e9a1fc7a0c02b600d3694df5708548a385a882c62315fc0130a7d98e17750751

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
Size

361KB
MD5

29326712b4014011b32db84af6695ed5
SHA1

53cac5fb78c06d438debbb8ea55e043666f213a6
SHA256

e9a1fc7a0c02b600d3694df5708548a385a882c62315fc0130a7d98e17750751
SHA512

52a1a56886cf8820816957d3515f53eb5c36b0b9ee563d232b194f7a932c34b16fd8c32075e1134cd65f4dac4abea59d82ebdb83c6b596f205783ea2ce898d3c
SSDEEP

6144:nflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:nflfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3964	idbvtnlfdyvqniga.exe
396	CreateProcess.exe
3604	tnlfdxvqni.exe
1868	CreateProcess.exe
376	CreateProcess.exe
4156	i_tnlfdxvqni.exe
748	CreateProcess.exe
4104	ausnkfcxvp.exe
2116	CreateProcess.exe
2700	CreateProcess.exe
4852	i_ausnkfcxvp.exe
1804	CreateProcess.exe
1916	usmkecxupn.exe
3396	CreateProcess.exe
1828	CreateProcess.exe
4532	i_usmkecxupn.exe
2432	CreateProcess.exe
1356	xupnhfzxrp.exe
2200	CreateProcess.exe
4772	CreateProcess.exe
4048	i_xupnhfzxrp.exe
376	CreateProcess.exe
4780	uomhezxrpj.exe
2280	CreateProcess.exe
748	CreateProcess.exe
3788	i_uomhezxrpj.exe
3588	CreateProcess.exe
3300	ojhbztrlje.exe
4500	CreateProcess.exe
3644	CreateProcess.exe
3396	i_ojhbztrlje.exe
1712	CreateProcess.exe
3660	jdbvtolgdy.exe
3444	CreateProcess.exe
4388	CreateProcess.exe
432	i_jdbvtolgdy.exe
3432	CreateProcess.exe
1060	ljdbvtolge.exe
4872	CreateProcess.exe
4472	CreateProcess.exe
4772	i_ljdbvtolge.exe
3036	CreateProcess.exe
3196	gaysqlidav.exe
2800	CreateProcess.exe
2328	CreateProcess.exe
1400	i_gaysqlidav.exe
1408	CreateProcess.exe
1732	aysqkicavs.exe
4852	CreateProcess.exe
2412	CreateProcess.exe
2260	i_aysqkicavs.exe
3968	CreateProcess.exe
1464	ausmkfcxup.exe
772	CreateProcess.exe
4836	CreateProcess.exe
1288	i_ausmkfcxup.exe
1188	CreateProcess.exe
2196	fzxrpkhcau.exe
3408	CreateProcess.exe
2284	CreateProcess.exe
2580	i_fzxrpkhcau.exe
4856	CreateProcess.exe
2612	cwupmhfzxr.exe
5040	CreateProcess.exe

