a1d9edc2df07fe26db889e47bdad695300061fd4782042fe3292081277e279b1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
Size

361KB
MD5

036e6998705d1ff722db87ab00e7770d
SHA1

c4d281be25c052b59e354a0ed90c50d4d354bbc3
SHA256

a1d9edc2df07fe26db889e47bdad695300061fd4782042fe3292081277e279b1
SHA512

2b1daf10aa5565ba6bab9161e3e3061cfcf52ede9b2dfcde71e06d1470944e2451c79e72b648418f475e86b102b7f4328a22f02c3de15b02b8899a7c3929e1f9
SSDEEP

6144:2flfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:2flfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3740	bvtnlgdywqoigayt.exe
448	CreateProcess.exe
4300	igbytqljdb.exe
4964	CreateProcess.exe
2972	CreateProcess.exe
1380	i_igbytqljdb.exe
1140	CreateProcess.exe
2856	kidavsnlfd.exe
3104	CreateProcess.exe
4588	CreateProcess.exe
3760	i_kidavsnlfd.exe
4216	CreateProcess.exe
3644	faxsqkicau.exe
2612	CreateProcess.exe
5012	CreateProcess.exe
4156	i_faxsqkicau.exe
4548	CreateProcess.exe
4876	xrpkhcausm.exe
1868	CreateProcess.exe
3384	CreateProcess.exe
116	i_xrpkhcausm.exe
3972	CreateProcess.exe
4768	xupnhfzxrp.exe
1020	CreateProcess.exe
1052	CreateProcess.exe
716	i_xupnhfzxrp.exe
3324	CreateProcess.exe
1640	rmkecwupmh.exe
2624	CreateProcess.exe
4744	CreateProcess.exe
232	i_rmkecwupmh.exe
1380	CreateProcess.exe
1600	jebwtomgey.exe
2160	CreateProcess.exe
2856	CreateProcess.exe
3780	i_jebwtomgey.exe
224	CreateProcess.exe
3372	bvtolgeywq.exe
3380	CreateProcess.exe
1908	CreateProcess.exe
4144	i_bvtolgeywq.exe
2616	CreateProcess.exe
4112	eywqoigbyt.exe
1840	CreateProcess.exe
4928	CreateProcess.exe
4356	i_eywqoigbyt.exe
2516	CreateProcess.exe
1956	ysqlidavtn.exe
4012	CreateProcess.exe
4344	CreateProcess.exe
3312	i_ysqlidavtn.exe
1844	CreateProcess.exe
2936	vtnlfdxvqn.exe
2312	CreateProcess.exe
4972	CreateProcess.exe
4580	i_vtnlfdxvqn.exe
1060	CreateProcess.exe
3884	spkicausmk.exe
3840	CreateProcess.exe
448	CreateProcess.exe
4400	i_spkicausmk.exe
1640	CreateProcess.exe
3324	xspkhcausm.exe
1040	CreateProcess.exe

