ae5e514dbd7c2ad9505b28251412651aba7b1aefe1c52d782dad2df0d4e7e625

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
Size

361KB
MD5

3d22ace956dc88fbdd82f947835613a0
SHA1

683e77c7724d7fff0faa1a2036be3ed90289cc9f
SHA256

ae5e514dbd7c2ad9505b28251412651aba7b1aefe1c52d782dad2df0d4e7e625
SHA512

f0f6cc0aff062a96376c68fd7e313a2df194bda3feb9bdf2268f8983f57b9451c0e195d47941abd8274d32734d9651315516da45563b0415f1f8a2ea466468d2
SSDEEP

6144:0flfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:0flfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
628	nlfdxvqnigaysqki.exe
1224	CreateProcess.exe
1084	yvqnigaysq.exe
1116	CreateProcess.exe
5004	CreateProcess.exe
1640	i_yvqnigaysq.exe
4188	CreateProcess.exe
2144	kfdxvpnifa.exe
3892	CreateProcess.exe
2992	CreateProcess.exe
2348	i_kfdxvpnifa.exe
1584	CreateProcess.exe
4144	mkfcxvpnhf.exe
3372	CreateProcess.exe
700	CreateProcess.exe
3864	i_mkfcxvpnhf.exe
1824	CreateProcess.exe
1756	khcausmkec.exe
5040	CreateProcess.exe
4040	CreateProcess.exe
3604	i_khcausmkec.exe
2096	CreateProcess.exe
1808	hbzurmkecw.exe
4484	CreateProcess.exe
3340	CreateProcess.exe
5112	i_hbzurmkecw.exe
4488	CreateProcess.exe
2260	ezwrojhbzt.exe
4332	CreateProcess.exe
2136	CreateProcess.exe
4976	i_ezwrojhbzt.exe
5056	CreateProcess.exe
2940	dbwtomgeyw.exe
3232	CreateProcess.exe
1164	CreateProcess.exe
1208	i_dbwtomgeyw.exe
3632	CreateProcess.exe
656	bvtnlgdywq.exe
2548	CreateProcess.exe
4808	CreateProcess.exe
2664	i_bvtnlgdywq.exe
4988	CreateProcess.exe
3112	ysqlidbvtn.exe
4088	CreateProcess.exe
1568	CreateProcess.exe
5052	i_ysqlidbvtn.exe
2824	CreateProcess.exe
4156	vqnifaysqk.exe
1732	CreateProcess.exe
3772	CreateProcess.exe
2252	i_vqnifaysqk.exe
4560	CreateProcess.exe
1344	ausnkfdxvp.exe
536	CreateProcess.exe
2468	CreateProcess.exe
2972	i_ausnkfdxvp.exe
5020	CreateProcess.exe
3932	xvpnhfzxsp.exe
5112	CreateProcess.exe
1296	CreateProcess.exe
3920	i_xvpnhfzxsp.exe
736	CreateProcess.exe
4944	xrpjhczusm.exe
1856	CreateProcess.exe