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ausnkfcxvp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ojhbztrlje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdbvtolgdy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_fzxrpkhcau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_tnlfdxvqni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ausnkfcxvp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uomhezxrpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bytrljdbvt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ysqkicavsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_vpnhfaxsqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnlfdxvqni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usmkecxupn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_jdbvtolgdy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljdbvtolge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fzxrpkhcau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gaysqlidav.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_gaysqlidav.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_aysqkicavs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ausmkfcxup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_cwupmhfzxr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_uomhezxrpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ljdbvtolge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztrljebwuo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpnhfaxsqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axsqkicaus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_axsqkicaus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CreateProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_usmkecxupn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ausmkfcxup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_wtomgeywqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_bytrljdbvt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_xupnhfzxrp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtomgeywqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvtnlgdywq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_bvtnlgdywq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idbvtnlfdyvqniga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xupnhfzxrp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojhbztrlje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aysqkicavs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cwupmhfzxr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ztrljebwuo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ysqkicavsn.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1416	ipconfig.exe
4932	ipconfig.exe
2376	ipconfig.exe
4588	ipconfig.exe
3428	ipconfig.exe
2824	ipconfig.exe
4496	ipconfig.exe
640	ipconfig.exe
912	ipconfig.exe
608	ipconfig.exe
2424	ipconfig.exe
728	ipconfig.exe
4620	ipconfig.exe
2176	ipconfig.exe
4568	ipconfig.exe
3664	ipconfig.exe
2996	ipconfig.exe
664	ipconfig.exe
872	ipconfig.exe
2792	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2212608194"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000086445aa8a430244a91c2b800ab210a51000000000200000000001066000000010000200000005e0050e19510fc502e6d57ffe811c268c3d116e819ff48dc3645cf76f41791af000000000e8000000002000020000000461aab6d441d3525b171026f49fec1f5ba1b9cb927729511bede519768ccf41a2000000043df27532ea972522dacd88b8c2ced719db9d161e1cfc82681ae001e63df0d9b40000000aa80d4a0c88f74fed1092fe1c2b2502f6b4562b7fbd4c11acef8a2ec58a276ffd0d6a058f0e4109436e3a4719c2ded276e5ac29628cdc38d5bac35f3d56ae82f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31136309"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000086445aa8a430244a91c2b800ab210a51000000000200000000001066000000010000200000005f4f58b573d2e7a16e46b3fb161dca2decaac98369e735f9cd736f2fa878e118000000000e8000000002000020000000d379c336e48f323b93bdfad044f563cbb46f8513ff9a9d3fb84c866ecea1ad1f200000007d41496ec43067ea10f1426726574a2c28f9846d8f99aad1788f8f70da069de54000000083eb6df81002d19b77dc5ee5ab4186170f0a2434a3a420375289941484262a3c272a6e4031a15bc2ec98bdfce58625b3b1d6f6569c62c037b0ebf85e6e02c7f7	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2212608194"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2216514563"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AF8B414E-8628-11EF-AEE2-D2BD7E71DA05} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31136309"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80727584351adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31136309"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90466e84351adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435234452"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
3964	idbvtnlfdyvqniga.exe
3964	idbvtnlfdyvqniga.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
3964	idbvtnlfdyvqniga.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
3964	idbvtnlfdyvqniga.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
3964	idbvtnlfdyvqniga.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
3964	idbvtnlfdyvqniga.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
3964	idbvtnlfdyvqniga.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
3964	idbvtnlfdyvqniga.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
3964	idbvtnlfdyvqniga.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
