svchost.exe	105
PID 4140 wrote to memory of 3716	4140	svchost.exe	105
PID 5080 wrote to memory of 3996	5080	lidbvtnlgaysqlid.exe	106
PID 5080 wrote to memory of 3996	5080	lidbvtnlgaysqlid.exe	106
PID 5080 wrote to memory of 3996	5080	lidbvtnlgaysqlid.exe	106
PID 4140 wrote to memory of 384	4140	svchost.exe	107
PID 4140 wrote to memory of 384	4140	svchost.exe	107
PID 4140 wrote to memory of 384	4140	svchost.exe	107
PID 384 wrote to memory of 1432	384	faxspkicau.exe	109
PID 384 wrote to memory of 1432	384	faxspkicau.exe	109
PID 384 wrote to memory of 1432	384	faxspkicau.exe	109
PID 4140 wrote to memory of 4856	4140	svchost.exe	108
PID 4140 wrote to memory of 4856	4140	svchost.exe	108
PID 5080 wrote to memory of 3312	5080	lidbvtnlgaysqlid.exe	111
PID 5080 wrote to memory of 3312	5080	lidbvtnlgaysqlid.exe	111
PID 5080 wrote to memory of 3312	5080	lidbvtnlgaysqlid.exe	111
PID 4140 wrote to memory of 3580	4140	svchost.exe	112
PID 4140 wrote to memory of 3580	4140	svchost.exe	112
PID 4140 wrote to memory of 3580	4140	svchost.exe	112
PID 5080 wrote to memory of 1856	5080	lidbvtnlgaysqlid.exe	114
PID 5080 wrote to memory of 1856	5080	lidbvtnlgaysqlid.exe	114
PID 5080 wrote to memory of 1856	5080	lidbvtnlgaysqlid.exe	114
PID 4140 wrote to memory of 4564	4140	svchost.exe	115
PID 4140 wrote to memory of 4564	4140	svchost.exe	115

C:\Users\Admin\AppData\Local\Temp\96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
"C:\Users\Admin\AppData\Local\Temp\96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Temp\lidbvtnlgaysqlid.exe
  C:\Temp\lidbvtnlgaysqlid.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\igaytqlidb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4072
  - - C:\Temp\igaytqlidb.exe
      C:\Temp\igaytqlidb.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4676
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:744
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_igaytqlidb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1816
  - - C:\Temp\i_igaytqlidb.exe
      C:\Temp\i_igaytqlidb.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1132
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icavsnlfdx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4316
  - - C:\Temp\icavsnlfdx.exe
      C:\Temp\icavsnlfdx.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3124
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1260
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_icavsnlfdx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:904
  - - C:\Temp\i_icavsnlfdx.exe
      C:\Temp\i_icavsnlfdx.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3716
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\faxspkicau.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3996
  - - C:\Temp\faxspkicau.exe
      C:\Temp\faxspkicau.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1432
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_faxspkicau.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3312
  - - C:\Temp\i_faxspkicau.exe
      C:\Temp\i_faxspkicau.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3580
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hcxupmhfzx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1856
  - - C:\Temp\hcxupmhfzx.exe
      C:\Temp\hcxupmhfzx.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4564
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2736
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2620
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hcxupmhfzx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2196
  - - C:\Temp\i_hcxupmhfzx.exe
      C:\Temp\i_hcxupmhfzx.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4932
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\khczukecwu.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:788
  - - C:\Temp\khczukecwu.exe
      C:\Temp\khczukecwu.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4004
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1820
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3060
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_khczukecwu.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1340
  - - C:\Temp\i_khczukecwu.exe
      C:\Temp\i_khczukecwu.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:220
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\omgezwrpjh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3736
  - - C:\Temp\omgezwrpjh.exe
      C:\Temp\omgezwrpjh.exe ups_run
      4⤵
      Executes dropped EXE
      PID:792
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2012
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4676
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_omgezwrpjh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1444
  - - C:\Temp\i_omgezwrpjh.exe
      C:\Temp\i_omgezwrpjh.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3436
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ojgbztrlje.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3800
  - - C:\Temp\ojgbztrlje.exe
      C:\Temp\ojgbztrlje.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1312
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4332
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2876
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ojgbztrlje.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3560
  - - C:\Temp\i_ojgbztrlje.exe
      C:\Temp\i_ojgbztrlje.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4660
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lgaytqljdb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3676
  - - C:\Temp\lgaytqljdb.exe
      C:\Temp\lgaytqljdb.exe ups_run
      4⤵
      Executes dropped EXE
      PID:2268
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1812
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3716
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lgaytqljdb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1792
  - - C:\Temp\i_lgaytqljdb.exe
      C:\Temp\i_lgaytqljdb.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1212
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\idbvtnlfdy.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1432
  - - C:\Temp\idbvtnlfdy.exe
      C:\Temp\idbvtnlfdy.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1720
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4444
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3580
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_idbvtnlfdy.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1348
  - - C:\Temp\i_idbvtnlfdy.exe
      C:\Temp\i_idbvtnlfdy.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3568
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nlfdyvqnig.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2000
  - - C:\Temp\nlfdyvqnig.exe
      C:\Temp\nlfdyvqnig.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3664
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2736
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:5100
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nlfdyvqnig.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3320
  - - C:\Temp\i_nlfdyvqnig.exe
      C:\Temp\i_nlfdyvqnig.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3468
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vpnifaxsqk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:5020
  - - C:\Temp\vpnifaxsqk.exe
      C:\Temp\vpnifaxsqk.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4824
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1964
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2196
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vpnifaxsqk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2960
  - - C:\Temp\i_vpnifaxsqk.exe
      C:\Temp\i_vpnifaxsqk.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:612
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pkicausmkf.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3988
  - - C:\Temp\pkicausmkf.exe
      C:\Temp\pkicausmkf.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3060
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1960
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4972
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pkicausmkf.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2188
  - - C:\Temp\i_pkicausmkf.exe
      C:\Temp\i_pkicausmkf.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:116
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kecwupmhfz.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1756
  - - C:\Temp\kecwupmhfz.exe
      C:\Temp\kecwupmhfz.exe ups_run
      4⤵
      Executes dropped EXE
      PID:1304
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3488
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:216
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kecwupmhfz.exe ups_ins
    3⤵
    PID:4072
  - - C:\Temp\i_kecwupmhfz.exe
      C:\Temp\i_kecwupmhfz.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4312
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wuomhezpjh.exe ups_run
    3⤵
    PID:4308
  - - C:\Temp\wuomhezpjh.exe
      C:\Temp\wuomhezpjh.exe ups_run
      4⤵
      PID:2488
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4048
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1932
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wuomhezpjh.exe ups_ins
    3⤵
    PID:4144
  - - C:\Temp\i_wuomhezpjh.exe
      C:\Temp\i_wuomhezpjh.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:880
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\geywqojgbz.exe ups_run
    3⤵
    PID:4316
  - - C:\Temp\geywqojgbz.exe
      C:\Temp\geywqojgbz.exe ups_run
      4⤵
      PID:1260
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2072
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3920
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_geywqojgbz.exe ups_ins
    3⤵
    PID:2236
  - - C:\Temp\i_geywqojgbz.exe
      C:\Temp\i_geywqojgbz.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2416
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gaytqljdbv.exe ups_run
    3⤵
    PID:4152
  - - C:\Temp\gaytqljdbv.exe
      C:\Temp\gaytqljdbv.exe ups_run
      4⤵
      PID:3188
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4120
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1776
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gaytqljdbv.exe ups_ins
    3⤵
    PID:3984
  - - C:\Temp\i_gaytqljdbv.exe
      C:\Temp\i_gaytqljdbv.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3752
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\oigaysqlid.exe ups_run
    3⤵
    PID:2728
  - - C:\Temp\oigaysqlid.exe
      C:\Temp\oigaysqlid.exe ups_run
      4⤵
      PID:3716
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2396
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3016
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_oigaysqlid.exe ups_ins
    3⤵
    PID:2408
  - - C:\Temp\i_oigaysqlid.exe
      C:\Temp\i_oigaysqlid.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3952
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nifaxsqkic.exe ups_run
    3⤵
    PID:2152
  - - C:\Temp\nifaxsqkic.exe
      C:\Temp\nifaxsqkic.exe ups_run
      4⤵
      PID:2984
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3312
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3372
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nifaxsqkic.exe ups_ins
    3⤵
    PID:1576
  - - C:\Temp\i_nifaxsqkic.exe
      C:\Temp\i_nifaxsqkic.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4456
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icavsnlfdx.exe ups_run
    3⤵
    PID:3708
  - - C:\Temp\icavsnlfdx.exe
      C:\Temp\icavsnlfdx.exe ups_run
      4⤵
      PID:1404
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3416
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4872
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3508 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:4856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit
C:\Temp\faxspkicau.exe

Filesize
361KB

MD5
72a68ef7a8ca46ea0236cd9a34b5c56a

SHA1
1dba08043bb1340f9ab1e72fc0a79101681246e9

SHA256
afaee19a0c1cf071c0605b3b6a81a5ab24cf67c0f3f02ff068204eefc365d7a6

SHA512
93cf637c144c586a3e0b33e6c7f54105b842b17cb65ba26a9b08f4894425736c922fb09b4f32c67ec6fae3d1e1955cc89467f133cb9729d7ab22a94cb169417b

Download Submit
C:\Temp\faxspkicau.exe

Filesize
361KB

MD5
72a68ef7a8ca46ea0236cd9a34b5c56a

SHA1
1dba08043bb1340f9ab1e72fc0a79101681246e9

SHA256
afaee19a0c1cf071c0605b3b6a81a5ab24cf67c0f3f02ff068204eefc365d7a6

SHA512
93cf637c144c586a3e0b33e6c7f54105b842b17cb65ba26a9b08f4894425736c922fb09b4f32c67ec6fae3d1e1955cc89467f133cb9729d7ab22a94cb169417b

Download Submit
C:\Temp\hcxupmhfzx.exe

Filesize
361KB

MD5
03fd0f2ebe3fbe15aca8ea62a4e1f612

SHA1
56943532f5aae2ad89faaa0018fcbba78dac430e

SHA256
89f5bdba352886cb2cdd96ebd37565d1c967cb5394ffa7392043200fe215cf59

SHA512
a6c995c19f8bf2e5d919085d6cc5cec5e030562d0b18f349d555fc62fccb140e968e476243ce44e53e5c10edb512ab09ea42224ebe8d1fdb1e209aae0de9bc1d

Download Submit
C:\Temp\hcxupmhfzx.exe

Filesize
361KB

MD5
03fd0f2ebe3fbe15aca8ea62a4e1f612

SHA1
56943532f5aae2ad89faaa0018fcbba78dac430e

SHA256
89f5bdba352886cb2cdd96ebd37565d1c967cb5394ffa7392043200fe215cf59

SHA512
a6c995c19f8bf2e5d919085d6cc5cec5e030562d0b18f349d555fc62fccb140e968e476243ce44e53e5c10edb512ab09ea42224ebe8d1fdb1e209aae0de9bc1d

Download Submit
C:\Temp\i_faxspkicau.exe

Filesize
361KB

MD5
5ba14a9763d985cfac6c4487797a57cf

SHA1
405d1a03f32581add3e7758dca0ee2c5d401f87e

SHA256
1d7a9d094274fe7eaba7aae1e3e7287dc2d9895bf7cc7215eba8e4de4a3a743f

SHA512
d5639f806c190b1d5321e3b15a007b69dc9099f21155f706aedae05622dce41343e93f70ed7338f55544cec4969cacee1a73cc107c92dfe6285701f425ece386

Download Submit
C:\Temp\i_faxspkicau.exe

Filesize
361KB

MD5
5ba14a9763d985cfac6c4487797a57cf

SHA1
405d1a03f32581add3e7758dca0ee2c5d401f87e

SHA256
1d7a9d094274fe7eaba7aae1e3e7287dc2d9895bf7cc7215eba8e4de4a3a743f

SHA512
d5639f806c190b1d5321e3b15a007b69dc9099f21155f706aedae05622dce41343e93f70ed7338f55544cec4969cacee1a73cc107c92dfe6285701f425ece386

Download Submit
C:\Temp\i_hcxupmhfzx.exe

Filesize
361KB

MD5
b8a4ea155f90a8f0a4802c986556c1b9

SHA1
6b9e687cf2059d6467568c706a3ab5819414f06f

SHA256
b0dd1de6965545caae17a78539a3b5435dba29a0dcaeb8348a2bfd128cb851ae

SHA512
6cf550bd49030d3ba1cd567649c6748fdc86eae23bfa1c9c5de54a0cf5b981f8dfbe71c8fe3136c3b4cc4061504a5e7deeaf3720335e67bdd7c5face3fee235b

Download Submit
C:\Temp\i_hcxupmhfzx.exe

Filesize
361KB

MD5
b8a4ea155f90a8f0a4802c986556c1b9

SHA1
6b9e687cf2059d6467568c706a3ab5819414f06f

SHA256
b0dd1de6965545caae17a78539a3b5435dba29a0dcaeb8348a2bfd128cb851ae

SHA512
6cf550bd49030d3ba1cd567649c6748fdc86eae23bfa1c9c5de54a0cf5b981f8dfbe71c8fe3136c3b4cc4061504a5e7deeaf3720335e67bdd7c5face3fee235b

Download Submit
C:\Temp\i_icavsnlfdx.exe

Filesize
361KB

MD5
7eb21f96d19a601d97133badc6564fed

SHA1
346c7a90a87b63151ccf82c1d8f05eee1bbb411c

SHA256
5a6eff21a29db9ff54ec5b9c908070303a0455fee8dcef6744468ab38f35d077

SHA512
77ca295e5815294bbb8dfb4d056b634ef2b78d9b8d2b4913107d5b73582dc69335e975b33102801bb54f373ded70a9457653af6dbd4397c429060413fbb1ad12

Download Submit
C:\Temp\i_icavsnlfdx.exe

Filesize
361KB

MD5
7eb21f96d19a601d97133badc6564fed

SHA1
346c7a90a87b63151ccf82c1d8f05eee1bbb411c

SHA256
5a6eff21a29db9ff54ec5b9c908070303a0455fee8dcef6744468ab38f35d077

SHA512
77ca295e5815294bbb8dfb4d056b634ef2b78d9b8d2b4913107d5b73582dc69335e975b33102801bb54f373ded70a9457653af6dbd4397c429060413fbb1ad12

Download Submit
C:\Temp\i_igaytqlidb.exe

Filesize
361KB

MD5
a6e3931b75839fab4a686d43772d43a3

SHA1
39f8a389966f71aa7732f1ad81db30755b0bf0db

SHA256
86d58eb5e3e19adb27a5aa5dfcc240390f1c3d00bb89839996f3bd279a061e74

SHA512
64b33128adfceb844e1d08a21c0529f6cacfc47b624550fb460fb0d6738378c171a1cef8d267ec77ea83b62ebd61af3c5a36301681831a32fd07d266aa8ae819

Download Submit
C:\Temp\i_igaytqlidb.exe

Filesize
361KB

MD5
a6e3931b75839fab4a686d43772d43a3

SHA1
39f8a389966f71aa7732f1ad81db30755b0bf0db

SHA256
86d58eb5e3e19adb27a5aa5dfcc240390f1c3d00bb89839996f3bd279a061e74

SHA512
64b33128adfceb844e1d08a21c0529f6cacfc47b624550fb460fb0d6738378c171a1cef8d267ec77ea83b62ebd61af3c5a36301681831a32fd07d266aa8ae819

Download Submit
C:\Temp\i_khczukecwu.exe

Filesize
361KB

MD5
32d4af9961ad483db52aabf8f5345ad3

SHA1
ced1008cf2d8f373ff783b121cef4412328b72d7

SHA256
de62ae0432702d561066a8998093db7d15337c58be54564cc8a503315300486b

SHA512
0763eae8b1a650c63d464a70ddd4711aee4487fd62dc2615a84fb669eb4a63d5afdd9276a0a3eaea11293b3e5aaaef893416416cec8c71b4ccb4546d0ac73fa1

Download Submit
C:\Temp\i_khczukecwu.exe

Filesize
361KB

MD5
32d4af9961ad483db52aabf8f5345ad3

SHA1
ced1008cf2d8f373ff783b121cef4412328b72d7

SHA256
de62ae0432702d561066a8998093db7d15337c58be54564cc8a503315300486b

SHA512
0763eae8b1a650c63d464a70ddd4711aee4487fd62dc2615a84fb669eb4a63d5afdd9276a0a3eaea11293b3e5aaaef893416416cec8c71b4ccb4546d0ac73fa1

Download Submit
C:\Temp\i_lgaytqljdb.exe

Filesize
361KB

MD5
c63c91dcb3289775a46cfea6523b74cb

SHA1
c290594fa6f9828c5b75be6c1f99caaa44ccd663

SHA256
8c2cfe7a69940589a083b1ac44759a6bca5ea72db6622c1981eef7d5e9713052

SHA512
b9b0bec2c943e55fac6cb184c58858261eaccfe0c00d2340a8b622657909a5106a998052209fc0cfb9a91539608e64cef4cb89ed04810f537771008cfbadc928

Download Submit
C:\Temp\i_lgaytqljdb.exe

Filesize
361KB

MD5
c63c91dcb3289775a46cfea6523b74cb

SHA1
c290594fa6f9828c5b75be6c1f99caaa44ccd663

SHA256
8c2cfe7a69940589a083b1ac44759a6bca5ea72db6622c1981eef7d5e9713052

SHA512
b9b0bec2c943e55fac6cb184c58858261eaccfe0c00d2340a8b622657909a5106a998052209fc0cfb9a91539608e64cef4cb89ed04810f537771008cfbadc928

Download Submit
C:\Temp\i_ojgbztrlje.exe

Filesize
361KB

MD5
6fd8f6825475734ce8040014a35c6968

SHA1
dfbe8db11c221521c2e7a10ce7ca878e021aac53

SHA256
7ee93966dc31c1f502e2e822b99d73661def9c6ca8e229a5ec4ae2e13eb191fb

SHA512
320adb0ba1c134dccbf0c6c6e16b4d8eea54191f8dd62ddc4c8e14e8e844a572e145f1b163a55d3974157d5e6826cb79833ba1ed2fd9482659f36914e1a6a4b4

Download Submit
C:\Temp\i_ojgbztrlje.exe

Filesize
361KB

MD5
6fd8f6825475734ce8040014a35c6968

SHA1
dfbe8db11c221521c2e7a10ce7ca878e021aac53

SHA256
7ee93966dc31c1f502e2e822b99d73661def9c6ca8e229a5ec4ae2e13eb191fb

SHA512
320adb0ba1c134dccbf0c6c6e16b4d8eea54191f8dd62ddc4c8e14e8e844a572e145f1b163a55d3974157d5e6826cb79833ba1ed2fd9482659f36914e1a6a4b4

Download Submit
C:\Temp\i_omgezwrpjh.exe

Filesize
361KB

MD5
1e47aa6402674e6fd2579388a66a35bd

SHA1
041c33abb94a30dc30d173802e4b581a82d82cba

SHA256
3fa338f2523536d736646ad4ad55a0db172a5a425eb249a79fe1a951419deab1

SHA512
c39d505f8899d3587922833fdecdce357f85966a36db13586732333e620b0b27e4c80f739f8dd0c439df180e404af9c3369de1f48d2bc80af7fec7127a05afc0

Download Submit
C:\Temp\i_omgezwrpjh.exe

Filesize
361KB

MD5
1e47aa6402674e6fd2579388a66a35bd

SHA1
041c33abb94a30dc30d173802e4b581a82d82cba

SHA256
3fa338f2523536d736646ad4ad55a0db172a5a425eb249a79fe1a951419deab1

SHA512
c39d505f8899d3587922833fdecdce357f85966a36db13586732333e620b0b27e4c80f739f8dd0c439df180e404af9c3369de1f48d2bc80af7fec7127a05afc0

Download Submit
C:\Temp\icavsnlfdx.exe

Filesize
361KB

MD5
7c0df7416ee98a8e3b642df3dfd01aff

SHA1
f93a3e54dd058d0454f1f5109284db0ff4787b88

SHA256
90d7ba6329d9790a3b91e48a7a686fc7fd001b7f9ef61f815785e50ece33dd42

SHA512
e56223f449d48eb9edf2d69ee6dd9b38a7f5094f3e2fc21cb8e34e653e02980ad848557b8dfaef40242bc271690bcdba67d4892b9010c6ad590aec49144424b8

Download Submit
C:\Temp\icavsnlfdx.exe

Filesize
361KB

MD5
7c0df7416ee98a8e3b642df3dfd01aff

SHA1
f93a3e54dd058d0454f1f5109284db0ff4787b88

SHA256
90d7ba6329d9790a3b91e48a7a686fc7fd001b7f9ef61f815785e50ece33dd42

SHA512
e56223f449d48eb9edf2d69ee6dd9b38a7f5094f3e2fc21cb8e34e653e02980ad848557b8dfaef40242bc271690bcdba67d4892b9010c6ad590aec49144424b8

Download Submit
C:\Temp\idbvtnlfdy.exe

Filesize
361KB

MD5
8c185d2ed0358a2ce4f8865482f78ee2

SHA1
8322c51f5bfaeab000c2f0e68c02f324ca9a4368

SHA256
5e54a1599dda084b2994d2d7c12767bb41841d94cd70e193569c7ce9b1bbd5cc

SHA512
f30329c46f35dbf626d30446eeb1af833124d9dee64ff85d8ab435f5a42d97bf95e811bf56442216b6a54f49ec171152ccecec874999edb0890e34740eed17f4

Download Submit
C:\Temp\idbvtnlfdy.exe

Filesize
361KB

MD5
8c185d2ed0358a2ce4f8865482f78ee2

SHA1
8322c51f5bfaeab000c2f0e68c02f324ca9a4368

SHA256
5e54a1599dda084b2994d2d7c12767bb41841d94cd70e193569c7ce9b1bbd5cc

SHA512
f30329c46f35dbf626d30446eeb1af833124d9dee64ff85d8ab435f5a42d97bf95e811bf56442216b6a54f49ec171152ccecec874999edb0890e34740eed17f4

Download Submit
C:\Temp\igaytqlidb.exe

Filesize
361KB

MD5
f6dffddc32c1d22cd265b5e3265bde3a

SHA1
a30cd25f70e2308192c8056bb4180798d68c2c09

SHA256
8f50561d9bacaa2b0501e2fafa8e4b6fb4adfcc15195588e83b5985dafbb603b

SHA512
b52ccd39f96481b45558d576ca742ce52bfc57ffe18cf0bbb5e9d52c0aaf7e6d8de3c15f57f5058f7461c3b79c69f0d829a577e07c153a0f78b5d04f51615f31

Download Submit
C:\Temp\igaytqlidb.exe

Filesize
361KB

MD5
f6dffddc32c1d22cd265b5e3265bde3a

SHA1
a30cd25f70e2308192c8056bb4180798d68c2c09

SHA256
8f50561d9bacaa2b0501e2fafa8e4b6fb4adfcc15195588e83b5985dafbb603b

SHA512
b52ccd39f96481b45558d576ca742ce52bfc57ffe18cf0bbb5e9d52c0aaf7e6d8de3c15f57f5058f7461c3b79c69f0d829a577e07c153a0f78b5d04f51615f31

Download Submit
C:\Temp\khczukecwu.exe

Filesize
361KB

MD5
f29cb12412f8755c9bbd76fdeb140aa9

SHA1
63301a76851794d958c633bcacda050f75375f6e

SHA256
aa46e8d5716cd7cd686b4098f97313308df1d100ed8cf6ba13383ae685751996

SHA512
02fa41c401212f0730662b32559c9f8bc550f91a39d5aa9a77096f0c726aa36266ea217e0d2b68bf633cafda33c080ec211da8cf8fbb7120037bbe3421eeee0d

Download Submit
C:\Temp\khczukecwu.exe

Filesize
361KB

MD5
f29cb12412f8755c9bbd76fdeb140aa9

SHA1
63301a76851794d958c633bcacda050f75375f6e

SHA256
aa46e8d5716cd7cd686b4098f97313308df1d100ed8cf6ba13383ae685751996

SHA512
02fa41c401212f0730662b32559c9f8bc550f91a39d5aa9a77096f0c726aa36266ea217e0d2b68bf633cafda33c080ec211da8cf8fbb7120037bbe3421eeee0d

Download Submit
C:\Temp\lgaytqljdb.exe

Filesize
361KB

MD5
17cb9548aa6b069329f213f02a521ef6

SHA1
dc0539b20a502c27a2b1aff808428bcaab4e53b8

SHA256
b271107a23cb78cd661aa47e9793906fd08f8eda93fd5d871ba17b9a69b997d7

SHA512
e96b9acbb4e105c2b048bca3f37bf0d3206bb46f9a0073ad697784b63019b3f954406abce6b2166e9fc58f569068d8dd11e6e1bd00db4e4769267ba09c41cbd8

Download Submit
C:\Temp\lgaytqljdb.exe

Filesize
361KB

MD5
17cb9548aa6b069329f213f02a521ef6

SHA1
dc0539b20a502c27a2b1aff808428bcaab4e53b8

SHA256
b271107a23cb78cd661aa47e9793906fd08f8eda93fd5d871ba17b9a69b997d7

SHA512
e96b9acbb4e105c2b048bca3f37bf0d3206bb46f9a0073ad697784b63019b3f954406abce6b2166e9fc58f569068d8dd11e6e1bd00db4e4769267ba09c41cbd8

Download Submit
C:\Temp\lidbvtnlgaysqlid.exe

Filesize
361KB

MD5
9127be00f8b13ba6a2edd288e79a45c8

SHA1
c3038c8c6f327579f06ff8e02ecfbbb5cd0202d1

SHA256
071754d6c6078d2c227f83492c09be28dfec80db1134b57fe8d019238a8e2be7

SHA512
4163861a5707c406299e9ee5512a324d63d35868442b9f2692d5dffa4afc168bd083246bcbd9b1ba828d0189a7759a4440727e5552833a04c80077b7c3914729

Download Submit
C:\Temp\lidbvtnlgaysqlid.exe

Filesize
361KB

MD5
9127be00f8b13ba6a2edd288e79a45c8

SHA1
c3038c8c6f327579f06ff8e02ecfbbb5cd0202d1

SHA256
071754d6c6078d2c227f83492c09be28dfec80db1134b57fe8d019238a8e2be7

SHA512
4163861a5707c406299e9ee5512a324d63d35868442b9f2692d5dffa4afc168bd083246bcbd9b1ba828d0189a7759a4440727e5552833a04c80077b7c3914729

Download Submit
C:\Temp\ojgbztrlje.exe

Filesize
361KB

MD5
45a4092b1c89700a11f1420686ee8136

SHA1
bea01d8ce1214c836406f4085f0d0f321a596dde

SHA256
6660e7748cfd36447a286934727d9fba5985b7d89718c9e2f8c86750c3164adb

SHA512
4885cddf7c7eff3e1ecf0946be9980e1a584c22405dba729f5eac5491e1d1e863db989112523b3207d63d7cc2aa8c18b68971e23ecd90120e3ea8fc548e8d6d7

Download Submit
C:\Temp\ojgbztrlje.exe

Filesize
361KB

MD5
45a4092b1c89700a11f1420686ee8136

SHA1
bea01d8ce1214c836406f4085f0d0f321a596dde

SHA256
6660e7748cfd36447a286934727d9fba5985b7d89718c9e2f8c86750c3164adb

SHA512
4885cddf7c7eff3e1ecf0946be9980e1a584c22405dba729f5eac5491e1d1e863db989112523b3207d63d7cc2aa8c18b68971e23ecd90120e3ea8fc548e8d6d7

Download Submit
C:\Temp\omgezwrpjh.exe

Filesize
361KB

MD5
d549c42b9a2117dfeba5bace881024de

SHA1
cc47a7f7db34fa7c729eb2958c169cde25bedbab

SHA256
fae86b743d9a81129e50a1ebefe2cadf27b9f851aaed7881648be21fcc64a743

SHA512
34feda28bc0eefa3708c1a1409972492235893e036a616c66a745879dda53f0a1cf6fc5d600f7166698c8df0392a2340e7b6655558d45163d4321e2298cabc14

Download Submit
C:\Temp\omgezwrpjh.exe

Filesize
361KB

MD5
d549c42b9a2117dfeba5bace881024de

SHA1
cc47a7f7db34fa7c729eb2958c169cde25bedbab

SHA256
fae86b743d9a81129e50a1ebefe2cadf27b9f851aaed7881648be21fcc64a743

SHA512
34feda28bc0eefa3708c1a1409972492235893e036a616c66a745879dda53f0a1cf6fc5d600f7166698c8df0392a2340e7b6655558d45163d4321e2298cabc14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
ac572cbbc82d6d652cdbe2596aeac4ee

SHA1
a631b27cf33fe134f42ed411d7ea06c21df41ad5

SHA256
50b6d8f62150a7bd25fb3e462130e8e054a0f1fb619487e8c426a4c8bf6bdca8

SHA512
070095ec83e4eeccae5dcbadcb3132f08fd0aac50badbc42cb72691236b6cfcdf14ce275fb1bf5511896bb4dd25c2121e044341003c1a507be8fabc0b2b1bfff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
74b00267b871be3a3cc9098b9306cbaf

SHA1
5ed7c0b4eee6af9132751fe2959d149843613fcb

SHA256
de1372af81f93e38497f9808cc92b26fd55f2d87b7dc61d9c1341601904efae9

SHA512
f1aad8915d65d5ff88bd6730ab694a22f5117aefeaab40c66547df6f49ec36550b5c15438d556b2b2a10e4114352b40786f5af1b1c0d008674d9119e217ca199

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
a4ca987be2750c6eb59999ae0d4ccaf5

SHA1
2c90790101594bab4e19e0854b8948916f03e8d1

SHA256
8dd599c3d7a5f07eb687c69fa08676e4b1cf674df5af53a23f860cab1387717e

SHA512
417da0bcd887e434140c57cf9f853345897864f6f39cec7933133144026426d809b828360d5479c94128f29dc05afc0516a1ee32c54efe8d68e335a85ce7154f

Download Submit