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrpjhczusm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cwupezwrpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trljdbvtol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xsqkicausn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ysqlidbvtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ausnkfdxvp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_xvpnhfzxsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_xrpjhczusm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ysqkidavtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ysqkidavtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CreateProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_khcausmkec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbzurmkecw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ztrmjecwuo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlfdxvqnigaysqki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvqnigaysq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_yvqnigaysq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vqnifaysqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_trljdbvtol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_mkfcxvpnhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_hbzurmkecw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ysqlidavtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_xsqkicausn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_kfdxvpnifa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mkfcxvpnhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbwtomgeyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_bvtnlgdywq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_vqnifaysqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xvpnhfzxsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoigaytqlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kfdxvpnifa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khcausmkec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezwrojhbzt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ezwrojhbzt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_dbwtomgeyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvtnlgdywq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ysqlidbvtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ausnkfdxvp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_cwupezwrpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztrmjecwuo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_qoigaytqlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ysqlidavtn.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4640	ipconfig.exe
2648	ipconfig.exe
1572	ipconfig.exe
4640	ipconfig.exe
4960	ipconfig.exe
1580	ipconfig.exe
4832	ipconfig.exe
2136	ipconfig.exe
2568	ipconfig.exe
1416	ipconfig.exe
4924	ipconfig.exe
4416	ipconfig.exe
1940	ipconfig.exe
3920	ipconfig.exe
1744	ipconfig.exe
1732	ipconfig.exe
4052	ipconfig.exe
4508	ipconfig.exe
4520	ipconfig.exe
2624	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31137041"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31137041"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137041"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D6898E5E-8904-11EF-ADF2-E24E87F0D14E} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2868683971"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2870871160"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000c799872fe271d383831ef40abe9c3d7b0e50b817243f5e3adc6bb7f6bcf3361e000000000e8000000002000020000000623de76e1abab2851a9a4627c17fad5ee93f96681d9d400db00521022a9fff91200000009364a0300c3d166a1c294650c645c3e438c37825a56f82a4615dd831c034de8540000000ac9b5dae5b078e4722ba4a8e68dc42369d560a763d5d1a830b697ba5fb8001f7adcc5fddea9301a66c80c7acf29163e183c936f593180467469028c5dbadab69	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 907778ab111ddb01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2868683971"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000be478dbc6043477a69861e3fc76331d61b7fcd378b5c962d8d97d5b2be7aa24f000000000e80000000020000200000005f95a793c8d4de586c6b87b646b100cbf6cf5de027ac1856f69ef72345ba7d8620000000b956d412cb29b065b0088b8e63f9e102f40f45b5b8ff9ad1cf93cf7e870bc6d0400000007d9b99480a75fe920ead1702c01884a497747e607b0afae334b7a12b39a724aedaf1dd12cf03b0632960c1bfd745b1f12e39d924ad72b3bee14013681a0ff2a8	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2870871160"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a02d76ab111ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137041"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435548909"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
628	nlfdxvqnigaysqki.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
628	nlfdxvqnigaysqki.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
628	nlfdxvqnigaysqki.exe
628	nlfdxvqnigaysqki.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
628	nlfdxvqnigaysqki.exe
628	nlfdxvqnigaysqki.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
628	nlfdxvqnigaysqki.exe
628	nlfdxvqnigaysqki.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
628	nlfdxvqnigaysqki.exe