3964	idbvtnlfdyvqniga.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
3964	idbvtnlfdyvqniga.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
3964	idbvtnlfdyvqniga.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
3964	idbvtnlfdyvqniga.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
3964	idbvtnlfdyvqniga.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	i_tnlfdxvqni.exe
Token: SeDebugPrivilege	4852	i_ausnkfcxvp.exe
Token: SeDebugPrivilege	4532	i_usmkecxupn.exe
Token: SeDebugPrivilege	4048	i_xupnhfzxrp.exe
Token: SeDebugPrivilege	3788	i_uomhezxrpj.exe
Token: SeDebugPrivilege	3396	i_ojhbztrlje.exe
Token: SeDebugPrivilege	432	i_jdbvtolgdy.exe
Token: SeDebugPrivilege	4772	i_ljdbvtolge.exe
Token: SeDebugPrivilege	1400	i_gaysqlidav.exe
Token: SeDebugPrivilege	2260	i_aysqkicavs.exe
Token: SeDebugPrivilege	1288	i_ausmkfcxup.exe
Token: SeDebugPrivilege	2580	i_fzxrpkhcau.exe
Token: SeDebugPrivilege	2496	i_cwupmhfzxr.exe
Token: SeDebugPrivilege	1096	i_ztrljebwuo.exe
Token: SeDebugPrivilege	4852	i_wtomgeywqo.exe
Token: SeDebugPrivilege	2996	i_bytrljdbvt.exe
Token: SeDebugPrivilege	3564	i_bvtnlgdywq.exe
Token: SeDebugPrivilege	1632	i_ysqkicavsn.exe
Token: SeDebugPrivilege	4488	i_vpnhfaxsqk.exe
Token: SeDebugPrivilege	1400	i_axsqkicaus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3820	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3820	iexplore.exe
3820	iexplore.exe
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 3964	5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe	86
PID 5008 wrote to memory of 3964	5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe	86
PID 5008 wrote to memory of 3964	5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe	86
PID 5008 wrote to memory of 3820	5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe	87
PID 5008 wrote to memory of 3820	5008	29326712b4014011b32db84af6695ed5_JaffaCakes118.exe	87
PID 3820 wrote to memory of 3024	3820	iexplore.exe	89
PID 3820 wrote to memory of 3024	3820	iexplore.exe	89
PID 3820 wrote to memory of 3024	3820	iexplore.exe	89
PID 3964 wrote to memory of 396	3964	idbvtnlfdyvqniga.exe	91
PID 3964 wrote to memory of 396	3964	idbvtnlfdyvqniga.exe	91
PID 3964 wrote to memory of 396	3964	idbvtnlfdyvqniga.exe	91
PID 3604 wrote to memory of 1868	3604	tnlfdxvqni.exe	95
PID 3604 wrote to memory of 1868	3604	tnlfdxvqni.exe	95
PID 3604 wrote to memory of 1868	3604	tnlfdxvqni.exe	95
PID 3964 wrote to memory of 376	3964	idbvtnlfdyvqniga.exe	99
PID 3964 wrote to memory of 376	3964	idbvtnlfdyvqniga.exe	99
PID 3964 wrote to memory of 376	3964	idbvtnlfdyvqniga.exe	99
PID 3964 wrote to memory of 748	3964	idbvtnlfdyvqniga.exe	103
PID 3964 wrote to memory of 748	3964	idbvtnlfdyvqniga.exe	103
PID 3964 wrote to memory of 748	3964	idbvtnlfdyvqniga.exe	103
PID 4104 wrote to memory of 2116	4104	ausnkfcxvp.exe	106
PID 4104 wrote to memory of 2116	4104	ausnkfcxvp.exe	106
PID 4104 wrote to memory of 2116	4104	ausnkfcxvp.exe	106
PID 3964 wrote to memory of 2700	3964	idbvtnlfdyvqniga.exe	110
PID 3964 wrote to memory of 2700	3964	idbvtnlfdyvqniga.exe	110
PID 3964 wrote to memory of 2700	3964	idbvtnlfdyvqniga.exe	110
PID 3964 wrote to memory of 1804	3964	idbvtnlfdyvqniga.exe	114
PID 3964 wrote to memory of 1804	3964	idbvtnlfdyvqniga.exe	114
PID 3964 wrote to memory of 1804	3964	idbvtnlfdyvqniga.exe	114
PID 1916 wrote to memory of 3396	1916	usmkecxupn.exe	117
PID 1916 wrote to memory of 3396	1916	usmkecxupn.exe	117
PID 1916 wrote to memory of 3396	1916	usmkecxupn.exe	117
PID 3964 wrote to memory of 1828	3964	idbvtnlfdyvqniga.exe	120
PID 3964 wrote to memory of 1828	3964	idbvtnlfdyvqniga.exe	120
PID 3964 wrote to memory of 1828	3964	idbvtnlfdyvqniga.exe	120
PID 3964 wrote to memory of 2432	3964	idbvtnlfdyvqniga.exe	124
PID 3964 wrote to memory of 2432	3964	idbvtnlfdyvqniga.exe	124
PID 3964 wrote to memory of 2432	3964	idbvtnlfdyvqniga.exe	124
PID 1356 wrote to memory of 2200	1356	xupnhfzxrp.exe	126
PID 1356 wrote to memory of 2200	1356	xupnhfzxrp.exe	126
PID 1356 wrote to memory of 2200	1356	xupnhfzxrp.exe	126
PID 3964 wrote to memory of 4772	3964	idbvtnlfdyvqniga.exe	134
PID 3964 wrote to memory of 4772	3964	idbvtnlfdyvqniga.exe	134
PID 3964 wrote to memory of 4772	3964	idbvtnlfdyvqniga.exe	134
PID 3964 wrote to memory of 376	3964	idbvtnlfdyvqniga.exe	138
PID 3964 wrote to memory of 376	3964	idbvtnlfdyvqniga.exe	138
PID 3964 wrote to memory of 376	3964	idbvtnlfdyvqniga.exe	138
PID 4780 wrote to memory of 2280	4780	uomhezxrpj.exe	141
PID 4780 wrote to memory of 2280	4780	uomhezxrpj.exe	141
PID 4780 wrote to memory of 2280	4780	uomhezxrpj.exe	141
PID 3964 wrote to memory of 748	3964	idbvtnlfdyvqniga.exe	145
PID 3964 wrote to memory of 748	3964	idbvtnlfdyvqniga.exe	145
PID 3964 wrote to memory of 748	3964	idbvtnlfdyvqniga.exe	145
PID 3964 wrote to memory of 3588	3964	idbvtnlfdyvqniga.exe	149
PID 3964 wrote to memory of 3588	3964	idbvtnlfdyvqniga.exe	149
PID 3964 wrote to memory of 3588	3964	idbvtnlfdyvqniga.exe	149
PID 3300 wrote to memory of 4500	3300	ojhbztrlje.exe	151
PID 3300 wrote to memory of 4500	3300	ojhbztrlje.exe	151
PID 3300 wrote to memory of 4500	3300	ojhbztrlje.exe	151
PID 3964 wrote to memory of 3644	3964	idbvtnlfdyvqniga.exe	155
PID 3964 wrote to memory of 3644	3964	idbvtnlfdyvqniga.exe	155
PID 3964 wrote to memory of 3644	3964	idbvtnlfdyvqniga.exe	155
PID 3964 wrote to memory of 1712	3964	idbvtnlfdyvqniga.exe	159
PID 3964 wrote to memory of 1712	3964	idbvtnlfdyvqniga.exe	159

