c0f4fb8eb62234d4b2255d87e647295c6dd905d4cfd01df5a3b278903fc49c4f

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
Size

361KB
MD5

15ae8f17b13074ebd092129e5c23ddc7
SHA1

7ebce4f6781329628c6eb8322f28bf99982e6a39
SHA256

c0f4fb8eb62234d4b2255d87e647295c6dd905d4cfd01df5a3b278903fc49c4f
SHA512

ac8b4cbbd795481e32896c1ee380cedbaced134455158f6470ed403dca14a07365cfc8fe6cb9cc6d4bedc9108af8c4a39c98594522c318067a109df6ce92f4ea
SSDEEP

6144:kflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:kflfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1944	mjecwqojgbvtolga.exe
2552	CreateProcess.exe
3048	qnigavsnkf.exe
2028	CreateProcess.exe
640	CreateProcess.exe
2992	i_qnigavsnkf.exe
1976	CreateProcess.exe
2528	xsqkicxupn.exe
2452	CreateProcess.exe
1960	CreateProcess.exe
1928	i_xsqkicxupn.exe
1752	CreateProcess.exe
1684	kecxrpjhcw.exe
2204	CreateProcess.exe
856	CreateProcess.exe
2424	i_kecxrpjhcw.exe
1696	CreateProcess.exe
980	ecomhbztrl.exe
2516	CreateProcess.exe
1708	CreateProcess.exe
1912	i_ecomhbztrl.exe
2584	CreateProcess.exe
2780	uomgeztrlj.exe
532	CreateProcess.exe
3064	CreateProcess.exe
568	i_uomgeztrlj.exe
2592	CreateProcess.exe
3036	geywrljdbv.exe
2664	CreateProcess.exe
1804	CreateProcess.exe
2808	i_geywrljdbv.exe
892	CreateProcess.exe
2448	vtolgaysql.exe
1940	CreateProcess.exe
2916	CreateProcess.exe
3024	i_vtolgaysql.exe
1760	CreateProcess.exe
848	tnlgdysqki.exe
1796	CreateProcess.exe
1036	CreateProcess.exe
2120	i_tnlgdysqki.exe
2124	CreateProcess.exe
2232	idavtnhfax.exe
2144	CreateProcess.exe
684	CreateProcess.exe
2524	i_idavtnhfax.exe
1960	CreateProcess.exe
1848	vsnkfzxspk.exe
1544	CreateProcess.exe
356	CreateProcess.exe
2468	i_vsnkfzxspk.exe
2212	CreateProcess.exe
2092	kicaupmhfz.exe
2552	CreateProcess.exe
1500	CreateProcess.exe
2016	i_kicaupmhfz.exe
3044	CreateProcess.exe
2592	hfzxrmkecw.exe
640	CreateProcess.exe
2808	CreateProcess.exe
2908	i_hfzxrmkecw.exe
2448	CreateProcess.exe
1080	zurmgezwrl.exe
1464	CreateProcess.exe

