b1008644e97b39f3bfccfbce5611154cf84da75832ea53e2e85aad0e1b4e9329

Analysis

max time kernel
147s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
Size

361KB
MD5

027913a24d6905ecfee92fb0b63776fb
SHA1

992dec3e6e0fc51d421180e59da594d33137c74a
SHA256

b1008644e97b39f3bfccfbce5611154cf84da75832ea53e2e85aad0e1b4e9329
SHA512

ee632ce95f778f8d08d2017d34fac855e60dab72842081562703305ae0f23b662962efc7eefd21e812785b5043c5c9a09489600531fddec1ad00818646e24731
SSDEEP

6144:AflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:AflfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2708	rljebwqojgbvtnlg.exe
2104	CreateProcess.exe
2784	vpnifausnk.exe
2648	CreateProcess.exe
2616	CreateProcess.exe
2672	i_vpnifausnk.exe
1356	CreateProcess.exe
1016	xvpkhczuom.exe
3024	CreateProcess.exe
2968	CreateProcess.exe
2988	i_xvpkhczuom.exe
2564	CreateProcess.exe
1480	smkecwrpjh.exe
2440	CreateProcess.exe
1428	CreateProcess.exe
1592	i_smkecwrpjh.exe
2076	CreateProcess.exe
1912	hczuomgezt.exe
1528	CreateProcess.exe
2840	CreateProcess.exe
2776	i_hczuomgezt.exe
2976	CreateProcess.exe
2168	uomgeytrlj.exe
2936	CreateProcess.exe
2700	CreateProcess.exe
1916	i_uomgeytrlj.exe
2756	CreateProcess.exe
612	jgbytnlgdy.exe
2972	CreateProcess.exe
1440	CreateProcess.exe
3000	i_jgbytnlgdy.exe
1996	CreateProcess.exe
2436	gbvtnlgays.exe
1856	CreateProcess.exe
580	CreateProcess.exe
2084	i_gbvtnlgays.exe
1020	CreateProcess.exe
2128	sqlidxvqni.exe
2088	CreateProcess.exe
2012	CreateProcess.exe
2064	i_sqlidxvqni.exe
1672	CreateProcess.exe
912	icavsnhfzx.exe
2196	CreateProcess.exe
1792	CreateProcess.exe
624	i_icavsnhfzx.exe
2216	CreateProcess.exe
2636	xspkicwupm.exe
2640	CreateProcess.exe
2144	CreateProcess.exe
2252	i_xspkicwupm.exe
2172	CreateProcess.exe
2280	upnhfzurmk.exe
1880	CreateProcess.exe
3024	CreateProcess.exe
1040	i_upnhfzurmk.exe
3016	CreateProcess.exe
3040	khcwuomhbz.exe
2356	CreateProcess.exe
1856	CreateProcess.exe
2912	i_khcwuomhbz.exe
2568	CreateProcess.exe
2364	zxrljebwqo.exe
1784	CreateProcess.exe

Loads dropped DLL 62 IoCs

pid	Process
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2784	vpnifausnk.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
1016	xvpkhczuom.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
1480	smkecwrpjh.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
1912	hczuomgezt.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2168	uomgeytrlj.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
612	jgbytnlgdy.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2436	gbvtnlgays.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2128	sqlidxvqni.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
912	icavsnhfzx.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2636	xspkicwupm.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2280	upnhfzurmk.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
3040	khcwuomhbz.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2364	zxrljebwqo.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2012	wuojgbzlgd.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
1324	jgbytnlgdy.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
760	ywqlidbvqn.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
1536	nigavsnlfz.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2692	ifaysnkfcx.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
880	xvpnhcausm.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2636	mkecxrpjhb.exe
2708	rljebwqojgbvtnlg.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xspkicwupm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgbytnlgdy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nigavsnlfz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mkecxrpjhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xvpkhczuom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smkecwrpjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uomgeytrlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gbvtnlgays.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqlidxvqni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icavsnhfzx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuojgbzlgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rljebwqojgbvtnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgbytnlgdy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khcwuomhbz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xvpnhcausm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpnifausnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hczuomgezt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upnhfzurmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxrljebwqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywqlidbvqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifaysnkfcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1980	ipconfig.exe
1844	ipconfig.exe
2428	ipconfig.exe
308	ipconfig.exe
2096	ipconfig.exe
3008	ipconfig.exe
1164	ipconfig.exe
2152	ipconfig.exe
2416	ipconfig.exe
3028	ipconfig.exe
788	ipconfig.exe
2516	ipconfig.exe
2624	ipconfig.exe
764	ipconfig.exe
2600	ipconfig.exe
2824	ipconfig.exe
1800	ipconfig.exe
1896	ipconfig.exe
1668	ipconfig.exe
1928	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433879071"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000ae48edc9915840bfacff6b0580ddfb0bc2a69fc4107869c3136b4a39ab7c71d2000000000e8000000002000020000000fb8c26a2b8e58c465ecda93c4eca7cccca9349f48cce07b8b3a4e39fe952d06d2000000065438d0e488d937f4ecdbd3882941180334c1bbca7ed784339fafaaa21df79f7400000009bbf12069fb465ab228b0258cd0fda115e5907a1029a37ac38bce2049a4885be652175500bfc6fd1da632070b2e93741f70d163d1c22f07d44447a15d9c65e8c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000d676cde22e42db8b3daed1e9037637a7d657a8c60ca6ce53fff798581e8a4be0000000000e8000000002000020000000c4d7459cc965628f101cca17708a5354ac2a213cd7b22e1f925c08ab42a3a32590000000aae94b9bf0bf6ddfcf71d4cb38ada12d22b5ebff9494592aca8fb5f8b1b0f6e8e75a9019189dd9f94174d4db009d4942d68b3eaf17a6503197fe848f2cd40002604d17fd264d249b9138a77af90e3014e678d0fa85921ed45cf1b53b14a629b6090650c05dc9b933e788d504a0a86e1c92919a0f9cb1e3f36445065b750adf0133fdc75dcdec96cd0b5112ce6e1fa0b3400000009ce506778b165b5955c66872f666e8be2e114f9b2a78a3ab20688a772e109488479077813352257cc54228e3dd23098be94aec0a98e2951fcf15d4a7f8eeafb5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 500b0e025e13db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2943ABD1-7F51-11EF-BDBD-E62D5E492327} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2708	rljebwqojgbvtnlg.exe
2784	vpnifausnk.exe
2784	vpnifausnk.exe
2784	vpnifausnk.exe
2784	vpnifausnk.exe
2784	vpnifausnk.exe
2784	vpnifausnk.exe
2784	vpnifausnk.exe
2672	i_vpnifausnk.exe
2672	i_vpnifausnk.exe
2672	i_vpnifausnk.exe
2672	i_vpnifausnk.exe
2672	i_vpnifausnk.exe
2672	i_vpnifausnk.exe
2672	i_vpnifausnk.exe
1016	xvpkhczuom.exe
1016	xvpkhczuom.exe
1016	xvpkhczuom.exe
1016	xvpkhczuom.exe
1016	xvpkhczuom.exe
1016	xvpkhczuom.exe
1016	xvpkhczuom.exe
2988	i_xvpkhczuom.exe
2988	i_xvpkhczuom.exe
2988	i_xvpkhczuom.exe
2988	i_xvpkhczuom.exe
2988	i_xvpkhczuom.exe
2988	i_xvpkhczuom.exe
2988	i_xvpkhczuom.exe
1480	smkecwrpjh.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	i_vpnifausnk.exe
Token: SeDebugPrivilege	2988	i_xvpkhczuom.exe
Token: SeDebugPrivilege	1592	i_smkecwrpjh.exe
Token: SeDebugPrivilege	2776	i_hczuomgezt.exe
Token: SeDebugPrivilege	1916	i_uomgeytrlj.exe
Token: SeDebugPrivilege	3000	i_jgbytnlgdy.exe
Token: SeDebugPrivilege	2084	i_gbvtnlgays.exe
Token: SeDebugPrivilege	2064	i_sqlidxvqni.exe
Token: SeDebugPrivilege	624	i_icavsnhfzx.exe
Token: SeDebugPrivilege	2252	i_xspkicwupm.exe
Token: SeDebugPrivilege	1040	i_upnhfzurmk.exe
Token: SeDebugPrivilege	2912	i_khcwuomhbz.exe
Token: SeDebugPrivilege	2248	i_zxrljebwqo.exe
Token: SeDebugPrivilege	2604	i_wuojgbzlgd.exe
Token: SeDebugPrivilege	2508	i_jgbytnlgdy.exe
Token: SeDebugPrivilege	2112	i_ywqlidbvqn.exe
Token: SeDebugPrivilege	3052	i_nigavsnlfz.exe
Token: SeDebugPrivilege	1496	i_ifaysnkfcx.exe
Token: SeDebugPrivilege	1412	i_xvpnhcausm.exe
Token: SeDebugPrivilege	3068	i_mkecxrpjhb.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2448	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2448	iexplore.exe
2448	iexplore.exe
2292	IEXPLORE.EXE
2292	IEXPLORE.EXE
2292	IEXPLORE.EXE
2292	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2708	1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2708	1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2708	1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2708	1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2448	1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2448	1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2448	1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2448	1728	027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2292	2448	iexplore.exe	32
PID 2448 wrote to memory of 2292	2448	iexplore.exe	32
PID 2448 wrote to memory of 2292	2448	iexplore.exe	32
PID 2448 wrote to memory of 2292	2448	iexplore.exe	32
PID 2708 wrote to memory of 2104	2708	rljebwqojgbvtnlg.exe	33
PID 2708 wrote to memory of 2104	2708	rljebwqojgbvtnlg.exe	33
PID 2708 wrote to memory of 2104	2708	rljebwqojgbvtnlg.exe	33
PID 2708 wrote to memory of 2104	2708	rljebwqojgbvtnlg.exe	33
PID 2784 wrote to memory of 2648	2784	vpnifausnk.exe	36
PID 2784 wrote to memory of 2648	2784	vpnifausnk.exe	36
PID 2784 wrote to memory of 2648	2784	vpnifausnk.exe	36
PID 2784 wrote to memory of 2648	2784	vpnifausnk.exe	36
PID 2708 wrote to memory of 2616	2708	rljebwqojgbvtnlg.exe	39
PID 2708 wrote to memory of 2616	2708	rljebwqojgbvtnlg.exe	39
PID 2708 wrote to memory of 2616	2708	rljebwqojgbvtnlg.exe	39
PID 2708 wrote to memory of 2616	2708	rljebwqojgbvtnlg.exe	39
PID 2708 wrote to memory of 1356	2708	rljebwqojgbvtnlg.exe	41
PID 2708 wrote to memory of 1356	2708	rljebwqojgbvtnlg.exe	41
PID 2708 wrote to memory of 1356	2708	rljebwqojgbvtnlg.exe	41
PID 2708 wrote to memory of 1356	2708	rljebwqojgbvtnlg.exe	41
PID 1016 wrote to memory of 3024	1016	xvpkhczuom.exe	43
PID 1016 wrote to memory of 3024	1016	xvpkhczuom.exe	43
PID 1016 wrote to memory of 3024	1016	xvpkhczuom.exe	43
PID 1016 wrote to memory of 3024	1016	xvpkhczuom.exe	43
PID 2708 wrote to memory of 2968	2708	rljebwqojgbvtnlg.exe	47
PID 2708 wrote to memory of 2968	2708	rljebwqojgbvtnlg.exe	47
PID 2708 wrote to memory of 2968	2708	rljebwqojgbvtnlg.exe	47
PID 2708 wrote to memory of 2968	2708	rljebwqojgbvtnlg.exe	47
PID 2708 wrote to memory of 2564	2708	rljebwqojgbvtnlg.exe	49
PID 2708 wrote to memory of 2564	2708	rljebwqojgbvtnlg.exe	49
PID 2708 wrote to memory of 2564	2708	rljebwqojgbvtnlg.exe	49
PID 2708 wrote to memory of 2564	2708	rljebwqojgbvtnlg.exe	49
PID 1480 wrote to memory of 2440	1480	smkecwrpjh.exe	51
PID 1480 wrote to memory of 2440	1480	smkecwrpjh.exe	51
PID 1480 wrote to memory of 2440	1480	smkecwrpjh.exe	51
PID 1480 wrote to memory of 2440	1480	smkecwrpjh.exe	51
PID 2708 wrote to memory of 1428	2708	rljebwqojgbvtnlg.exe	54
PID 2708 wrote to memory of 1428	2708	rljebwqojgbvtnlg.exe	54
PID 2708 wrote to memory of 1428	2708	rljebwqojgbvtnlg.exe	54
PID 2708 wrote to memory of 1428	2708	rljebwqojgbvtnlg.exe	54
PID 2708 wrote to memory of 2076	2708	rljebwqojgbvtnlg.exe	56
PID 2708 wrote to memory of 2076	2708	rljebwqojgbvtnlg.exe	56
PID 2708 wrote to memory of 2076	2708	rljebwqojgbvtnlg.exe	56
PID 2708 wrote to memory of 2076	2708	rljebwqojgbvtnlg.exe	56
PID 1912 wrote to memory of 1528	1912	hczuomgezt.exe	58
PID 1912 wrote to memory of 1528	1912	hczuomgezt.exe	58
PID 1912 wrote to memory of 1528	1912	hczuomgezt.exe	58
PID 1912 wrote to memory of 1528	1912	hczuomgezt.exe	58
PID 2708 wrote to memory of 2840	2708	rljebwqojgbvtnlg.exe	61
PID 2708 wrote to memory of 2840	2708	rljebwqojgbvtnlg.exe	61
PID 2708 wrote to memory of 2840	2708	rljebwqojgbvtnlg.exe	61
PID 2708 wrote to memory of 2840	2708	rljebwqojgbvtnlg.exe	61
PID 2708 wrote to memory of 2976	2708	rljebwqojgbvtnlg.exe	63
PID 2708 wrote to memory of 2976	2708	rljebwqojgbvtnlg.exe	63
PID 2708 wrote to memory of 2976	2708	rljebwqojgbvtnlg.exe	63
PID 2708 wrote to memory of 2976	2708	rljebwqojgbvtnlg.exe	63

C:\Users\Admin\AppData\Local\Temp\027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\027913a24d6905ecfee92fb0b63776fb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Temp\rljebwqojgbvtnlg.exe
  C:\Temp\rljebwqojgbvtnlg.exe run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vpnifausnk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2104
  - - C:\Temp\vpnifausnk.exe
      C:\Temp\vpnifausnk.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2648
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3028
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vpnifausnk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2616
  - - C:\Temp\i_vpnifausnk.exe
      C:\Temp\i_vpnifausnk.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2672
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xvpkhczuom.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1356
  - - C:\Temp\xvpkhczuom.exe
      C:\Temp\xvpkhczuom.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3024
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3008
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xvpkhczuom.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2968
  - - C:\Temp\i_xvpkhczuom.exe
      C:\Temp\i_xvpkhczuom.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2988
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\smkecwrpjh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2564
  - - C:\Temp\smkecwrpjh.exe
      C:\Temp\smkecwrpjh.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2440
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1980
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_smkecwrpjh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1428
  - - C:\Temp\i_smkecwrpjh.exe
      C:\Temp\i_smkecwrpjh.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1592
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hczuomgezt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2076
  - - C:\Temp\hczuomgezt.exe
      C:\Temp\hczuomgezt.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1528
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1928
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hczuomgezt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2840
  - - C:\Temp\i_hczuomgezt.exe
      C:\Temp\i_hczuomgezt.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2776
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\uomgeytrlj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2976
  - - C:\Temp\uomgeytrlj.exe
      C:\Temp\uomgeytrlj.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2168
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2936
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2624
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_uomgeytrlj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2700
  - - C:\Temp\i_uomgeytrlj.exe
      C:\Temp\i_uomgeytrlj.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1916
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jgbytnlgdy.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2756
  - - C:\Temp\jgbytnlgdy.exe
      C:\Temp\jgbytnlgdy.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:612
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2972
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:764
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jgbytnlgdy.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1440
  - - C:\Temp\i_jgbytnlgdy.exe
      C:\Temp\i_jgbytnlgdy.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3000
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gbvtnlgays.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1996
  - - C:\Temp\gbvtnlgays.exe
      C:\Temp\gbvtnlgays.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2436
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1856
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1844
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gbvtnlgays.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:580
  - - C:\Temp\i_gbvtnlgays.exe
      C:\Temp\i_gbvtnlgays.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2084
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\sqlidxvqni.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1020
  - - C:\Temp\sqlidxvqni.exe
      C:\Temp\sqlidxvqni.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2128
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2088
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2428
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_sqlidxvqni.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2012
  - - C:\Temp\i_sqlidxvqni.exe
      C:\Temp\i_sqlidxvqni.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2064
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icavsnhfzx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1672
  - - C:\Temp\icavsnhfzx.exe
      C:\Temp\icavsnhfzx.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:912
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2196
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2600
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_icavsnhfzx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1792
  - - C:\Temp\i_icavsnhfzx.exe
      C:\Temp\i_icavsnhfzx.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:624
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xspkicwupm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2216
  - - C:\Temp\xspkicwupm.exe
      C:\Temp\xspkicwupm.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2636
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2640
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2824
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xspkicwupm.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2144
  - - C:\Temp\i_xspkicwupm.exe
      C:\Temp\i_xspkicwupm.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2252
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\upnhfzurmk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2172
  - - C:\Temp\upnhfzurmk.exe
      C:\Temp\upnhfzurmk.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2280
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1880
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:308
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_upnhfzurmk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3024
  - - C:\Temp\i_upnhfzurmk.exe
      C:\Temp\i_upnhfzurmk.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1040
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\khcwuomhbz.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3016
  - - C:\Temp\khcwuomhbz.exe
      C:\Temp\khcwuomhbz.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3040
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2356
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1800
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_khcwuomhbz.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1856
  - - C:\Temp\i_khcwuomhbz.exe
      C:\Temp\i_khcwuomhbz.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2912
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zxrljebwqo.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2568
  - - C:\Temp\zxrljebwqo.exe
      C:\Temp\zxrljebwqo.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2364
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1784
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1164
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zxrljebwqo.exe ups_ins
    3⤵
    PID:2404
  - - C:\Temp\i_zxrljebwqo.exe
      C:\Temp\i_zxrljebwqo.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2248
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wuojgbzlgd.exe ups_run
    3⤵
    PID:2064
  - - C:\Temp\wuojgbzlgd.exe
      C:\Temp\wuojgbzlgd.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2012
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2276
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2152
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wuojgbzlgd.exe ups_ins
    3⤵
    PID:1072
  - - C:\Temp\i_wuojgbzlgd.exe
      C:\Temp\i_wuojgbzlgd.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2604
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jgbytnlgdy.exe ups_run
    3⤵
    PID:2016
  - - C:\Temp\jgbytnlgdy.exe
      C:\Temp\jgbytnlgdy.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1324
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1796
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1896
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jgbytnlgdy.exe ups_ins
    3⤵
    PID:2804
  - - C:\Temp\i_jgbytnlgdy.exe
      C:\Temp\i_jgbytnlgdy.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2508
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ywqlidbvqn.exe ups_run
    3⤵
    PID:1792
  - - C:\Temp\ywqlidbvqn.exe
      C:\Temp\ywqlidbvqn.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:760
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2272
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2416
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ywqlidbvqn.exe ups_ins
    3⤵
    PID:2980
  - - C:\Temp\i_ywqlidbvqn.exe
      C:\Temp\i_ywqlidbvqn.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2112
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nigavsnlfz.exe ups_run
    3⤵
    PID:2120
  - - C:\Temp\nigavsnlfz.exe
      C:\Temp\nigavsnlfz.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1536
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2440
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2096
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nigavsnlfz.exe ups_ins
    3⤵
    PID:1744
  - - C:\Temp\i_nigavsnlfz.exe
      C:\Temp\i_nigavsnlfz.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3052
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ifaysnkfcx.exe ups_run
    3⤵
    PID:1428
  - - C:\Temp\ifaysnkfcx.exe
      C:\Temp\ifaysnkfcx.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2692
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2832
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2516
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ifaysnkfcx.exe ups_ins
    3⤵
    PID:560
  - - C:\Temp\i_ifaysnkfcx.exe
      C:\Temp\i_ifaysnkfcx.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1496
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xvpnhcausm.exe ups_run
    3⤵
    PID:2780
  - - C:\Temp\xvpnhcausm.exe
      C:\Temp\xvpnhcausm.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:880
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3048
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:788
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xvpnhcausm.exe ups_ins
    3⤵
    PID:2928
  - - C:\Temp\i_xvpnhcausm.exe
      C:\Temp\i_xvpnhcausm.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1412
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mkecxrpjhb.exe ups_run
    3⤵
    PID:2840
  - - C:\Temp\mkecxrpjhb.exe
      C:\Temp\mkecxrpjhb.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2636
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2620
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1668
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mkecxrpjhb.exe ups_ins
    3⤵
    PID:2672
  - - C:\Temp\i_mkecxrpjhb.exe
      C:\Temp\i_mkecxrpjhb.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3068
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\gbvtnlgays.exe

Filesize
361KB

MD5
6f034a92a8f2288932a78d54377f6a4f

SHA1
56fb78aabaf3d92feb8a3bbb5e77206e260b42b6

SHA256
346b14cd2a33f96471f5ba36d4c94542d4206b13bc3c63c32f44b5a0c95d2452

SHA512
2e1429da18eb864bc24c3d104d0062522b18f3fa8996e778652e29f8bb587d58260c8dd89ca51cd8e2cb9cf8914b61e21533c864dd9f5c0b0ca10b1d8a75791f

Download Submit
C:\Temp\hczuomgezt.exe

Filesize
361KB

MD5
8b7440cb2e060c3697eee856e89249e4

SHA1
2e5d0ae194a0d0eeb747d8dd93d6dac802f90169

SHA256
2b7205307bdf8e9f599df429f6e3fda8999c5925247ff077616bfe0f8ed0438f

SHA512
8483975f6f5d305b702f5a075bad63ac26dae6447caf8c86c9d4ac7443c45b3f4df9aeab198e935597c75ab9992194b259a267e1f5e0a0686f361213801482a3

Download Submit
C:\Temp\i_gbvtnlgays.exe

Filesize
361KB

MD5
cddeb55a6643ab4d294f7ba165da23e6

SHA1
1b87c970b2df01177f2633a0b54a3b575593b2d9

SHA256
1e121738e0dae1e6af88ecc3b8759592dfb7b8ee9249f1243f5f903e69f2996d

SHA512
ca2289809ad2d7263a858e28544a2c92324c90bddd9a12eab48cc0c6219c5f342c8719b569084c1c7a166402090cb34f4f7511825a7795c8118dfd1e0d91a189

Download Submit
C:\Temp\i_hczuomgezt.exe

Filesize
361KB

MD5
9e3c48ec29e513d280ff595cbd2da12b

SHA1
a9a5d1ff26b8db11fdbac0c6febaa0f79c941a0f

SHA256
094c6c0384059dbf67b2f2088285af48da49e8cfade0fa38645507430a695f98

SHA512
667c8a038c5eb2a985d85e1e45e0e68c6bb88d79d8af4bc78c00b020c2b15f4950366d5fe7f0b98faead3723274a923bcd71037f699dfbf86ecb8bfc97159ef0

Download Submit
C:\Temp\i_jgbytnlgdy.exe

Filesize
361KB

MD5
d8cd6d3e4514d0f313da595aff9a50ad

SHA1
70ec7c2a667835e326c663e712bbd98983c0c2fe

SHA256
b8a6520274fda7197eaf1d353652a7c484f288dd88c6608ac90a5dd43278e655

SHA512
72391dffd4823a9486ff1b2e832661e909a81c2134e25c6019b17de41510a9b0ab0e483949feea39cbadb39d17c5478a575e960ff673c67b4cd2fcfab6eec24e

Download Submit
C:\Temp\i_smkecwrpjh.exe

Filesize
361KB

MD5
a21fb08b860f66a488e90218b293d50f

SHA1
6f5461e45bdb00e510be66220aa0d5d434ba3327

SHA256
e4f761bca36d821532ea82488433c61e0da5f8e0085d0eb37da08164c0816e7d

SHA512
7fa29d69ce42948c321c61ccb3f8e4aac1f6398df32fc50829928a79527544cabddb7bc5cd6a5bfb1ce5383c21c15e066779e2281623ae91be1ec32e5ef6c096

Download Submit
C:\Temp\i_uomgeytrlj.exe

Filesize
361KB

MD5
3b51491e611e1d1d0bee7dcb43dd7586

SHA1
1fd2538e0504efbe7783d98f97a4a94bc7eb4211

SHA256
b7b6871170c3b4d7a0990fc57fd38f617e615f05f10c012bc3004977243b0335

SHA512
9be612b687040f71d180217e5685d0d6d171e9734b5f8d41915e8f8d927a32e510ec162862c2cdd3b23b53bac9af576fdc1e215d81f294a7138ef21d6b6643ac

Download Submit
C:\Temp\i_vpnifausnk.exe

Filesize
361KB

MD5
9866be78dd64e0ce715e3d6bb50a6885

SHA1
2637062ccbdca08d214c4d7f89a17af97a86b592

SHA256
bfebaf0cf0be04b917af64032763607a16bae9cfaf84b46324147bbfa2e80e02

SHA512
4399aab00924a3756da8e9e1ad78372781fec536fe707d7c65e4e8b71dfd82ac7dbd98241fdae8509728c4cf020b0acbf9af174202782f1277d7e713d354c945

Download Submit
C:\Temp\i_xvpkhczuom.exe

Filesize
361KB

MD5
e8996deebd1a3718c7b12525a2fa4a72

SHA1
4f473b2d8d477d8ae18fbfaf3c2a716adc98d13d

SHA256
26fc27f49dc17f64bbc7c3c344f669e71831cd309e4f54890cdd3686f79cf6f8

SHA512
c24e721398a98f97d6cf100d73df4d770f9d8e83d323f6b4c8b4b8378dc90d3b585dc9a680640cfdff513859990c59bc4b75dbf33e20399fad76f9027fa0c4bc

Download Submit
C:\Temp\jgbytnlgdy.exe

Filesize
361KB

MD5
3ed683d2461db56601c20066ba7cc617

SHA1
4521a1fba0153b6bc095b90dcf07cb3cf6c97a10

SHA256
aaba0a809412b8c8ccbb7ce7705e4fb7d7ac489b6d547cd531fe911817f23945

SHA512
28a789afcf78b96f85ff5f67dc54a7f996dbf5d1d888e534ea1cf2d951ba8c297bec4d2852948adc159dc5e7127c72660b9a803e8ea58c46bbfc6658a778b619

Download Submit
C:\Temp\rljebwqojgbvtnlg.exe

Filesize
361KB

MD5
2dd0edadeb76bf31454ec46a2cc1c665

SHA1
3b327ac19040409989ee659e65f0551a01059570

SHA256
7fd1b561a6349243a7483682641cee692d61c67706d1a6f227ad63e905be27bf

SHA512
b0fff9b9b49634e5bdc1b4d2e5293deaec67b084a1057fc352edbad74b50f2fd8dd3c8b9bbda63b2f959e19697b3558d07a4d83afcf235e70f06e106f785cf29

Download Submit
C:\Temp\smkecwrpjh.exe

Filesize
361KB

MD5
ad9dc479f1d13018a3e861a221e59fe7

SHA1
4a7b01fd354bf4adc13175f68401b228b47efdad

SHA256
d440352ac1c3835ff041e965b9103feda4ad14e977420401704c975e624ccf59

SHA512
acec8f65127f13b46701607b5db54288764c51dbce7e8185d293854493b69166311650f190b20b960d8598b5e04db6aef676b291593e2975f55fdb1999e269f1

Download Submit
C:\Temp\sqlidxvqni.exe

Filesize
361KB

MD5
23c471415219ed517622427d5727abea

SHA1
7b4394800e23e65c9913d9ccbcb945d0674a5030

SHA256
5c4df7b797181b5f6ee18bad8c988d8e0b510e562fdef528ed93c3c2c1e9ad54

SHA512
93e1a15a92e96c3cf463221186593ceddb77f5ed23cf5cc967b5d58533d18d779df17a353d8c07c74df32fa7d910d4c1f50cb69338cc064c1e78d5e162e88cff

Download Submit
C:\Temp\uomgeytrlj.exe

Filesize
361KB

MD5
a075d110bf3c90149f6e93b0463c499a

SHA1
bee8e8a887062f0ea872a26c7c0379a6cc695140

SHA256
6ec12ef28f7ce9acafd3ec12e0b8164d6b67f85216b876f568e014f478b6dcf2

SHA512
8195da115e1e2f8f4f86195c21c501ebbe2cd6fb28c9e3d860891c7539db23fa9e0f1e637cf72947a35d9a20b41a7e002ac417e1fb183e91491e46d0fb6454dd

Download Submit
C:\Temp\vpnifausnk.exe

Filesize
361KB

MD5
f8c0e191d58979a384322db6c3b1fbd9

SHA1
0964fd81b33a545fbe166906c4ae5a413620a169

SHA256
a9d5a5b9f0127cc6a7feb28c0df887bc709a5c563d8020fc40e7c9f8f2cb4da2

SHA512
6d9538939064cc84f4e6ba16d7f1a52bd47bdfdc54e4c3f0fa1564be0b1e156d7d79d9e17c9757c17f15fb7758f287f9ce6734e1e205cf854f811c66e9e48afc

Download Submit
C:\Temp\xvpkhczuom.exe

Filesize
361KB

MD5
c2dd54afbec6d6e1887c1bf2b54e0b0c

SHA1
3617a37f35ac2e19773416359c08cb1bb5a8c665

SHA256
9d4f09ce18448e55e1f84ae196db798fccf5bbaedd3464b9fc2d7782fa2305b6

SHA512
827724e6e050b9758f2104c14bca8434b7697560a9d4d327095c7efd47776a15c639c9a44ad8a2b8ac9dd7b6721d6de5598a4cafda3487b6a474eaf1e3664a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85ad7c6a9ffc4b6b96920027a20be0b8

SHA1
6e32282d834bc59533413b9ef1b0a1b6bbca2f49

SHA256
d2b1fbadc3cac5daccd5fcab4bb7d0e6caceac6b2b61fd5584b9cd8c0f97d847

SHA512
a15d58d620cf858646d3ec9d6c0ce1d135308502dea02bcc883d14fc89b1faa9fa4f9fd7785368fd1cdae97ae2b4b4be1d3f35d8981cc9d8bde1a50fc7b10713

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b4725ddd96e0167bead6ee61e8ae8a8

SHA1
0cc4955ea1506c309e9d2e4167357c70000ac5c9

SHA256
fdb188e3677301eb83ea2ca9048f758a7455f5ad536fb654d5e5e0a9d2e195d8

SHA512
a129ba0199ba1e0d664ac7dbacda436fd47f7568cda65749c0403c4b526b7d6ac9e15f64061c1b1e579e2466e99e813889174bd63059bf3483df18d3e053a47c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
738f66cc197225180bd8bc6bbf12eefd

SHA1
b8ff69717a62bce07776ad03c52c2790d3602c4a

SHA256
f22fa5f54f6f824a01c19e17923bbb748b8e7f0999742711f3cd2bde484dd52b

SHA512
3ddb3f2c3588388ecc4c3bb25f1cc43b903ee73086cfc10524d8826596d5ef23734b2c719d64a244a9b8a0d1bc00737e06a64d20ea5dc3f2596128afae7e892c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a18b5b838b4851d790a1d4f8398649d

SHA1
0433bd99374ce14fbecd992db623b1b51c8a2c27

SHA256
76650b3460e6faf58ba1641eec22e90cc7eeec882a550a828ece0d6f19da4a07

SHA512
79511a5702b3fdc81208de07137833ea1d0ba576b08eb856ea974de74e0f3770f672679d47e837dbc726047cb5d988df99403b3e6859d57b051ee9be902ee792

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cd6c4cdfb567fdc16d8a382a0dbc388

SHA1
620aafd15340d25e26daa7f37d93aad2fe9bb262

SHA256
b8f45725757f9e585771eaf18c605e1c68bc6931efd182bd3ae1282d017b7e0b

SHA512
3e6228feab5c1ef7279edb399f4919fe2360b46ce239a719f0072305c766d1d2a9e068ca4c865809b482aad9d373721c22b174730fbd1d5e128b7390be83b62c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a5e29c4b808b358bb6395883c9880e3

SHA1
5226fe4cdc16f27ffdfa296286cfa0c91d4b7e73

SHA256
365064057e52bc860bf211128b3cab846d7869a7023cb239522e5ad988275403

SHA512
3d9409abfe87efeafc614b057fd462fc19cc2da7023eaa906b60772045f0d100ee9265ace5733f91078c102ae0b9e0f71c83e3dbd5d73e5da1a0fe4a94240096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
884faf4236a020c0260f0c05fd84ee79

SHA1
c28dff876da771cc990330aae7f55e7e27c960b3

SHA256
026c2643d0223b9e5aae812b909bc4ee2740e6e4606e6b6358b3c21efdbf6178

SHA512
f8e1d0964c1ad72a56cc453736a79cc4304b43cb5f7e4a625330ff7f8edea96c2ce2e1a8a0d0da48ca136b4fae8408e5651638963e39e52c614b882e5ae11bd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe249814ff8e81ee2723710ffe268d05

SHA1
424cb635996c436900123443084e2fbe5728901f

SHA256
ab3fbc3d2bad65b9ff51f0ae60d747ebd24d5571065d7ddfb4fd0fa8c887d5f1

SHA512
291ce4e7f9a0ac1f14a2e343f807cd289cd8900ed96f2f53a879318eff29824cf40a54c5aca58c4870ab68215e3f0873e2c5b07524ae3b14a15a330ff1f20916

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01692265f5ba8e3a04b2cde0de69db41

SHA1
a414b818131b01c4e08a9e554a4e24754debc30a

SHA256
9d5db67954d1e779518df8cdc8f9483c3b87f13cbd6d054e874fb9b80abfc3ed

SHA512
ede6af40a151be3b0f7eff507351682648a809ced8841eff958d489ed2a9307685417ab3101b534579426b501c99fe4596f7a197436bd2bc9e69d559eb714565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de14603baf3c75513147381649f71497

SHA1
ff33c84ad14174ac3986f3ada08d307924c51876

SHA256
8652c0bc6a1831556b2ce3bf951cb8ef94f21f19baab60b67e5b962e3b5ac8f6

SHA512
201735317b63c497c59129bcaa92a9a8b9633a79105146e8ea0bd1205a8c79619e133ae55bce2e7f770026f7deadb3ce724e92a8321ea56dd9ae31a66280fa10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c062e17a22b6aa362d74aa9a82663a31

SHA1
734088b48114710336436935910690f09afb0a18

SHA256
7a1ef7c0f6a232d99cbc5c584b17ea948ada6f8116f1a8c3779e6fbb12b6ff79

SHA512
a9c1d2f83cedbd652669355d43d1b57dff3cdc72fe2d231f4960d91cd69d6055ef93abb0c617db876fdbf24674128dfe5aa732f594b996f5823b449839f05aba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9968eb5d0b90451341fb8c0fbba8593

SHA1
470950467f1a93d0d8c4376b54d78f714e0a96b8

SHA256
93456624b922fc2306a2db1a0c16b0ac9bf772b54508cd767838c2f6f4cd1108

SHA512
09e78eab21bcced15398e53d89eb313692634ca9d2d1c057764b0ba5b05d85cee6264748acc40a2b40134c419eea7dcd15a0328fc2a06d23b12592d84f6a68fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2de596c927bd0c244bd657588365911

SHA1
1240fe593b2646032e4e4586add7bedac14c40e1

SHA256
b5d1e2049f4d15054f8ce3ff774ba0be8fa4cf0f044824cba918408e0dc39713

SHA512
09cd766d8c929450e40a94952372dda42a1af8044d21d59ed87f8d00b5a0439fcae3c6ccda614c8cffb2bb95965674f375954589720fe72a8616af497c04d533

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21f6ab1bd374b165bf099b0d7872e1d3

SHA1
28e0f42b2bc4dc3b23c1748d39a4b6421d17d277

SHA256
739e521c8ebe4adc9c0559f7e3365896e0d59e5028ee526e37c5af5c2318c026

SHA512
c2c989bdef470d659ecb4a12b07aaf7380ff448f08055fed3e43122fd6fdc6f77eeb694769c3a550572246c57a368208ec07bf2463644700e35e04359a17bc6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ef0e42f04496f3e2359f2c040cf4a75

SHA1
5362fa7f65dc27cd70c02a782ae6ebf302fe152e

SHA256
371a8f8ac2f8feb9b1fb509d22bf15e3d081ac81f661141e84266a6dd65901d3

SHA512
dc2dbcf0376b601307a5af7de7ef9c87bf6cfda3ca57347bf19b50f7078ed9ba474aec88845a35f2a8a525255cc0c7133b5d1602695b1e99e85c33fc647e1676

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adaffb764182dde0b82245c95dd9a29f

SHA1
1469328bee6efdf62bad6913a144797e04903e67

SHA256
abecca4a3708bdd42d0224a1091f604af83fb2e7e19498336625001f4d4aa1c4

SHA512
c95e88c84d687e043f5fc6ad733c7b645fa75996593469a0407798b0d9b79f786f5c5b35945b6ff5441bb01bffdadf95671ce23f921711340d0c32ce11d4b023

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD29C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD31D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
4b2fd011155c0d508b686e78a5b77056

SHA1
f96bcc328b9156e4f45384633d38e66c97cc9d80

SHA256
e8b39a644b864ebddae85edcf3c77234811f9c26466233fa2c09d41ccb04a027

SHA512
268c95cd3a2c8ac2bc2cd9b1066337dd9504c6a51eb4dda4ab3973e1917e4636c7fc802ecfe5d4cfd59883344f6f219e792e30da7f3cc7af5e7022992f8d4b52

Download Submit