C:\Users\Admin\AppData\Local\Temp\29326712b4014011b32db84af6695ed5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29326712b4014011b32db84af6695ed5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Temp\idbvtnlfdyvqniga.exe
  C:\Temp\idbvtnlfdyvqniga.exe run
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tnlfdxvqni.exe ups_run
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:396
  - - C:\Temp\tnlfdxvqni.exe
      C:\Temp\tnlfdxvqni.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3604
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1868
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4588
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tnlfdxvqni.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:376
  - - C:\Temp\i_tnlfdxvqni.exe
      C:\Temp\i_tnlfdxvqni.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4156
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ausnkfcxvp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:748
  - - C:\Temp\ausnkfcxvp.exe
      C:\Temp\ausnkfcxvp.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2116
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:912
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ausnkfcxvp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2700
  - - C:\Temp\i_ausnkfcxvp.exe
      C:\Temp\i_ausnkfcxvp.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4852
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\usmkecxupn.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1804
  - - C:\Temp\usmkecxupn.exe
      C:\Temp\usmkecxupn.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3396
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:608
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_usmkecxupn.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1828
  - - C:\Temp\i_usmkecxupn.exe
      C:\Temp\i_usmkecxupn.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4532
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xupnhfzxrp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2432
  - - C:\Temp\xupnhfzxrp.exe
      C:\Temp\xupnhfzxrp.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2200
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2424
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xupnhfzxrp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4772
  - - C:\Temp\i_xupnhfzxrp.exe
      C:\Temp\i_xupnhfzxrp.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4048
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\uomhezxrpj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:376
  - - C:\Temp\uomhezxrpj.exe
      C:\Temp\uomhezxrpj.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2280
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3428
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_uomhezxrpj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:748
  - - C:\Temp\i_uomhezxrpj.exe
      C:\Temp\i_uomhezxrpj.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3788
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ojhbztrlje.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3588
  - - C:\Temp\ojhbztrlje.exe
      C:\Temp\ojhbztrlje.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3300
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4500
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2824
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ojhbztrlje.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3644
  - - C:\Temp\i_ojhbztrlje.exe
      C:\Temp\i_ojhbztrlje.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3396
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jdbvtolgdy.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1712
  - - C:\Temp\jdbvtolgdy.exe
      C:\Temp\jdbvtolgdy.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3660
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3444
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1416
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jdbvtolgdy.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4388
  - - C:\Temp\i_jdbvtolgdy.exe
      C:\Temp\i_jdbvtolgdy.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:432
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ljdbvtolge.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3432
  - - C:\Temp\ljdbvtolge.exe
      C:\Temp\ljdbvtolge.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1060
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4872
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:728
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ljdbvtolge.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4472
  - - C:\Temp\i_ljdbvtolge.exe
      C:\Temp\i_ljdbvtolge.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4772
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gaysqlidav.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3036
  - - C:\Temp\gaysqlidav.exe
      C:\Temp\gaysqlidav.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3196
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2800
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4932
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gaysqlidav.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2328
  - - C:\Temp\i_gaysqlidav.exe
      C:\Temp\i_gaysqlidav.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1400
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\aysqkicavs.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1408
  - - C:\Temp\aysqkicavs.exe
      C:\Temp\aysqkicavs.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1732
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4852
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3664
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_aysqkicavs.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2412
