ddd9978ef11edfacecf9ac57a86d4ec218bc24dad86f26d2c69c17ab5541d42d

Analysis

max time kernel
149s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 09:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
Size

361KB
MD5

3f03acbaca93bec975e9dea876673f95
SHA1

4a1ed739535af0ea95614f60cafa612f101a7fff
SHA256

ddd9978ef11edfacecf9ac57a86d4ec218bc24dad86f26d2c69c17ab5541d42d
SHA512

147af7e191a775cb9cf3ea7cce7bab66954a92f654dae223ccff038fc75b59fd3ab0ce8c6619cfbf05826c6dc3e4e1e15481b4e3f1b5791c1d01688711104dd0
SSDEEP

6144:+flfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:+flfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1468	dbvtnlfdyvqoigay.exe
3480	CreateProcess.exe
4296	nlfdyvqnig.exe
1812	CreateProcess.exe
2684	CreateProcess.exe
2480	i_nlfdyvqnig.exe
628	CreateProcess.exe
3448	usnlfdxvpn.exe
1116	CreateProcess.exe
2164	CreateProcess.exe
4020	i_usnlfdxvpn.exe
2268	CreateProcess.exe
4056	ausmkfcxvp.exe
2296	CreateProcess.exe
3280	CreateProcess.exe
1456	i_ausmkfcxvp.exe
4964	CreateProcess.exe
4704	xrpkhcausm.exe
4304	CreateProcess.exe
3428	CreateProcess.exe
504	i_xrpkhcausm.exe
3832	CreateProcess.exe
4088	rmjecwuomh.exe
2312	CreateProcess.exe
1780	CreateProcess.exe
3936	i_rmjecwuomh.exe
908	CreateProcess.exe
1520	ljebwuomge.exe
3768	CreateProcess.exe
1296	CreateProcess.exe
1592	i_ljebwuomge.exe
3800	CreateProcess.exe
728	rljdbwtomg.exe
3108	CreateProcess.exe
1364	CreateProcess.exe
3532	i_rljdbwtomg.exe
4664	CreateProcess.exe
4364	lgeywqoigb.exe
2984	CreateProcess.exe
2724	CreateProcess.exe
2740	i_lgeywqoigb.exe
4940	CreateProcess.exe
912	jdyvqoigay.exe
4660	CreateProcess.exe
3600	CreateProcess.exe
1000	i_jdyvqoigay.exe
504	CreateProcess.exe
3428	davtnlfdxv.exe
4644	CreateProcess.exe
4584	CreateProcess.exe
3104	i_davtnlfdxv.exe
744	CreateProcess.exe
4516	kfdxvpnifa.exe
1388	CreateProcess.exe
4088	CreateProcess.exe
4656	i_kfdxvpnifa.exe
1984	CreateProcess.exe
4460	hcausmkecx.exe
1504	CreateProcess.exe
376	CreateProcess.exe
4296	i_hcausmkecx.exe
3244	CreateProcess.exe
1588	ecwupmhfzx.exe
4588	CreateProcess.exe