628	nlfdxvqnigaysqki.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
628	nlfdxvqnigaysqki.exe
628	nlfdxvqnigaysqki.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	i_yvqnigaysq.exe
Token: SeDebugPrivilege	2348	i_kfdxvpnifa.exe
Token: SeDebugPrivilege	3864	i_mkfcxvpnhf.exe
Token: SeDebugPrivilege	3604	i_khcausmkec.exe
Token: SeDebugPrivilege	5112	i_hbzurmkecw.exe
Token: SeDebugPrivilege	4976	i_ezwrojhbzt.exe
Token: SeDebugPrivilege	1208	i_dbwtomgeyw.exe
Token: SeDebugPrivilege	2664	i_bvtnlgdywq.exe
Token: SeDebugPrivilege	5052	i_ysqlidbvtn.exe
Token: SeDebugPrivilege	2252	i_vqnifaysqk.exe
Token: SeDebugPrivilege	2972	i_ausnkfdxvp.exe
Token: SeDebugPrivilege	3920	i_xvpnhfzxsp.exe
Token: SeDebugPrivilege	3644	i_xrpjhczusm.exe
Token: SeDebugPrivilege	4676	i_cwupezwrpj.exe
Token: SeDebugPrivilege	3924	i_ztrmjecwuo.exe
Token: SeDebugPrivilege	4648	i_trljdbvtol.exe
Token: SeDebugPrivilege	4040	i_qoigaytqlj.exe
Token: SeDebugPrivilege	3364	i_ysqlidavtn.exe
Token: SeDebugPrivilege	3124	i_ysqkidavtn.exe
Token: SeDebugPrivilege	1352	i_xsqkicausn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4700	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4700	iexplore.exe
4700	iexplore.exe
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 628	4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe	86
PID 4972 wrote to memory of 628	4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe	86
PID 4972 wrote to memory of 628	4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe	86
PID 4972 wrote to memory of 4700	4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe	87
PID 4972 wrote to memory of 4700	4972	3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe	87
PID 4700 wrote to memory of 1936	4700	iexplore.exe	88
PID 4700 wrote to memory of 1936	4700	iexplore.exe	88
PID 4700 wrote to memory of 1936	4700	iexplore.exe	88
PID 628 wrote to memory of 1224	628	nlfdxvqnigaysqki.exe	89
PID 628 wrote to memory of 1224	628	nlfdxvqnigaysqki.exe	89
PID 628 wrote to memory of 1224	628	nlfdxvqnigaysqki.exe	89
PID 1084 wrote to memory of 1116	1084	yvqnigaysq.exe	92
PID 1084 wrote to memory of 1116	1084	yvqnigaysq.exe	92
PID 1084 wrote to memory of 1116	1084	yvqnigaysq.exe	92
PID 628 wrote to memory of 5004	628	nlfdxvqnigaysqki.exe	95
PID 628 wrote to memory of 5004	628	nlfdxvqnigaysqki.exe	95
PID 628 wrote to memory of 5004	628	nlfdxvqnigaysqki.exe	95
PID 628 wrote to memory of 4188	628	nlfdxvqnigaysqki.exe	97
PID 628 wrote to memory of 4188	628	nlfdxvqnigaysqki.exe	97
PID 628 wrote to memory of 4188	628	nlfdxvqnigaysqki.exe	97
PID 2144 wrote to memory of 3892	2144	kfdxvpnifa.exe	99
PID 2144 wrote to memory of 3892	2144	kfdxvpnifa.exe	99
PID 2144 wrote to memory of 3892	2144	kfdxvpnifa.exe	99
PID 628 wrote to memory of 2992	628	nlfdxvqnigaysqki.exe	102
PID 628 wrote to memory of 2992	628	nlfdxvqnigaysqki.exe	102
PID 628 wrote to memory of 2992	628	nlfdxvqnigaysqki.exe	102
PID 628 wrote to memory of 1584	628	nlfdxvqnigaysqki.exe	104
PID 628 wrote to memory of 1584	628	nlfdxvqnigaysqki.exe	104
PID 628 wrote to memory of 1584	628	nlfdxvqnigaysqki.exe	104
PID 4144 wrote to memory of 3372	4144	mkfcxvpnhf.exe	106
PID 4144 wrote to memory of 3372	4144	mkfcxvpnhf.exe	106
PID 4144 wrote to memory of 3372	4144	mkfcxvpnhf.exe	106
PID 628 wrote to memory of 700	628	nlfdxvqnigaysqki.exe	109
PID 628 wrote to memory of 700	628	nlfdxvqnigaysqki.exe	109
PID 628 wrote to memory of 700	628	nlfdxvqnigaysqki.exe	109
PID 628 wrote to memory of 1824	628	nlfdxvqnigaysqki.exe	111
PID 628 wrote to memory of 1824	628	nlfdxvqnigaysqki.exe	111
PID 628 wrote to memory of 1824	628	nlfdxvqnigaysqki.exe	111
PID 1756 wrote to memory of 5040	1756	khcausmkec.exe	113
PID 1756 wrote to memory of 5040	1756	khcausmkec.exe	113
PID 1756 wrote to memory of 5040	1756	khcausmkec.exe	113
PID 628 wrote to memory of 4040	628	nlfdxvqnigaysqki.exe	118
PID 628 wrote to memory of 4040	628	nlfdxvqnigaysqki.exe	118
PID 628 wrote to memory of 4040	628	nlfdxvqnigaysqki.exe	118
PID 628 wrote to memory of 2096	628	nlfdxvqnigaysqki.exe	121
PID 628 wrote to memory of 2096	628	nlfdxvqnigaysqki.exe	121
PID 628 wrote to memory of 2096	628	nlfdxvqnigaysqki.exe	121
PID 1808 wrote to memory of 4484	1808	hbzurmkecw.exe	123
PID 1808 wrote to memory of 4484	1808	hbzurmkecw.exe	123
PID 1808 wrote to memory of 4484	1808	hbzurmkecw.exe	123
PID 628 wrote to memory of 3340	628	nlfdxvqnigaysqki.exe	126
PID 628 wrote to memory of 3340	628	nlfdxvqnigaysqki.exe	126
PID 628 wrote to memory of 3340	628	nlfdxvqnigaysqki.exe	126
PID 628 wrote to memory of 4488	628	nlfdxvqnigaysqki.exe	128
PID 628 wrote to memory of 4488	628	nlfdxvqnigaysqki.exe	128
PID 628 wrote to memory of 4488	628	nlfdxvqnigaysqki.exe	128
PID 2260 wrote to memory of 4332	2260	ezwrojhbzt.exe	130
PID 2260 wrote to memory of 4332	2260	ezwrojhbzt.exe	130
PID 2260 wrote to memory of 4332	2260	ezwrojhbzt.exe	130
PID 628 wrote to memory of 2136	628	nlfdxvqnigaysqki.exe	133
PID 628 wrote to memory of 2136	628	nlfdxvqnigaysqki.exe	133
PID 628 wrote to memory of 2136	628	nlfdxvqnigaysqki.exe	133
PID 628 wrote to memory of 5056	628	nlfdxvqnigaysqki.exe	135
PID 628 wrote to memory of 5056	628	nlfdxvqnigaysqki.exe	135