  - - C:\Temp\i_aysqkicavs.exe
      C:\Temp\i_aysqkicavs.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2260
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ausmkfcxup.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3968
  - - C:\Temp\ausmkfcxup.exe
      C:\Temp\ausmkfcxup.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1464
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:772
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2996
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ausmkfcxup.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4836
  - - C:\Temp\i_ausmkfcxup.exe
      C:\Temp\i_ausmkfcxup.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1288
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\fzxrpkhcau.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1188
  - - C:\Temp\fzxrpkhcau.exe
      C:\Temp\fzxrpkhcau.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2196
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3408
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:664
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_fzxrpkhcau.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2284
  - - C:\Temp\i_fzxrpkhcau.exe
      C:\Temp\i_fzxrpkhcau.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2580
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\cwupmhfzxr.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4856
  - - C:\Temp\cwupmhfzxr.exe
      C:\Temp\cwupmhfzxr.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2612
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:5040
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4496
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_cwupmhfzxr.exe ups_ins
    3⤵
    PID:3544
  - - C:\Temp\i_cwupmhfzxr.exe
      C:\Temp\i_cwupmhfzxr.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2496
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ztrljebwuo.exe ups_run
    3⤵
    PID:4556
  - - C:\Temp\ztrljebwuo.exe
      C:\Temp\ztrljebwuo.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4456
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:5032
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:872
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ztrljebwuo.exe ups_ins
    3⤵
    PID:4376
  - - C:\Temp\i_ztrljebwuo.exe
      C:\Temp\i_ztrljebwuo.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1096
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wtomgeywqo.exe ups_run
    3⤵
    PID:4268
  - - C:\Temp\wtomgeywqo.exe
      C:\Temp\wtomgeywqo.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4368
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2328
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:640
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wtomgeywqo.exe ups_ins
    3⤵
    PID:3664
  - - C:\Temp\i_wtomgeywqo.exe
      C:\Temp\i_wtomgeywqo.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4852
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bytrljdbvt.exe ups_run
    3⤵
    PID:2356
  - - C:\Temp\bytrljdbvt.exe
      C:\Temp\bytrljdbvt.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:1564
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1652
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2792
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bytrljdbvt.exe ups_ins
    3⤵
    PID:4436
  - - C:\Temp\i_bytrljdbvt.exe
      C:\Temp\i_bytrljdbvt.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2996
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bvtnlgdywq.exe ups_run
    3⤵
    PID:4444
  - - C:\Temp\bvtnlgdywq.exe
      C:\Temp\bvtnlgdywq.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4428
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2492
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2176
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bvtnlgdywq.exe ups_ins
    3⤵
    PID:2264
  - - C:\Temp\i_bvtnlgdywq.exe
      C:\Temp\i_bvtnlgdywq.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3564
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ysqkicavsn.exe ups_run
    3⤵
    PID:5088
  - - C:\Temp\ysqkicavsn.exe
      C:\Temp\ysqkicavsn.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:728
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1856
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2376
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ysqkicavsn.exe ups_ins
    3⤵
    PID:1524
  - - C:\Temp\i_ysqkicavsn.exe
      C:\Temp\i_ysqkicavsn.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1632
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vpnhfaxsqk.exe ups_run
    3⤵
    PID:3520
  - - C:\Temp\vpnhfaxsqk.exe
      C:\Temp\vpnhfaxsqk.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:3544
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4616
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4568
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vpnhfaxsqk.exe ups_ins
    3⤵
    PID:4680
  - - C:\Temp\i_vpnhfaxsqk.exe
      C:\Temp\i_vpnhfaxsqk.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4488
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\axsqkicaus.exe ups_run
    3⤵
    PID:2632
  - - C:\Temp\axsqkicaus.exe
      C:\Temp\axsqkicaus.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:5000
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2192
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4620
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_axsqkicaus.exe ups_ins
    3⤵
    PID:5044
  - - C:\Temp\i_axsqkicaus.exe
      C:\Temp\i_axsqkicaus.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1400
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3820 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
4dbf97cd4b42a5f52c2b420fdafe6fcb

