c968f51619a2cbf00069de63e83f27257222212e2564c4d4a46a12851c24ba5a

Analysis

max time kernel
149s
max time network
137s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 14:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
Size

361KB
MD5

13cf0c7a5bd9b9fa1d17936e63107a2a
SHA1

9d8f29bcc9ef72047bf1c137e785d047e35ab416
SHA256

c968f51619a2cbf00069de63e83f27257222212e2564c4d4a46a12851c24ba5a
SHA512

7b378cb67a35a3c4a2a82e7625bf72ba347105ea5e8c9e574b4f72dc20a16e85b41efbb1037f343ddfe54c64d80bfcdaf00712f894192f3947fe384f45e045a2
SSDEEP

6144:9flfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:9flfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2192	lgaysqlfdxvqkica.exe
2588	CreateProcess.exe
3000	pkecwupjhb.exe
3056	CreateProcess.exe
612	CreateProcess.exe
2908	i_pkecwupjhb.exe
2348	CreateProcess.exe
1060	urmjeywroj.exe
112	CreateProcess.exe
1124	CreateProcess.exe
1316	i_urmjeywroj.exe
1688	CreateProcess.exe
1088	rojhbwtomg.exe
2492	CreateProcess.exe
2476	CreateProcess.exe
2296	i_rojhbwtomg.exe
2004	CreateProcess.exe
2432	jeywqojdbv.exe
2180	CreateProcess.exe
1976	CreateProcess.exe
1788	i_jeywqojdbv.exe
1332	CreateProcess.exe
1280	vtoigaysnl.exe
2688	CreateProcess.exe
2536	CreateProcess.exe
2032	i_vtoigaysnl.exe
2544	CreateProcess.exe
680	wqlivtnhfa.exe
400	CreateProcess.exe
1652	CreateProcess.exe
2340	i_wqlivtnhfa.exe
572	CreateProcess.exe
536	gavsnkfzxs.exe
1616	CreateProcess.exe
1636	CreateProcess.exe
1784	i_gavsnkfzxs.exe
1296	CreateProcess.exe
2904	vpnicausmh.exe
1588	CreateProcess.exe
1684	CreateProcess.exe
2940	i_vpnicausmh.exe
2232	CreateProcess.exe
2204	kfcxrpjhcw.exe
2176	CreateProcess.exe
2408	CreateProcess.exe
448	i_kfcxrpjhcw.exe
888	CreateProcess.exe
940	hcauomhezt.exe
976	CreateProcess.exe
1244	CreateProcess.exe
820	i_hcauomhezt.exe
2272	CreateProcess.exe
1332	wuojhbztom.exe
1144	CreateProcess.exe
2168	CreateProcess.exe
2820	i_wuojhbztom.exe
3016	CreateProcess.exe
1716	pjhbwtomgb.exe
400	CreateProcess.exe
300	CreateProcess.exe
2572	i_pjhbwtomgb.exe
1428	CreateProcess.exe
2660	eywqljdbvq.exe
744	CreateProcess.exe