C:\Users\Admin\AppData\Local\Temp\3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d22ace956dc88fbdd82f947835613a0_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Temp\nlfdxvqnigaysqki.exe
  C:\Temp\nlfdxvqnigaysqki.exe run
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\yvqnigaysq.exe ups_run
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1224
  - - C:\Temp\yvqnigaysq.exe
      C:\Temp\yvqnigaysq.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1116
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4960
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_yvqnigaysq.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:5004
  - - C:\Temp\i_yvqnigaysq.exe
      C:\Temp\i_yvqnigaysq.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1640
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kfdxvpnifa.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4188
  - - C:\Temp\kfdxvpnifa.exe
      C:\Temp\kfdxvpnifa.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3892
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4520
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kfdxvpnifa.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2992
  - - C:\Temp\i_kfdxvpnifa.exe
      C:\Temp\i_kfdxvpnifa.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2348
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mkfcxvpnhf.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1584
  - - C:\Temp\mkfcxvpnhf.exe
      C:\Temp\mkfcxvpnhf.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3372
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4416
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mkfcxvpnhf.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:700
  - - C:\Temp\i_mkfcxvpnhf.exe
      C:\Temp\i_mkfcxvpnhf.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3864
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\khcausmkec.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1824
  - - C:\Temp\khcausmkec.exe
      C:\Temp\khcausmkec.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:5040
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2568
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_khcausmkec.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4040
  - - C:\Temp\i_khcausmkec.exe
      C:\Temp\i_khcausmkec.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3604
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hbzurmkecw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2096
  - - C:\Temp\hbzurmkecw.exe
      C:\Temp\hbzurmkecw.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4484
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2624
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hbzurmkecw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3340
  - - C:\Temp\i_hbzurmkecw.exe
      C:\Temp\i_hbzurmkecw.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5112
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ezwrojhbzt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4488
  - - C:\Temp\ezwrojhbzt.exe
      C:\Temp\ezwrojhbzt.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4332
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3920
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ezwrojhbzt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2136
  - - C:\Temp\i_ezwrojhbzt.exe
      C:\Temp\i_ezwrojhbzt.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4976
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dbwtomgeyw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:5056
  - - C:\Temp\dbwtomgeyw.exe
      C:\Temp\dbwtomgeyw.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2940
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3232
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1580
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dbwtomgeyw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1164
  - - C:\Temp\i_dbwtomgeyw.exe
      C:\Temp\i_dbwtomgeyw.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1208
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bvtnlgdywq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3632
  - - C:\Temp\bvtnlgdywq.exe
      C:\Temp\bvtnlgdywq.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:656
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2548
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4640
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bvtnlgdywq.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4808
  - - C:\Temp\i_bvtnlgdywq.exe
      C:\Temp\i_bvtnlgdywq.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2664
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ysqlidbvtn.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4988
  - - C:\Temp\ysqlidbvtn.exe
      C:\Temp\ysqlidbvtn.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3112
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4088
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1744
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ysqlidbvtn.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1568
  - - C:\Temp\i_ysqlidbvtn.exe
      C:\Temp\i_ysqlidbvtn.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5052
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vqnifaysqk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2824
  - - C:\Temp\vqnifaysqk.exe
      C:\Temp\vqnifaysqk.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4156
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1732
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1416
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vqnifaysqk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3772
  - - C:\Temp\i_vqnifaysqk.exe