SHA1
759b83a3c0293364bd0d7705df52e0833770c8d9

SHA256
0b044c6c455f56e048e487dc3b07ed5db728bd54c4f1ae1c0f7e12c1dc032c71

SHA512
391a0cb77f19eed259921a6cd5b485984f0ba5c6199dffa61015dee0790560f00953f82cbfd3d2f2540332b29cda44e52b5f8e7b210d6c36f5130d6f73d65438

Download Submit
C:\Temp\ausnkfcxvp.exe

Filesize
361KB

MD5
83337b6c4e789f3c472c54b4a30e5669

SHA1
13e7d2f4f09650fa1cf5d3ca1d61c363dad4a06b

SHA256
62a4d8dfcdd626ab6f895aaf23faf10640a7962917bd7383bf460696099e9ba8

SHA512
4e444998f536e4d5785be7c4ea31947a75cae615c274e741ba476d6a49161d88a80658e7018c779494d506300da873d91ec4caab3454ad06e611b07ee975564a

Download Submit
C:\Temp\gaysqlidav.exe

Filesize
361KB

MD5
fe7bd3eb1143b4dabde1f5cd86be3e12

SHA1
44a0496fbf1fddab817573fa06574e5323206b6b

SHA256
ba1ecb5fc6388e1947aaea5cc0746fce66895c3c3bd801188400915df57c0166

SHA512
e0f83b5b33c01e34a8edbe46470df0879f40e9e82430b006399f402f34ff3c2841644353bc6f1841d1e67b7bd6a01be79cdeed3e277cedc93f9a77e68e401005

Download Submit
C:\Temp\i_ausnkfcxvp.exe

Filesize
361KB

MD5
f8b8dfeba59209111033ff626c27aff5

SHA1
dd50a31c77a8e77db5969177e39b08048371991b

SHA256
5ea44ac65351d3dffa3c2ff2c5f142b5f9d04abdb0a42d39090d4bba9ee99d3e

SHA512
4597e7283ecbff817133a2253c918375219609e44d840ec1e04c62793bc876331084509158abd455719f0158611a5d1c9eeb013714037008e321c6abe002e479

Download Submit
C:\Temp\i_jdbvtolgdy.exe

Filesize
361KB

MD5
8c524ffefc22d4d21d595571491f376a

SHA1
ee9c9233eb6da79bdee82fea68912b9a5e4ef81d

SHA256
7e2cac8272a6263d98d9bc86fbbaad088bd41f1651b554dab0e6621f14c7b4ae

SHA512
5207727daa491908ac2bfdcc2a2d768591a9f1127738bfc0b30448c33fd2dac495e547808c6983a817d0bff6a797240c563821acf5ed9d652ddcabaa3fddd196