Loads dropped DLL 62 IoCs

pid	Process
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
3000	pkecwupjhb.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
1060	urmjeywroj.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
1088	rojhbwtomg.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
2432	jeywqojdbv.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
1280	vtoigaysnl.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
680	wqlivtnhfa.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
536	gavsnkfzxs.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
2904	vpnicausmh.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
2204	kfcxrpjhcw.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
940	hcauomhezt.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
1332	wuojhbztom.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
1716	pjhbwtomgb.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
2660	eywqljdbvq.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
1984	bytnlgdysq.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
2796	tnlfdysqki.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
2204	icavsnhfzx.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
2528	avpnhfausm.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
1700	xspkicwupm.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
3068	mkecxrpjhb.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
1708	ezxrmjebwq.exe
2192	lgaysqlfdxvqkica.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icavsnhfzx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lgaysqlfdxvqkica.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pkecwupjhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	urmjeywroj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pjhbwtomgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnlfdysqki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avpnhfausm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rojhbwtomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtoigaysnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gavsnkfzxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hcauomhezt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xspkicwupm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeywqojdbv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqlivtnhfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpnicausmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kfcxrpjhcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuojhbztom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezxrmjebwq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eywqljdbvq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bytnlgdysq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mkecxrpjhb.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2992	ipconfig.exe
1600	ipconfig.exe
2320	ipconfig.exe
2328	ipconfig.exe
988	ipconfig.exe
1696	ipconfig.exe
2364	ipconfig.exe
892	ipconfig.exe
1756	ipconfig.exe
1916	ipconfig.exe
2056	ipconfig.exe
2652	ipconfig.exe
544	ipconfig.exe
2988	ipconfig.exe
792	ipconfig.exe
2308	ipconfig.exe
608	ipconfig.exe
1592	ipconfig.exe
324	ipconfig.exe
1980	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb00000000000200000000001066000000010000200000009fd1583eb98d69384a97424146d13d32fcac6e70675d25cec68c16e79e1eb4c1000000000e8000000002000020000000dc8d399ff81f1a029ed18592346cc9efb04cb9ef42637b36bde845dcf8c7f93720000000a564d3ac61717975f898477c6dd61468cc65a6cd3d36b37a9f28c41d709b6a294000000087ddcbed9e6d2683cd72b23f79978bbebc451e08bb634dc103eea4527fd42965faeaad3b8c8a1c4bf136733c2a9300716f89b0f16e348a7c8ab9105cb8c20947	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000525883f25a2504049545b6754d86a0bb99f14fbc8425c5854ee5fe4ef6af10e1000000000e80000000020000200000008034d134d60fc238ec28372f070df2215d2b470d1b828bae520ab2e259ffe24890000000878ea72e5af21f94021c5dda8940a06181ad789d716753dd77459d078825b89cb741b7124c8606cd067d6f37b58b9237b7b169daf1f19857f990071c173e59c843a14511fba32417fd794bbbd2b504e34d97948a92bc258f360588c8727b44102b64fa8041091c1f2018c11c599a07e455b55a54e18d5f52dac022a9c70eed62de8b78389377b6d12823a9dbf3453363400000008be762b06c2c06ce49c01eed140668e1a0b93af408b4f2facabd53a85395a2703210205c8506f0d9f3e3e001a13dd2d70cf8100d152a3e1805894221d8da36a2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b05ad82a6d16db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{539B7901-8260-11EF-AC29-D6FE44FD4752} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434215443"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
2192	lgaysqlfdxvqkica.exe
3000	pkecwupjhb.exe
3000	pkecwupjhb.exe
3000	pkecwupjhb.exe
3000	pkecwupjhb.exe
3000	pkecwupjhb.exe
3000	pkecwupjhb.exe
3000	pkecwupjhb.exe
2908	i_pkecwupjhb.exe
2908	i_pkecwupjhb.exe
2908	i_pkecwupjhb.exe
2908	i_pkecwupjhb.exe
2908	i_pkecwupjhb.exe
2908	i_pkecwupjhb.exe
2908	i_pkecwupjhb.exe
1060	urmjeywroj.exe
1060	urmjeywroj.exe
1060	urmjeywroj.exe
1060	urmjeywroj.exe
1060	urmjeywroj.exe
1060	urmjeywroj.exe
1060	urmjeywroj.exe
1316	i_urmjeywroj.exe
1316	i_urmjeywroj.exe
1316	i_urmjeywroj.exe
1316	i_urmjeywroj.exe
1316	i_urmjeywroj.exe
1316	i_urmjeywroj.exe
1316	i_urmjeywroj.exe
1088	rojhbwtomg.exe

Suspicious behavior: LoadsDriver 21 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	i_pkecwupjhb.exe
Token: SeDebugPrivilege	1316	i_urmjeywroj.exe
Token: SeDebugPrivilege	2296	i_rojhbwtomg.exe
Token: SeDebugPrivilege	1788	i_jeywqojdbv.exe
Token: SeDebugPrivilege	2032	i_vtoigaysnl.exe
Token: SeDebugPrivilege	2340	i_wqlivtnhfa.exe
Token: SeDebugPrivilege	1784	i_gavsnkfzxs.exe
Token: SeDebugPrivilege	2940	i_vpnicausmh.exe
Token: SeDebugPrivilege	448	i_kfcxrpjhcw.exe
Token: SeDebugPrivilege	820	i_hcauomhezt.exe
Token: SeDebugPrivilege	2820	i_wuojhbztom.exe
Token: SeDebugPrivilege	2572	i_pjhbwtomgb.exe
Token: SeDebugPrivilege	3012	i_eywqljdbvq.exe
Token: SeDebugPrivilege	752	i_bytnlgdysq.exe
Token: SeDebugPrivilege	2384	i_tnlfdysqki.exe
Token: SeDebugPrivilege	1468	i_icavsnhfzx.exe
Token: SeDebugPrivilege	684	i_avpnhfausm.exe
Token: SeDebugPrivilege	2996	i_xspkicwupm.exe
Token: SeDebugPrivilege	3036	i_mkecxrpjhb.exe
Token: SeDebugPrivilege	1564	i_ezxrmjebwq.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2060	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2060	iexplore.exe
2060	iexplore.exe
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2192	2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2192	2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2192	2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2192	2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2060	2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2060	2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2060	2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2060	2352	13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe	31
PID 2060 wrote to memory of 2664	2060	iexplore.exe	32
PID 2060 wrote to memory of 2664	2060	iexplore.exe	32
PID 2060 wrote to memory of 2664	2060	iexplore.exe	32
PID 2060 wrote to memory of 2664	2060	iexplore.exe	32
PID 2192 wrote to memory of 2588	2192	lgaysqlfdxvqkica.exe	33
PID 2192 wrote to memory of 2588	2192	lgaysqlfdxvqkica.exe	33
PID 2192 wrote to memory of 2588	2192	lgaysqlfdxvqkica.exe	33
PID 2192 wrote to memory of 2588	2192	lgaysqlfdxvqkica.exe	33
PID 3000 wrote to memory of 3056	3000	pkecwupjhb.exe	36
PID 3000 wrote to memory of 3056	3000	pkecwupjhb.exe	36
PID 3000 wrote to memory of 3056	3000	pkecwupjhb.exe	36
PID 3000 wrote to memory of 3056	3000	pkecwupjhb.exe	36
PID 2192 wrote to memory of 612	2192	lgaysqlfdxvqkica.exe	39
PID 2192 wrote to memory of 612	2192	lgaysqlfdxvqkica.exe	39
PID 2192 wrote to memory of 612	2192	lgaysqlfdxvqkica.exe	39
PID 2192 wrote to memory of 612	2192	lgaysqlfdxvqkica.exe	39
PID 2192 wrote to memory of 2348	2192	lgaysqlfdxvqkica.exe	41
PID 2192 wrote to memory of 2348	2192	lgaysqlfdxvqkica.exe	41
PID 2192 wrote to memory of 2348	2192	lgaysqlfdxvqkica.exe	41
PID 2192 wrote to memory of 2348	2192	lgaysqlfdxvqkica.exe	41
PID 1060 wrote to memory of 112	1060	urmjeywroj.exe	43
PID 1060 wrote to memory of 112	1060	urmjeywroj.exe	43
PID 1060 wrote to memory of 112	1060	urmjeywroj.exe	43
PID 1060 wrote to memory of 112	1060	urmjeywroj.exe	43
PID 2192 wrote to memory of 1124	2192	lgaysqlfdxvqkica.exe	46
PID 2192 wrote to memory of 1124	2192	lgaysqlfdxvqkica.exe	46
PID 2192 wrote to memory of 1124	2192	lgaysqlfdxvqkica.exe	46
PID 2192 wrote to memory of 1124	2192	lgaysqlfdxvqkica.exe	46
PID 2192 wrote to memory of 1688	2192	lgaysqlfdxvqkica.exe	48
PID 2192 wrote to memory of 1688	2192	lgaysqlfdxvqkica.exe	48
PID 2192 wrote to memory of 1688	2192	lgaysqlfdxvqkica.exe	48
PID 2192 wrote to memory of 1688	2192	lgaysqlfdxvqkica.exe	48
PID 1088 wrote to memory of 2492	1088	rojhbwtomg.exe	50
PID 1088 wrote to memory of 2492	1088	rojhbwtomg.exe	50
PID 1088 wrote to memory of 2492	1088	rojhbwtomg.exe	50
PID 1088 wrote to memory of 2492	1088	rojhbwtomg.exe	50
PID 2192 wrote to memory of 2476	2192	lgaysqlfdxvqkica.exe	53
PID 2192 wrote to memory of 2476	2192	lgaysqlfdxvqkica.exe	53
PID 2192 wrote to memory of 2476	2192	lgaysqlfdxvqkica.exe	53
PID 2192 wrote to memory of 2476	2192	lgaysqlfdxvqkica.exe	53
PID 2192 wrote to memory of 2004	2192	lgaysqlfdxvqkica.exe	55
PID 2192 wrote to memory of 2004	2192	lgaysqlfdxvqkica.exe	55
PID 2192 wrote to memory of 2004	2192	lgaysqlfdxvqkica.exe	55
PID 2192 wrote to memory of 2004	2192	lgaysqlfdxvqkica.exe	55
PID 2432 wrote to memory of 2180	2432	jeywqojdbv.exe	57
PID 2432 wrote to memory of 2180	2432	jeywqojdbv.exe	57
PID 2432 wrote to memory of 2180	2432	jeywqojdbv.exe	57
PID 2432 wrote to memory of 2180	2432	jeywqojdbv.exe	57
PID 2192 wrote to memory of 1976	2192	lgaysqlfdxvqkica.exe	60
PID 2192 wrote to memory of 1976	2192	lgaysqlfdxvqkica.exe	60
PID 2192 wrote to memory of 1976	2192	lgaysqlfdxvqkica.exe	60
PID 2192 wrote to memory of 1976	2192	lgaysqlfdxvqkica.exe	60
PID 2192 wrote to memory of 1332	2192	lgaysqlfdxvqkica.exe	62
PID 2192 wrote to memory of 1332	2192	lgaysqlfdxvqkica.exe	62
PID 2192 wrote to memory of 1332	2192	lgaysqlfdxvqkica.exe	62
PID 2192 wrote to memory of 1332	2192	lgaysqlfdxvqkica.exe	62

C:\Users\Admin\AppData\Local\Temp\13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13cf0c7a5bd9b9fa1d17936e63107a2a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Temp\lgaysqlfdxvqkica.exe
  C:\Temp\lgaysqlfdxvqkica.exe run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pkecwupjhb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2588
  - - C:\Temp\pkecwupjhb.exe
      C:\Temp\pkecwupjhb.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3056
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2328
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pkecwupjhb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:612
  - - C:\Temp\i_pkecwupjhb.exe
      C:\Temp\i_pkecwupjhb.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2908
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\urmjeywroj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2348
  - - C:\Temp\urmjeywroj.exe
      C:\Temp\urmjeywroj.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:112
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:792
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_urmjeywroj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1124
  - - C:\Temp\i_urmjeywroj.exe
      C:\Temp\i_urmjeywroj.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1316
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rojhbwtomg.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1688
  - - C:\Temp\rojhbwtomg.exe
      C:\Temp\rojhbwtomg.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2492
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2992
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rojhbwtomg.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2476
  - - C:\Temp\i_rojhbwtomg.exe
      C:\Temp\i_rojhbwtomg.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2296
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jeywqojdbv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2004
  - - C:\Temp\jeywqojdbv.exe
      C:\Temp\jeywqojdbv.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2180
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:988
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jeywqojdbv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1976
  - - C:\Temp\i_jeywqojdbv.exe
      C:\Temp\i_jeywqojdbv.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1788
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vtoigaysnl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1332
  - - C:\Temp\vtoigaysnl.exe
      C:\Temp\vtoigaysnl.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1280
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2688
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2308
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vtoigaysnl.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2536
  - - C:\Temp\i_vtoigaysnl.exe
      C:\Temp\i_vtoigaysnl.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2032
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wqlivtnhfa.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2544
  - - C:\Temp\wqlivtnhfa.exe
      C:\Temp\wqlivtnhfa.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:680
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:400
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:608
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wqlivtnhfa.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1652
  - - C:\Temp\i_wqlivtnhfa.exe
      C:\Temp\i_wqlivtnhfa.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2340
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gavsnkfzxs.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:572
  - - C:\Temp\gavsnkfzxs.exe
      C:\Temp\gavsnkfzxs.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:536
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1616
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1696
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gavsnkfzxs.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1636
  - - C:\Temp\i_gavsnkfzxs.exe
      C:\Temp\i_gavsnkfzxs.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1784
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vpnicausmh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1296
  - - C:\Temp\vpnicausmh.exe
      C:\Temp\vpnicausmh.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2904
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1588
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1916
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vpnicausmh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1684
  - - C:\Temp\i_vpnicausmh.exe
      C:\Temp\i_vpnicausmh.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2940
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kfcxrpjhcw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2232
  - - C:\Temp\kfcxrpjhcw.exe
      C:\Temp\kfcxrpjhcw.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2204
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2176
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2056
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kfcxrpjhcw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2408
  - - C:\Temp\i_kfcxrpjhcw.exe
      C:\Temp\i_kfcxrpjhcw.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:448
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hcauomhezt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:888
  - - C:\Temp\hcauomhezt.exe
      C:\Temp\hcauomhezt.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:940
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:976
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1600
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hcauomhezt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1244
  - - C:\Temp\i_hcauomhezt.exe
      C:\Temp\i_hcauomhezt.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:820
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wuojhbztom.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2272
  - - C:\Temp\wuojhbztom.exe
      C:\Temp\wuojhbztom.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1332
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1144
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1592
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wuojhbztom.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2168
  - - C:\Temp\i_wuojhbztom.exe
      C:\Temp\i_wuojhbztom.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2820
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pjhbwtomgb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3016
  - - C:\Temp\pjhbwtomgb.exe
      C:\Temp\pjhbwtomgb.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1716
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:400
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2652
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pjhbwtomgb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:300
  - - C:\Temp\i_pjhbwtomgb.exe
      C:\Temp\i_pjhbwtomgb.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2572
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\eywqljdbvq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1428
  - - C:\Temp\eywqljdbvq.exe
      C:\Temp\eywqljdbvq.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2660
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:744
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:544
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_eywqljdbvq.exe ups_ins
    3⤵
    PID:1496
  - - C:\Temp\i_eywqljdbvq.exe
      C:\Temp\i_eywqljdbvq.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3012
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bytnlgdysq.exe ups_run
    3⤵
    PID:2876
  - - C:\Temp\bytnlgdysq.exe
      C:\Temp\bytnlgdysq.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1984
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1784
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2988
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bytnlgdysq.exe ups_ins
    3⤵
    PID:2356
  - - C:\Temp\i_bytnlgdysq.exe
      C:\Temp\i_bytnlgdysq.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:752
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tnlfdysqki.exe ups_run
    3⤵
    PID:1296
  - - C:\Temp\tnlfdysqki.exe
      C:\Temp\tnlfdysqki.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2796
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2520
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2320
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tnlfdysqki.exe ups_ins
    3⤵
    PID:2940
  - - C:\Temp\i_tnlfdysqki.exe
      C:\Temp\i_tnlfdysqki.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2384
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icavsnhfzx.exe ups_run
    3⤵
    PID:1800
  - - C:\Temp\icavsnhfzx.exe
      C:\Temp\icavsnhfzx.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2204
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2936
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2364
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_icavsnhfzx.exe ups_ins
    3⤵
    PID:2072
  - - C:\Temp\i_icavsnhfzx.exe
      C:\Temp\i_icavsnhfzx.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1468
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\avpnhfausm.exe ups_run
    3⤵
    PID:1232
  - - C:\Temp\avpnhfausm.exe
      C:\Temp\avpnhfausm.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2528
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1528
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:892
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_avpnhfausm.exe ups_ins
    3⤵
    PID:2552
  - - C:\Temp\i_avpnhfausm.exe
      C:\Temp\i_avpnhfausm.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:684
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xspkicwupm.exe ups_run
    3⤵
    PID:1760
  - - C:\Temp\xspkicwupm.exe
      C:\Temp\xspkicwupm.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1700
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2852
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1756
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xspkicwupm.exe ups_ins
    3⤵
    PID:3060
  - - C:\Temp\i_xspkicwupm.exe
      C:\Temp\i_xspkicwupm.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2996
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mkecxrpjhb.exe ups_run
    3⤵
    PID:1688
  - - C:\Temp\mkecxrpjhb.exe
      C:\Temp\mkecxrpjhb.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3068
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2280
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:324
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mkecxrpjhb.exe ups_ins
    3⤵
    PID:2968
  - - C:\Temp\i_mkecxrpjhb.exe
      C:\Temp\i_mkecxrpjhb.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3036
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ezxrmjebwq.exe ups_run
    3⤵
    PID:1264
  - - C:\Temp\ezxrmjebwq.exe
      C:\Temp\ezxrmjebwq.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1708
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1444
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1980
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ezxrmjebwq.exe ups_ins
    3⤵
    PID:2076
  - - C:\Temp\i_ezxrmjebwq.exe
      C:\Temp\i_ezxrmjebwq.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1564
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\gavsnkfzxs.exe