      C:\Temp\i_vqnifaysqk.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2252
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ausnkfdxvp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4560
  - - C:\Temp\ausnkfdxvp.exe
      C:\Temp\ausnkfdxvp.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1344
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:536
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2648
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ausnkfdxvp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2468
  - - C:\Temp\i_ausnkfdxvp.exe
      C:\Temp\i_ausnkfdxvp.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2972
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xvpnhfzxsp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:5020
  - - C:\Temp\xvpnhfzxsp.exe
      C:\Temp\xvpnhfzxsp.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3932
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:5112
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4832
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xvpnhfzxsp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1296
  - - C:\Temp\i_xvpnhfzxsp.exe
      C:\Temp\i_xvpnhfzxsp.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3920
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpjhczusm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:736
  - - C:\Temp\xrpjhczusm.exe
      C:\Temp\xrpjhczusm.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4944
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1856
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2136
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpjhczusm.exe ups_ins
    3⤵
    PID:5000
  - - C:\Temp\i_xrpjhczusm.exe
      C:\Temp\i_xrpjhczusm.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3644
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\cwupezwrpj.exe ups_run
    3⤵
    PID:2940
  - - C:\Temp\cwupezwrpj.exe
      C:\Temp\cwupezwrpj.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4956
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4568
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1572
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_cwupezwrpj.exe ups_ins
    3⤵
    PID:1604
  - - C:\Temp\i_cwupezwrpj.exe
      C:\Temp\i_cwupezwrpj.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4676
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ztrmjecwuo.exe ups_run
    3⤵
    PID:1524
  - - C:\Temp\ztrmjecwuo.exe
      C:\Temp\ztrmjecwuo.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:704
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:656
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4640
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ztrmjecwuo.exe ups_ins
    3⤵
    PID:1120
  - - C:\Temp\i_ztrmjecwuo.exe
      C:\Temp\i_ztrmjecwuo.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3924
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\trljdbvtol.exe ups_run
    3⤵
    PID:996
  - - C:\Temp\trljdbvtol.exe
      C:\Temp\trljdbvtol.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:2312
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1688
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1940
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_trljdbvtol.exe ups_ins
    3⤵
    PID:2216
  - - C:\Temp\i_trljdbvtol.exe
      C:\Temp\i_trljdbvtol.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4648
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qoigaytqlj.exe ups_run
    3⤵
    PID:3056
  - - C:\Temp\qoigaytqlj.exe
      C:\Temp\qoigaytqlj.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:2008
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:5040
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4924
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qoigaytqlj.exe ups_ins
    3⤵
    PID:4452
  - - C:\Temp\i_qoigaytqlj.exe
      C:\Temp\i_qoigaytqlj.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4040
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ysqlidavtn.exe ups_run
    3⤵
    PID:1636
  - - C:\Temp\ysqlidavtn.exe
      C:\Temp\ysqlidavtn.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:3832
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1492
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1732
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ysqlidavtn.exe ups_ins
    3⤵
    PID:220
  - - C:\Temp\i_ysqlidavtn.exe
      C:\Temp\i_ysqlidavtn.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3364
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ysqkidavtn.exe ups_run
    3⤵
    PID:2892
  - - C:\Temp\ysqkidavtn.exe
      C:\Temp\ysqkidavtn.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:3484
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3732
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4052
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ysqkidavtn.exe ups_ins
    3⤵
    PID:3080
  - - C:\Temp\i_ysqkidavtn.exe
      C:\Temp\i_ysqkidavtn.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3124
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xsqkicausn.exe ups_run
    3⤵
    PID:452
  - - C:\Temp\xsqkicausn.exe
      C:\Temp\xsqkicausn.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:2096
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4120
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4508
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xsqkicausn.exe ups_ins
    3⤵
    PID:2360
  - - C:\Temp\i_xsqkicausn.exe
      C:\Temp\i_xsqkicausn.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1352
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4700 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2458b1f464562cb1b9e66328845f0132