Download Submit
C:\Temp\i_ljdbvtolge.exe

Filesize
361KB

MD5
998b80d541e2b889446697860e9caaf8

SHA1
a8c080941f02d7784c0712fbd19c43868b94ef84

SHA256
ba3979184675e1b5ad481492ef71f0448060cf21242893b6097c4b7da8d75e56

SHA512
8ad93fc9ea2e716726817095f751146db7be770ebec3935277a59274a8599d7e7352d3d1f2eb056b0a94143d5a3e1a18107c774e2db4031ebdb90a8cee6ab44c

Download Submit
C:\Temp\i_ojhbztrlje.exe

Filesize
361KB

MD5
7e6bbc7e10487ca1a10e3940d19849a2

SHA1
4a112515d6feb01420ea74fe1dc81d30481285ee

SHA256
5438fd41a76f5a20b75e3ac91732662646f2d3899103f514ec31505635905a5e

SHA512
245a3b88bf8582f863b7423e65a70b00cf09fbcad8f95053fef538cb338673d28a8efd717c733f2b5017957289956feb7b24b87b705aaf5177707303a48130f5

Download Submit
C:\Temp\i_tnlfdxvqni.exe

Filesize
361KB

MD5
eb9690aac3badb37ead161a44adf51f0

SHA1
0bdaac495a4c51ccc769e7c8d0877c2ce41eb86f

SHA256
d5109025fb5f987da820af54e9b104f77cadecc5bd1c9342114faf82cd13e30c

SHA512
9b0d0600d876687af636ecd621efa3138cd9cb1b36df5cdf323375aea1e69f9e0dd7e72a7692147fb1a23ceda24c50425c700bf1f5bebb459aae6d9f4e532e5c

Download Submit
C:\Temp\i_uomhezxrpj.exe

Filesize
361KB

MD5
9e8567fbecd1eaf0a237bc8bc631c945

SHA1
6b5d08e5516b77e22aea80cacbf4a4a3d7a2802a

SHA256
672eeddbabd92394ab7a581ea9ce2845b3df5bffcb0d24018808e4a391446231

SHA512
4009ee1d448cd44fe263a5ca149afd0a252177fa9f8b0b49e56fde5c4538a8d2ce8c5b298641ebb2527fad1e524f49b3da97bc1ccbdb15cb51220605edf6808e

Download Submit
C:\Temp\i_usmkecxupn.exe

Filesize
361KB

MD5
0bfca936a87b4ceaf9afe6b61d1d5566

SHA1
75c4f4a5e1445bc178646524e01ebdf7fdaf3d69

SHA256
4938647850bd8d2dc832f19514d0c952fc91a82769716438e2a689ce1b1f6e21

SHA512
ff062aa64a1c32d7ad2347e0219c4c9a8738e14b64db1b0ad095f1957522e75b9d46c516f5e6e196d94c9a7b78b5ce63ba97f1e5bc47ca6de9d78c01927f59ef

Download Submit
C:\Temp\i_xupnhfzxrp.exe

Filesize
361KB

MD5
0c4e318defc8a289a3faf2690c5f9268

SHA1
066f8ff785eea4a18b094d7d2a3ad50297d6b88e

SHA256
c93d33f9c05dccab2b50f52235d212c8364d2bf1777b209d2711de9fcbc763c4

SHA512
9dc7323213157a17d10168458fcbd291af9effd86d4bea516d72dfdfd3148a81a5f0c2a3c29ffb06ed06d24b82e75a69cbf3e8061b86bbcd1812e8b43d7ddf58

Download Submit
C:\Temp\idbvtnlfdyvqniga.exe

Filesize
361KB

MD5
7cdc157a41c677d335728c0eae84a9ae

SHA1
8bea0b76b421420c3f12fa6da3e4fad3d5cdb744

SHA256
3597bb60b3670ecb1373663f2e3e7e8f4e58a916fded87889655984ab820ae1b

SHA512
1e250cc32ef6e94ff1ef092a51f425754853ca895394475081b6c1769608d0f116193824550a83e46537003f8a952aad1c8ddee8fbc8f95074b1a4ab52c14201