Filesize
361KB

MD5
2894579ddc1ccafdab5d56449fad4414

SHA1
cb428aa270dd81b61284c142c7a21bf5bd55d1e0

SHA256
09c7fab1afd9c9eec7805f02cca4b0bdc48b07f6839a27ea87566b9587583e6d

SHA512
43836d5335f54a38eff2d3aa49fca786b585cf5c0a1fcb1937d67379934418f01a80ee4d76b3afd7f6e5c12146f8f9c08b62a0a4864ea0414924f8dd17b2be2e

Download Submit
C:\Temp\i_gavsnkfzxs.exe

Filesize
361KB

MD5
9c19f3a7228c4408e81648fd07c05dac

SHA1
0dba8d65b2f04d1144e05d6d8cf9dbaff06c1c85

SHA256
a6aefed4a37ffa8f6b8aa9b47ded2ef9fc9573515b83a08bd0fc077068abeddd

SHA512
e444f9a4d3fb82c11f97594585505eb7f84c2c0eb85348a7220255904b76223d93eaeada20bcece9680b2a223fbaa6e3321c29883c40cc815e2645a7ebbced68

Download Submit
C:\Temp\i_jeywqojdbv.exe

Filesize
361KB

MD5
0b4c1e83c9c7615c460f1fc7e5dd2d0b

SHA1
053b4118f4d1252c3e8f29e09e06182564611d28

SHA256
dff6093307347e0fad96f7c3754658f073faf7714b4adcfda4b32426268ee916

SHA512
9498ff983e20bcf85ac5ae34642a185043d58a224c2e0386af11965bb799001627aa3ec248d39fde8a31ca15c7cee69072f59fef0597ac4c9be012266c0baa41

Download Submit
C:\Temp\i_pkecwupjhb.exe

Filesize
361KB

MD5
b2818afc3778ca32ae24c4c249f384fb

SHA1
e292636384ce4df69eb16d4c4a122106f41a7ecf

SHA256
bf688f3db9db6050049d0c05651b93f06d73b2da68dd6b553dfa77bcaff42369

SHA512
9f217f72a1f0f53e19e13cfa0918201aa37c823a0fb308d2d784fe1d3a2494c55e1426aa0e2e6c29e4a7ff475573c43764942ac09a54d01d39b81a0c675a6e41

Download Submit
C:\Temp\i_rojhbwtomg.exe

Filesize
361KB

MD5
f70905592f751c0fa17391ae2d336080

SHA1
2380a657a744028d9fb6093c8b85ff46f63235a0

SHA256
9218cbbfe8592d3000cc4ac894c8f78be978566498e76da0f3a4a203809c05a8

SHA512
4ad5891d463831e48dfc67e61eb88cf557753296145bda6d6fed15e2c06956bd372f02a2725b9e1a4618de8457041ec235bc6d1ecbd3f8d39f62658692b50c16

Download Submit
C:\Temp\i_urmjeywroj.exe

Filesize
361KB

MD5
b0dede7ca4b2b38674160e9d9d35d343

SHA1
49f36e41133c87943e20129448ad026b02d582e1

SHA256
518fbcf342f267489b67fb907a635796e93d8e8e940ee70acf534d41054a3ef6

SHA512
b681d5e03de7e3e3ebcd117bc323814585eebde9703977093f5475b871158e6c4ad584d53225542e3eee21d342694521619fcf92a19a5043b4889cc2d4150bc3

Download Submit
C:\Temp\i_vtoigaysnl.exe

Filesize
361KB

MD5
c78782eff105e2edf99367ac7a56fc0c

SHA1
8583302ffcbd5f229b2f67d1febf2901e89afdc6

SHA256
9122a25884c1f2e35e9c52b74f5f142d241f164e1a9fe20de4b433d88633335a

SHA512
0e6c104b9d9ce01f8b0bc97c24800602af565a70cafa2422fed189225c2a20776b021ebbc69356055330a3726e020aff0b459e34dbfcd5c278ae8f7ed67f78fa

Download Submit
C:\Temp\i_wqlivtnhfa.exe

Filesize
361KB

MD5
1b150bfb0ad9b36018dc249323caf697

SHA1
e95448e44f654b998978f1ef386d2b69533d830f

SHA256
15d4257ea5e96858afcd7fb853c577cf43363e0f5b63aac0ce9236b8c6daff35

SHA512
055034a0ec721c6159af8161f5890406275f31cda8bb6dd79d2d52bed6a87ade88bf3ee7abe9b81255feadfc665b5418db11ac70d1752ad1e48c3721548113a3

Download Submit
C:\Temp\jeywqojdbv.exe

Filesize
361KB

MD5
7b3342e4f01b0d57c8d05325235447f3

SHA1
7f07943326985e6ba89ebef0bf307156587ee2b1

SHA256
39abb26f81538427db0ae197553c3de45df71483bc30cebdb6ac475dbe86b317

SHA512
50f0a8c1d95be65dc83f89e9f33d97472488b7744db8c63d2eb9541ec8e109c158c12ec6d05c9c889e91a2d6c77b0518b9798e34df5855a81e3a2fb1e27d2f5d

Download Submit
C:\Temp\pkecwupjhb.exe

Filesize
361KB

MD5
5884744c0566f53eafd03486f6d6a3ed

SHA1
7a15dd9f33c20b10abb43b0bfe4f219980e4c88a

SHA256
d324688f50933e64187414a44273ec2fa0fc806cd2980e55ae70c4b478ce963d

SHA512
d86637e096a2eb8a7bd93312d7b5e26b0d23c1ae208ba330cc70c248c00f222c25e5434f730993bcae9e5fe69ea5cd3e1ac868a166885aa8d166eb2b467f216e

Download Submit
C:\Temp\rojhbwtomg.exe

Filesize
361KB

MD5
88251a2e7973b5054a1491c76bcc3653

SHA1
467e4d6bc6a720941518fdf54dc2f94eac0eb3ea

SHA256
4f9e6205b0c16169fe4df97262dac356cc5e20a6a6f313094e198e97739f8f38

SHA512
362ee94d1d839cdfb7998d9f70755d8827b146e0324f1c14b3b89d9171cbb8af319ed91a8b0a91239a68a371a3494ef9fb1bd946b6d223b37a6c8de755764b6c

Download Submit
C:\Temp\urmjeywroj.exe

Filesize
361KB

MD5
505e7e3e11fe5799634e1eba23b0b36d

SHA1
c4fc3755d848a2c5be3384f43378aa942f5af641

SHA256
a05fc47318e1e8a5b56f3e687bec4407675de9499c49857f66285cf2334ba6cd

SHA512
02b9049152d93e6567de0bed50591837914f98468eff83a32281665d48ec1ec020a319aa361d00d1b66d2b3330862f15140315569c970b268fd532d8951b44ad

Download Submit
C:\Temp\vpnicausmh.exe

Filesize
361KB

MD5
c2edf3c4a548de57611222f5e78a88f8

SHA1
415da24b6ca595fcda72f8a8deffaedcbabf1a41

SHA256
ed6eb9f0830df5f47fc24abd2f6f5e95152f96da6eae0f65dcc982e138111f42

SHA512
57cd1be3ea135fc574cc05ea624dd13ff5344efdf88f147fb4dca91f294b77952a9dd1c52bf0065d67d5682af80d7973e02767184f3edb4ca4ca7232acde5506

Download Submit
C:\Temp\vtoigaysnl.exe

Filesize
361KB

MD5
daab80da944dd6a135dfe87a11d20421

SHA1
fbfbd10cc0294f5a530f32ca33a746d8bcfce9d6

SHA256
57c1d1cd47b4d4c17f7cdb6b8b15fbd6594e4f1d2ed5fbe2b8966a5028962743

SHA512
1ddc93647895c0840f2d5c47cf69c315baa058e7c93d15852f57f7b69895b50f030aca4d8cae57cbdafcc21c18aa6e0902c3e1a1052f62f2a879f969856fcfa3

Download Submit
C:\Temp\wqlivtnhfa.exe

Filesize
361KB

MD5
4f1fea67aa200eace54b52fb12fff040

SHA1
b4b839f4fed51a20d8016eeddb81d547508122fa

SHA256
95c6fb27b6a35b886cb746fa7c3ffe55c0102c729f9ce8c8f51b0c3177ef9eb5

SHA512
6f54d6e1820b22d19bd478fac5742789c783a9a71a6a41a1635a5aaa6ce08ab18e01538f46b249d5a91f5bfd79f81aadeefd18a1684ff6a245b012b2ece05954

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dc7d643c366591aea3819af417396c1

SHA1
2935031718d753a9dc319137c84945e52c46b0f3

SHA256
4a9ae516b2a08d925b0c9c2832cc8400f32ed498d2c22b32b379159dd8bb44ed

SHA512
604a18de63426febfe5ec482460081f4d404585680f81aaf1289183dca6076cfa09eed358f30f91752e1fe6cce356e4f48cce1dc37937b8d2219aeaf4206759d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4d4a3b30bf2976d646b8b1da7adfe1e

SHA1
6d1edc905ddb1c4025d6be3c5631303146ab79c3

SHA256
a1ac78dea1c5170f05b01eacf2e978c02b4f1bed8e087824b765da62d994eb3e

SHA512
e45a3c718368fb06e280bbfc7c004f8af510e04fcc27f5a677efac8cc7058e225347c9c654c8b0f5bb5c587cc4176d53c82a01e41315ba2c41075c241cbdea90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f012463b4c035d2cff208753995b4b1

SHA1
8cf3e9263b0ba16e05bf50bf4a2e6ff13630e31e

SHA256
a026b0ed4e76dc617b43ef4b8a920dd5db23d532ed5e13fee1d690caf74752cb

SHA512
c7df1e1baa49429f4c8d0c5af493ccfad0dffbe9e8aa7bf3d5d8603b2e4ab4c28e399e3ac6118bc6e923d71eb5b9360ac833db8fc8eb49e07bd4c23125ee4dff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd40a83ac0982014f208fe97d7f6ecf7

SHA1
41539f765ab0bc8e7067dec2f020e09c74b12fe1

SHA256
71618d90c81865d28e90f4e37411feae463a286151fc833e718983f666414582

SHA512
2d57ee5c9baa646f765d70e4ca321a2a27cf9ceabb9c6bb85dcc97ad60ee87e1df7453a40ed0b19b8f0fb18cd322e25b30f219b2751fc1806fea4b3b2d00ff00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1c68775348d299a0ee96126d714de2d

SHA1
0af8d8e1c1ef0854175a16cd4a461abac19a2320

SHA256
e7cbff96938b617b5184acc45e62a5dcfc260b500bda4d8915b7b6aca390624c

SHA512
3eb2a75c5232545c94108f5bca36efe2f417eaa2d24f21953cd999b7564c4396465bd248b27c3751f46a559e61bfa5af98ef6c0580971e4206caacdf8d828955

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02e3d13f0c5aa7ca79156f368cdc6b3b

SHA1
e799ee226926fedd6133fb842a7348f9b7dd90bb

SHA256
f931a526a884e964b11f6b86e38e34a366e0c8e2a9e490453ad72cb177678ad7

SHA512
6b4477908a82b28108ac7d5f4280ee7610fdb96d114826bfea14cc9f12fcdfdcc3d8d0885edea686fd57219273db9813d4e86903e3c8bcab8e485d3c6f169717

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bddee01fe8ec01edea48c52b57a529ab

SHA1
9c8eecd5181b9fbfde414f297ee1187d61bd2b5e

SHA256
73cd3b08dbb9e2bb02be996a17aa5fdc700106c8ea58a7ce51c3daecc9b84cfe

SHA512
5359dec6e271886ab717c5ec91f7f335e00c5c7df67828c3b6d26810f7bb99e63338d47a746d51a037194243f340c20f5dabf7bf9c0b6496b4e83d6266181430

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f7d93c71121f52dab4f2659cada9f8b

SHA1
c4b3107966aaaa1da916b34e2cdcc76abcd72177

SHA256
0c2b43e098745e39531b351b213019e77aac39ef38979bc05d0efce1c9c14275

SHA512
9ff15cf49731668b2e01531b10554ba72692f9ed390de28e9c581de0a34ba9095eb2fdddf91368195294739be14ac61f6ebc3008754579755f770b57c214431f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c23f063a50e32f26d13aabfd0c2a1d9c

SHA1
5cd73f9eee3013ac09dad756d31468b8d32c3f81

SHA256
7a37e8ceb449bf7545366dded62586a05255e5674b7a3bcb0127c12dd806fa62

SHA512
1122a23f2c17190a64ab5ba2d26a4fe3a23515c9db800ac4bd88c8a339be49820927c9526e7daf17c7317533a66f2f50178c4619bddc161e08b4a580e7e4d399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f156c3f6e7c1a74e35339f0dae9196e

SHA1
52f8013ff22e084fcff542ada4f6f6cc78f76f2e

SHA256
02d59261269d468cb1d7ecf0e5d204e9967388e3e5ed24ab11ef53fdde6cdad1

SHA512
8b247138bd7e690e94ca8b2aa89395ecf1610d005659b32d0e75044d134b8dc9a5173d4bbeeb54e79e8f9ae6dc4b1126b172a73517b0976b1fe56a2d0d44f04e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a76a4b6ae1d218fc230c88a7e7adf33d

SHA1
1c7df5f24b0cc1a0bfb5ad47ed3217dca6098b92

SHA256
f1a3d7f4d2c0d04d35bff95402b77fe28f9f3d41a8be1dcd7f8df9b79df594e0

SHA512
2682cb0d3c1f37d4f1ae08bc3dc038a402d767e95be60c0b7e264aacb3bb256a92eefe6f51bff071c12848a88799815faf20a304e4ef8f79773feda2f3ea14ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
264ce6304fdf84b85bf59c19e883fc6a

SHA1
cce4ef9b60e5bce7b5e06d47c7573723f83a19f1

SHA256
1bdc10c3d8a73768339c0e84fab4a1e882336348c1141ac6520222274c00c0f6

SHA512
54b9c011ccffdbd255a8aded921e9f1d761f71d494c094568a67aa379be5728cc9578fc992e4b1d11d77424a968529a429b7f8cf5dc77f09887103643b9466e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d972f93ff258ebcd0bcbc980408d9d09

SHA1
dc3ea1a87c5adc955a3eef43db829a3db0928c6d

SHA256
0025a7323b7f17479286280b46b4c9623fc2fda92bee6b0e758c5e076108f621

SHA512
f76e92c3a2a3ad98f25001f72c2a73984b7e93a1e58678b85f657108ad6dea6f2a9876b6b7bfc29fcb7e14561fc4adf75b1d089d6e4816e31fc9f847ebadf676

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb7141249c77bcd4eb1d81090b7e5fbf

SHA1
43ae04530b24e1f808b8fc633fa3193bfa19dbf0

SHA256
64652b0c4179f273d7bc56a945384bbd2cc0d4bf639d38fcedbd3f5e8f6f4eb1

SHA512
a3648b3be1bad8b4789653d4a4d97e8cb7fc20f80e19ea807ca73a8a02386f3ac9e826e875d37d2a05fc8b7102b4565b3d01fd9e95f9dc113efbd41cf549e913

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9a064c9a4857e960a9ee2e781e07a02

SHA1
01af4b56fc8c54f5630f0a50900ae53c4afac57e

SHA256
a74e23da446a7dfc792390a70036f5ea67b377851dc83c7d8247d905d525932c

SHA512
5c6e5ca99a8d37362a8ec1ce503f980419963940ebbbfec56f335c49e8af0828414e8d116171f14cc2b52938417eb976583ee234a64bde8e783262321751e16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab39B9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3A48.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
15114f5a68744d242811893e22eb3897

SHA1
9840b95c6366c392ef1cad6b25fb7099bebfc358

SHA256
2c5ea8275f6bf52f2cad56690ffa7ed156dad01a4596786b0f33775cb71bb206

SHA512
b1a2f361e6bd800a4072e008a0883e33fb94bb12140920c239243e52cc26b5e4deb34e692fec8ead5d4aaab1ff05fc01daa9418beebe9f921b4ef656a3c391ea

Download Submit
\Temp\lgaysqlfdxvqkica.exe

Filesize
361KB

MD5
4740a06390882da7de704f69d1c32193

SHA1
55cb6c07ac0dc58e269238d3f80be0dbe017b998

SHA256
4dabf8c08a6e06391b380233eac7a31ad5a5999fc468d52c04ef40333458dd9c

SHA512
2c9a2bc99562be81e373b77d2bd3d2c512f8a5228082a8d6182727e256fb94078393845b50be4a699d95ca5af5f280cccfdda3183b08c163a0e74056f2c31c52

Download Submit