SHA1
341cf33126013c6e9e3fc1b341c04e22ba0cbd58

SHA256
ee77abdcb330a0eeb8630243094f0da30f0569cace96c7d1b87b6f7e4505923c

SHA512
6951d13771613bac33f99d1d6b69d096feaca17f805b39f9cc3ac8d3acbff229a4a9024742d9f77ef4612a4d5d861516174354542bc51c41ce513f1be0940c57

Download Submit
C:\Temp\bvtnlgdywq.exe

Filesize
361KB

MD5
d79cd656803637129cc77c18f4e35280

SHA1
a57c607d4409f9772daabadbc2bc7faf48040010

SHA256
bba42efab95ab5f7bbf3e0f553e1a056a9cbd00fb0ce2082e8a3e362b1b4f695

SHA512
eb1178217cc36c4bc0515028f562f5bfb75480f26df2db9efdce137ed9df6e5e543f4bd98d7f0664a0a8e4065d5966287fec44a6ea462763f02aaa440448e4d8

Download Submit
C:\Temp\dbwtomgeyw.exe

Filesize
361KB

MD5
5f23f9a04cce1ed7d6c8df0ab0350297

SHA1
bb57b60c62e7c2650c8d254bda575bada8aefe44

SHA256
3d425cbc8c0705a0a03fdd3a5576ae400ea0a5da4fe586fc1da879dc8e26bf26

SHA512
3d0588f798eeea7666e20e1963885153fdd50266070cfd79da562676ded4af6364506f7c16adf366591f0c70996b6eb1dad4116587ef3fbf53ab7848f4701f3e

Download Submit
C:\Temp\ezwrojhbzt.exe

Filesize
361KB

MD5
86d38bf9427c9b7442d1d760f1dff01e

SHA1
1d9f569ed88aedbf00a5748c8e0c90514b22c53f

SHA256
c4f7a2600b6d4e413c322ea662bc1c9804079f803ac0d20a18f2756725e6464a

SHA512
208c09ca5d54b5a89a9aaf43beb3e0abeb369fabde46a7e33d6b2ea13be12ed09cfa46fb5182788cd419d876f802375cc15d74333f3f14ea8727afca930bddda

Download Submit
C:\Temp\hbzurmkecw.exe

Filesize
361KB

MD5
1944d0f716ba4655c4bb8c60678d340f

SHA1
e577aab472c8d41624025ce5b7d9ba1c4ae2ece9

SHA256
b918d13829a3a27bb3d9e2f5ac70a46bd278ed976473c30f9acc8acb2b5bcf1a

SHA512
e3fe54c2193e23088a9d71f3defd31cd85a51231e1617e5a4b8c899ef0e37d1494a6a395c26ea3c704b011d6a8665f8291c1e858fc800c157014dede0f146493

Download Submit
C:\Temp\i_bvtnlgdywq.exe

Filesize
361KB

MD5
65414a7b00b9b476f2204d9ec78613db

SHA1
9efee9a97a28df2ebf12fec4bf92867a938131de

SHA256
49f929b1bb40851b636bae6779fe6d8c8e5c4a1dc2a8db8e4152a32d0d36f7a1

SHA512
0a222c8230b8f8867b88d6cd3beaf8e7c856a1c8deea944649ecb0c5c41f1db12b92424b3ba20bc0677d8f7b58498b7aca0f02ede95ccf77767d25e7d3f13615

Download Submit
C:\Temp\i_dbwtomgeyw.exe

Filesize
361KB

MD5
c56104199bdbae5a2c535c88f86954df

SHA1
e9637b03454eb182c078209d6dd5609971bb8e0c

SHA256
08013671ea5395208f35ada37dc607684be22680f82c2c866067dd47be2cd2e1

SHA512
16e54f12f73035623e67ec16ea18f318d3524c4c2112da23213399a65aa34a8ffe88359f51723f0c7bcf7be3b6d55eb201b360e04b333504c8251db56e5f8138

Download Submit
C:\Temp\i_ezwrojhbzt.exe

Filesize
361KB

MD5
26de63d05c555a6afa04ff91e41439fc

SHA1
74259b3ba45458ccb8bf2456b4a2eeb9e6df8edb

SHA256
b02cd208fd9466c65b174213b2aed8453ac012637aae41a44cf9163a9f98980f

SHA512
fc403fd6f4f20f171505d1ecd34dfe2eb3878e7abcb3792a7f75b7b4781d3dd62ae5b7875b045a235a97e9717f589d10497f0f6452fc7e83c9144234fdcddf75

Download Submit
C:\Temp\i_hbzurmkecw.exe

Filesize
361KB

MD5
f3e47050e0f73dd8e2bbca04922200db

SHA1
9266703017358843bbee3a6578e91350eb69b070

SHA256
846552d8ec7afeb0aa3f4740942063fd8618161df7389287486b591d233aa72d

SHA512
99b0d74a27c730572df5176aae4f850f57b9d4d7e07a4738ae43adc12028b6bd03c405e4052f50f679da6f4aecfe365bdb46b2961c2450c0a1ea65575e1f738f

Download Submit
C:\Temp\i_kfdxvpnifa.exe

Filesize
361KB

MD5
a973c372be614fe3b62f4d5750ad4965

SHA1
5cf71af89c3161d0b9ed7170767f7cdb39e64a35

SHA256
bc84dfdd5ce626b22aae613b3ad701276b7fdc0f77dfa95926d2a6197baf8fec

SHA512
5bea789bfad11808c36071c80da3790d001f431b96903d894233463042da22b20455da4202ceef856776450dac395554e8d9995e86d86b583174f87679461571

Download Submit
C:\Temp\i_khcausmkec.exe

Filesize
361KB

MD5
078bcfc43224421933732ef242355dca

SHA1
0a4920aea770399db718ca0c31b5f71f232ad015

SHA256
5a11ea316343886e8f2c0a967277c2d5910eb201759c2a4a3180ff8e0bf0c8bc

SHA512
f05a58d8246aed0d5145aba02d0a9f0c92f99e3711ec6d35c16c872588711f263d4b34e868346586d4ce27115d6ac1a781cfab49f69da3319e59a39be3895545

Download Submit
C:\Temp\i_mkfcxvpnhf.exe

Filesize
361KB

MD5
835e6cb6983dbf37f721455f5fe7e987

SHA1
17f98fdf22d4e43e3cb0069940053bcb365dc6b5

SHA256
453ff54fec9acb757ddb4370300a61eae80238f01d8757908e9c0c09a7aa9992

SHA512
be1ce2152fb1a3bac77093ad0866a317082af493d6cf02c02846e06ee3d5949ac55b68bfd37a742e4b68e124602af2238d5471d93909ebe7bc2ae37ebb8ba214