Download Submit
C:\Temp\jdbvtolgdy.exe

Filesize
361KB

MD5
38a972eeb6c85d65579c3e6621f55f42

SHA1
0f96ac9da634924824e653f134d638c4b03df405

SHA256
dae3d39541676c25d51259cf52c1d1c5d5404a219cd99d7d8d5b118ac649855a

SHA512
e0427dc1d2f2eef00c7e43415797823c931e29f17c56e85e7aee8996ddb125d972f5a08b2af0e7a793619cb3b398bd4453c3214d4a53335197fd8ee3df84d2b1

Download Submit
C:\Temp\ljdbvtolge.exe

Filesize
361KB

MD5
2ac3ab584b25f9b2689132c9754d6956

SHA1
a93a2dadb007d5d73ef61d9462cc5f2aa5b521fa

SHA256
4ba583b283d7729f55fc97aa4ac40a8d5e39e3fd7974ca210c01ec66abf303cf

SHA512
9ae7786704c7d4174efd6061f45e308ada8fdf7c50094fdddd61ac9c1ed6d14bf2dd5ac3c9f80bf995c9d8f3e433e1efe06211184150a5191833a46d6eed0525

Download Submit
C:\Temp\ojhbztrlje.exe

Filesize
361KB

MD5
8a077b6ee9eb21e4a0c69d828e5f9691

SHA1
31fdd95bda8f3ba4deccca881498a5be0e629b1c

SHA256
1793ebb1da6f5d741f4a4f3792e50768dc8a04bfa2b8a5b33c35aa804af769fc

SHA512
36a5775528fbdca202435c59211ebba71e3a709cf0228cbb50befa4551977db27e1bd9a09fe9b9dd6254b39fedd0d235aad56cd45deb598138ff61098f9435fb

Download Submit
C:\Temp\tnlfdxvqni.exe

Filesize
361KB

MD5
321fd09fe4c9d98af37bdc754708409f

SHA1
5e62a305c38d6391937f07e0f7847b3270dfa204

SHA256
14780ac77a8027b3c86102c4624376b776b9b975afecd04db7c88b104064cb66

SHA512
9f250cc1b4b14688603937c73d9d73a911d6c7cf3a919f6cd923c35cd126fc0fd0deeaec2c82637b41036860ce191d7e960d5cb2527a30c436626abeafb9dfbf

Download Submit
C:\Temp\uomhezxrpj.exe

Filesize
361KB

MD5
d48b9629f15eed8e5846a8b1055ad4af

SHA1
6ff3b8ef8af317ccffcb5927d276ce78501e8d94

SHA256
6fca3d6f9a647e0cbf91f9cd8da2b680570a6c03bd367d53f416ea01057a7076

SHA512
8291bbe39ed2823810fdd6ed109ca62b1a34670e337c4feb4617a3dfaaa5ceadcf9d66c631b71f826cdf41a4c1be070ffec0009d6d8cdeaade8c06eb9f830802

Download Submit
C:\Temp\usmkecxupn.exe

Filesize
361KB

MD5
eed9e949df19aa6bf1d4052e1b4f7887

SHA1
8a5c10a35a49ee871ba9e9efefbd36c92cb98eea

SHA256
003297b8d3aeaa1f8f49bfe4e2677a9b7ce09861cede37b441107ec3f2bfd801

SHA512
f2529f522c606ca3d46ce95d5b539d14d6ddbc8c7b438b19334b65a82b04eeb5c2d7b5c78d5a0f11f6a98d7f63660b04ccc8d7b79a28e8f121cc86feec7b79f6

Download Submit
C:\Temp\xupnhfzxrp.exe

Filesize
361KB

MD5
1606218951470582d0455300d3f66b05

SHA1
ee80f11a365e7e6174738df59f02150f7b1bbd3b

SHA256
55f10ea64b8f6fe4e3d9ec4949e473c21f69475b74db01bc528179e13c8a67bd

SHA512
69c10753427035402db56a92cdb606298509d0e96e5c15c5724a069d386cd69a634d1589215928dae313916a618f86ad97e944d61660c474ac3532903d059c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGDWJGSY\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit