9796b912b1396c5613d5e3ccd4eaaea626c2c1f44802612d56c495ca477201ab

Analysis

max time kernel
148s
max time network
130s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
Size

361KB
MD5

002cdb22d09eb3e1ddc00b1abc8e6cb6
SHA1

f45474194877dde14040352dfa88684f6d5d2edc
SHA256

9796b912b1396c5613d5e3ccd4eaaea626c2c1f44802612d56c495ca477201ab
SHA512

225d376f71ecee7d23593ba27f1caa0836819eb8490f37920c0f9bba6dd9bda7167fbd4881e6045aa0081c1369be57f49b2a08bce06df2191d5706789e16d811
SSDEEP

6144:WflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:WflfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1616	qoidavtnifaysmkf.exe
2748	CreateProcess.exe
3032	smkecwrpjh.exe
2792	CreateProcess.exe
2660	CreateProcess.exe
2696	i_smkecwrpjh.exe
3056	CreateProcess.exe
2024	ojhbztomge.exe
2852	CreateProcess.exe
2948	CreateProcess.exe
2972	i_ojhbztomge.exe
1688	CreateProcess.exe
1704	ywqojdbvtn.exe
684	CreateProcess.exe
2544	CreateProcess.exe
2216	i_ywqojdbvtn.exe
1572	CreateProcess.exe
580	lgdysqkidx.exe
1420	CreateProcess.exe
2428	CreateProcess.exe
1524	i_lgdysqkidx.exe
2080	CreateProcess.exe
2408	dbvpnifaus.exe
2964	CreateProcess.exe
2792	CreateProcess.exe
2748	i_dbvpnifaus.exe
2736	CreateProcess.exe
2860	qkicxvpnhc.exe
2696	CreateProcess.exe
2132	CreateProcess.exe
1068	i_qkicxvpnhc.exe
2856	CreateProcess.exe
1440	zxsmkecxrp.exe
3036	CreateProcess.exe
2720	CreateProcess.exe
1948	i_zxsmkecxrp.exe
1432	CreateProcess.exe
2060	mhbzurmgey.exe
1408	CreateProcess.exe
2332	CreateProcess.exe
1640	i_mhbzurmgey.exe
2376	CreateProcess.exe
2280	ecwuojgbzt.exe
2524	CreateProcess.exe
2996	CreateProcess.exe
1096	i_ecwuojgbzt.exe
2348	CreateProcess.exe
964	rmgeywqljd.exe
1960	CreateProcess.exe
2756	CreateProcess.exe
2936	i_rmgeywqljd.exe
1508	CreateProcess.exe
2080	dbvqoigavt.exe
2788	CreateProcess.exe
2792	CreateProcess.exe
2668	i_dbvqoigavt.exe
2928	CreateProcess.exe
1144	qnigavsnlf.exe
704	CreateProcess.exe
2828	CreateProcess.exe
2200	i_qnigavsnlf.exe
780	CreateProcess.exe
3012	nlfdxsqkic.exe
3020	CreateProcess.exe

Loads dropped DLL 62 IoCs

pid	Process
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
3032	smkecwrpjh.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
2024	ojhbztomge.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
1704	ywqojdbvtn.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
580	lgdysqkidx.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
2408	dbvpnifaus.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
2860	qkicxvpnhc.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
1440	zxsmkecxrp.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
2060	mhbzurmgey.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
2280	ecwuojgbzt.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
964	rmgeywqljd.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
2080	dbvqoigavt.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
1144	qnigavsnlf.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
3012	nlfdxsqkic.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
756	dxvpkicaup.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
336	pnhfzurmke.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
1828	mhfzxrebwu.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
1612	cwrpjhbwto.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
2972	omgeytrljd.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
2116	eywqoidbvt.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
2204	bvqoigavtn.exe
1616	qoidavtnifaysmkf.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojhbztomge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lgdysqkidx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbvqoigavt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cwrpjhbwto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlfdxsqkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoidavtnifaysmkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smkecwrpjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbvpnifaus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qkicxvpnhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxvpkicaup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pnhfzurmke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvqoigavtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywqojdbvtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecwuojgbzt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmgeywqljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhfzxrebwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omgeytrljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eywqoidbvt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxsmkecxrp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhbzurmgey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qnigavsnlf.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1864	ipconfig.exe
2688	ipconfig.exe
2760	ipconfig.exe
2932	ipconfig.exe
2844	ipconfig.exe
840	ipconfig.exe
1784	ipconfig.exe
1168	ipconfig.exe
2252	ipconfig.exe
2392	ipconfig.exe
1692	ipconfig.exe
3056	ipconfig.exe
1760	ipconfig.exe
2384	ipconfig.exe
1492	ipconfig.exe
2644	ipconfig.exe
2664	ipconfig.exe
1464	ipconfig.exe
1232	ipconfig.exe
996	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433843389"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000267d281334e6bc4fe582f29d12e0cbd0a57033d957ec4b4a4a9b0b708f127e24000000000e8000000002000020000000c5b20df09eddf9e3a968d060bb1f7c0f0143f6d09e3d25bbb613fe0c02f7f17220000000e24823dd8bec7754aa56038bf4bfde2589758ce3d8dd9207d3c64421066ff42540000000352ea6308726d13471c13e8ecc06d01ca6b5aee4106aa3228b872e25e3f019a9014524ac3a3156f42f6f9651ea0b273440eb9e57e46dbdc80e7118a91052a054	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15385121-7EFE-11EF-AF94-46A49AEEEEC8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20c509ee0a13db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000e1cc173a9128c2d5d65c82d898a86773199428a0e4bfe3fd091f483b1598c254000000000e8000000002000020000000ead9587b34a95def1b335ed4930de828885421480cc8500b6400e5f92abcc22090000000036fa78b326893b079fe5d41b9439d7baf635c886d8d4019a76f16479fe175e4e534168fd7c7d0d19c5a0012aafa93044ec3e98237304478c0a159392e335dff06faf9091d5b16312c198c299e40ff9bf485719d9d562cda0326bcac257a18d46e0d6a6aa00bd229e7978d1eac06b73c2aaa407d88db3a773638a634695bc765b5b7dbb59eeddb1d464b86e6c45b7be5400000000cd589604b6c516461d5c44a66da68aea9ac026fc45232b5988a268f665e8d34bda3429439c0108f28950fa5972f38eba8514498863bfaa67f1e15721587331c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
1616	qoidavtnifaysmkf.exe
3032	smkecwrpjh.exe
3032	smkecwrpjh.exe
3032	smkecwrpjh.exe
3032	smkecwrpjh.exe
3032	smkecwrpjh.exe
3032	smkecwrpjh.exe
3032	smkecwrpjh.exe
2696	i_smkecwrpjh.exe
2696	i_smkecwrpjh.exe
2696	i_smkecwrpjh.exe
2696	i_smkecwrpjh.exe
2696	i_smkecwrpjh.exe
2696	i_smkecwrpjh.exe
2696	i_smkecwrpjh.exe
2024	ojhbztomge.exe
2024	ojhbztomge.exe
2024	ojhbztomge.exe
2024	ojhbztomge.exe
2024	ojhbztomge.exe
2024	ojhbztomge.exe
2024	ojhbztomge.exe
2972	i_ojhbztomge.exe
2972	i_ojhbztomge.exe
2972	i_ojhbztomge.exe
2972	i_ojhbztomge.exe
2972	i_ojhbztomge.exe
2972	i_ojhbztomge.exe
2972	i_ojhbztomge.exe
1704	ywqojdbvtn.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	i_smkecwrpjh.exe
Token: SeDebugPrivilege	2972	i_ojhbztomge.exe
Token: SeDebugPrivilege	2216	i_ywqojdbvtn.exe
Token: SeDebugPrivilege	1524	i_lgdysqkidx.exe
Token: SeDebugPrivilege	2748	i_dbvpnifaus.exe
Token: SeDebugPrivilege	1068	i_qkicxvpnhc.exe
Token: SeDebugPrivilege	1948	i_zxsmkecxrp.exe
Token: SeDebugPrivilege	1640	i_mhbzurmgey.exe
Token: SeDebugPrivilege	1096	i_ecwuojgbzt.exe
Token: SeDebugPrivilege	2936	i_rmgeywqljd.exe
Token: SeDebugPrivilege	2668	i_dbvqoigavt.exe
Token: SeDebugPrivilege	2200	i_qnigavsnlf.exe
Token: SeDebugPrivilege	3004	i_nlfdxsqkic.exe
Token: SeDebugPrivilege	292	i_dxvpkicaup.exe
Token: SeDebugPrivilege	2496	i_pnhfzurmke.exe
Token: SeDebugPrivilege	1396	i_mhfzxrebwu.exe
Token: SeDebugPrivilege	352	i_cwrpjhbwto.exe
Token: SeDebugPrivilege	828	i_omgeytrljd.exe
Token: SeDebugPrivilege	624	i_eywqoidbvt.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2100	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2100	iexplore.exe
2100	iexplore.exe
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1616	2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe	31
PID 2076 wrote to memory of 1616	2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe	31
PID 2076 wrote to memory of 1616	2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe	31
PID 2076 wrote to memory of 1616	2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2100	2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe	32
PID 2076 wrote to memory of 2100	2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe	32
PID 2076 wrote to memory of 2100	2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe	32
PID 2076 wrote to memory of 2100	2076	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe	32
PID 2100 wrote to memory of 2712	2100	iexplore.exe	33
PID 2100 wrote to memory of 2712	2100	iexplore.exe	33
PID 2100 wrote to memory of 2712	2100	iexplore.exe	33
PID 2100 wrote to memory of 2712	2100	iexplore.exe	33
PID 1616 wrote to memory of 2748	1616	qoidavtnifaysmkf.exe	34
PID 1616 wrote to memory of 2748	1616	qoidavtnifaysmkf.exe	34
PID 1616 wrote to memory of 2748	1616	qoidavtnifaysmkf.exe	34
PID 1616 wrote to memory of 2748	1616	qoidavtnifaysmkf.exe	34
PID 3032 wrote to memory of 2792	3032	smkecwrpjh.exe	37
PID 3032 wrote to memory of 2792	3032	smkecwrpjh.exe	37
PID 3032 wrote to memory of 2792	3032	smkecwrpjh.exe	37
PID 3032 wrote to memory of 2792	3032	smkecwrpjh.exe	37
PID 1616 wrote to memory of 2660	1616	qoidavtnifaysmkf.exe	40
PID 1616 wrote to memory of 2660	1616	qoidavtnifaysmkf.exe	40
PID 1616 wrote to memory of 2660	1616	qoidavtnifaysmkf.exe	40
PID 1616 wrote to memory of 2660	1616	qoidavtnifaysmkf.exe	40
PID 1616 wrote to memory of 3056	1616	qoidavtnifaysmkf.exe	42
PID 1616 wrote to memory of 3056	1616	qoidavtnifaysmkf.exe	42
PID 1616 wrote to memory of 3056	1616	qoidavtnifaysmkf.exe	42
PID 1616 wrote to memory of 3056	1616	qoidavtnifaysmkf.exe	42
PID 2024 wrote to memory of 2852	2024	ojhbztomge.exe	44
PID 2024 wrote to memory of 2852	2024	ojhbztomge.exe	44
PID 2024 wrote to memory of 2852	2024	ojhbztomge.exe	44
PID 2024 wrote to memory of 2852	2024	ojhbztomge.exe	44
PID 1616 wrote to memory of 2948	1616	qoidavtnifaysmkf.exe	47
PID 1616 wrote to memory of 2948	1616	qoidavtnifaysmkf.exe	47
PID 1616 wrote to memory of 2948	1616	qoidavtnifaysmkf.exe	47
PID 1616 wrote to memory of 2948	1616	qoidavtnifaysmkf.exe	47
PID 1616 wrote to memory of 1688	1616	qoidavtnifaysmkf.exe	49
PID 1616 wrote to memory of 1688	1616	qoidavtnifaysmkf.exe	49
PID 1616 wrote to memory of 1688	1616	qoidavtnifaysmkf.exe	49
PID 1616 wrote to memory of 1688	1616	qoidavtnifaysmkf.exe	49
PID 1704 wrote to memory of 684	1704	ywqojdbvtn.exe	51
PID 1704 wrote to memory of 684	1704	ywqojdbvtn.exe	51
PID 1704 wrote to memory of 684	1704	ywqojdbvtn.exe	51
PID 1704 wrote to memory of 684	1704	ywqojdbvtn.exe	51
PID 1616 wrote to memory of 2544	1616	qoidavtnifaysmkf.exe	54
PID 1616 wrote to memory of 2544	1616	qoidavtnifaysmkf.exe	54
PID 1616 wrote to memory of 2544	1616	qoidavtnifaysmkf.exe	54
PID 1616 wrote to memory of 2544	1616	qoidavtnifaysmkf.exe	54
PID 1616 wrote to memory of 1572	1616	qoidavtnifaysmkf.exe	56
PID 1616 wrote to memory of 1572	1616	qoidavtnifaysmkf.exe	56
PID 1616 wrote to memory of 1572	1616	qoidavtnifaysmkf.exe	56
PID 1616 wrote to memory of 1572	1616	qoidavtnifaysmkf.exe	56
PID 580 wrote to memory of 1420	580	lgdysqkidx.exe	58
PID 580 wrote to memory of 1420	580	lgdysqkidx.exe	58
PID 580 wrote to memory of 1420	580	lgdysqkidx.exe	58
PID 580 wrote to memory of 1420	580	lgdysqkidx.exe	58
PID 1616 wrote to memory of 2428	1616	qoidavtnifaysmkf.exe	61
PID 1616 wrote to memory of 2428	1616	qoidavtnifaysmkf.exe	61
PID 1616 wrote to memory of 2428	1616	qoidavtnifaysmkf.exe	61
PID 1616 wrote to memory of 2428	1616	qoidavtnifaysmkf.exe	61
PID 1616 wrote to memory of 2080	1616	qoidavtnifaysmkf.exe	63
PID 1616 wrote to memory of 2080	1616	qoidavtnifaysmkf.exe	63
PID 1616 wrote to memory of 2080	1616	qoidavtnifaysmkf.exe	63
PID 1616 wrote to memory of 2080	1616	qoidavtnifaysmkf.exe	63

C:\Users\Admin\AppData\Local\Temp\002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Temp\qoidavtnifaysmkf.exe
  C:\Temp\qoidavtnifaysmkf.exe run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\smkecwrpjh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2748
  - - C:\Temp\smkecwrpjh.exe
      C:\Temp\smkecwrpjh.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2792
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2664
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_smkecwrpjh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2660
  - - C:\Temp\i_smkecwrpjh.exe
      C:\Temp\i_smkecwrpjh.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2696
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ojhbztomge.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3056
  - - C:\Temp\ojhbztomge.exe
      C:\Temp\ojhbztomge.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2852
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2688
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ojhbztomge.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2948
  - - C:\Temp\i_ojhbztomge.exe
      C:\Temp\i_ojhbztomge.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2972
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ywqojdbvtn.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1688
  - - C:\Temp\ywqojdbvtn.exe
      C:\Temp\ywqojdbvtn.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:684
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1464
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ywqojdbvtn.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2544
  - - C:\Temp\i_ywqojdbvtn.exe
      C:\Temp\i_ywqojdbvtn.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2216
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lgdysqkidx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1572
  - - C:\Temp\lgdysqkidx.exe
      C:\Temp\lgdysqkidx.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:580
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1420
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1784
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lgdysqkidx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2428
  - - C:\Temp\i_lgdysqkidx.exe
      C:\Temp\i_lgdysqkidx.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1524
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dbvpnifaus.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2080
  - - C:\Temp\dbvpnifaus.exe
      C:\Temp\dbvpnifaus.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2408
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2964
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2760
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dbvpnifaus.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2792
  - - C:\Temp\i_dbvpnifaus.exe
      C:\Temp\i_dbvpnifaus.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2748
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qkicxvpnhc.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2736
  - - C:\Temp\qkicxvpnhc.exe
      C:\Temp\qkicxvpnhc.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2860
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2696
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2932
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qkicxvpnhc.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2132
  - - C:\Temp\i_qkicxvpnhc.exe
      C:\Temp\i_qkicxvpnhc.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1068
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zxsmkecxrp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2856
  - - C:\Temp\zxsmkecxrp.exe
      C:\Temp\zxsmkecxrp.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1440
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3036
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3056
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zxsmkecxrp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2720
  - - C:\Temp\i_zxsmkecxrp.exe
      C:\Temp\i_zxsmkecxrp.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1948
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mhbzurmgey.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1432
  - - C:\Temp\mhbzurmgey.exe
      C:\Temp\mhbzurmgey.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2060
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1408
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1760
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mhbzurmgey.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2332
  - - C:\Temp\i_mhbzurmgey.exe
      C:\Temp\i_mhbzurmgey.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1640
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ecwuojgbzt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2376
  - - C:\Temp\ecwuojgbzt.exe
      C:\Temp\ecwuojgbzt.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2280
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2524
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2384
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ecwuojgbzt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2996
  - - C:\Temp\i_ecwuojgbzt.exe
      C:\Temp\i_ecwuojgbzt.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1096
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rmgeywqljd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2348
  - - C:\Temp\rmgeywqljd.exe
      C:\Temp\rmgeywqljd.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:964
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1960
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1492
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rmgeywqljd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2756
  - - C:\Temp\i_rmgeywqljd.exe
      C:\Temp\i_rmgeywqljd.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2936
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dbvqoigavt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1508
  - - C:\Temp\dbvqoigavt.exe
      C:\Temp\dbvqoigavt.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2080
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2788
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2644
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dbvqoigavt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2792
  - - C:\Temp\i_dbvqoigavt.exe
      C:\Temp\i_dbvqoigavt.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2668
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qnigavsnlf.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2928
  - - C:\Temp\qnigavsnlf.exe
      C:\Temp\qnigavsnlf.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1144
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:704
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1168
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qnigavsnlf.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2828
  - - C:\Temp\i_qnigavsnlf.exe
      C:\Temp\i_qnigavsnlf.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2200
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nlfdxsqkic.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:780
  - - C:\Temp\nlfdxsqkic.exe
      C:\Temp\nlfdxsqkic.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3012
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3020
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2844
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nlfdxsqkic.exe ups_ins
    3⤵
    PID:2872
  - - C:\Temp\i_nlfdxsqkic.exe
      C:\Temp\i_nlfdxsqkic.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3004
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dxvpkicaup.exe ups_run
    3⤵
    PID:1480
  - - C:\Temp\dxvpkicaup.exe
      C:\Temp\dxvpkicaup.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:756
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:316
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2252
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dxvpkicaup.exe ups_ins
    3⤵
    PID:3060
  - - C:\Temp\i_dxvpkicaup.exe
      C:\Temp\i_dxvpkicaup.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:292
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pnhfzurmke.exe ups_run
    3⤵
    PID:804
  - - C:\Temp\pnhfzurmke.exe
      C:\Temp\pnhfzurmke.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:336
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2396
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2392
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pnhfzurmke.exe ups_ins
    3⤵
    PID:1076
  - - C:\Temp\i_pnhfzurmke.exe
      C:\Temp\i_pnhfzurmke.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2496
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mhfzxrebwu.exe ups_run
    3⤵
    PID:2256
  - - C:\Temp\mhfzxrebwu.exe
      C:\Temp\mhfzxrebwu.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1828
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:920
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1232
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mhfzxrebwu.exe ups_ins
    3⤵
    PID:2504
  - - C:\Temp\i_mhfzxrebwu.exe
      C:\Temp\i_mhfzxrebwu.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1396
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\cwrpjhbwto.exe ups_run
    3⤵
    PID:1780
  - - C:\Temp\cwrpjhbwto.exe
      C:\Temp\cwrpjhbwto.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1612
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2168
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:840
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_cwrpjhbwto.exe ups_ins
    3⤵
    PID:1816
  - - C:\Temp\i_cwrpjhbwto.exe
      C:\Temp\i_cwrpjhbwto.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:352
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\omgeytrljd.exe ups_run
    3⤵
    PID:2708
  - - C:\Temp\omgeytrljd.exe
      C:\Temp\omgeytrljd.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2972
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2968
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1692
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_omgeytrljd.exe ups_ins
    3⤵
    PID:2180
  - - C:\Temp\i_omgeytrljd.exe
      C:\Temp\i_omgeytrljd.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:828
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\eywqoidbvt.exe ups_run
    3⤵
    PID:1468
  - - C:\Temp\eywqoidbvt.exe
      C:\Temp\eywqoidbvt.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2116
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2908
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1864
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_eywqoidbvt.exe ups_ins
    3⤵
    PID:904
  - - C:\Temp\i_eywqoidbvt.exe
      C:\Temp\i_eywqoidbvt.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:624
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bvqoigavtn.exe ups_run
    3⤵
    PID:2516
  - - C:\Temp\bvqoigavtn.exe
      C:\Temp\bvqoigavtn.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2204
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1572
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:996
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bvqoigavtn.exe ups_ins
    3⤵
    PID:808
  - - C:\Temp\i_bvqoigavtn.exe
      C:\Temp\i_bvqoigavtn.exe ups_ins
      4⤵
      PID:2428
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\dbvpnifaus.exe

Filesize
361KB

MD5
d02d0ea9d9f777ba3dad1275f110d47d

SHA1
6e76833c466f310a475b0e36b32502de217fdc25

SHA256
837569ab394f71901fbdf3f0a46de3d95e85c84732ed529b2dd53160882ea124

SHA512
37e1b50f725373745865ecf9d0077180e954ebc0266eb583d929de7c60e41239ada7e8f64bfb9771e2058d6f7cc81eac19efce1c1a5d35aca6b9df323e29eee4

Download Submit
C:\Temp\i_dbvpnifaus.exe

Filesize
361KB

MD5
eba690f5f3b06aa11b3110bc8e5a1141

SHA1
8254491f2d43e73a2c69aa11406d5e145d81b581

SHA256
5acd85ead404b5561b6c10c605898ea7403a7b6d898c876605a3cf9dfd71fbfb

SHA512
dac28034d15b5079a5647f890e0fafe8828dca8dc91d840ecbcc39be80027f9b163ce8e988e7d6367f374ca1a9e8667d2745827a150aa294c6ced1f30336404c

Download Submit
C:\Temp\i_lgdysqkidx.exe

Filesize
361KB

MD5
7acdff94034c5b45b7281f617a36454b

SHA1
d7e3b405064312b3f0a6351aa91eafa6bc91f6f1

SHA256
4716415f5d52fe6b012b94bba1e1812e6f446dc70f2aad0a928c1b008c1e19dc

SHA512
df6f7564a5943a35ebfa090174812dcd8feb3d17695e7b62bfbe8daed8b2ad6f7912c9d79f7ad0b2d02699423c33d1fce03fa70f942ccd27e5afa2dbb4870431

Download Submit
C:\Temp\i_ojhbztomge.exe

Filesize
361KB

MD5
d7f04caf3d352f4c3b9e0b7fdbaa9530

SHA1
af47ec61b8563da4826f955a79c10d84dee38e40

SHA256
3218e5186d01e7c7448262032ab9a1ba101c3b434bee43bf73ffbbfda96a08ea

SHA512
56614a0b71ed686860166beab69abcb9a146e3dafb423b7ec59ce9b3551bee4112e4eb5b5dd252818557a63a9e97619f97d15d791c62ec20fb3ab93de7348365

Download Submit
C:\Temp\i_qkicxvpnhc.exe

Filesize
361KB

MD5
2483876031f9c94bf4fe475466af3483

SHA1
950320b2b4c650b1c4b7ba03750df84dc1c8c059

SHA256
6c95ff68359d4f4a4d8ec2aeb0f23b6b09670d5f0cfc3831d200052f9e3fdc0c

SHA512
5e1f205f0c55b5a966e75147dbdc3def33ceea2be0722f77224982d56bdfdb087a7eaae2ba0730e5e978123ec48525045b85146df996a6fdd7ed51125488caca

Download Submit
C:\Temp\i_smkecwrpjh.exe

Filesize
361KB

MD5
53012e6a5175c05fd42584c7eff7f80e

SHA1
008b8322de2d62051c6e92eda2781ee586fe5a02

SHA256
1bc09c3b00703e96325bf9692c79efbfc6f8544960f15dc248871535df99ec6d

SHA512
f4dc05728801b7c13b1084a2ad65594b0be56568642e30a7bdad07dbc2f80858cdd2f005b244408528c8e01c1a30f713663c8558fdebecb390d26b92f409663a

Download Submit
C:\Temp\i_ywqojdbvtn.exe

Filesize
361KB

MD5
f86b05282ef76e79e35785bbb72b46a8

SHA1
1a4b2454c4a22e5a080075f3051d9569cc6988b8

SHA256
212cfec2360e7fe017d3d897fa018df7e95d9168e644603e80b121052788ec71

SHA512
ea023702b1f583571ad54ef6ae07df0ca146cd7bcfb7cf84349139bfe78163c1265510ce0b10c3b450009c5c91fad2a038dd59e79c909d535cb6736ab1c9bd02

Download Submit
C:\Temp\i_zxsmkecxrp.exe

Filesize
361KB

MD5
e37622783ce9d527b5652a3881789bc1

SHA1
bc6fc9a750cfdad800a7deac6ba062d5c2b22a3d

SHA256
d61368175ce6eeb3819e05fce8dfaf24d8bedd72299742cdd561c6545517f04a

SHA512
5997b9b80e128813dfa32b4e1868e306be8e00becf176a9aacfc839f974ccd279a091d78c504e97b234046ce3bfefb76e92ef16bfa6e40c42d082cc8617fdd6a

Download Submit
C:\Temp\lgdysqkidx.exe

Filesize
361KB

MD5
bdd1c32396a460d6119867eaccca78ac

SHA1
4be2f9bca61e1d76fd31c2434ed7a1833fc47ada

SHA256
71b296af484a5624692b1d50881ffbf9c0a1e3206c7d5dfc01eeb0a3a4c13bfb

SHA512
39c6ef3ed15b8babc6aa77698bba1a9908edca53cd722ae35c8c3d7a2d39b6db4c0f62de2f2aa25305179bbaabba94c508f61e3cc782968451e85b2fa395fa05

Download Submit
C:\Temp\mhbzurmgey.exe

Filesize
361KB

MD5
82666fc387eb6cc78baedf9baadc3a12

SHA1
cd5206b4966c57cb8e506f9de51be4e15bb02896

SHA256
c65ea3adf8fffbf6bc3c6d0e12912dd205a8307cf678c0ca63e2f84aab6e5f81

SHA512
f45803f47377c123eb6345cf3707694288c90f2f9e4d6c1085fc37ca5a3dcd844864f7bb11be71155435efa5bf2c2015ec17098afcdfef18fa7da6566dbed630

Download Submit
C:\Temp\ojhbztomge.exe

Filesize
361KB

MD5
203d4f940211dba9ff18f89f4dbc3e51

SHA1
19129cee20ce028004b6e34293cfc6ccc424a816

SHA256
e8795aaecddc69ec0778c5768b417d5abc39f60f49b2ccfea59c5e22c1922c45

SHA512
86cbec9a4c40ac41588675dce6c6cbc74109b34d6801215a66ade6d12fef21aa3716b4c62c510f0897c9e058bbe682a5aeba641b6743e790a891bd3e52d59193

Download Submit
C:\Temp\qkicxvpnhc.exe

Filesize
361KB

MD5
65dd4f6273dd56e0922f9a265ebfdd90

SHA1
a62975c15f212990d38fd18edaacbc66e0a92ca8

SHA256
424fe0ba2424d473555f4afd4c8eed4eb38c46ba9f9eb922b9a445e23dd719cf

SHA512
d753f2e2dbd3e04b4dbc99307450a852a5d4d9d3492776a4d2efaec400458ce757b949ecbe163d1cf5420c9430c333a2fcb8881e51be41714aefc2e1b332f086

Download Submit
C:\Temp\smkecwrpjh.exe

Filesize
361KB

MD5
ad9dc479f1d13018a3e861a221e59fe7

SHA1
4a7b01fd354bf4adc13175f68401b228b47efdad

SHA256
d440352ac1c3835ff041e965b9103feda4ad14e977420401704c975e624ccf59

SHA512
acec8f65127f13b46701607b5db54288764c51dbce7e8185d293854493b69166311650f190b20b960d8598b5e04db6aef676b291593e2975f55fdb1999e269f1

Download Submit
C:\Temp\ywqojdbvtn.exe

Filesize
361KB

MD5
26a092b8643f15607cc8a25cedf5be07

SHA1
74e98c7bdee5ef5a7c03036de6396b9692a7f040

SHA256
deaa7e09b7154e76e4d2b02162681a122b0b629ea92f4b88dbb38f0c14415478

SHA512
7f8b6e3344271ab1b61ae14d2ab9cb2bf2c847204ec664b9717c70183ab7bfc367eb45d9782534f4439b45c0ea599e437876d40e2883dffa67322ff84335faa1

Download Submit
C:\Temp\zxsmkecxrp.exe

Filesize
361KB

MD5
f1331ec873d10984073a9403b0726b26

SHA1
3e873df1b5d2ec57ce87281d58686fea05db9f26

SHA256
1b88860b339c7100ee32a6875e9d15db616abf09a053ae58aef3115dbb59646a

SHA512
e4b57aa3b4453ae3232ee4cb21a5949f4d1c043a624b2ab39e284e92d4052b1e7ef28a2f97085eda556949ff8eb078261feb4720ef673ca0d657ebcd321da52c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ce1e81e70a669608532bb34b38f7056

SHA1
a89a334877ab623db6c0388458169597187df2cc

SHA256
97537acbd79ae4958ecffb4feb1543d89db9fc6235a1a271f474b297f3ac497f

SHA512
21b730d11cf03eacd4cd7b9da0be5d76f39247813aa81dd81911da61481e1d06461a087504310b1f48b9ec1b527bd1e5e3f67e498bd9d4dc25dbbfd3e78a516e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5412dfb097d477301b2c7d43bece88f5

SHA1
4d7782688201eea6052f88998bc0293a1d8ae0a8

SHA256
650184fa692fcb51b5e45393d100b411e3b04b6d9462b0ae4813420c4dcd18ed

SHA512
78e4c4c2eda4fdcedfbd3605e66585ac648ed27ed886f972eddd060fbaf43cca54f9197298b602d3afe2d734dad3b62c65f09d87065cb03ee9b6b97b6ec2ad25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da3fa2a1274ab7faddf82327f33cce7c

SHA1
43a016f7879aa18a3d361ae0b15198bdc94183d0

SHA256
b0fbfa64c543a14af645f8749a4e0a33bad9fa4dc504b9e827fac8f5e22c2513

SHA512
5756e26dbac7b7d05291828b9d4da64534f859dc1508d623de75ace51ceb9741f4a8e5db6de1fc348074937dd3c264b129f1ba8a51583f95b0102c0d5504c789

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01f816802c2cc725463195b78dc11a7e

SHA1
5adca17b41a6014814b8738c6106d5af9274a986

SHA256
356bd07c2612df9abb00ea204614784af44f3d1f4b83301301c776e96f280b1c

SHA512
e9f67a972c10f67b9c12ce198d2d26c3f4e63d2f9eb78eccf2837e3b34ac9b63e808286945227e2d90f316d2b9f4c4fc13771cfdfcf17d80442f5073a711a9c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1296f23247b21132d8a9be6e95e3bb5

SHA1
39a222f1a39202ff639cd3833b1ccdcdfc049631

SHA256
27b05434035ae988ef16ae5e2f98c46c75d0d575c38a98306494b42c02fbf8b7

SHA512
5d531c0be67f6320850854c4c5557341620f3b41d866e14e5a00905008cf6bfec6e15b676e25d3c2abd6ab7988ba8a38640586bd65578457d184d9dfc7a533ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99cbaee0ff5834092e0e0e2275fa2f2e

SHA1
8cc4ff4a3bfd582a0733d7b292f7d1a17e2cb887

SHA256
11ef41bfbec43cd064566124c80c8594471454c4be712e8a773caee9389e1ca0

SHA512
6af41bd10b230bc72b06d3317fbab15657c4d95acda3b2f8706862900401bc3adce27201cb643fb1b70a650907248b47feac6e3ff0e70c3cf92e17e3a0090480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a10bf0da2f413b95b0f7d7696ab76e89

SHA1
45c0c9ffe026a3d0623356ace3988cf7531ee1d8

SHA256
fc92e9dcf9754919e0161bd7b4421caf93ceff6fe8d33e7ed874d005d96f0963

SHA512
96d22bfab721198aa382fd7812e557580b8805bde3f015bf8075bb6e3c87359a83aa423a3f6af62212c90d46698f6ea9d74ee14389b42b59ae8596c55531f77a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6491ea009d2e95056ced14be52c50a39

SHA1
bf30da461af0029bd31e979455d435d143e9cd16

SHA256
1399e38a7d1305b6c84a2deec6ab57289e9fbc87b9ce94229c234b318a1e8186

SHA512
716325292d01093f157c2d7f529376a002fe9465fd864c8ddc40cc14f06f41a5f26faa685b88ad8fb6559dc6cdeecb3ecbfd20b09132b08e4373461008962b06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27d32a6bf2d99cf0a16242375bb668b4

SHA1
18ecf8b498a3b9e217da82d460abcaad8cab3c4b

SHA256
1d474229b55382898680b7ae474cfd7c3a19102baee918294e1e7d4c79cfe828

SHA512
707492e2077a2ca8f68883f401c2d90fbf32de23d7ae43c97deedc6713bd9024c67112a03590d00d2abb332e530d2fccc41f95015f9ee00a85b116314273851b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d238fc002f9a31949f28f739e9b77bf8

SHA1
48201c8448e4320cbc7eb5514bd819390296a3b1

SHA256
d321a886d38e76a819f38f63c5bab61176a8b3bed70a593bead6a5fdab519cc7

SHA512
aa349eddde1e9c1561eb1057ff5e4f9cb316c75c8954160fb1d1be61dcb79637f8c51ba68e44e9c84220941902fa6b919537841f574b529a14c352e3abd51405

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91135b5ecc267e3a15ac5f1336769353

SHA1
e00f88bb86a3a2eb5f5959a319829564157f98af

SHA256
45ac46c7a8d230211e6a9ae0733a9ac209d414783e2c2652ad641cfb503458c3

SHA512
bafc9666c84938a7fb8ab1925bee5f74e474d14ac6b5582ad550030699ef41a81bd5b6b14e6021eda75a48fa019794b20bb513714c6cafff10d9f4cfbc11d792

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2b8b396e11e197d419f51e91b751340

SHA1
cd3cfa6f90ff17f9d5bb9a4013e4de59a0e73827

SHA256
1e6c7da1b42750c63ec5baaa852183641956927c6ac9cd344d083ebf6832e4dd

SHA512
c62e767b118376cb8a9ac434deaf47becf18851e83c97c83bcaec632564d72d0e7ead481730f2b3883c44bf55a0f03879fff9ef377e957c0a9e2c550db80f564

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e79f3b404d7d8e9345c7e37d9244d1e

SHA1
6a321c623f87dbdfe6a149890e675e0ac4bcb6ad

SHA256
20ef576230d4c43ef740a5a064efa9964513014de37f02eb0595bf86d41d3422

SHA512
add8463163d13179f7b1b0cceabae67df5812e7b7907cd3785245ce08a2883fc61e6fe3c5e5d9b1e56cedee96f1ee1c469522fd67d7b8590495e5601ec8e461c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac48e32c28da630a6fd3f52af5452aad

SHA1
208e78bbecd86580ca91fa26d784a46850d5ed5c

SHA256
2252e1a6ef34b06c61999c0dcc34bf22050e608e59014da1b6ed8c6437a1d015

SHA512
3ad15cbab096251960eed0c440d00ecbb8b9f1a42d6fed65dcc7bff97de22fdbbb9ca53c0bc03a1562dd26313f978baf899808ec6165cfcbad563ef8c0bda12a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b623198f82a71c54a49ac42a624369d

SHA1
07d679f229dd327ff903fbb001d517ecc5c51c43

SHA256
c0528de5b6da26de9c1429b8c4360d3df4e32dd4ada87332976ea41157a18526

SHA512
7dd69a98b18624ff5480a04c052b2c39275ca8c007254d2beba06d59bf6e4befe32848b7330182c3b2f49c0fdb37775c40acb00567f2cbb2244ba0e6ecb5f938

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ef9926613de80e4e9971b1c487dfae6

SHA1
87ddd9e3d237696fe22a458a4679a41aea8c14c5

SHA256
d09caf60a54ab37a7b2c82c7a7e67e3860d85386e198117baaeb14a5734ad96b

SHA512
454f378788164debe42dc111e045f04a2d9d88af368fa4bdc82372813fa28c697265771723549ab77cb8de864a98eeec57b8bdd10a018d1c16de955c2e4423c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14d48859b3434529ea26459449e8242f

SHA1
3d36d07da228715accffa8de91b73d0bc5c5a905

SHA256
a757bc4281a3585acc0249d097214c458e062a46c53804a543b1fa990e57bfb2

SHA512
c385e24c08b81c58d746835baa9c572d4811061f76e457856648ae245856c6901267d7a06457e95012e8e1d52fa482eb487611c03896f8dd8bfc480bbb9af139

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f85110ce9474e52a34fcbd95d05642f5

SHA1
edcc142b82757f69005a0093d066e051f7bf7a2f

SHA256
4a7c4a0153801d0363f3d074b42159063722c35eca9879fc90210b551f985dd4

SHA512
49203ddfd1ef2ff437b444a91247fcd20ad57210239fd9965fc8f216a2af6dc044d9a2777fda72b3def2929e056612aadf5da6404f06db494983aed1bb03895c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d95bfe2668769358516c06cc568ca7f1

SHA1
dc5d8fe2549a378fa7b581aa2de5db15e2098d9d

SHA256
d469829139582a0ee79c7df969bbf8633c7ce47f398911a917db73268d2e072b

SHA512
cfcb94c6bae4c30a3e26238c45f21d6657ed1031f9b57d30b97ab4f2060e89b6cbdac107b42744d217fed277fad83223957ce31faa44aff00f0b58b80cb6f686

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD2D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDDC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
cdbe84fbc2dc428caab01c0d42e2b3ad

SHA1
ef75974012f9976560730dbc5f45f409feb964a9

SHA256
c6d54f2501e8b4626be8bece88d104ce3cdac2fc11a5b3dce38d57328dc4e045

SHA512
ae63c89cb804848d703bf69c51e20c4d107c8ddebd91a927599ab95efdf1402ccd114a375076558c919068ca9df46dc1b75228fe98a9562de4abed3ce0fe1d16

Download Submit
\Temp\qoidavtnifaysmkf.exe

Filesize
361KB

MD5
ba62e24f9b093a165bb9230221a18e3e

SHA1
c499554bff7d7b400c5458a2a57ebfc57ea334db

SHA256
e466b6f4653ca367e1272f06f6939b3db196a00a1a8b2fa2c7b3331dfa12638c

SHA512
8d649063eb478081f1d75cf5d9b74db861ad40eb300cc229a3bcf88ba2e8546c4d6ca626b43d8387e7f27d8ba6cadfde63153d38f3e84682c73d686158e38268

Download Submit