Loads dropped DLL 62 IoCs

pid	Process
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
3048	qnigavsnkf.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
2528	xsqkicxupn.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
1684	kecxrpjhcw.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
980	ecomhbztrl.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
2780	uomgeztrlj.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
3036	geywrljdbv.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
2448	vtolgaysql.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
848	tnlgdysqki.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
2232	idavtnhfax.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
1848	vsnkfzxspk.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
2092	kicaupmhfz.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
2592	hfzxrmkecw.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
1080	zurmgezwrl.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
2320	ojhbztomge.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
2168	dbwtoigbyt.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
1908	bwqoigbvtn.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
1304	qlfdyvqkic.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
2984	gavsnlfzxs.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
2660	dxvqkicsmh.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
3052	snkfzxrpke.exe
1944	mjecwqojgbvtolga.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xsqkicxupn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kecxrpjhcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnlgdysqki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qlfdyvqkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gavsnlfzxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zurmgezwrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojhbztomge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbwtoigbyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxvqkicsmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mjecwqojgbvtolga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geywrljdbv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtolgaysql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idavtnhfax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsnkfzxspk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kicaupmhfz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qnigavsnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecomhbztrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uomgeztrlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hfzxrmkecw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwqoigbvtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snkfzxrpke.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
704	ipconfig.exe
2028	ipconfig.exe
348	ipconfig.exe
2960	ipconfig.exe
1836	ipconfig.exe
2632	ipconfig.exe
1924	ipconfig.exe
2144	ipconfig.exe
1308	ipconfig.exe
1584	ipconfig.exe
1276	ipconfig.exe
1720	ipconfig.exe
820	ipconfig.exe
2200	ipconfig.exe
1324	ipconfig.exe
1252	ipconfig.exe
332	ipconfig.exe
264	ipconfig.exe
1352	ipconfig.exe
2404	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000c28afe7af318bd3b4a279041270446a0b0626d85a67ce51cca0b87d1144b6f35000000000e8000000002000020000000cf543080f128cab4c322925620d96fb57db572005971796c1d7c5030cd590cad20000000eeb5d77d90cdfcead6fee44ac8a1341b5053c026834b991b5a69ff9345b24cd34000000084c9486dea468e92110fd1ea4e155eee7476461a6e5b447e892caa018d12e5759f137fe08fca90019019c556b261308de4de57487d5f1ae09f5021270782a2db	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{51B43AE1-82BB-11EF-ACDF-5EE01BAFE073} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06cff28c816db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434254541"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000007b0bdc91c4becd2bd55032b17eb316565155459cd1633984ef49fc7953e91c86000000000e80000000020000200000000994b4ff99803f1efb62f53f9bcfdcdab0c0c1647027a0014a588bf8f08a554190000000e8c60534d890e6cfa27afe4933e3a5481ac382868f84e1d1aec7da257256aa047daaa889d330a0d741e2a32cda227e5950c56b6ff30dffe4b9325bea568c30977adaa53393dc45207c8476abdfddf3eaf797f983c206779a7519adb6b5b44a08d1c728e05471e4950ad43f50c26a59ef82279c6a4202e300c2aec2bed59d51e5b77ecd5e57eadb3523c095f8615ef98040000000b0da938e307f14ce6cfeef35fc9596a40c121eff9bd05bda6f9faf9708a1a7fcccd7266f0a66ee621f5c9f21ea235c6f8741f7024e1ff1c66796cbfcd3e09a68	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
1944	mjecwqojgbvtolga.exe
3048	qnigavsnkf.exe
3048	qnigavsnkf.exe
3048	qnigavsnkf.exe
3048	qnigavsnkf.exe
3048	qnigavsnkf.exe
3048	qnigavsnkf.exe
3048	qnigavsnkf.exe
2992	i_qnigavsnkf.exe
2992	i_qnigavsnkf.exe
2992	i_qnigavsnkf.exe
2992	i_qnigavsnkf.exe
2992	i_qnigavsnkf.exe
2992	i_qnigavsnkf.exe
2992	i_qnigavsnkf.exe
2528	xsqkicxupn.exe
2528	xsqkicxupn.exe
2528	xsqkicxupn.exe
2528	xsqkicxupn.exe
2528	xsqkicxupn.exe
2528	xsqkicxupn.exe
2528	xsqkicxupn.exe
1928	i_xsqkicxupn.exe
1928	i_xsqkicxupn.exe
1928	i_xsqkicxupn.exe
1928	i_xsqkicxupn.exe
1928	i_xsqkicxupn.exe
1928	i_xsqkicxupn.exe
1928	i_xsqkicxupn.exe
1684	kecxrpjhcw.exe

Suspicious behavior: LoadsDriver 21 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	i_qnigavsnkf.exe
Token: SeDebugPrivilege	1928	i_xsqkicxupn.exe
Token: SeDebugPrivilege	2424	i_kecxrpjhcw.exe
Token: SeDebugPrivilege	1912	i_ecomhbztrl.exe
Token: SeDebugPrivilege	568	i_uomgeztrlj.exe
Token: SeDebugPrivilege	2808	i_geywrljdbv.exe
Token: SeDebugPrivilege	3024	i_vtolgaysql.exe
Token: SeDebugPrivilege	2120	i_tnlgdysqki.exe
Token: SeDebugPrivilege	2524	i_idavtnhfax.exe
Token: SeDebugPrivilege	2468	i_vsnkfzxspk.exe
Token: SeDebugPrivilege	2016	i_kicaupmhfz.exe
Token: SeDebugPrivilege	2908	i_hfzxrmkecw.exe
Token: SeDebugPrivilege	352	i_zurmgezwrl.exe
Token: SeDebugPrivilege	2980	i_ojhbztomge.exe
Token: SeDebugPrivilege	2064	i_dbwtoigbyt.exe
Token: SeDebugPrivilege	2180	i_bwqoigbvtn.exe
Token: SeDebugPrivilege	2976	i_qlfdyvqkic.exe
Token: SeDebugPrivilege	1696	i_gavsnlfzxs.exe
Token: SeDebugPrivilege	3048	i_dxvqkicsmh.exe
Token: SeDebugPrivilege	2220	i_snkfzxrpke.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2748	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2748	iexplore.exe
2748	iexplore.exe
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1944	2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1944	2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1944	2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1944	2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2748	2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2748	2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2748	2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2748	2440	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe	31
PID 2748 wrote to memory of 1988	2748	iexplore.exe	32
PID 2748 wrote to memory of 1988	2748	iexplore.exe	32
PID 2748 wrote to memory of 1988	2748	iexplore.exe	32
PID 2748 wrote to memory of 1988	2748	iexplore.exe	32
PID 1944 wrote to memory of 2552	1944	mjecwqojgbvtolga.exe	33
PID 1944 wrote to memory of 2552	1944	mjecwqojgbvtolga.exe	33
PID 1944 wrote to memory of 2552	1944	mjecwqojgbvtolga.exe	33
PID 1944 wrote to memory of 2552	1944	mjecwqojgbvtolga.exe	33
PID 3048 wrote to memory of 2028	3048	qnigavsnkf.exe	36
PID 3048 wrote to memory of 2028	3048	qnigavsnkf.exe	36
PID 3048 wrote to memory of 2028	3048	qnigavsnkf.exe	36
PID 3048 wrote to memory of 2028	3048	qnigavsnkf.exe	36
PID 1944 wrote to memory of 640	1944	mjecwqojgbvtolga.exe	39
PID 1944 wrote to memory of 640	1944	mjecwqojgbvtolga.exe	39
PID 1944 wrote to memory of 640	1944	mjecwqojgbvtolga.exe	39
PID 1944 wrote to memory of 640	1944	mjecwqojgbvtolga.exe	39
PID 1944 wrote to memory of 1976	1944	mjecwqojgbvtolga.exe	41
PID 1944 wrote to memory of 1976	1944	mjecwqojgbvtolga.exe	41
PID 1944 wrote to memory of 1976	1944	mjecwqojgbvtolga.exe	41
PID 1944 wrote to memory of 1976	1944	mjecwqojgbvtolga.exe	41
PID 2528 wrote to memory of 2452	2528	xsqkicxupn.exe	43
PID 2528 wrote to memory of 2452	2528	xsqkicxupn.exe	43
PID 2528 wrote to memory of 2452	2528	xsqkicxupn.exe	43
PID 2528 wrote to memory of 2452	2528	xsqkicxupn.exe	43
PID 1944 wrote to memory of 1960	1944	mjecwqojgbvtolga.exe	46
PID 1944 wrote to memory of 1960	1944	mjecwqojgbvtolga.exe	46
PID 1944 wrote to memory of 1960	1944	mjecwqojgbvtolga.exe	46
PID 1944 wrote to memory of 1960	1944	mjecwqojgbvtolga.exe	46
PID 1944 wrote to memory of 1752	1944	mjecwqojgbvtolga.exe	48
PID 1944 wrote to memory of 1752	1944	mjecwqojgbvtolga.exe	48
PID 1944 wrote to memory of 1752	1944	mjecwqojgbvtolga.exe	48
PID 1944 wrote to memory of 1752	1944	mjecwqojgbvtolga.exe	48
PID 1684 wrote to memory of 2204	1684	kecxrpjhcw.exe	50
PID 1684 wrote to memory of 2204	1684	kecxrpjhcw.exe	50
PID 1684 wrote to memory of 2204	1684	kecxrpjhcw.exe	50
PID 1684 wrote to memory of 2204	1684	kecxrpjhcw.exe	50
PID 1944 wrote to memory of 856	1944	mjecwqojgbvtolga.exe	53
PID 1944 wrote to memory of 856	1944	mjecwqojgbvtolga.exe	53
PID 1944 wrote to memory of 856	1944	mjecwqojgbvtolga.exe	53
PID 1944 wrote to memory of 856	1944	mjecwqojgbvtolga.exe	53
PID 1944 wrote to memory of 1696	1944	mjecwqojgbvtolga.exe	55
PID 1944 wrote to memory of 1696	1944	mjecwqojgbvtolga.exe	55
PID 1944 wrote to memory of 1696	1944	mjecwqojgbvtolga.exe	55
PID 1944 wrote to memory of 1696	1944	mjecwqojgbvtolga.exe	55
PID 980 wrote to memory of 2516	980	ecomhbztrl.exe	57
PID 980 wrote to memory of 2516	980	ecomhbztrl.exe	57
PID 980 wrote to memory of 2516	980	ecomhbztrl.exe	57
PID 980 wrote to memory of 2516	980	ecomhbztrl.exe	57
PID 1944 wrote to memory of 1708	1944	mjecwqojgbvtolga.exe	60
PID 1944 wrote to memory of 1708	1944	mjecwqojgbvtolga.exe	60
PID 1944 wrote to memory of 1708	1944	mjecwqojgbvtolga.exe	60
PID 1944 wrote to memory of 1708	1944	mjecwqojgbvtolga.exe	60
PID 1944 wrote to memory of 2584	1944	mjecwqojgbvtolga.exe	63
PID 1944 wrote to memory of 2584	1944	mjecwqojgbvtolga.exe	63
PID 1944 wrote to memory of 2584	1944	mjecwqojgbvtolga.exe	63
PID 1944 wrote to memory of 2584	1944	mjecwqojgbvtolga.exe	63

C:\Users\Admin\AppData\Local\Temp\15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Temp\mjecwqojgbvtolga.exe
  C:\Temp\mjecwqojgbvtolga.exe run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qnigavsnkf.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2552
  - - C:\Temp\qnigavsnkf.exe
      C:\Temp\qnigavsnkf.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2028
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:264
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qnigavsnkf.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:640
  - - C:\Temp\i_qnigavsnkf.exe
      C:\Temp\i_qnigavsnkf.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2992
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xsqkicxupn.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1976
  - - C:\Temp\xsqkicxupn.exe
      C:\Temp\xsqkicxupn.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2452
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1276
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xsqkicxupn.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1960
  - - C:\Temp\i_xsqkicxupn.exe
      C:\Temp\i_xsqkicxupn.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1928
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kecxrpjhcw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1752
  - - C:\Temp\kecxrpjhcw.exe
      C:\Temp\kecxrpjhcw.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2204
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1720
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kecxrpjhcw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:856
  - - C:\Temp\i_kecxrpjhcw.exe
      C:\Temp\i_kecxrpjhcw.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2424
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ecomhbztrl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1696
  - - C:\Temp\ecomhbztrl.exe
      C:\Temp\ecomhbztrl.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:980
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2516
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:704
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ecomhbztrl.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1708
  - - C:\Temp\i_ecomhbztrl.exe
      C:\Temp\i_ecomhbztrl.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1912
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\uomgeztrlj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2584
  - - C:\Temp\uomgeztrlj.exe
      C:\Temp\uomgeztrlj.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2780
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:532
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2028
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_uomgeztrlj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3064
  - - C:\Temp\i_uomgeztrlj.exe
      C:\Temp\i_uomgeztrlj.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:568
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\geywrljdbv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2592
  - - C:\Temp\geywrljdbv.exe
      C:\Temp\geywrljdbv.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3036
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2664
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:820
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_geywrljdbv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1804
  - - C:\Temp\i_geywrljdbv.exe
      C:\Temp\i_geywrljdbv.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2808
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vtolgaysql.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:892
  - - C:\Temp\vtolgaysql.exe
      C:\Temp\vtolgaysql.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2448
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1940
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:348
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vtolgaysql.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2916
  - - C:\Temp\i_vtolgaysql.exe
      C:\Temp\i_vtolgaysql.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3024
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tnlgdysqki.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1760
  - - C:\Temp\tnlgdysqki.exe
      C:\Temp\tnlgdysqki.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:848
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1796
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2960
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tnlgdysqki.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1036
  - - C:\Temp\i_tnlgdysqki.exe
      C:\Temp\i_tnlgdysqki.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2120
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\idavtnhfax.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2124
  - - C:\Temp\idavtnhfax.exe
      C:\Temp\idavtnhfax.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2232
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2144
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2200
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_idavtnhfax.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:684
  - - C:\Temp\i_idavtnhfax.exe
      C:\Temp\i_idavtnhfax.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2524
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vsnkfzxspk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1960
  - - C:\Temp\vsnkfzxspk.exe
      C:\Temp\vsnkfzxspk.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1848
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1544
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1352
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vsnkfzxspk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:356
  - - C:\Temp\i_vsnkfzxspk.exe
      C:\Temp\i_vsnkfzxspk.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2468
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kicaupmhfz.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2212
  - - C:\Temp\kicaupmhfz.exe
      C:\Temp\kicaupmhfz.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2092
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2552
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1924
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kicaupmhfz.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1500
  - - C:\Temp\i_kicaupmhfz.exe
      C:\Temp\i_kicaupmhfz.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2016
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hfzxrmkecw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3044
  - - C:\Temp\hfzxrmkecw.exe
      C:\Temp\hfzxrmkecw.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2592
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:640
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1324
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hfzxrmkecw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2808
  - - C:\Temp\i_hfzxrmkecw.exe
      C:\Temp\i_hfzxrmkecw.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2908
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zurmgezwrl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2448
  - - C:\Temp\zurmgezwrl.exe
      C:\Temp\zurmgezwrl.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1080
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1464
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1836
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zurmgezwrl.exe ups_ins
    3⤵
    PID:2076
  - - C:\Temp\i_zurmgezwrl.exe
      C:\Temp\i_zurmgezwrl.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:352
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ojhbztomge.exe ups_run
    3⤵
    PID:1204
  - - C:\Temp\ojhbztomge.exe
      C:\Temp\ojhbztomge.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2320
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1744
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2632
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ojhbztomge.exe ups_ins
    3⤵
    PID:1292
  - - C:\Temp\i_ojhbztomge.exe
      C:\Temp\i_ojhbztomge.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2980
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dbwtoigbyt.exe ups_run
    3⤵
    PID:2172
  - - C:\Temp\dbwtoigbyt.exe
      C:\Temp\dbwtoigbyt.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2168
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2248
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2144
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dbwtoigbyt.exe ups_ins
    3⤵
    PID:2140
  - - C:\Temp\i_dbwtoigbyt.exe
      C:\Temp\i_dbwtoigbyt.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2064
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bwqoigbvtn.exe ups_run
    3⤵
    PID:1528
  - - C:\Temp\bwqoigbvtn.exe
      C:\Temp\bwqoigbvtn.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1908
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1892
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2404
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bwqoigbvtn.exe ups_ins
    3⤵
    PID:744
  - - C:\Temp\i_bwqoigbvtn.exe
      C:\Temp\i_bwqoigbvtn.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2180
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qlfdyvqkic.exe ups_run
    3⤵
    PID:1848
  - - C:\Temp\qlfdyvqkic.exe
      C:\Temp\qlfdyvqkic.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1304
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:660
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1308
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qlfdyvqkic.exe ups_ins
    3⤵
    PID:692
  - - C:\Temp\i_qlfdyvqkic.exe
      C:\Temp\i_qlfdyvqkic.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2976
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gavsnlfzxs.exe ups_run
    3⤵
    PID:856
  - - C:\Temp\gavsnlfzxs.exe
      C:\Temp\gavsnlfzxs.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2984
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1948
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1252
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gavsnlfzxs.exe ups_ins
    3⤵
    PID:2356
  - - C:\Temp\i_gavsnlfzxs.exe
      C:\Temp\i_gavsnlfzxs.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1696
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dxvqkicsmh.exe ups_run
    3⤵
    PID:2740
  - - C:\Temp\dxvqkicsmh.exe
      C:\Temp\dxvqkicsmh.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2660
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2672
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:332
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dxvqkicsmh.exe ups_ins
    3⤵
    PID:776
  - - C:\Temp\i_dxvqkicsmh.exe
      C:\Temp\i_dxvqkicsmh.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3048
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\snkfzxrpke.exe ups_run
    3⤵
    PID:3020
  - - C:\Temp\snkfzxrpke.exe
      C:\Temp\snkfzxrpke.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3052
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2384
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1584
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_snkfzxrpke.exe ups_ins
    3⤵
    PID:2264
  - - C:\Temp\i_snkfzxrpke.exe
      C:\Temp\i_snkfzxrpke.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2220
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2748 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\ecomhbztrl.exe

Filesize
361KB

MD5
b497a5431750792fdc452ba3ba44dae2

SHA1
133d6312d4eda06291588e9497bde43c3f50bb14

SHA256
1de62df7a87e6ec788dca7c10740d010eb295e3fda2fbd32460a370c7ff7e8a3

SHA512
a4267494b9e6746d34479badff464836d39456db67203fe54a0bf6b0532cb15cb6baea4b4dfe4ed4e8148f57bd4efd4e9418c39cee82fd8fc8dbdc1512bbf19d

Download Submit
C:\Temp\geywrljdbv.exe

Filesize
361KB

MD5
d421392235e3cbf96c2c769bafe14d51

SHA1
2caf252d03cafd5bc78622592a3deba5a9a937cf

SHA256
dcf114c8f8d4cf1981389f8e8e1c097e9a24a0bbf82ab57199f5e47dec392510

SHA512
fa3c5eb78c4a94bbbc554f3fdeb1e1e8c25a917225809121d05a66a169f7d42e1f00c334b4fed8a8cd4b6b7dad10dad66f1d4ccf055befa94069f102db02c7b0

Download Submit
C:\Temp\i_ecomhbztrl.exe

Filesize
361KB

MD5
fae6436424877a36362aa5a09d84eb1e

SHA1
88ef8602f2b9837b166a6cf49b74309d0c8629ae

SHA256
8e617aa575ba88d6349ad667b95738b8346e83c4a458932ebab0806b6c9a664f

SHA512
df81a7292a184cf0b7d1991732c20d994e592f628d7afc0196a3c0702afaf90505aa674901d15d76aaf19e3aeeaee6afd8983e43a8cd01b2a39cb69a8d3a4e44

Download Submit
C:\Temp\i_geywrljdbv.exe

Filesize
361KB

MD5
006e98bc6d1e3731874105bf368260d2

SHA1
71b6593ca878d252be8378c65abda118539181a4

SHA256
168fb3a342a47bd688b8df04211108da49466da0023d637a858b520774726780

SHA512
bc9dd16b323bd32378f1f2ffb601e305ce43c4ea150e02bc46f9c76a7bca9753342054ec37e7976983f691016a884f799f5ad8bc3dc82b2a3e9073c5dd36acf7

Download Submit
C:\Temp\i_kecxrpjhcw.exe

Filesize
361KB

MD5
10417c0228a365fe812be9f1d9aac4c3

SHA1
1a47d1e27448b5389faf5d4bbda178a9ef573862

SHA256
559ad765161c2f9fcebb4786612634818bb87726c1cc16f4dd45e4e5fc2e8043

SHA512
cc37f1805ea518387f6e396cb4486fc342f308abd2d5e288bd9ea1f90a7e55867dc596090775bdc0a4586dcd9aa2efaf67d1f9500379c2934f6f66c13ee30aa0

Download Submit
C:\Temp\i_qnigavsnkf.exe

Filesize
361KB

MD5
ccc5f96d2d46ea1d49339d162709fb4b

SHA1
4ce2bf380d254352fa9511a51adacb54264f99e9

SHA256
e22e86297cde7a1c9378bc3924446a06e6990b4efa1e75c823f03df671525135

SHA512
66f60f537e19f7a99338183c4ff7aa06395d3f8f1f717fda539230eca3cd09600b75a06cae954914c539113e2a356833a1dc1bafc34438e396a26f54e5800c09

Download Submit
C:\Temp\i_uomgeztrlj.exe

Filesize
361KB

MD5
9213e42d265ad3309d87d5300614824c

SHA1
69118132c20353b09ff0ad70cde4dac2bd8ba582

SHA256
cc26bffcab0404a036cb395f47ca359c26a1f8a2bc52e28cb4fa092cd549ea83

SHA512
e82495e14380706c6e45a87de549793b62cd0b192c28d8c496cde6a0084ecc41855d2345b20d6bce432d3a3c6e75e9714caa96d6f48c2ced4e694fb4e1279092

Download Submit
C:\Temp\i_vtolgaysql.exe

Filesize
361KB

MD5
bc4126d1cf6a142a82ea3cf1a634b979

SHA1
7cc5b9eb924e7acad8ce4c797689cdb8054a35ca

SHA256
49dd3b1f3da76ef5f50ac4876c2798b22254e424528dfc60508c59843e120f01

SHA512
4cb98f5d051ad16bf51626dee0c7458d327c44df22f20ec7b496c3c56fd06cea5ae63b5d4894c5971802fd2837a09381b02c7865c84205769a3cad3bb0e91dee

Download Submit
C:\Temp\i_xsqkicxupn.exe

Filesize
361KB

MD5
e3b43d31b923a370b319ed56c7f116c2

SHA1
c4172188a7fe80d9da496bb090297f513d66c6bb

SHA256
9734d434b2826fa83991101f01c87f4e3d256a4f2278ad9b0939703b692c4077

SHA512
3ae29fa6722bee6e1c0a4cc303ba6fa8917c850f21242a69be28a023f3212d75ab76ae4d2e0f0f039b9279b60f6f04600d26a5f982d521ee2cea820abd06930b

Download Submit
C:\Temp\kecxrpjhcw.exe

Filesize
361KB

MD5
d4b8e1f865718f4e4d31df4ee822b00d

SHA1
093dcbd8bb35560f44e82c4dd8fd98cb2f1eaf22

SHA256
0582b8eb2fffd75f1f68bd1bf432a6d83770c3cc3f06db47c037bd1c04854ec3

SHA512
329a9433e8d5d3ccdbe3de1c8eba31165376465c7e0e7c6fe7c771618e76a536d53fd6ea6ab0460f464c167a8d12781e2490fb50e437498d573cc260065bc50e

Download Submit
C:\Temp\qnigavsnkf.exe

Filesize
361KB

MD5
b27e0eeb1017766123402a7cf002d4c2

SHA1
cbee8e73a2dcec4351cc37af4b723c93094e93a5

SHA256
ebb0ab38390f20fa929c4e8eb294aec6507822594b435923596cd58b4961353c

SHA512
1409489b69addafbb0080395e09fdae3811eeeff97d9f03899fca9a976ba51aaa47d7e4776d63612c65a3a36c00f8e0c6ee18ff25ed69761a0c56f41fc2a4b12

Download Submit
C:\Temp\tnlgdysqki.exe

Filesize
361KB

MD5
6c8bd3c2a5edeb7871da5f020c21cb08

SHA1
674ed9a7a6c0ec34dce3107cd4337798e2b48636

SHA256
3f0aeb519f5cfe54503d87e82760b24faef84884b2e4f9a4ff817ee5b4150fd1

SHA512
f36202b349ddab691078598a30e7649f9c524effda0bfeccc9d98a1388f15066c949df599cd64ad97f6c3869f6c7be43eff3a7f7ee2b821cb6b8aa698c753961

Download Submit
C:\Temp\uomgeztrlj.exe

Filesize
361KB

MD5
711872959fad946708981a142695dc3c

SHA1
6ec1ac4bc7e486d707f78565c2455d0b6136b1fc

SHA256
8c7e5dfc213702852e4f762c060bac3c9d9d76f387f1e50d54be5ded4d4ce194

SHA512
4a4100114f58681acf3a54073484f668d362779b6c1e01042dfbbfd92ade0df82393c6f20e5c0daff3adc564423bdf9b7f45f81230b6ec3ae044415b902f0916

Download Submit
C:\Temp\vtolgaysql.exe

Filesize
361KB

MD5
e70ec31e52804e40536be4faf65ec161

SHA1
cd0f60c03cecbe997a95e4b21cfa382de2681126

SHA256
20129263896e1845258323fb7fc0294422ab41965fbeec4c2275334169601f79

SHA512
8eca5878fa2b9fe9fffccdeb86b81e2b64f6f44fbc89d8df5bbb6681eda704682bebdba475de6630933e7e7bad4f07cbb1864d67260dbd8e643d902deb6116c1

Download Submit
C:\Temp\xsqkicxupn.exe

Filesize
361KB

MD5
7b5c4f246e360d281771c8a448171ecb

SHA1
5ac31d4b550841018cfff833216f2e6a7dcd4655

SHA256
0321466186fb30a4add46c9ea008c6d7ffbcaddf04899b608f78c5c8fe32492a

SHA512
cfbbbfc2e858471409c29ab164435e82990141a98294b67e4348caa8fde6cf776d2b48700876045224b0454aa72d6e225c8c7ae021afa7832c401c2f8cc5dd71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd8e19ecb9a922103faaaaa378a2b2b8

SHA1
18ba8d51cf081fda676c1ded8c022a9b75303854

SHA256
31c50f001c50b0bcbeee90478ebcf970a30bc3f118d65e9bc29b36738b2ac0b5

SHA512
8b67334233064d1764605d3de41647b7377bf58ace325dbdab4740a99fa3aa46eb907ee4470c1888620461c85bf523251719e4b64d94805f5b820d24f50d1dea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c748442b2dbed82b2f0be3c3656f4fb

SHA1
82cfe7199e603b664d3b73a49169d93f1ca0ad38

SHA256
a652412436112168f73067cb2169e9505ce23908b005787fa962fb0740b30b3f

SHA512
bf0dc2a3b1c8ccd8d87220fc7cdadc6564a5708c384252171cc9c1c42ae0f42e731a091801241f99f765205f27a0babc0828cf7b25f6ae78f4a886eaf6e7ed4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72f9d8a7046d00c34e10a7031128fe6a

SHA1
2fac29cf76ae1457ef1295182124aae7b18f2805

SHA256
ace64727ea58730b11a91955e4eb8f03b3f1b2fc4a1bbd35fb0216b6f7e6ec61

SHA512
75529365352ec2e51f13cf33d3b42259e35ead750c4cfa35f608fc8a5b67f02eb44c76950ca2db0123638ca804af84c27b33972121a0680bd1d4b0fd893c39ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95eaf03a448ade6ce80ff3804e9a9f4c

SHA1
5272068a899cd01d932da08c77da871b55d9b012

SHA256
627ec0bc2799fb7297fd9eef298dea876c7723852ab2309f9698612e65b61373

SHA512
d9e9be6f0e99c817199d7c1d8fdbcea3f1e8dd6598d59370915c439b7d9dcfb1261fcad197fe4361545f6c74a8b451aa41ea5ed48cdff1ecec0a3f55ddb46548

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed9f908d694f85c1c61f32b8f1e75c48

SHA1
0e85bfee409d443508bb98119e2db3510fcda376

SHA256
54d9308faac299c5b836638cde97784f41d28b3cba669a3bc8c5705aba82ecd1

SHA512
877d0b83205a6bcc4623278b953473ec7e366cafd236b1ba375eeade55705a4c74017fa2dff6bb828ead23a22dd8a0adb464d0d91a47fd0099cebdbee10ea9f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44b118fab8e394f1c15751f6e04e31f2

SHA1
1aa060474ba6228b7a2786e83b3ab82b16e73c73

SHA256
630c86c9320c9b997debabc5d4610919649f0e4b0e4ffc797290337dfb1149a3

SHA512
14bb1d6369519a98d0bb0969f64f87bf287c13c90fb585dcfaa9b44337ae0920198e51acce8809a7e95dadcca611b37a20ac4e3dfd8e5e5cc1bce36c58bed70f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b979f3f4149854c303f5915f9ed80a04

SHA1
183bfa819344ba735fb3efef03d352e8d93df6b4

SHA256
65f41c9cf291ff74d4b90b1dee077f8dcd18c4c87adbbc82a23ba64083a3912f

SHA512
fb7f72ac792022e9858003ec0c71f8e5b09086241de1de2fed2ceba0641c4850d5271ab2d1977d93edb1ba39c0436dc589f059e44e713eb89844d7e97424e943

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8c65667d1250081afea1673bb17c9fc

SHA1
5ffcfcb386646d553effd0b303347d88b95fbab4

SHA256
8988cf8a9bcb8ea474305d7b345608cae93c6edc3d153e15ac2be84972883cb2

SHA512
e4938e3ec8624a81877924d5456dbf35e796c81184ec31577e1bc6c915ae50f6dd7dc98702412aaaee46d270e02dfba946ea4d1e5c4c20a4c761d0582c769937

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0b6b5a8c1eb71c29e76d85c99331831

SHA1
806f6b770113ec969d39aa0b939fe94ec10bfcfd

SHA256
ca71d83fc8d3182a0942e989ec057ae2009c1f24b3c6fcf81db34127dfa2ed50

SHA512
31f80c82a5ffacb444f7ee2d6f394475d7df7a385d2d0103281932e9817bd76c056acfa0e1ba04602de83883e344d36285a57da95a49d71d94814475a2482a5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
243a856c9a3414612dadb5811583691c

SHA1
17d2f2496f11fbdc175d96bb64b14b3ce688928a

SHA256
df07a1c0590dca9db602cc1383066a3e014470866fd2eff1663fab2b7a6c8a9a

SHA512
750f1ca895afd83c634947bac3ddd1b7025c32efd235b72e5ca854fc470bc5e352c600f36787d4fda8d9e781466fd9f7f73a0a1244f30c28b88a027c195a8d80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26c6e3287dfca59e90f1514487c009a4

SHA1
90ed7f9a99a30285fb8535a4c98d5953a519f87c

SHA256
7537366dcef0a75417f18a7c41f5d9e19ec635d5088118493af8f2ea34d3972c

SHA512
eeaa87860cb565263fda2efb8ae02c23cb62a3d695310598e802eab986683deb7d8f00b7d2208bc49b64b1bceda19bfe8a4614b98c33e9d827a00606a5d728ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
930b7301e7cbddaa1bc82eff7bb7e5d7

SHA1
db35df080b2df7602f9b6581b1f55b6cfaed2c72

SHA256
85964d5f5960b13145459f2cf6bf1eeb5ae64e587c1fe431d77fe012cab9314f

SHA512
50882cf83e5035edfc99a5f52f38e7e4e47273295b39b97a7276172e8aa24480a0105c6171aab0518a6e6b3591d6eab9943d00680d8b8bd440074f4ecb1869a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff53a2670a885613a7e3ecfd6120710e

SHA1
6b5214d1ca7ba9098f95e6ea08709e4c3dc87f88

SHA256
b227a5b4a59a5f2403f78b5deef3f7e02273d62a3b3ee01df93fd3ba57c14145

SHA512
6e50736cd1e993cf9e2cb85491af1d0319bd70cdd7da2762d6cb186184837141bf163ff7d8047126c5363be42d0f98fa0ed6e2009c0259a0525a947b47c9bdbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
552298d9faed427c525875a26d3799b4

SHA1
01469be8bcc10d4391d7cd464ca1fea1c3aeff0b

SHA256
8e2ac1bcdb50231e028e0bb31d539729d261e8dde65d0059c4761573e6016738

SHA512
9a008afe07eaeb4693b1231aa4ca4d5e5cffb5dfc041494c8600303623b76605615e59533d5d0b45fcf4a89d8a7808ee9cdad80f03f49aa796b5573fe28e0a82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffdea066a477b24b623c9e6c7af7e420

SHA1
c220667ebf82248f6f3da68f1743bdab731660f5

SHA256
a3f166128d5ff8189de09a60c72024ee39c00647b3f1e7c5e4ab7e283644f97a

SHA512
f84269456bbcf70b87f600b40b188084a32790f11929766806e350ef3dda574f15d75b1777c5134673713543d2a565b45e333defd1a7bc0408847aa94319fbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab87D8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8829.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Temp\CreateProcess.exe

Filesize
3KB

MD5
c183b84389116af6043345e7c9267408

SHA1
a8f052016985595af75a9b7a4992d47362ddd2dd

SHA256
9303bb85dda6a916e65a311fe939c474ad39a21a662407ce65b8db3970c8e352

SHA512
1dae28738bff9bb987f597bb7abeb94f3afd22800f0eeebcd9c896138ee6cd87ee2fe5f62959ee0001a953d1a5a29f3f73f6ffcf2af7038d83fca2bd81a012a9

Download Submit
\Temp\mjecwqojgbvtolga.exe

Filesize
361KB

MD5
162ab0020c9f3f83de4980cf60605764

SHA1
a459e73dac3509cb0c76b16212357c4c022a3a82

SHA256
f39a7ef4429e1120ea8bcf53953d23b3e15d29bc26def28b84207da48f5c6233

SHA512
9650f941d39cdb3ac5219c7f62cf8e4bee010508ed51942f867e88164aef6772cfa53c78bd5157fd8949025f492573a748ea9b8fd25a7aba16a466055237e32a

Download Submit