Analysis

  • max time kernel
    147s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    13/10/2024, 09:15

General

  • Target

    3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe

  • Size

    361KB

  • MD5

    3f03acbaca93bec975e9dea876673f95

  • SHA1

    4a1ed739535af0ea95614f60cafa612f101a7fff

  • SHA256

    ddd9978ef11edfacecf9ac57a86d4ec218bc24dad86f26d2c69c17ab5541d42d

  • SHA512

    147af7e191a775cb9cf3ea7cce7bab66954a92f654dae223ccff038fc75b59fd3ab0ce8c6619cfbf05826c6dc3e4e1e15481b4e3f1b5791c1d01688711104dd0

  • SSDEEP

    6144:+flfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:+flfAsiVGjSGecvX

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 62 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 20 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Temp\ecwupjhbzuomgeyt.exe
      C:\Temp\ecwupjhbzuomgeyt.exe run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\igaytnlfdy.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2864
        • C:\Temp\igaytnlfdy.exe
          C:\Temp\igaytnlfdy.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2264
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2664
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_igaytnlfdy.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2908
        • C:\Temp\i_igaytnlfdy.exe
          C:\Temp\i_igaytnlfdy.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2652
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ifaysmkfcx.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2956
        • C:\Temp\ifaysmkfcx.exe
          C:\Temp\ifaysmkfcx.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1568
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1560
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2204
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ifaysmkfcx.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2868
        • C:\Temp\i_ifaysmkfcx.exe
          C:\Temp\i_ifaysmkfcx.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2948
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\xsmkecxrpj.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:900
        • C:\Temp\xsmkecxrpj.exe
          C:\Temp\xsmkecxrpj.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1276
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2304
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_xsmkecxrpj.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:780
        • C:\Temp\i_xsmkecxrpj.exe
          C:\Temp\i_xsmkecxrpj.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1912
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\khcauomhez.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2152
        • C:\Temp\khcauomhez.exe
          C:\Temp\khcauomhez.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2436
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2348
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1600
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_khcauomhez.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1288
        • C:\Temp\i_khcauomhez.exe
          C:\Temp\i_khcauomhez.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1740
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\fzxrmjecwr.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2856
        • C:\Temp\fzxrmjecwr.exe
          C:\Temp\fzxrmjecwr.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2244
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1240
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2672
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_fzxrmjecwr.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2872
        • C:\Temp\i_fzxrmjecwr.exe
          C:\Temp\i_fzxrmjecwr.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2832
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\rojhbwtomg.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2680
        • C:\Temp\rojhbwtomg.exe
          C:\Temp\rojhbwtomg.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2648
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2192
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2888
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_rojhbwtomg.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1116
        • C:\Temp\i_rojhbwtomg.exe
          C:\Temp\i_rojhbwtomg.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2984
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\bytrlgdyvq.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2956
        • C:\Temp\bytrlgdyvq.exe
          C:\Temp\bytrlgdyvq.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2736
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2772
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2724
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_bytrlgdyvq.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2356
        • C:\Temp\i_bytrlgdyvq.exe
          C:\Temp\i_bytrlgdyvq.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2976
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\nlgdysqkid.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2456
        • C:\Temp\nlgdysqkid.exe
          C:\Temp\nlgdysqkid.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1452
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2428
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2116
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_nlgdysqkid.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1564
        • C:\Temp\i_nlgdysqkid.exe
          C:\Temp\i_nlgdysqkid.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:984
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\lfdyvqkica.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1188
        • C:\Temp\lfdyvqkica.exe
          C:\Temp\lfdyvqkica.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:332
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2380
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1088
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_lfdyvqkica.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1576
        • C:\Temp\i_lfdyvqkica.exe
          C:\Temp\i_lfdyvqkica.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2068
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ysqkfcxvpk.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2916
        • C:\Temp\ysqkfcxvpk.exe
          C:\Temp\ysqkfcxvpk.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2360
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2660
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1740
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ysqkfcxvpk.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1620
        • C:\Temp\i_ysqkfcxvpk.exe
          C:\Temp\i_ysqkfcxvpk.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2808
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\kicaupmhfz.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2748
        • C:\Temp\kicaupmhfz.exe
          C:\Temp\kicaupmhfz.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1932
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2652
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2752
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_kicaupmhfz.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2648
        • C:\Temp\i_kicaupmhfz.exe
          C:\Temp\i_kicaupmhfz.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2680
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\zurmkezwrp.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2100
        • C:\Temp\zurmkezwrp.exe
          C:\Temp\zurmkezwrp.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1560
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1676
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2452
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_zurmkezwrp.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2968
        • C:\Temp\i_zurmkezwrp.exe
          C:\Temp\i_zurmkezwrp.exe ups_ins
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2736
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\wupjhbzuom.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2880
        • C:\Temp\wupjhbzuom.exe
          C:\Temp\wupjhbzuom.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2384
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2696
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2236
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_wupjhbzuom.exe ups_ins
        3⤵
        PID:1452
        • C:\Temp\i_wupjhbzuom.exe
          C:\Temp\i_wupjhbzuom.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2456
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\mjeywrojdb.exe ups_run
        3⤵
        PID:3036
        • C:\Temp\mjeywrojdb.exe
          C:\Temp\mjeywrojdb.exe ups_run
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1444
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:1580
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2432
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_mjeywrojdb.exe ups_ins
        3⤵
        PID:1412
        • C:\Temp\i_mjeywrojdb.exe
          C:\Temp\i_mjeywrojdb.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1244
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\bztolgeysq.exe ups_run
        3⤵
        PID:2220
        • C:\Temp\bztolgeysq.exe
          C:\Temp\bztolgeysq.exe ups_run
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:832
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:1084
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1968
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_bztolgeysq.exe ups_ins
        3⤵
        PID:1296
        • C:\Temp\i_bztolgeysq.exe
          C:\Temp\i_bztolgeysq.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2344
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ytrlgdyvqk.exe ups_run
        3⤵
        PID:1472
        • C:\Temp\ytrlgdyvqk.exe
          C:\Temp\ytrlgdyvqk.exe ups_run
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1684
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:980
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1708
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ytrlgdyvqk.exe ups_ins
        3⤵
        PID:1724
        • C:\Temp\i_ytrlgdyvqk.exe
          C:\Temp\i_ytrlgdyvqk.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1704
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\oigaytnlfd.exe ups_run
        3⤵
        PID:1276
        • C:\Temp\oigaytnlfd.exe
          C:\Temp\oigaytnlfd.exe ups_run
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2732
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:908
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2364
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_oigaytnlfd.exe ups_ins
        3⤵
        PID:568
        • C:\Temp\i_oigaytnlfd.exe
          C:\Temp\i_oigaytnlfd.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2472
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\dxvqnicaus.exe ups_run
        3⤵
        PID:1948
        • C:\Temp\dxvqnicaus.exe
          C:\Temp\dxvqnicaus.exe ups_run
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1800
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:1804
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2436
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_dxvqnicaus.exe ups_ins
        3⤵
        PID:1588
        • C:\Temp\i_dxvqnicaus.exe
          C:\Temp\i_dxvqnicaus.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:992
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\snkfcxrpkh.exe ups_run
        3⤵
        PID:1572
        • C:\Temp\snkfcxrpkh.exe
          C:\Temp\snkfcxrpkh.exe ups_run
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1288
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2248
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:448
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_snkfcxrpkh.exe ups_ins
        3⤵
        PID:2720
        • C:\Temp\i_snkfcxrpkh.exe
          C:\Temp\i_snkfcxrpkh.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1756
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\pnhfzusmke.exe ups_run
        3⤵
        PID:2852
        • C:\Temp\pnhfzusmke.exe
          C:\Temp\pnhfzusmke.exe ups_run
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2996
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2916
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2920
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_pnhfzusmke.exe ups_ins
        3⤵
        PID:2816
        • C:\Temp\i_pnhfzusmke.exe
          C:\Temp\i_pnhfzusmke.exe ups_ins
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2668
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1624 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Temp\bytrlgdyvq.exe

    Filesize

    361KB

    MD5

    e21cc52a0bc6536d3b845627732aedf4

    SHA1

    d7299740d514ce85c4d3682a4eab251e0e7286fd

    SHA256

    d944f81731a31ba26c6b0dfb764ff8352221a937d4c1c68c00201f72aa1778be

    SHA512

    b85391e425da59bba5982eb63c50f2ff7ccc64ab01d22c253a74150dca6a665c69a87767e328e1f9590a024e9743db1573626f3af64fd746e737ead57fff7cd4

  • C:\Temp\fzxrmjecwr.exe

    Filesize

    361KB

    MD5

    d20254d2bdb8621b3218c0d2fdf7089a

    SHA1

    676c5f5f91f780e6b368e2f2ef1dce93677fcadc

    SHA256

    132455b539df5ce2f049e062f80a05250cf9226c2bd0d4d26a0383368e29612a

    SHA512

    28e3e0b0253ce0b945d91eca41339f42611993fea96621bb0b0a19b7b549aee001c4f3bf693fc9ccacde35e0d36dcbdb218096b77f3732a763152e962de81f94

  • C:\Temp\i_bytrlgdyvq.exe

    Filesize

    361KB

    MD5

    4f9b6bf26b524a4c736095a567778c80

    SHA1

    d801803a66cc2f3ab9bfc1e9c3ed305afe131580

    SHA256

    5e36fb6380e4c4f4281384f2193bbf07ccf413c7bef8cf5ceaf213405887ef7d

    SHA512

    a366bc95ea2cd5109b5557b5f4e2a81571b74ea59c47dabb6f229c7c84052c639c2cb8a16b970e18b0b2e7305d9dcc5646fe42297b43f2ece592e18f7dcaeec2

  • C:\Temp\i_fzxrmjecwr.exe

    Filesize

    361KB

    MD5

    b0dede7ca4b2b38674160e9d9d35d343

    SHA1

    49f36e41133c87943e20129448ad026b02d582e1

    SHA256

    518fbcf342f267489b67fb907a635796e93d8e8e940ee70acf534d41054a3ef6

    SHA512

    b681d5e03de7e3e3ebcd117bc323814585eebde9703977093f5475b871158e6c4ad584d53225542e3eee21d342694521619fcf92a19a5043b4889cc2d4150bc3

  • C:\Temp\i_ifaysmkfcx.exe

    Filesize

                                                      361KB

                                                      MD5

                                                      a7c0e52cfe8e4bd433ce839cf1a6de0c

                                                      SHA1

                                                      5f8240a40c5687a9570e7c1b963a3da9725839b0

                                                      SHA256

                                                      c1d1395e124c8ad7a530782a8a9b23d2c83ab10c196096fdd528d0d93bb407fc

                                                      SHA512

                                                      382f46e64a16694d769f9415afcc0eee680383f06e39d26e7b570b42edbbcfb784f645d64af2d0b3dcc6a08a7b9d2ec413091a8b82d07c4517e92c245c9f1580

                                                    • C:\Temp\i_igaytnlfdy.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      6a954c44107377afab952859e2a6cb2c

                                                      SHA1

                                                      0d578ef8e3ed025846cd02a5d0c6e45b1104f0ac

                                                      SHA256

                                                      2d857d0cd908eebba05c6446c3d3ac4336863e97440a47a4d7fef80bd117a2f9

                                                      SHA512

                                                      6f6879fc233d3acf4f769423a6481b3da29ca2e93dbbe597e5152cb185a49b261f92f1594170f188fa232db4a4ab85dd4f6833b67fa7ca5d145843f833bbae3c

                                                    • C:\Temp\i_khcauomhez.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      93abdaa54718f520db5e8fb6a172b0c4

                                                      SHA1

                                                      631c9935c7f819357ce6060935d36b6e0ac0103f

                                                      SHA256

                                                      036c7a8d496e157a7da38320c3ed0dbe344a9f6ff182411507561b3c3a76d46b

                                                      SHA512

                                                      51d74f016788568329da1742b18ce036e280eecf296b4b26bf526d949399f2cbf994bdab2e5b8abb9b0c0c4ceb9243a4769d56af9f04caa46f553ba319aa3535

                                                    • C:\Temp\i_rojhbwtomg.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      07395a1aa12e2478b2f3312a94a4e060

                                                      SHA1

                                                      21377041bba2177765e2369e1f6d0156b6044500

                                                      SHA256

                                                      2d5d95e72776ea8956152730c95d2cc9adea17edf775c3948e9921d7765217aa

                                                      SHA512

                                                      a1c7a4197a9a734a2bf13c38b2f1801349bfb492e8f6f95b1d5c08f9797734e2ca80f8b5a2eb7f8731d3271cb3bc987e598e6e1f6bcc8041c302e905a42841eb

                                                    • C:\Temp\i_xsmkecxrpj.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      95672342871b55605af51e6fa6abb3eb

                                                      SHA1

                                                      02f4a1d06adc296eb2b1fcf5fad382a30343d924

                                                      SHA256

                                                      6e3476b187538235b23bb1d2dee7d63b611733925cf979c037934ed1d2cc3851

                                                      SHA512

                                                      d8be53006d816f9ef2d12ef0e109891e3318575157ce7ba3a051d794cf644c730a61b2ee876dcebaa9220becc6a71752c9b4aac7717fb3efca0a83b64c3ad68e

                                                    • C:\Temp\ifaysmkfcx.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      94d0d5bebc93f4cef18b29bec0b63620

                                                      SHA1

                                                      31e7ebfc5a45dca09bd2dd565fede7cdf3474f3d

                                                      SHA256

                                                      7636950ce2436468a11cbdcc337b15eef8379901da31fb4bf6cb0d1b0e8a53f8

                                                      SHA512

                                                      fb17aed49af71640891d0c5f2139eeee20476786cfd808b270a1c4f11b39a81d043c5cc119705976318eb292709b5119a37d6d376ca5211085b61c44bf556779

                                                    • C:\Temp\igaytnlfdy.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      84a5a042c2b5dfefd4c7ea218d3dfe23

                                                      SHA1

                                                      f029972b11ea1796b3ff8f1a9a0ed5ac5653cf0a

                                                      SHA256

                                                      e77dfaab8813c48d80028745991e03030d5fe413faf96f4de27e5fffc64fdab9

                                                      SHA512

                                                      e91e44ad89537e3954536918b5a0c6181ed08691adf20b6ab6cab5428eeaf4c0a18a91cfb9dc21c753ec096e981c90389244c4152bc204ce791f7abf34193e4e

                                                    • C:\Temp\khcauomhez.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      53012e6a5175c05fd42584c7eff7f80e

                                                      SHA1

                                                      008b8322de2d62051c6e92eda2781ee586fe5a02

                                                      SHA256

                                                      1bc09c3b00703e96325bf9692c79efbfc6f8544960f15dc248871535df99ec6d

                                                      SHA512

                                                      f4dc05728801b7c13b1084a2ad65594b0be56568642e30a7bdad07dbc2f80858cdd2f005b244408528c8e01c1a30f713663c8558fdebecb390d26b92f409663a

                                                    • C:\Temp\nlgdysqkid.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      cdac6df0941ec8523c7235a7e3a974f8

                                                      SHA1

                                                      fa3e69e914d56098f504cbfe12c802af0d6ee667

                                                      SHA256

                                                      16ae59f555a56ddee3f4727ec2c2945ed35d578c90a5bea51795fb9f6c2cba64

                                                      SHA512

                                                      6c62fb04a891fa5e37e484f57b96e3edb0d6b97e168a3529157ffdaae8bc5326c32045a2bdcb65169536b29df8db1a1d2a2a429475cd65665994dbd17f506f57

                                                    • C:\Temp\rojhbwtomg.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      5d34a1ccb5e8607faffa0f1febfa80de

                                                      SHA1

                                                      aaddc020dbb255a91d28a1118db4f203dc3ff417

                                                      SHA256

                                                      c5ccf205806a8c5dd0ed145d1f5681b8b4c61830bffb898d3305271ea1cd4c5f

                                                      SHA512

                                                      ff8951d83cac8ec69bef0ed0b790561a73e13775d59571fec3bd6cd5262eee6b7c5439ad148bfbd535b339f6dabcbfdcb8040a5208acfabeb1095bb1663dbd42

                                                    • C:\Temp\xsmkecxrpj.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      b2818afc3778ca32ae24c4c249f384fb

                                                      SHA1

                                                      e292636384ce4df69eb16d4c4a122106f41a7ecf

                                                      SHA256

                                                      bf688f3db9db6050049d0c05651b93f06d73b2da68dd6b553dfa77bcaff42369

                                                      SHA512

                                                      9f217f72a1f0f53e19e13cfa0918201aa37c823a0fb308d2d784fe1d3a2494c55e1426aa0e2e6c29e4a7ff475573c43764942ac09a54d01d39b81a0c675a6e41

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      0236e0a6fc872e8a4bbbf12c7d550921

                                                      SHA1

                                                      38e3e462f1e3d5785c939d2abc5098061a4e3728

                                                      SHA256

                                                      e5fd29de61649f5821b97c78fd8291e58a826c9ff50a7e2374b4662ca5f8a2b0

                                                      SHA512

                                                      97aa97b7b2627373e4c2fdad3b5a4bb8c1c3e0286219adbb0b47b1609f932b11a0ac9972693d9d9256b34296343deb7369d1c3aab25768d577b1a86ac0ab7631

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      b24f3b9043bf391451ff35751c8c9f8e

                                                      SHA1

                                                      76bdb237ef4f84a6beef36cda3cb0df5d1c467d3

                                                      SHA256

                                                      6c2b1802bfe58e764ae44157483f090a03c55422f6ac11e3981c3438e6e971a8

                                                      SHA512

                                                      4dbd5379679ecfd9f487d25c311ab44362a84b9634b09fff871f1497dd9aab9c6416c5fc5a103c07acf8ba54c09c43f050267d1a47e3104c35d01b9f3c3b29b7

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      9fe5728b0baf63faa091feaa84a6df49

                                                      SHA1

                                                      1bc9bfc560a59e155241b5ebd7a1674fd3622afd

                                                      SHA256

                                                      1ca6b91001e014c5476f76436ad59a85236b0aba69612f2972487f3f82cc36e4

                                                      SHA512

                                                      7b62bba30013a3b68f31e9f31ec76c981cb0c1a34c025a70dc600485a43c8fd817bacdac4390ae0e1214994104c1b2c2c1f61abefaccc33d3737d1ab37b8dd6c

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      3c34f2552706afff384866d3ec617d49

                                                      SHA1

                                                      7e98211cb0cfa59f1088dcd11d76ad1e37080b1b

                                                      SHA256

                                                      01278d0b8a31267ee5df56a9dab9ff3eb42767bdf25b2e3844990a174346b22b

                                                      SHA512

                                                      2a530a026418c6a5e62444f2da502303cca63d90d1de8b33cc7973dd5af0db8e398996d8361136445fb42f6672938e753d7d804fd84a6177ae94fd2d053a66a4

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      909e22919a5a25b4fbbe6c4f1cdf10fa

                                                      SHA1

                                                      7768e2af09dcbfa86c3041c45200cb5238f70220

                                                      SHA256

                                                      cda84895821fb585ca493b8121623ece1be889eeef5b124bdda99b6e976f7dc5

                                                      SHA512

                                                      caeabb3ef69bf3ce36f1460d7198cf88d842b18dff0b938644ab9d6674ed72e25a6bd3257247b7d51a62814b74aae0a24eea17963038c88b43e1529c0f0c39e8

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      f68f5186ad70c5c87603890c692e6802

                                                      SHA1

                                                      f0e50f3931632be9e17dc2366292b9cd1de09726

                                                      SHA256

                                                      6ebbb2d6e51730fc81ed6edd1fc37dd82339af190105af443d891e15856634b3

                                                      SHA512

                                                      a8ea76528867eb14e01c7c6afa71a7ed5766ef27d96d35ecb2272c88ac214b5414b5687b6f436cdf59cf8542346c5da204a75eec96d21fcd55f697c44ff1b2b5

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      7b1b38bf0669d8c51a382a1eaea7fd18

                                                      SHA1

                                                      6d64ef8e8a85da3a4f392a6578288e9757ed2456

                                                      SHA256

                                                      a750be5328b95880f216acd57376d2e7110fd51d6f352ea1d0414995eab2bc68

                                                      SHA512

                                                      b5e85ae91a6e0f422f9f061a243cdf1c98bbf93f3a1adbadaab4a12ee388175c0ee2113058484d16b6ed608c854606900bba799124e66bca6fc7153df0c250b9

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      74a7a61028abb7e98b239aa3dc78aee4

                                                      SHA1

                                                      f7ac0db65c8f3b861bbf9ba8951726fbc6c6f8f3

                                                      SHA256

                                                      58435791c32f51317ebccb3cd0d91243061e31091129a7c7230278b43cf70a97

                                                      SHA512

                                                      a4af5324bd6106d9887e24b5bb658a37821872bc3d8d7f512043a385293cb3ed2632d433c082bb3cf503e1b3429fe3262f51618b5118e002aba9ba36ec7c7ec9

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      f81ec68169851e4ad704b6373f4ab087

                                                      SHA1

                                                      826ae100fb78f277160076328b80946e9a073c04

                                                      SHA256

                                                      fb7947ad1fd287c6b33022d05c6b5103ee6d6ad5c01054af306c7e01c06b0648

                                                      SHA512

                                                      dd98393ffcbdaa2c3c04c5a5c78a22ea73508f1e05858ac143c54814a86e2f6e346918177920ad4bc65bdf0bb1703e678be2f5316cfbf7ce16fa8bc880ea809d

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      b7e0b4d86fd1fc5d048a4a4f871f711f

                                                      SHA1

                                                      a96a89df1cd0e880e76a34d4a89e35bacff51ae1

                                                      SHA256

                                                      f49b2175d7f4b6e281dc62317526d0fa9eec424b8d5da708c5c550cf45f846e5

                                                      SHA512

                                                      6ade1914820c5fc4e53ad32fe980478a51b36de9cf22b623257e00963d14b1d32272e2b85c4417c8122ebd57dbc6ccc26b70a93ced62fdc915a26bb7e4343d9d

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      4f178ba33738ac89c5a4fe30467c8b24

                                                      SHA1

                                                      6acc00e6b0ad5a4d9050a37b95b5bfb8aa84f891

                                                      SHA256

                                                      232572123f4185bd262cb8cff4322713ac666884337d893a99953c37374464ca

                                                      SHA512

                                                      f5ef0d0bbc9f619dcfab01e09bf2148b17181b8e88fb10a056d8fe99eb6dbe47fd8d92c6aff1712dc92da46dd3ec40432e06c47916803cfac6bf03e97942f6d2

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      66db018413b2c5732bc526d99f5de006

                                                      SHA1

                                                      65b9061ae780d162d1e5c10e0e59bbc0ffab8d7f

                                                      SHA256

                                                      00e398bcd8a7b84edd0d92544a4203ffa841b5247627c71409311051376d7bc5

                                                      SHA512

                                                      334ec5f8f533eb7473194d9da2ef09f107295e9d1798c9d87696bd0126dd5bf474e1028a6b92a0e1799fbcc56a8ca5b315d1e67f1239ad2ac00ffc0029720081

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      0b1e45e863a12e42d4cbc0c7892b14a0

                                                      SHA1

                                                      f62f1aa2b9f83f8aae86d0c57b62953c6b6d6522

                                                      SHA256

                                                      2268fef95df43e6a6af22623bd2b8c898685a85a6f47eebe950fb530150e19c1

                                                      SHA512

                                                      221bb2a77a9582018745889127dd78f06b4d4c6b9d2d1af4f1db374e0991028bca1f9b833e93df49c1d18cf431b1631d2a31be19549ef94193db6429614a3729

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      6d26095b7514383de35cecb207acc65d

                                                      SHA1

                                                      b5f384197bd2c3e3b79a8dd97fc3750efede5153

                                                      SHA256

                                                      1a79cc5df32f7df2ff979d0dacab7e66404676e01eff176b4845b056c7eab8fb

                                                      SHA512

                                                      5863f1f52a105ecda166a67d09471ab19fbe89c97b4ccebed72f4bc96d0ddc2cdc363dc8037c3125e4578a8f9d767a98162d16e981a5ac15815297bf251ccca2

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      9f13abda233325f4b77ace032fe23da6

                                                      SHA1

                                                      d0ebdf2ee259b83f3f6013af60be293305a526bb

                                                      SHA256

                                                      8e09e80e849b9c390f508523a5803f02cf6cce0c7e7cc685f6e59325079350ac

                                                      SHA512

                                                      dab2c5a0450416b3e171fa2975b2a4820daeaaba1db1982255702fe842f34320a4f70ae6932caf6352bde64fd27a65c63ab4cf7c88ccc11de11d53cfb1b2f4b0

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      4e51acc6810b20c31d11d0fe35943253

                                                      SHA1

                                                      539902c5e2222de730f479e69a7c9e6ecd944636

                                                      SHA256

                                                      038cc26700465a757430a569faf325ffae14e53ae3b3c289f3522488ba0055c2

                                                      SHA512

                                                      67a55191dd50355868677ded8edbc4bbda360c352d07e0295938a2ac244912758435a274d06be18d6c4111272bee85f82317c6e8c9a293b128a61076e38dbc9f

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      c90069fbdf4b7ac59e1216e524ed9eb6

                                                      SHA1

                                                      66d9eb01fb17a3c643078705c4b1ea13f9ce0979

                                                      SHA256

                                                      4020bb93442efc487bcdc6882473e3c140018feb18aa746d1d7161001fae5558

                                                      SHA512

                                                      3452d4463216e30af09eb3939a76573bc62467a5e5728115071259ab9c189a9954c3fc4aa0f5bc20a5b516866bbbf13be8ab1ee8fdbaae2063c8b041d2646331

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      34d3a81056b3eb15480aebacce924ecc

                                                      SHA1

                                                      268221166c1773cc684186991b03008e99436a1a

                                                      SHA256

  5fa852e0ece93ee2579ca5fb70cab6f185eab9d0731835f2d2bc48ce1bc15f88
  SHA512
  3fa3902c0853990ed37a6b6cd4591567449792a64518e4e272fc8359de149c3ee16b5fa11cb5a8382af0cb323e1b1aa73c5dbdab6c4170a81a18d1a6444c7fab

• C:\Users\Admin\AppData\Local\Temp\CabBEFD.tmp
  Filesize
  70KB
  MD5
  49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1
  1723be06719828dda65ad804298d0431f6aff976
  SHA256
  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512
  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\TarBF4F.tmp
  Filesize
  181KB
  MD5
  4ea6026cf93ec6338144661bf1202cd1
  SHA1
  a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256
  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512
  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• \Temp\CreateProcess.exe
  Filesize
  3KB
  MD5
  e7e9298cf7b44209f020f05009f20432
  SHA1
  772bd3116808d11bea30c77bbe336f8cf7ad5b9c
  SHA256
  a010478021d31ad737dd8cdf0567dddb350f8959aef3c2f43f9b089dbdb61a8a
  SHA512
  805b7efe89b724188c66b809ee35f92e15e37575d41d8cc2e5cdd1699dee600c8110cceb4864a9a19f968753da429a1ae01969b455686900a36b8091d92413e2

• \Temp\ecwupjhbzuomgeyt.exe
  Filesize
  361KB
  MD5
  f314c3f8921698d0b814dd50ed67d1ab
  SHA1
  ae38fcf1abb3465159951d104cdf1bd98e3cfa02
  SHA256
  aa48fd0d30eb322b512caad3f5b8b98337578f30290024bb996df84bc7c589ea
  SHA512
  273cc3f680d04a089eefbc911f9abc06c31b0c65f8db7616420cd82688a5af22c4557d8a2a11a6f4fc3ddb70421e099fe422acfb0a500ed671270237c86da5f7
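The dropped-file inventory above is only useful as indicators once it is parsed into records and the digests are sanity-checked. The Python below is an added example, not part of the sandbox report or of the sample it describes: it parses two entries copied from the list above (embedded as a constructed excerpt, in the report's own label-then-value layout and also tolerating "Label value" on one line), flags any digest that is not the expected hex length, and matches the MD5/SHA-1/SHA-256/SHA-512 of a local file's bytes against the parsed entries. The names `DroppedFile`, `parse_dropped_files`, `malformed_digests`, `record_for` and `match_blob` are the example's own.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed input: two entries copied from the sandbox report's dropped-file
# listing above, in the same "Label / value" layout the report prints.
REPORT_EXCERPT = r"""
• \Temp\CreateProcess.exe
  Filesize
  3KB
  MD5
  e7e9298cf7b44209f020f05009f20432
  SHA1
  772bd3116808d11bea30c77bbe336f8cf7ad5b9c
  SHA256
  a010478021d31ad737dd8cdf0567dddb350f8959aef3c2f43f9b089dbdb61a8a
  SHA512
  805b7efe89b724188c66b809ee35f92e15e37575d41d8cc2e5cdd1699dee600c8110cceb4864a9a19f968753da429a1ae01969b455686900a36b8091d92413e2
• \Temp\ecwupjhbzuomgeyt.exe
  Filesize
  361KB
  MD5
  f314c3f8921698d0b814dd50ed67d1ab
  SHA1
  ae38fcf1abb3465159951d104cdf1bd98e3cfa02
  SHA256
  aa48fd0d30eb322b512caad3f5b8b98337578f30290024bb996df84bc7c589ea
  SHA512
  273cc3f680d04a089eefbc911f9abc06c31b0c65f8db7616420cd82688a5af22c4557d8a2a11a6f4fc3ddb70421e099fe422acfb0a500ed671270237c86da5f7
"""

# Report label -> record attribute, and the hex length each digest must have.
LABELS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


@dataclass
class DroppedFile:
    path: str
    size: str = ""
    md5: str = ""
    sha1: str = ""
    sha256: str = ""
    sha512: str = ""


def _norm(attr: str, value: str) -> str:
    value = value.strip()
    return value if attr == "size" else value.lower()  # hex compares case-insensitively


def parse_dropped_files(text: str) -> list[DroppedFile]:
    """Parse the report's bullet list: a label on its own line followed by its
    value on the next non-empty line, or "Label value" collapsed onto one line."""
    records: list[DroppedFile] = []
    pending = None  # attribute whose value is expected on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            records.append(DroppedFile(path=line[1:].strip()))
            pending = None
            continue
        head, _, rest = line.partition(" ")
        if line in LABELS:
            pending = LABELS[line]
        elif head in LABELS and rest.strip() and records:
            setattr(records[-1], LABELS[head], _norm(LABELS[head], rest))
        elif pending and records:
            setattr(records[-1], pending, _norm(pending, line))
            pending = None
    return records


def malformed_digests(records: list[DroppedFile]) -> list[tuple[str, str]]:
    """(path, algorithm) for every digest of the wrong length or non-hex,
    which catches truncated or line-wrapped hashes before they become IOCs."""
    bad = []
    for r in records:
        for algo, n in HEX_LEN.items():
            v = getattr(r, algo)
            if v and not re.fullmatch(rf"[0-9a-f]{{{n}}}", v):
                bad.append((r.path, algo))
    return bad


def digests(data: bytes) -> dict[str, str]:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HEX_LEN}


def record_for(path: str, data: bytes) -> DroppedFile:
    """Build a record from raw bytes, e.g. a file recovered from a host."""
    return DroppedFile(path=path, size=f"{len(data)}B", **digests(data))


def match_blob(data: bytes, records: list[DroppedFile]) -> list[str]:
    """Paths of entries whose recorded digests all equal those of `data`;
    every algorithm the entry lists must agree, so MD5 alone never matches."""
    d = digests(data)
    hits = []
    for r in records:
        known = {k: getattr(r, k) for k in HEX_LEN if getattr(r, k)}
        if known and all(d[k] == v for k, v in known.items()):
            hits.append(r.path)
    return hits


if __name__ == "__main__":
    recs = parse_dropped_files(REPORT_EXCERPT)
    print(len(recs), "entries; malformed:", malformed_digests(recs))
    print("stand-in matches:", match_blob(b"MZ constructed stand-in", recs))
```

Requiring every digest the report lists to agree, rather than matching on MD5 alone, costs nothing here and avoids false positives from MD5 collisions; the length check matters because report pages routinely wrap or truncate the 128-character SHA-512 column when copied.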