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_xspkhcausm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_oigbytrljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faxsqkicau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_vtnlfdxvqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ysqlidavtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_rpjhczurmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lgaytqlidb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xupnhfzxrp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_rmkecwupmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_bvtolgeywq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spkicausmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idavtnlfdy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_kidavsnlfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_faxsqkicau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_xrpkhcausm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrpkhcausm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_xupnhfzxrp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jebwtomgey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_jebwtomgey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvtolgeywq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvtnlgdywqoigayt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_igbytqljdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eywqoigbyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ysqlidavtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_mjebwuomge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_lgaytqlidb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_rmjeuomgey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oigbytrljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmkecwupmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_spkicausmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mjebwuomge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtnlfdxvqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmjeuomgey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kidavtnlfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CreateProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igbytqljdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kidavsnlfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_idavtnlfdy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_kidavtnlfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_eywqoigbyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xspkhcausm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpjhczurmk.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
208	ipconfig.exe
1128	ipconfig.exe
2424	ipconfig.exe
1676	ipconfig.exe
2224	ipconfig.exe
2916	ipconfig.exe
4016	ipconfig.exe
3100	ipconfig.exe
4496	ipconfig.exe
2836	ipconfig.exe
3972	ipconfig.exe
4668	ipconfig.exe
2332	ipconfig.exe
1884	ipconfig.exe
792	ipconfig.exe
1904	ipconfig.exe
4448	ipconfig.exe
2296	ipconfig.exe
3152	ipconfig.exe
3196	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6035015d8513db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134597"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1548180335"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003d1c6f3067c0c84abb3839afa92ebb0f00000000020000000000106600000001000020000000d45957c22d46c7c26c86c52d2edd0836cf460c41da3a619ee6f95fbfbe21c1c9000000000e8000000002000020000000a99e273a2e19402dac6e584695d6f76c2648e8dc67e95b853d284785cdabc71a200000003f25dcd561d38f4eb71c05c1601da626a56021167f19d145e8c822fd7b4c224140000000373070ced9620bbb35e7d018abf2e8a84b0e8920e80e0e46c5f2334fcddae5fd71e9bfbc6f97fa0b1cfe5bdfaa0c657b2d75d93223bee0ce85cca7fd7873f6c7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{87E4F76E-7F78-11EF-939B-5ED96FC588C3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1552086658"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134597"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003d1c6f3067c0c84abb3839afa92ebb0f000000000200000000001066000000010000200000004334f0cba95e00edfc60586a2b5ff0a810a7e4217ff9dcdc42e729f66675f9cf000000000e8000000002000020000000e7d689a59adba20d2ac99b92162dcfe0b25825289d4c3abfbd802826a7f3a68b200000001144089887b04cb1541c49d17c13ea6018a4071e4a030ab9e26112d8346f17fa4000000040478d6670d9648a3500f380692efe6184c7100288098be27dc0675f089b69b4589f5cb00a0f6ee5ba725fc77765dec7bc4e3a294a5ac6cdcc94a2a2d8a4ca3a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1548180335"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434499087"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134597"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7009fa5c8513db01	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3740	bvtnlgdywqoigayt.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3740	bvtnlgdywqoigayt.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3740	bvtnlgdywqoigayt.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3740	bvtnlgdywqoigayt.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3740	bvtnlgdywqoigayt.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3740	bvtnlgdywqoigayt.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3740	bvtnlgdywqoigayt.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3740	bvtnlgdywqoigayt.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3740	bvtnlgdywqoigayt.exe
3740	bvtnlgdywqoigayt.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3740	bvtnlgdywqoigayt.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3740	bvtnlgdywqoigayt.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3740	bvtnlgdywqoigayt.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
3740	bvtnlgdywqoigayt.exe
3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1380	i_igbytqljdb.exe
Token: SeDebugPrivilege	3760	i_kidavsnlfd.exe
Token: SeDebugPrivilege	4156	i_faxsqkicau.exe
Token: SeDebugPrivilege	116	i_xrpkhcausm.exe
Token: SeDebugPrivilege	716	i_xupnhfzxrp.exe
Token: SeDebugPrivilege	232	i_rmkecwupmh.exe
Token: SeDebugPrivilege	3780	i_jebwtomgey.exe
Token: SeDebugPrivilege	4144	i_bvtolgeywq.exe
Token: SeDebugPrivilege	4356	i_eywqoigbyt.exe
Token: SeDebugPrivilege	3312	i_ysqlidavtn.exe
Token: SeDebugPrivilege	4580	i_vtnlfdxvqn.exe
Token: SeDebugPrivilege	4400	i_spkicausmk.exe
Token: SeDebugPrivilege	1116	i_xspkhcausm.exe
Token: SeDebugPrivilege	1992	i_rpjhczurmk.exe
Token: SeDebugPrivilege	3848	i_mjebwuomge.exe
Token: SeDebugPrivilege	3128	i_rmjeuomgey.exe
Token: SeDebugPrivilege	4352	i_oigbytrljd.exe
Token: SeDebugPrivilege	5016	i_lgaytqlidb.exe
Token: SeDebugPrivilege	900	i_idavtnlfdy.exe
Token: SeDebugPrivilege	1064	i_kidavtnlfd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4380	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4380	iexplore.exe
4380	iexplore.exe
3304	IEXPLORE.EXE
3304	IEXPLORE.EXE
3304	IEXPLORE.EXE
3304	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 3740	3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe	82
PID 3884 wrote to memory of 3740	3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe	82
PID 3884 wrote to memory of 3740	3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe	82
PID 3884 wrote to memory of 4380	3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe	83
PID 3884 wrote to memory of 4380	3884	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe	83
PID 4380 wrote to memory of 3304	4380	iexplore.exe	84
PID 4380 wrote to memory of 3304	4380	iexplore.exe	84
PID 4380 wrote to memory of 3304	4380	iexplore.exe	84
PID 3740 wrote to memory of 448	3740	bvtnlgdywqoigayt.exe	85
PID 3740 wrote to memory of 448	3740	bvtnlgdywqoigayt.exe	85
PID 3740 wrote to memory of 448	3740	bvtnlgdywqoigayt.exe	85
PID 4300 wrote to memory of 4964	4300	igbytqljdb.exe	88
PID 4300 wrote to memory of 4964	4300	igbytqljdb.exe	88
PID 4300 wrote to memory of 4964	4300	igbytqljdb.exe	88
PID 3740 wrote to memory of 2972	3740	bvtnlgdywqoigayt.exe	93
PID 3740 wrote to memory of 2972	3740	bvtnlgdywqoigayt.exe	93
PID 3740 wrote to memory of 2972	3740	bvtnlgdywqoigayt.exe	93
PID 3740 wrote to memory of 1140	3740	bvtnlgdywqoigayt.exe	98
PID 3740 wrote to memory of 1140	3740	bvtnlgdywqoigayt.exe	98
PID 3740 wrote to memory of 1140	3740	bvtnlgdywqoigayt.exe	98
PID 2856 wrote to memory of 3104	2856	kidavsnlfd.exe	100
PID 2856 wrote to memory of 3104	2856	kidavsnlfd.exe	100
PID 2856 wrote to memory of 3104	2856	kidavsnlfd.exe	100
PID 3740 wrote to memory of 4588	3740	bvtnlgdywqoigayt.exe	105
PID 3740 wrote to memory of 4588	3740	bvtnlgdywqoigayt.exe	105
PID 3740 wrote to memory of 4588	3740	bvtnlgdywqoigayt.exe	105
PID 3740 wrote to memory of 4216	3740	bvtnlgdywqoigayt.exe	107
PID 3740 wrote to memory of 4216	3740	bvtnlgdywqoigayt.exe	107
PID 3740 wrote to memory of 4216	3740	bvtnlgdywqoigayt.exe	107
PID 3644 wrote to memory of 2612	3644	faxsqkicau.exe	109
PID 3644 wrote to memory of 2612	3644	faxsqkicau.exe	109
PID 3644 wrote to memory of 2612	3644	faxsqkicau.exe	109
PID 3740 wrote to memory of 5012	3740	bvtnlgdywqoigayt.exe	112
PID 3740 wrote to memory of 5012	3740	bvtnlgdywqoigayt.exe	112
PID 3740 wrote to memory of 5012	3740	bvtnlgdywqoigayt.exe	112
PID 3740 wrote to memory of 4548	3740	bvtnlgdywqoigayt.exe	114
PID 3740 wrote to memory of 4548	3740	bvtnlgdywqoigayt.exe	114
PID 3740 wrote to memory of 4548	3740	bvtnlgdywqoigayt.exe	114
PID 4876 wrote to memory of 1868	4876	xrpkhcausm.exe	116
PID 4876 wrote to memory of 1868	4876	xrpkhcausm.exe	116
PID 4876 wrote to memory of 1868	4876	xrpkhcausm.exe	116
PID 3740 wrote to memory of 3384	3740	bvtnlgdywqoigayt.exe	120
PID 3740 wrote to memory of 3384	3740	bvtnlgdywqoigayt.exe	120
PID 3740 wrote to memory of 3384	3740	bvtnlgdywqoigayt.exe	120
PID 3740 wrote to memory of 3972	3740	bvtnlgdywqoigayt.exe	123
PID 3740 wrote to memory of 3972	3740	bvtnlgdywqoigayt.exe	123
PID 3740 wrote to memory of 3972	3740	bvtnlgdywqoigayt.exe	123
PID 4768 wrote to memory of 1020	4768	xupnhfzxrp.exe	125
PID 4768 wrote to memory of 1020	4768	xupnhfzxrp.exe	125
PID 4768 wrote to memory of 1020	4768	xupnhfzxrp.exe	125
PID 3740 wrote to memory of 1052	3740	bvtnlgdywqoigayt.exe	128
PID 3740 wrote to memory of 1052	3740	bvtnlgdywqoigayt.exe	128
PID 3740 wrote to memory of 1052	3740	bvtnlgdywqoigayt.exe	128
PID 3740 wrote to memory of 3324	3740	bvtnlgdywqoigayt.exe	130
PID 3740 wrote to memory of 3324	3740	bvtnlgdywqoigayt.exe	130
PID 3740 wrote to memory of 3324	3740	bvtnlgdywqoigayt.exe	130
PID 1640 wrote to memory of 2624	1640	rmkecwupmh.exe	132
PID 1640 wrote to memory of 2624	1640	rmkecwupmh.exe	132
PID 1640 wrote to memory of 2624	1640	rmkecwupmh.exe	132
PID 3740 wrote to memory of 4744	3740	bvtnlgdywqoigayt.exe	135
PID 3740 wrote to memory of 4744	3740	bvtnlgdywqoigayt.exe	135
PID 3740 wrote to memory of 4744	3740	bvtnlgdywqoigayt.exe	135
PID 3740 wrote to memory of 1380	3740	bvtnlgdywqoigayt.exe	137
PID 3740 wrote to memory of 1380	3740	bvtnlgdywqoigayt.exe	137

C:\Users\Admin\AppData\Local\Temp\036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Temp\bvtnlgdywqoigayt.exe
  C:\Temp\bvtnlgdywqoigayt.exe run
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\igbytqljdb.exe ups_run
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:448
  - - C:\Temp\igbytqljdb.exe
      C:\Temp\igbytqljdb.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4300
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4964
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2916
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_igbytqljdb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2972
  - - C:\Temp\i_igbytqljdb.exe
      C:\Temp\i_igbytqljdb.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1380
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kidavsnlfd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1140
  - - C:\Temp\kidavsnlfd.exe
      C:\Temp\kidavsnlfd.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3104
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4668
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kidavsnlfd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4588
  - - C:\Temp\i_kidavsnlfd.exe
      C:\Temp\i_kidavsnlfd.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3760
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\faxsqkicau.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4216
  - - C:\Temp\faxsqkicau.exe
      C:\Temp\faxsqkicau.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3644
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2612
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4016
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_faxsqkicau.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:5012
  - - C:\Temp\i_faxsqkicau.exe
      C:\Temp\i_faxsqkicau.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4156
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpkhcausm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4548
  - - C:\Temp\xrpkhcausm.exe
      C:\Temp\xrpkhcausm.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1868
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2296
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpkhcausm.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3384
  - - C:\Temp\i_xrpkhcausm.exe
      C:\Temp\i_xrpkhcausm.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:116
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xupnhfzxrp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3972
  - - C:\Temp\xupnhfzxrp.exe
      C:\Temp\xupnhfzxrp.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1020
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3100
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xupnhfzxrp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1052
  - - C:\Temp\i_xupnhfzxrp.exe
      C:\Temp\i_xupnhfzxrp.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:716
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rmkecwupmh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3324
  - - C:\Temp\rmkecwupmh.exe
      C:\Temp\rmkecwupmh.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2624
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:208
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rmkecwupmh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4744
  - - C:\Temp\i_rmkecwupmh.exe
      C:\Temp\i_rmkecwupmh.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:232
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jebwtomgey.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1380
  - - C:\Temp\jebwtomgey.exe
      C:\Temp\jebwtomgey.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1600
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2160
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1128
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jebwtomgey.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2856
  - - C:\Temp\i_jebwtomgey.exe
      C:\Temp\i_jebwtomgey.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3780
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bvtolgeywq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:224
  - - C:\Temp\bvtolgeywq.exe
      C:\Temp\bvtolgeywq.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3372
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3380
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2332
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bvtolgeywq.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1908
  - - C:\Temp\i_bvtolgeywq.exe
      C:\Temp\i_bvtolgeywq.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4144
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\eywqoigbyt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2616
  - - C:\Temp\eywqoigbyt.exe
      C:\Temp\eywqoigbyt.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4112
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1840
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1884
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_eywqoigbyt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4928
  - - C:\Temp\i_eywqoigbyt.exe
      C:\Temp\i_eywqoigbyt.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4356
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ysqlidavtn.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2516
  - - C:\Temp\ysqlidavtn.exe
      C:\Temp\ysqlidavtn.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1956
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4012
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2424
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ysqlidavtn.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4344
  - - C:\Temp\i_ysqlidavtn.exe
      C:\Temp\i_ysqlidavtn.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3312
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vtnlfdxvqn.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1844
  - - C:\Temp\vtnlfdxvqn.exe
      C:\Temp\vtnlfdxvqn.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2936
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2312
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:792
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vtnlfdxvqn.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4972
  - - C:\Temp\i_vtnlfdxvqn.exe
      C:\Temp\i_vtnlfdxvqn.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4580
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\spkicausmk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1060
  - - C:\Temp\spkicausmk.exe
      C:\Temp\spkicausmk.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3884
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3840
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3152
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_spkicausmk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:448
  - - C:\Temp\i_spkicausmk.exe
      C:\Temp\i_spkicausmk.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4400
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xspkhcausm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1640
  - - C:\Temp\xspkhcausm.exe
      C:\Temp\xspkhcausm.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3324
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1040
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3196
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xspkhcausm.exe ups_ins
    3⤵
    PID:4756
  - - C:\Temp\i_xspkhcausm.exe
      C:\Temp\i_xspkhcausm.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1116
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rpjhczurmk.exe ups_run
    3⤵
    PID:620
  - - C:\Temp\rpjhczurmk.exe
      C:\Temp\rpjhczurmk.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4944
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3532
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1676
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rpjhczurmk.exe ups_ins
    3⤵
    PID:4644
  - - C:\Temp\i_rpjhczurmk.exe
      C:\Temp\i_rpjhczurmk.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1992
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mjebwuomge.exe ups_run
    3⤵
    PID:1520
  - - C:\Temp\mjebwuomge.exe
      C:\Temp\mjebwuomge.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:648
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2648
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1904
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mjebwuomge.exe ups_ins
    3⤵
    PID:408
  - - C:\Temp\i_mjebwuomge.exe
      C:\Temp\i_mjebwuomge.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3848
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rmjeuomgey.exe ups_run
    3⤵
    PID:1768
  - - C:\Temp\rmjeuomgey.exe
      C:\Temp\rmjeuomgey.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:2868
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4144
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2224
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rmjeuomgey.exe ups_ins
    3⤵
    PID:5084
  - - C:\Temp\i_rmjeuomgey.exe
      C:\Temp\i_rmjeuomgey.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3128
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\oigbytrljd.exe ups_run
    3⤵
    PID:4112
  - - C:\Temp\oigbytrljd.exe
      C:\Temp\oigbytrljd.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:5096
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4448
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_oigbytrljd.exe ups_ins
    3⤵
    PID:4376
  - - C:\Temp\i_oigbytrljd.exe
      C:\Temp\i_oigbytrljd.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4352
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lgaytqlidb.exe ups_run
    3⤵
    PID:3612
  - - C:\Temp\lgaytqlidb.exe
      C:\Temp\lgaytqlidb.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:1032
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4584
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2836
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lgaytqlidb.exe ups_ins
    3⤵
    PID:1996
  - - C:\Temp\i_lgaytqlidb.exe
      C:\Temp\i_lgaytqlidb.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5016
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\idavtnlfdy.exe ups_run
    3⤵
    PID:2564
  - - C:\Temp\idavtnlfdy.exe
      C:\Temp\idavtnlfdy.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:796
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3764
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4496
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_idavtnlfdy.exe ups_ins
    3⤵
    PID:2428
  - - C:\Temp\i_idavtnlfdy.exe
      C:\Temp\i_idavtnlfdy.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:900
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kidavtnlfd.exe ups_run
    3⤵
    PID:4768
  - - C:\Temp\kidavtnlfd.exe
      C:\Temp\kidavtnlfd.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4936
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4972
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3972
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kidavtnlfd.exe ups_ins
    3⤵
    PID:3152
  - - C:\Temp\i_kidavtnlfd.exe
      C:\Temp\i_kidavtnlfd.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1064
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4380 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
4b73b82604398a51128b899e3e8bdb87

SHA1
9493716e84856e599c72b0eeaade47537f8a4e92

SHA256
e1bca7c7589ce8ab7b8d3a8353fa417372fd3fee26d338d665bc3b877c91d485

SHA512
d576f5affc52b34329c8cb262327f05db76124d14528cf6ebad3c337b1927286188dfde4c6bb5c5f9f6a55d83fc2cfd73e56785a02087ca9c5ca304645448d78

Download Submit
C:\Temp\bvtnlgdywqoigayt.exe

Filesize
361KB

MD5
86e85c2f7f575ecd18aa438513a361be

SHA1
8b6040ed0b2957b084aab1bc10cb56a173955baf

SHA256
7069374b839c26edfe2286f3de62371d2d5138eb7a9810c2eb86009d37e8c43f

SHA512
c616506d68c52eced5089b54874f556eb55844dca275afb0d72e4969a58776ef7bd16e9103cb4b4de3191386f1d10ffba08c17a33b6bcaee4275ac390360b0e4

Download Submit
C:\Temp\bvtolgeywq.exe

Filesize
361KB

MD5
25e99473bc6e5b500cc779642c98110a

SHA1
ac1f42dcb0f4d574384fc23ab6907ad959f0b723

SHA256
abdeebcc92d3a1f9e94dabc60fe9bd3cb38f6ddb5a38e37d5963e5b7b3ff2957

SHA512
7a1fb8e30b17fb16da8bbea293b9d6d8543c7385ded135b5403226bd38e4ec41b43506f18f4ab366177c29df0ddfb02bdfd390dc9cfa76b51dd0fcf0823b7232

Download Submit
C:\Temp\eywqoigbyt.exe

Filesize
361KB

MD5
e6d23d44dcc6e2e594ef1c9325da5b7c

SHA1
32ac720a3e139b735dcb6f4fa8085299a572af23

SHA256
1feb3348aeaad19fbab4ad478024bbf514436f66709ef4c09cfc30bfa1435a81

SHA512
ba4aebdef2be48ac7857e3e19dcb0e3f0a05d1f8d10b9cbe45ac82a8379dc743bedc2ab1998ce16766de0319a17b0809d9851447caa6e76a1632e1a2a72e6908

Download Submit
C:\Temp\faxsqkicau.exe

Filesize
361KB

MD5
735e0468356e2355bcea9c6625731766

SHA1
5e9dfc622c28bbd5a7cf884ca4f3a19a9d10c4bf

SHA256
e1f0303c35adca4c6cbce1e5b11a5ae9b7ead15c229bc5bb1094cbf6cbcb22cb

SHA512
8df082bd931e04a52928e36b6c10a5496249a7471ed60a8b552f012d43bf4c21e04b545097c4a7fc45231ae5e21584bf7a7d93b70b0bed0069abd3fd3c9de239

Download Submit
C:\Temp\i_bvtolgeywq.exe

Filesize
361KB

MD5
ee96888d488ff72c68d41c139ef8be5d

SHA1
e83202e5c283867093df9406c2520fc4e7b7af86

SHA256
098522e1cad149670b2504ccd625f82be2640068d4c9decb156f3447f8201037

SHA512
43f1db69b0873e964ef32d52466804aa8b44e176673c781a827f58047692c58a8a2efc665a4c8da4de0155165bd07dc93eef0a0ac730d1c0ced0c9ed6949b1c1

Download Submit
C:\Temp\i_faxsqkicau.exe

Filesize
361KB

MD5
e07fecb35b7c59e00a9c409b8aaec74b

SHA1
51198d571947aec6e4ec8c6f698abcdb744438de

SHA256
b02d278aa2a02468bf70a3b3e726da8e55bff16a6c2529053e65d2cedb208948

SHA512
c96bc4ffa350c3a78c8778ff5c8ed26ec89d387e6148848e1812409b7a814b0477035e32bbe2155e0ac2f76910281c5d3e3d185ae98e2239a29dfccdc207a542

Download Submit
C:\Temp\i_igbytqljdb.exe

Filesize
361KB

MD5
efc40608d1959a80abefe112058f44da

SHA1
12357e27b8e9a4c8f39d021c8aca2b2e5f713b69

SHA256
10af890f9ca0073c7eb478ae1a1caec0529a57743e7dfb9593e4ca95bc2764fe

SHA512
6526ac8fec36b047132637fad884d74d778a2d169c097bd54438436f8ff0834f367d8bca36224a8e3d86a0c408749623f977945485e08efaff576633736a3344

Download Submit
C:\Temp\i_jebwtomgey.exe

Filesize
361KB

MD5
176a0443c0f5db86ca2506d88246b9be

SHA1
b473207262785310c19ce4fc2ad25c3d5a7a6f3b

SHA256
5bb787af458bc7cc2ecec666a585c991ef3c85208418a02a519bae137d7dd6d1

SHA512
7bc79d4d86dc8f408aa0677061cc84fcc23566614e53d75e24fdd5699dd9987bb3bd0a3f4f1256240643190a14e22fc719bf6d2bd9a14f8bfa9ac0b71a5c89c3

Download Submit
C:\Temp\i_kidavsnlfd.exe

Filesize
361KB

MD5
64de7cb16cde054b50a5991c8252046d

SHA1
c0098ccec5c59dd1bb6589c5236a9cf974994145

SHA256
00d26310287058b48c5e42c1cea6229da7762e72b0a0cb16b926e3bf22ee4772

SHA512
22d32853a674ddff50a842a979d3cba55760779141bf0e25f988926cef0944032699e389505940bfb2436930773a66de6b6f06e88954a66b9234e8dc3afc4b1e

Download Submit
C:\Temp\i_rmkecwupmh.exe

Filesize
361KB

MD5
268738f85ff718434e4b817cf06cc8d0

SHA1
a750ff030a304fcce692f4ce552fdbf53f052847

SHA256
621b51e86b5047d7f45ea2972dc8f372a610e4b9cef8580d3c0f1a19405c0b42

SHA512
1417c48c4c6bb1f93a2f92d616a8b47e6355e998204b19002937af11d74f6f7fdb8d775daf651400e05d5a3db22b84190b78ba19a935f915f90e5c0a9be2665b

Download Submit
C:\Temp\i_xrpkhcausm.exe

Filesize
361KB

MD5
a4eb79b4311f17af1c001a8716bdbf98

SHA1
42862c777d99d86b07e9620ef791ba7ccc6c9295

SHA256
97277e9ad5e42a3b321a445eb599053d0632ea081cf16fcd60d62e2602736fda

SHA512
71da81427cf10c96b25c943d7be4649a75d77f0e2e0e12a9e937700a86e7ba4cfd136f9f118a2f8145c1d85118105b95565aba26289a666767801f7c93b713fd

Download Submit
C:\Temp\i_xupnhfzxrp.exe

Filesize
361KB

MD5
2adc6eddcda2d57c35564e562c7a8ff3

SHA1
e6bf0e2825aabeb4ab812b6581428a045199f9f5

SHA256
a2c20d93ff15cbe3d2a9764b141a2286f7c849e439a49376ec63f4a0c03169e0

SHA512
ad53072de3462668cae1c504edf5dcc6aefcbef7f63c227a21c60e9759f49bea061f2f448b815a0e66b7a3c1965b511be0d99276f9a22ecf3660758ce8bc5528

Download Submit
C:\Temp\igbytqljdb.exe

Filesize
361KB

MD5
705b7a0684b6f71ee2d8ab324e074739

SHA1
51f1839cb7905034495c657c295d50f43b15842f

SHA256
885486d25e44fb3fb1181a0545d7abc6d70e909a67260fbaa4666e3add1ab6dc

SHA512
1821a189f9f495a2de087a84aa79a1553d7bf03b1e493ce977240a7dbe948178b1d34cd9a6925a991528e684b787f95c835bfe1cd9ed772e163dbd8f29c21812

Download Submit
C:\Temp\jebwtomgey.exe

Filesize
361KB

MD5
47e2dff1a36d95451b0147f91a3435f1

SHA1
850a2d85c1656a560d3c9a5261e77d4b22103f05

SHA256
57f292ad907ea05c17bd9ef96ce67b01ea155d718300159715d636af032dd626

SHA512
2d5caffaace61e510404e46562d45888871ab227c5db87d9b12c5fb19ed2321bd3c3c55fce5c708f62bff87bd99fe9ab9694186c71741e4f37b3b53db4fb3354

Download Submit
C:\Temp\kidavsnlfd.exe

Filesize
361KB

MD5
b0cd16934e641a55293d975ec7b3e176

SHA1
9c00bf5e0dd295cf03b8d819eda7283749084c0a

SHA256
cb0e99ad8cb1fe7becaf3b48235e5755685f558455f51e35467357a4f4c0634f

SHA512
8cbf4f20aed95b8a223c402a29a36590d35d644f2d4873a4cb5398df209c419d4d0427ca809f581cb4ab1889bc574155181c5206dafd33a2d4e7c7a2cedf94e1

Download Submit
C:\Temp\rmkecwupmh.exe

Filesize
361KB

MD5
29fb9ab8b5497e6a1106414a39466236

SHA1
5843d3818582c79827a3a323768b504abb1fc708

SHA256
73de2e7208e049ba2b01252869d54bf98c052eb0b55cfa4519e6207e23079395

SHA512
a1bc4c30ffca72ab7ebbf784c04481a8905c104cd7cc88ff64ecf61ed192b3ae0a3e67c4bcd6cb3634093e1cbc3065ba658b053c7d0b0c4575bc81dc3834ae7a

Download Submit
C:\Temp\xrpkhcausm.exe

Filesize
361KB

MD5
b3adff6b0a5019b7d9cbfa18f7a30ea4

SHA1
da3b035cabd8d900e6f1e551a217faab15618a14

SHA256
5199068926e965609092cf09d5e1ce2a9477db23d332cab412f878419ce50a30

SHA512
b4172fa6441efe418db97787f2d9566834e2174e30a128d8cad52bd9d0eef398eb85176492ab260bdcd9e8bdb152f834c7516bb9d2ce998691e7fc1f398445e8

Download Submit
C:\Temp\xupnhfzxrp.exe

Filesize
361KB

MD5
00df5d5a3df5d724513ebfa7ec82a9a6

SHA1
49a1cf5c46638790ffcf582f3abfb369e85d620d

SHA256
e81be37e67ac6cd5ec0191f6e41f5b67ebc75826450cedb360ac9f7e6c2364ca

SHA512
b2879433fc23cf377328488ef29fdba79982e49e0a7179e6936cd589a7462723e8e73e2f500723c278108b0226af6e6ba0581486ab3b74346537949f58fd5624

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
5c93309a2b418ef7de0afb3ae82770c2

SHA1
1b9d1a371d163274c3831c764f18ce33f529e5f6

SHA256
fa0eff22a494037462bc32f5f477044d28d8e7795b8e2ee7724dbe0c646f2b22

SHA512
08d71c4cd9ff5df8c53b83bc24fa1ef42c3c205ed08b3a3d38fbc737a68083241c0230a942336f76d0aeb3bf7ffcdc8b8e4f3f82f9f3eba1c7e47af83802af76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
27c4154b8860518b65ffc7599aa4d341

SHA1
6482d406e5ec5e36b671b3be71945702576ac03b

SHA256
aabc6c44f7ba7b2321414a37fc2b2d7be43efd25210fd42d65ea7936cd777956

SHA512
283e440905bd833d81ae149f58097634ecbfd0a7e09669061d3b8685c6bf2294071387b8db7c26add9f029c4abe0de797868afa18bafef11febd25372c233695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2VX66VOV\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/3740-89-0x00000000006B0000-0x000000000070F000-memory.dmp

Filesize
380KB

Download