Download Submit
C:\Temp\i_yvqnigaysq.exe

Filesize
361KB

MD5
eaa4758ef43dc43f066949df0925b962

SHA1
6981fccf4f9a618faf8f4d883b282659516b2958

SHA256
6a8ed9802c8f85e3d6cfb928b361a9e981c5aa7644beeb749c0446785fd6bc95

SHA512
013153c4ecbc5c41a16454d26112d62aed9b73e502f3747bf3e52fa5be8282b12be30149cc0c2071e1a5947449fcffca227f59e33426488200651de264d12a87

Download Submit
C:\Temp\kfdxvpnifa.exe

Filesize
361KB

MD5
2664864c9da5905c5d12b7bd965debf0

SHA1
eb7029573deecc623277825efb396139265b8859

SHA256
84974058cef09e17470734e394500897000a7493cff5e3c6b6b8ed60253ea243

SHA512
20d8072d1933f610f54ec8c6b73a2d43b7e5500cc58b8261ae71af6c844ed9da276bfb3e07dd4666f517cead56afbf9ec8fe94b08d87d8d3de574cc63e39a3d6

Download Submit
C:\Temp\khcausmkec.exe

Filesize
361KB

MD5
ecbc7f6a57db5d4c0370b1c6842613f6

SHA1
af184d4e2de9f304ab76511065f0236e9de53e2a

SHA256
85a0bf3fec48ed56698f20af5d8e1f850162a58b52ed05c5cb63bb5ce2d589ba

SHA512
5a29d1a77880464231665a87273b9d5e00a17d58993f24ce1a029f1e0d851b57110880fcb220800278bdee1d6f9dc4adf0afada4cca3c08b17308cef39fa0259

Download Submit
C:\Temp\mkfcxvpnhf.exe

Filesize
361KB

MD5
444fc5b1dbecc57de334205b69344a08

SHA1
d7aee1370caed8a928cc049c26aaecee3ce12c5d

SHA256
e0e8caf957d5e1ab0523a02f70ece1674c4e6835a04bf0a16b07a8c7084ff90c

SHA512
647bcb1ff886c837df668d17ee7cb99bbf1256a6a985650ecf56f7d5174bc6df24a6fafc7698241248d151eb0a54062fd65db130aa7b22a0c1013e5a9bee5e82

Download Submit
C:\Temp\nlfdxvqnigaysqki.exe

Filesize
361KB

MD5
fffb92c9990838fc6cce9dd359897c2f

SHA1
70fa7268a99477e37094b92070127432dd6fc76b

SHA256
b621f7a25073e889ee9f147ac4a3efff0bdf1278dbcfc241eb79291c06fecb57

SHA512
a972cb2874beb0bf710907144c9716354d6dfe1a553230b471c921a6f9b8db13880beb020aaade0cf0719e8194524259c67eb5f1d5e17cc715c5a760eb560a08

Download Submit
C:\Temp\ysqlidbvtn.exe

Filesize
361KB

MD5
8e7cb7bb1107df6916c95535cd3c036e

SHA1
01a208763c7363650ff13367ef584f0cf2ebef57

SHA256
20b65d1f85999d5a67931921e37b9c2c6b66cec8cdc215c70c41743b253cc65a

SHA512
1d23683520b4c8b0c2c6cfcd24f8af7beb4eafc3323f146e9073fde19f2566c4dfc706b5c202d6d2c60423ba40a4d744db65d2d87f69c5e4900ae11e4671aa4f

Download Submit
C:\Temp\yvqnigaysq.exe

Filesize
361KB

MD5
7d3a95a9b14c51dab99f0f3a7f5c60ac

SHA1
4a31bd3ac7f92a36d7cc557be47ab653cc95d271

SHA256
bb279b8bf12a0543d65c4aa9d24872668ad54705ecac86122320b5b8574d80e0

SHA512
977b879a22ad6bff56a8d3bcc11e70d4c0bd04da6bb89e70a5c49e2da282860eafac265f5f41c55189fc4be04a05ffdca2e3dba9df2a867974be6b21e523aeaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2621.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TRPPE7V2\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit