e9904a69b324f1bada5b8326637a7a3d7b147475655d016bd8c6c5c504d165cf

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
Size

226KB
MD5

bbba8a3cad3b4542a7fb6cbdd5b7c5c0
SHA1

5e2cee979c0f48033d57ac50d46acf8a0fb42d61
SHA256

e9904a69b324f1bada5b8326637a7a3d7b147475655d016bd8c6c5c504d165cf
SHA512

2cfab9b29a1822ab3942239fc95b7cca6bea230c7f8c5ad0c856c4580257062b42f5b0150839107cc7752fbf530c6317793936bad99cd704213bd8e8142d7686
SSDEEP

3072:+GSyY4L+c2JhX7ypa3rV3dZPFvOAngoRUAFa1nxayHdXkb5kA7:VXY4LK+a3lLNngoqRttA7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2592	CP.exe
2292	gdysqlidxv.exe
2468	CP.exe
2484	CP.exe
2368	i_gdysqlidxv.exe
2724	CP.exe
2744	nicavsnhfz.exe
2784	CP.exe
1360	CP.exe
1772	i_nicavsnhfz.exe
1868	CP.exe
3064	axsmkecxrp.exe
1056	CP.exe
1716	CP.exe
2300	i_axsmkecxrp.exe
2244	CP.exe
2296	xvpkhczusm.exe
2952	CP.exe
1916	CP.exe
852	i_xvpkhczusm.exe
2544	CP.exe
2588	mkecwrpjhb.exe
2608	CP.exe
2292	CP.exe
2512	i_mkecwrpjhb.exe
2892	CP.exe
1628	bzurmgeywr.exe
2556	CP.exe
2760	CP.exe
2600	i_bzurmgeywr.exe
344	CP.exe
1612	rlgeywqljd.exe
2788	CP.exe
2140	CP.exe
1516	i_rlgeywqljd.exe
1436	CP.exe
2128	oigbytnlgd.exe
2108	CP.exe
2100	CP.exe
2976	i_oigbytnlgd.exe
2144	CP.exe
540	dywqlidbvp.exe
668	CP.exe
1496	CP.exe
956	i_dywqlidbvp.exe
2556	CP.exe
2540	qnigavsnkf.exe
2484	CP.exe
2768	CP.exe
1700	i_qnigavsnkf.exe
320	CP.exe
1848	qnicavsfzx.exe
1928	CP.exe
1816	CP.exe
1524	i_qnicavsfzx.exe
1192	CP.exe
2024	hfaxsmkecx.exe
2420	CP.exe
2124	CP.exe
1784	i_hfaxsmkecx.exe
2976	CP.exe
2100	cxvpkhcauo.exe
2104	CP.exe
2232	CP.exe

Loads dropped DLL 64 IoCs

pid	Process
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2292	gdysqlidxv.exe
2292	gdysqlidxv.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2744	nicavsnhfz.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
3064	axsmkecxrp.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2296	xvpkhczusm.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2588	mkecwrpjhb.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
1628	bzurmgeywr.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
1612	rlgeywqljd.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2128	oigbytnlgd.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
540	dywqlidbvp.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2540	qnigavsnkf.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
1848	qnicavsfzx.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2024	hfaxsmkecx.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2100	cxvpkhcauo.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
564	rpkecwuojh.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
3040	smhezxrlje.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
1644	hbztrmgeyw.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
3008	ztomgeytql.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2112	oigbytnlfd.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2352	oigbvtnlfa.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2744	gavtnlfaxs.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
2768	vpnhfausmk.exe

Gathers network information 2 TTPs 21 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
764	ipconfig.exe
2276	ipconfig.exe
1860	ipconfig.exe
2508	ipconfig.exe
2108	ipconfig.exe
2732	ipconfig.exe
1732	ipconfig.exe
384	ipconfig.exe
2796	ipconfig.exe
1996	ipconfig.exe
2704	ipconfig.exe
760	ipconfig.exe
2552	ipconfig.exe
2472	ipconfig.exe
2336	ipconfig.exe
888	ipconfig.exe
1308	ipconfig.exe
992	ipconfig.exe
2892	ipconfig.exe
2604	ipconfig.exe
2772	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b04dd32cf8a0da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000db4edb89a98a13b6cc1d2b97f7aab97aaf7c0290c0a2cab725b8b9a7cff5368e000000000e8000000002000020000000dac687fe1e0d084f145bd86e940d8e066bc54ac211fae70e03d741dded8963ad20000000dc2ced09a633ec2f22ca8334648777d59052fad733d2b60d2c1934a78c9a3ca6400000005b96d2374ce205e2b0c01ed15789cbc8ee4279a7f15a9469352ac8b020cc72f103520495a418b9a55c975d92b39d3da0512cf86082323cf3a31ae03ae215df13	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000fd80fdc9bf5c3728dd707a58215ba5e38f5880d7f79e90b54528f8394896d31d000000000e8000000002000020000000f06f9638b15baf712890f07fa94bdaa62b00ccaf03f5e09e8487191ae6c64b0e90000000a00e86c3d71b0634ab808bec18a0582d80f8d4aefcd7dc723c8a6acb786db09383e3d846783aa891f0d0c2ec57f31e89e0278a302336006b04974eba5a1d13f82b1bb8fc2500115ff33a2b7d4179b7bafd7f6042a93968dbcc60efdd37ae5ab811332612de9c645d3412e47cabbeac8a33a89ccab86c4d367bb011dda503aab2d295b0e179552c9fd194398be8c892d9400000008e0515efbf25e425f55da848e1f2c2944adc75163637e5870f5f54bf27303da2d6edf4009c8f3ae1474558ff3da7d36b523a02cbc58bd1ba85ac6884ceba00f8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421300903"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5584DFD1-0CEB-11EF-A1AD-46837A41B3D6} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	i_gdysqlidxv.exe
Token: SeDebugPrivilege	1772	i_nicavsnhfz.exe
Token: SeDebugPrivilege	2300	i_axsmkecxrp.exe
Token: SeDebugPrivilege	852	i_xvpkhczusm.exe
Token: SeDebugPrivilege	2512	i_mkecwrpjhb.exe
Token: SeDebugPrivilege	2600	i_bzurmgeywr.exe
Token: SeDebugPrivilege	1516	i_rlgeywqljd.exe
Token: SeDebugPrivilege	2976	i_oigbytnlgd.exe
Token: SeDebugPrivilege	956	i_dywqlidbvp.exe
Token: SeDebugPrivilege	1700	i_qnigavsnkf.exe
Token: SeDebugPrivilege	1524	i_qnicavsfzx.exe
Token: SeDebugPrivilege	1784	i_hfaxsmkecx.exe
Token: SeDebugPrivilege	1504	i_cxvpkhcauo.exe
Token: SeDebugPrivilege	700	i_rpkecwuojh.exe
Token: SeDebugPrivilege	1736	i_smhezxrlje.exe
Token: SeDebugPrivilege	2032	i_hbztrmgeyw.exe
Token: SeDebugPrivilege	2040	i_ztomgeytql.exe
Token: SeDebugPrivilege	2464	i_oigbytnlfd.exe
Token: SeDebugPrivilege	2616	i_oigbvtnlfa.exe
Token: SeDebugPrivilege	2496	i_gavtnlfaxs.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2020	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2020	iexplore.exe
2020	iexplore.exe
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2020	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	28
PID 2220 wrote to memory of 2020	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	28
PID 2220 wrote to memory of 2020	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	28
PID 2220 wrote to memory of 2020	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	28
PID 2020 wrote to memory of 2968	2020	iexplore.exe	29
PID 2020 wrote to memory of 2968	2020	iexplore.exe	29
PID 2020 wrote to memory of 2968	2020	iexplore.exe	29
PID 2020 wrote to memory of 2968	2020	iexplore.exe	29
PID 2220 wrote to memory of 2592	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	30
PID 2220 wrote to memory of 2592	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	30
PID 2220 wrote to memory of 2592	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	30
PID 2220 wrote to memory of 2592	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	30
PID 2292 wrote to memory of 2468	2292	gdysqlidxv.exe	33
PID 2292 wrote to memory of 2468	2292	gdysqlidxv.exe	33
PID 2292 wrote to memory of 2468	2292	gdysqlidxv.exe	33
PID 2292 wrote to memory of 2468	2292	gdysqlidxv.exe	33
PID 2220 wrote to memory of 2484	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	36
PID 2220 wrote to memory of 2484	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	36
PID 2220 wrote to memory of 2484	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	36
PID 2220 wrote to memory of 2484	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	36
PID 2220 wrote to memory of 2724	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	38
PID 2220 wrote to memory of 2724	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	38
PID 2220 wrote to memory of 2724	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	38
PID 2220 wrote to memory of 2724	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	38
PID 2744 wrote to memory of 2784	2744	nicavsnhfz.exe	40
PID 2744 wrote to memory of 2784	2744	nicavsnhfz.exe	40
PID 2744 wrote to memory of 2784	2744	nicavsnhfz.exe	40
PID 2744 wrote to memory of 2784	2744	nicavsnhfz.exe	40
PID 2220 wrote to memory of 1360	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	43
PID 2220 wrote to memory of 1360	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	43
PID 2220 wrote to memory of 1360	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	43
PID 2220 wrote to memory of 1360	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	43
PID 2220 wrote to memory of 1868	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	45
PID 2220 wrote to memory of 1868	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	45
PID 2220 wrote to memory of 1868	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	45
PID 2220 wrote to memory of 1868	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	45
PID 3064 wrote to memory of 1056	3064	axsmkecxrp.exe	47
PID 3064 wrote to memory of 1056	3064	axsmkecxrp.exe	47
PID 3064 wrote to memory of 1056	3064	axsmkecxrp.exe	47
PID 3064 wrote to memory of 1056	3064	axsmkecxrp.exe	47
PID 2220 wrote to memory of 1716	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	50
PID 2220 wrote to memory of 1716	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	50
PID 2220 wrote to memory of 1716	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	50
PID 2220 wrote to memory of 1716	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	50
PID 2220 wrote to memory of 2244	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	52
PID 2220 wrote to memory of 2244	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	52
PID 2220 wrote to memory of 2244	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	52
PID 2220 wrote to memory of 2244	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	52
PID 2296 wrote to memory of 2952	2296	xvpkhczusm.exe	54
PID 2296 wrote to memory of 2952	2296	xvpkhczusm.exe	54
PID 2296 wrote to memory of 2952	2296	xvpkhczusm.exe	54
PID 2296 wrote to memory of 2952	2296	xvpkhczusm.exe	54
PID 2220 wrote to memory of 1916	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	57
PID 2220 wrote to memory of 1916	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	57
PID 2220 wrote to memory of 1916	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	57
PID 2220 wrote to memory of 1916	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	57
PID 2220 wrote to memory of 2544	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	59
PID 2220 wrote to memory of 2544	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	59
PID 2220 wrote to memory of 2544	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	59
PID 2220 wrote to memory of 2544	2220	bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe	59
PID 2588 wrote to memory of 2608	2588	mkecwrpjhb.exe	61
PID 2588 wrote to memory of 2608	2588	mkecwrpjhb.exe	61
PID 2588 wrote to memory of 2608	2588	mkecwrpjhb.exe	61
PID 2588 wrote to memory of 2608	2588	mkecwrpjhb.exe	61

C:\Users\Admin\AppData\Local\Temp\bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\bbba8a3cad3b4542a7fb6cbdd5b7c5c0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2968
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\gdysqlidxv.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2592
- - C:\Temp\gdysqlidxv.exe
    C:\Temp\gdysqlidxv.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2468
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2604
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_gdysqlidxv.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2484
- - C:\Temp\i_gdysqlidxv.exe
    C:\Temp\i_gdysqlidxv.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\nicavsnhfz.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2724
- - C:\Temp\nicavsnhfz.exe
    C:\Temp\nicavsnhfz.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2784
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2772
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_nicavsnhfz.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1360
- - C:\Temp\i_nicavsnhfz.exe
    C:\Temp\i_nicavsnhfz.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\axsmkecxrp.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:1868
- - C:\Temp\axsmkecxrp.exe
    C:\Temp\axsmkecxrp.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:1056
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:760
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_axsmkecxrp.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1716
- - C:\Temp\i_axsmkecxrp.exe
    C:\Temp\i_axsmkecxrp.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\xvpkhczusm.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2244
- - C:\Temp\xvpkhczusm.exe
    C:\Temp\xvpkhczusm.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2952
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:888
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_xvpkhczusm.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1916
- - C:\Temp\i_xvpkhczusm.exe
    C:\Temp\i_xvpkhczusm.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\mkecwrpjhb.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2544
- - C:\Temp\mkecwrpjhb.exe
    C:\Temp\mkecwrpjhb.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2608
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2552
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_mkecwrpjhb.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2292
- - C:\Temp\i_mkecwrpjhb.exe
    C:\Temp\i_mkecwrpjhb.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\bzurmgeywr.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2892
- - C:\Temp\bzurmgeywr.exe
    C:\Temp\bzurmgeywr.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1628
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2556
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2732
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_bzurmgeywr.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2760
- - C:\Temp\i_bzurmgeywr.exe
    C:\Temp\i_bzurmgeywr.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\rlgeywqljd.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:344
- - C:\Temp\rlgeywqljd.exe
    C:\Temp\rlgeywqljd.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1612
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2788
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2508
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_rlgeywqljd.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2140
- - C:\Temp\i_rlgeywqljd.exe
    C:\Temp\i_rlgeywqljd.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\oigbytnlgd.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:1436
- - C:\Temp\oigbytnlgd.exe
    C:\Temp\oigbytnlgd.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2128
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2108
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1732
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_oigbytnlgd.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2100
- - C:\Temp\i_oigbytnlgd.exe
    C:\Temp\i_oigbytnlgd.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\dywqlidbvp.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2144
- - C:\Temp\dywqlidbvp.exe
    C:\Temp\dywqlidbvp.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:540
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:668
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:384
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_dywqlidbvp.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1496
- - C:\Temp\i_dywqlidbvp.exe
    C:\Temp\i_dywqlidbvp.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\qnigavsnkf.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2556
- - C:\Temp\qnigavsnkf.exe
    C:\Temp\qnigavsnkf.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2540
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2484
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2796
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_qnigavsnkf.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2768
- - C:\Temp\i_qnigavsnkf.exe
    C:\Temp\i_qnigavsnkf.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\qnicavsfzx.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:320
- - C:\Temp\qnicavsfzx.exe
    C:\Temp\qnicavsfzx.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1848
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:1928
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:764
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_qnicavsfzx.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1816
- - C:\Temp\i_qnicavsfzx.exe
    C:\Temp\i_qnicavsfzx.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\hfaxsmkecx.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:1192
- - C:\Temp\hfaxsmkecx.exe
    C:\Temp\hfaxsmkecx.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2024
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2420
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2108
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_hfaxsmkecx.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2124
- - C:\Temp\i_hfaxsmkecx.exe
    C:\Temp\i_hfaxsmkecx.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\cxvpkhcauo.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2976
- - C:\Temp\cxvpkhcauo.exe
    C:\Temp\cxvpkhcauo.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2100
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2104
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2276
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_cxvpkhcauo.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2232
- - C:\Temp\i_cxvpkhcauo.exe
    C:\Temp\i_cxvpkhcauo.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\rpkecwuojh.exe ups_run
  2⤵
  PID:1856
- - C:\Temp\rpkecwuojh.exe
    C:\Temp\rpkecwuojh.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:564
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:2864
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1860
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_rpkecwuojh.exe ups_ins
  2⤵
  PID:2408
- - C:\Temp\i_rpkecwuojh.exe
    C:\Temp\i_rpkecwuojh.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:700
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\smhezxrlje.exe ups_run
  2⤵
  PID:1768
- - C:\Temp\smhezxrlje.exe
    C:\Temp\smhezxrlje.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:3040
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:1756
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1996
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_smhezxrlje.exe ups_ins
  2⤵
  PID:1048
- - C:\Temp\i_smhezxrlje.exe
    C:\Temp\i_smhezxrlje.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\hbztrmgeyw.exe ups_run
  2⤵
  PID:1664
- - C:\Temp\hbztrmgeyw.exe
    C:\Temp\hbztrmgeyw.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:1644
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:588
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1308
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_hbztrmgeyw.exe ups_ins
  2⤵
  PID:2000
- - C:\Temp\i_hbztrmgeyw.exe
    C:\Temp\i_hbztrmgeyw.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\ztomgeytql.exe ups_run
  2⤵
  PID:2804
- - C:\Temp\ztomgeytql.exe
    C:\Temp\ztomgeytql.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:3008
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:1792
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:992
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_ztomgeytql.exe ups_ins
  2⤵
  PID:3016
- - C:\Temp\i_ztomgeytql.exe
    C:\Temp\i_ztomgeytql.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\oigbytnlfd.exe ups_run
  2⤵
  PID:1188
- - C:\Temp\oigbytnlfd.exe
    C:\Temp\oigbytnlfd.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:2112
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:2628
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2704
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_oigbytnlfd.exe ups_ins
  2⤵
  PID:2692
- - C:\Temp\i_oigbytnlfd.exe
    C:\Temp\i_oigbytnlfd.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\oigbvtnlfa.exe ups_run
  2⤵
  PID:2468
- - C:\Temp\oigbvtnlfa.exe
    C:\Temp\oigbvtnlfa.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:2352
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:2492
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2472
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_oigbvtnlfa.exe ups_ins
  2⤵
  PID:2448
- - C:\Temp\i_oigbvtnlfa.exe
    C:\Temp\i_oigbvtnlfa.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\gavtnlfaxs.exe ups_run
  2⤵
  PID:2240
- - C:\Temp\gavtnlfaxs.exe
    C:\Temp\gavtnlfaxs.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:2744
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:2992
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2892
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_gavtnlfaxs.exe ups_ins
  2⤵
  PID:2700
- - C:\Temp\i_gavtnlfaxs.exe
    C:\Temp\i_gavtnlfaxs.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\vpnhfausmk.exe ups_run
  2⤵
  PID:1700
- - C:\Temp\vpnhfausmk.exe
    C:\Temp\vpnhfausmk.exe ups_run
    3⤵
    - Loads dropped DLL
    PID:2768
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:1720
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\axsmkecxrp.exe

Filesize
226KB

MD5
dacbcb960f43d04473ef185a50b43e1a

SHA1
399cb7211718c8ea6c8fdd0de13ee0bbd1c42c25

SHA256
1b872884f42b4d8a4652b6ef0b3b46480be50e4ea68ec082ef8f00fee8f38adb

SHA512
5f20662d45d2b50db4c8a0e5b671405a75ce31d3c612250feb13f50d7462715b2e57bbc2f37124febd99e15e08214aacd807c0ebff8ed08f73152d61ce5f7989

Download Submit
C:\Temp\bzurmgeywr.exe

Filesize
226KB

MD5
d1b554e00b67aff95978fb77e65b4941

SHA1
de8b0fbb89ccb4e077ea23105721ca4b7c3cfccf

SHA256
86414e7c33cc2edeba5e3048e6d47336f2483f8756e5626ebf90a63585bd2020

SHA512
277add74f9a5484db0969dc2e00dd19bdb3419fd1c2d2fe16ced3bd6de05e6870305cb9c78b30e1b974bb10d7d6cea32e9c6db34e1cf20db087e5f763c9220f8

Download Submit
C:\Temp\gdysqlidxv.exe

Filesize
226KB

MD5
bd716af08c753512abae20714306a629

SHA1
d5bef247325f77be0691f5c727767a8d04b7ae7c

SHA256
baa4630e56c6daddda50957e27beb4003d84ecc35e39624693ebaf9e0cf7c8de

SHA512
453db888c34e8dcbf4497920179df74fdeb86af711889d959a681fe391e90ae52b277e847ce921cc9f64912a2f5a25069516a60669c243152b2b6f8174f92001

Download Submit
C:\Temp\i_axsmkecxrp.exe

Filesize
226KB

MD5
b9569b8a9ea4af5773da77378a7c547a

SHA1
0cc5b62ee030f5a7966a243b60e28014c21dedfc

SHA256
6ede8980c7b0d5f01833918ee4bf0d773ac80310e2b309554e7b8f06517bd325

SHA512
56450eb2549b3186d4f82f87b8a7267d895c88aacf86e6117eccfbaac75ac03dda4372475142636f8edd9164707ade838fdde523d3a96f919ade1cdc74da27f4

Download Submit
C:\Temp\i_bzurmgeywr.exe

Filesize
226KB

MD5
5bda997140a9b1d3de78c1528bc0f806

SHA1
252cbff0f158f903d970a8d78d30a662eceda69f

SHA256
607431a3ab42c4b3138226e852281081c4f6afc8d2faf38e78ad0352c76a9d4c

SHA512
acf3a7e9b4f4f39d48ae7eb1895a669e57cd0f8381475cf479e1e9dc866847f2a952159e55d2389f70405230a988b03a9fd8c9836c81e86ad338d9d25536dd8f

Download Submit
C:\Temp\i_gdysqlidxv.exe

Filesize
226KB

MD5
895c514ed8d1c502d12dc081ea2fc2aa

SHA1
6769095a3c56732e84dff129a8546d649cd9af54

SHA256
335dd84712e5b78dc9078f1b5b137406611c8d977da0a0fa421039825eb5a9fc

SHA512
9e1852fcdf06655255d777dcb646431fd2f48c2ffc9fc6a15cbedd33b61ddf3408a3db81bdc019db7d85632e9a5a856dd6a5fdca0057b14ffd8e00f70f02c49e

Download Submit
C:\Temp\i_mkecwrpjhb.exe

Filesize
226KB

MD5
ee97445abefb357d1f74244c55af58a5

SHA1
e69e4353735b6b600028ec69d0553b753b27081c

SHA256
508a6ced25501199088475d755c6a177d57f0e793fdf97e258f459e1e6e589a6

SHA512
a01384becd4cf435e04f3de9a316dd1e28d9167b6bc864d3b1067277c4654572d7605195d18e2c48d4e84c8ba39b36141467efd07fc5be667b682b70ca1478c1

Download Submit
C:\Temp\i_nicavsnhfz.exe

Filesize
226KB

MD5
59f747be12b97efe73ec6964c2439e89

SHA1
91dbf8ea52022200cf9dde8fb5b2e397b39bf86e

SHA256
39f649148b0b7c2c4ceb450a803cf4803377b51e15cf7005af641caadc0ec870

SHA512
c31e083d8266bda647cbb98fa86aa4759f0c84e5f54acacdf59274a2b70df9816e97885286e6e2934f440380954057a0aaf78063bba3258c5cc1f1b7f6984499

Download Submit
C:\Temp\i_rlgeywqljd.exe

Filesize
226KB

MD5
b7502e93ce4b7485dc39250fe7c2c683

SHA1
03e1a7e54d56691955d0f50f0b9eb5a297701707

SHA256
940fdbbaf67c9b9e88d9c92052935f9da06461c18ac9cf7ca0517217ff472069

SHA512
3b55b077d3ecae118e1f021c2991abb65d09673884a5e8f1037f9e195998e114440ebf4e7d30651091d82d8c94870eff28b9bb5c9c69f4e10bf3adfcc5112ed3

Download Submit
C:\Temp\i_xvpkhczusm.exe

Filesize
226KB

MD5
329e48f841dd373162d9b8cde1135d06

SHA1
ec25f6ad8c9b502d0bd265e477989b6255ea1be3

SHA256
09910ad05631158da7707cf77372bf429b921f828a0b35a7ea0ce5cad4ac61da

SHA512
7344fc16b1c28678485dd98b6585ce4a10d864c39f91e2e75ec4128a42753d01e89e8912c95365998b263d6c6f0bea3a9827e6ceb8e9482f5d089223f3b18c09

Download Submit
C:\Temp\mkecwrpjhb.exe

Filesize
226KB

MD5
36fb54314f4c2c53e730f5aee718e702

SHA1
aa7d6d21ec1cf88ec015eb72e2d8d9bb1f8629f9

SHA256
384b5ce93c917829a37a5a3d487ee45264506eaf95a5fd660419702b3294fb87

SHA512
806fd3c185064f2293434f47fd535565533d9955c57f15a7febbff4df83fe7a7610730137354644c7291a910662024b472e0b0d0d5e53173613bca5bb6227950

Download Submit
C:\Temp\nicavsnhfz.exe

Filesize
226KB

MD5
ecbce22375bc2c41a312ffccfe0c5b20

SHA1
426b11ad37a20ca4086277ddccad1823b447daa7

SHA256
1e2e5f73671fd9ba247558e8e772f22a1b531eaf6278ce31d8f8277914b8b565

SHA512
d151e720bd322e2a5cbf02d2bcf3ecf7341596a356e407d1ed96c8b9c7f6ec15b1bf11d8aea950b142ecf742822f551f35dba1c3366b79336752b9f4079e071f

Download Submit
C:\Temp\oigbytnlgd.exe

Filesize
226KB

MD5
b0e4c5225db70e027d71966da56394b6

SHA1
b23cea14cad7e0585c0fc83e2810cd78f61cb3e0

SHA256
c76d64f61bae6fdc16a7391e4d764f9b03bf70786f86ed5d9cd14016edf9ecb3

SHA512
f386aa9cf48c316ae91c0858e4e7f66bd339d9d379c498ab08dba02fe85784f0b32674ae2b4bbb9d04c27bdd3d82fb23879d7bfcc59bb54834029728a947ef31

Download Submit
C:\Temp\rlgeywqljd.exe

Filesize
226KB

MD5
1e515b2569c67e9b3ad3b910b7a2c827

SHA1
be8afa106f833d52e9e5457cb3f8f39fc8b9de15

SHA256
761edfa8399c6f4e4bd9b69402aa2896b365400d53d545428b92aaec28e67706

SHA512
d6530334ff9c0ced521b08cb66564cc093d365533ed2ced1d8b207e23a76bb0b4c37b8808fd30920e24e3f34109e54cb8e41447a9f7b3bd15d8d80dd5301fa9a

Download Submit
C:\Temp\xvpkhczusm.exe

Filesize
226KB

MD5
3f89c4c04cf136b516b985883aca983c

SHA1
7a672fd40ee324deedc3d67006e1bded59c8b13e

SHA256
2b32d71288765cdf884d72ffc0c1e5a40fb8aef8645ad2d205070399e43cef5d

SHA512
e9ecd3e3a6f5e1eaa3bf8eaed9b8f59a009104fd8d91bb2fb6c2ce9052e836ac4c599c7179c7c891882f3363c14a80310e27f95bbd9e8c175e0097b9636145c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f7e41a3ccb988a50209bef1fa0b072b0

SHA1
93758070c79e4999224477584b967bd2a3e0ded6

SHA256
df4a4ad79a7b6097385f842ee4b39b9bbde8765fa163f5967b2f6ae6f953fc24

SHA512
e7cccaaf6d210d1c3f0be3525888be91a6393024bb1e178c2d97f8f0c3564ac542f4c0000a66c57ae1ef830fa946791b0f7f3db9fa16fe2c2b49dca5093fc7fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
179c8e651db1c73749dc5afffb0de1e8

SHA1
6f089e4f47a959e6d00c9284e89f475cb313533d

SHA256
23739f86652fe302a80030819f6756aceecdbcc7c519343124ec2afd38689ea5

SHA512
73f26bc44a0bc3712c529eb4066c745402fea6163cc807e5675ca83e4758d8eaedb4f060897c556be7730cc68f92c551412456d329633ef985f17afe85ef046d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fdccfc2ea6049e9ef75d010d675b5c2f

SHA1
1b838d4a1aea78481ac980fe7a3fa8a4ec0ba632

SHA256
4d8c651cca01762aeca5a95cd93916928f38c536da7f60731a23ddff1b1d7e61

SHA512
8e263b2a933f0ae81aef747ec05de86a32d991be7e9c791c1daa51a7543f2a47dbca4253da232d31f4e2ea689e5af8eaaa57f22d0d6ecc108a966bb35014f089

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
435fd78c1d005354e97e69c132921733

SHA1
c2231b2faffe795160f8cb8db86425e24d8c343f

SHA256
d72a8dc15dc72601ba7e989e39577d10ab2738bd031ec8f28e3432e60517f93e

SHA512
c39a5c3531aa9787d3a57ae17cb58cfa811d534e5682361a2b1a2a9593c93ca4aeb5a2eaaf09c1ba1ff5f4795fe52a1beca333142104fde92e161fe8843b862e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a82a61341b599cdc5db85b6378e7bc8

SHA1
b545cc5edf23677cecc8315866ed51103c7859d2

SHA256
b2b7707cfbd21fc95e2ec9d565dfa8796d684f6d19acce64515077beb7685cd6

SHA512
90590fa1c229ddcf5c60431724dc886a07520636a7ee17010bb6b10f8bf85563170f8f5a9c599b1bbbd1c33767b2d70ffcbd8676cd358d1647a25aeedb254f04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b3a61aebf176afeff4761ba56215e2e

SHA1
ff546adce784ea804eebe2ae0196dede861fc3c5

SHA256
9b4804a68edb55c71f156763b2fa4f477ecb5701fe86f9469700f7530917ea08

SHA512
0f122818d8f9b35851d255c4745caf2bcd5378957fadf3dadbc1b21f2cdd987b4e085c29db9c4c2e6eba61afd21f94c1c02f63a51662e8044995657ff3eea0d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63d5d2f7ff5c6c4df4a2a898e0d089c8

SHA1
05aa619be144f8349be9fcf3bb6b2ac4d32fb7e0

SHA256
724b796dfd17c6c6908d799933e867db20d78b3a27f4f03b0418dbd8f1e04fab

SHA512
04ec28d7b4ec59f5187502072c00cdc25fd147e0e240008623aaeac4d6f1965ff5d76e99a297212b6fb016618dae3bc6578a89736e468b9ed7e84e69e65cf6c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6bf4c9c1469558bf601ee1f6a629ac6

SHA1
2b81f36be52f842e4f4c88b8f84d2a534951e5d8

SHA256
c0a78e3d75793899b95e5ec3701a3b3ab26bc4e9a712ce05466e4f6202c6b2dd

SHA512
f50d812c7d9785f8f24c047db5809e9270cc91ee96626b1ca43272df0b7bab8972c17dba3b984d8d89acb0963c36d51595e9a18a5df0fc03c9cb918739150338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97615331fb02e41f6da2890b69bb7a5c

SHA1
5543e270d57f234244904ff49899bc76d604c1fe

SHA256
b1d2eec3f65a29b36ca092427295864561b796d1480a17a5690cee9ed691623e

SHA512
4b86944ad2f06b99716ba353a31197bc85957c8179a37b20e4e8b29e6291f26acb295dc3e8dfd752d07246f20d01bcf3bf335320e6623d5d329ad89110d3334c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c3f23bafe27eb8cab5556c03abcbb36c

SHA1
ca66f434f45b446661a024f26ff88748b82f82ec

SHA256
1fbd9b211bdf8ad1e220c6088c5642f510894d4343e4f0a65137b1d20dde3a6e

SHA512
ccda7f6d3a542224f73708d9f7eb1b24631079e00f390ad10c58c80271274160884ccfa0c1ada9fdb3459833b34b88d449fd878b049d213978f47585a223302b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
375e60deaec0cb1ba1f6a984ac91a3a3

SHA1
98505c3f4a9a63dc384fd7f076eb94521149d4ee

SHA256
9c6337ea52f6308cdd9831469e28d9ecc2529d37c2eb8960ee254af1af4b3487

SHA512
60d8b91ce5b18abc93f803284d66f4573895c960f3c255bd136b9469f25ae4cd4242b56f67877dd35e7a7ce89ca0cd22b680dfcd0e04872b88fc433347e46bf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4501f5b0357f944a182df919dfa9ad6b

SHA1
9d9a858739f394c2f6dbb18faf3974bba9a1edc2

SHA256
a9f844d37f27bfe5dca8dd5df1aeaacb791fd150a47e416502eb8691f93ee49f

SHA512
290e8628dff65ab148f98f39df27c4892c33108aaa9baab34d74f161295b9f3c0c7c9747d8c3dce44f519f21f8d7f4959880f28b7af09b2e803a36f9051eda21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a79bbe65155e64414239ae4258d29b56

SHA1
5659771dd96cb92440d350e784b44086b480b945

SHA256
fd5fd70494efde9eec33dcd3ff5c39bcaa51dcd5dd93d5ca6417026f07aff1a4

SHA512
8ac12baef3c4ffef06c85640c0109118a7dc0c56e3b327d0dc2df67858af3f3f8e92fdff686205a8978277c00d37f0dec699162d1d921cffe664c4e2e8a34d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
475f585ba56fae843fd0ba78454eefe7

SHA1
a8d7ea82820a263cc13eaba2bb72d7cda6cebd5b

SHA256
4dde2742faea67c4ba66dd573479db1a126097e652c95150b89a76e7f3e95526

SHA512
493525282bff87334ac1d7c6d46e002d63d70254651b0941b3d7476b0897f3d6f55554395e7684ae3fcb379cf3fddbc0bd8f510a15e5a6d84dfa7f9eb7f07ecb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b0aed9ee4aa728a8c84cd21260d2e4d

SHA1
358b12f78609d45cab3b022c3ccce093a2948d9b

SHA256
61a12a91217466e46ea41ca2c08e97f967c32e99b15f2f3d092982b227b3d952

SHA512
efc1d1be58ac59a14e8408ba3c04646da345f1f6df74dcc6f73001b71c39365b7d9d552f3a9b105306300038aa69478d1cbca41d8c9a207821798c3b1e445b59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f9679db645bae127f402bb8a22757f8

SHA1
cb05d91e31f7e6159af9c5e15cf235aaf474c7fc

SHA256
4fb6ff6d07282c4ada6955ba00d5cc0dce1583c795dad08e1c60ad7f5f61e897

SHA512
d4810782cc3d181d6d395ef07aea93f176ac8a26c0ad79f2faf02642d035c47bc018a6e70887ecb70a63ffd8780f6de257e02885dd8ba019642e4bcde11aed09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4bc0f85df45df219a0c7f13e3ea2363d

SHA1
0c2357388102b3b7ba05c53a236a727ab8355671

SHA256
dcc4a63e0a8b1431a9e6e8111bd1a1184b9e8673a61e01a3b897e07c671ed299

SHA512
ccabd28e4c945aa1fa0eb1fc48916dc8e3c44430f37c5dfaf463ef99a6ab39ae9351dbb056e6322a7dff0191f145b7f535d52dfd47194c4c73c00bfdfa2494d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07082f0e6db862aab5d4c37d98ddb9c0

SHA1
a93c2f55d4907604e657b23cdeae3a2441fe2539

SHA256
f1f1dea05f501f92538a135825cd891c92e93eb7bf759de1786a26e96b2703a3

SHA512
9ce25e44ca2f4f0dff6ee7b7cc913022d8d14c730b0ce13db3621d3b8d3057b0b91e27937a98bc576256bbf004f9de19abd3ea4e8121efa91b2e337886ac565e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab34E7.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar35CA.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Temp\CP.exe

Filesize
4KB

MD5
0da87487a46ac0b219dfc10ebb7dbc09

SHA1
a58ed225df243160327f19f2d03ccb60693c562b

SHA256
88d1f04b969503b4d87d7c986ed8f2f830a9f85073fbea644e380692ab3d997c

SHA512
cbcae2c33b3e87e76b34a228115178a587797620e0047704d3d50ad39ea453b32a544bbc6c229347ee3e658d3dcc656c46fe42e90d3210383ad5c76852e198f4

Download Submit