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_nlfdyvqnig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ljebwuomge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_jhbzurmbwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kfdxvpnifa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_nhfaxsqkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlfdyvqnig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_xrpkhcausm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lgeywqoigb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_jgbztrljeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_nigaysqlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ausmkfcxvp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_jdyvqoigay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_jhbztrmjec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_hcausmkecx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhbzurmbwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nigaysqlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rljdbwtomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_rljdbwtomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_davtnlfdxv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_kfdxvpnifa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_gdywqoigay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_nifaysqkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CreateProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	davtnlfdxv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgbztrljeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ausmkfcxvp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_rmjecwuomh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdyvqoigay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljebwuomge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_lgeywqoigb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hcausmkecx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhbztrmjec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdywqoigay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usnlfdxvpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_usnlfdxvpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrpkhcausm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ecwupmhfzx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nifaysqkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhfaxsqkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbvtnlfdyvqoigay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmjecwuomh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecwupmhfzx.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2196	ipconfig.exe
5084	ipconfig.exe
2480	ipconfig.exe
3084	ipconfig.exe
4496	ipconfig.exe
2456	ipconfig.exe
2184	ipconfig.exe
1496	ipconfig.exe
5048	ipconfig.exe
4336	ipconfig.exe
4804	ipconfig.exe
4548	ipconfig.exe
4336	ipconfig.exe
2288	ipconfig.exe
2368	ipconfig.exe
2884	ipconfig.exe
4704	ipconfig.exe
4320	ipconfig.exe
1428	ipconfig.exe
1968	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435575882"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2017749626"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e390000000002000000000010660000000100002000000059801c1fdebea9a611f7efa004b1c0cb2d38fda729f5f62721c89b38e0e9a939000000000e800000000200002000000069b3eedf7d5a54ad0537365303794a71b4c2c4a3331a6565b3efe0b935694a6f200000000421ed1c8032742c47d0f0e856d453c7d49e275ff566c6f966a3f5d47b4cb74340000000db562fe150f210ce632ea90e9500fd18cd89a74dd579c4f2ea254bd4dd77b15c90bfe0399e47c5d07c4f006cdb3a46bb93db3e0e20dd40fed6222c6132d5b0e5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e390000000002000000000010660000000100002000000071869385e80ca338328e02f0a76fbfe636fc54ad8a44237640626c453ab0647c000000000e8000000002000020000000735e20365a78fb391a9bb21aeabf71a4b207c79002d4d06708490d25f1c8dc7420000000375714356187f566377fc4d832315976cde3cfe1a72231c8b3a7ab90004e380c40000000881aaa162681baab84da87816b98618155f43755160b6894899cb56e8764acd67c69fb1b8c1cd2c9ae313f2dea2eb79a9b564fe3b8c5f3c3120fbc2b927bf973	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31137104"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e49e78501ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137104"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137104"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A3AB2D73-8943-11EF-ADF2-6AACA39217E0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2014311613"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 002a9a78501ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2014311613"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
1468	dbvtnlfdyvqoigay.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	i_nlfdyvqnig.exe
Token: SeDebugPrivilege	4020	i_usnlfdxvpn.exe
Token: SeDebugPrivilege	1456	i_ausmkfcxvp.exe
Token: SeDebugPrivilege	504	i_xrpkhcausm.exe
Token: SeDebugPrivilege	3936	i_rmjecwuomh.exe
Token: SeDebugPrivilege	1592	i_ljebwuomge.exe
Token: SeDebugPrivilege	3532	i_rljdbwtomg.exe
Token: SeDebugPrivilege	2740	i_lgeywqoigb.exe
Token: SeDebugPrivilege	1000	i_jdyvqoigay.exe
Token: SeDebugPrivilege	3104	i_davtnlfdxv.exe
Token: SeDebugPrivilege	4656	i_kfdxvpnifa.exe
Token: SeDebugPrivilege	4296	i_hcausmkecx.exe
Token: SeDebugPrivilege	1192	i_ecwupmhfzx.exe
Token: SeDebugPrivilege	1364	i_jhbzurmbwu.exe
Token: SeDebugPrivilege	2608	i_jhbztrmjec.exe
Token: SeDebugPrivilege	4508	i_jgbztrljeb.exe
Token: SeDebugPrivilege	4176	i_gdywqoigay.exe
Token: SeDebugPrivilege	360	i_nigaysqlid.exe
Token: SeDebugPrivilege	2272	i_nifaysqkic.exe
Token: SeDebugPrivilege	932	i_nhfaxsqkic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1120	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1120	iexplore.exe
1120	iexplore.exe
4976	IEXPLORE.EXE
4976	IEXPLORE.EXE
4976	IEXPLORE.EXE
4976	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1468	2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe	86
PID 2264 wrote to memory of 1468	2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe	86
PID 2264 wrote to memory of 1468	2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe	86
PID 2264 wrote to memory of 1120	2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe	87
PID 2264 wrote to memory of 1120	2264	3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe	87
PID 1120 wrote to memory of 4976	1120	iexplore.exe	88
PID 1120 wrote to memory of 4976	1120	iexplore.exe	88
PID 1120 wrote to memory of 4976	1120	iexplore.exe	88
PID 1468 wrote to memory of 3480	1468	dbvtnlfdyvqoigay.exe	89
PID 1468 wrote to memory of 3480	1468	dbvtnlfdyvqoigay.exe	89
PID 1468 wrote to memory of 3480	1468	dbvtnlfdyvqoigay.exe	89
PID 4296 wrote to memory of 1812	4296	nlfdyvqnig.exe	92
PID 4296 wrote to memory of 1812	4296	nlfdyvqnig.exe	92
PID 4296 wrote to memory of 1812	4296	nlfdyvqnig.exe	92
PID 1468 wrote to memory of 2684	1468	dbvtnlfdyvqoigay.exe	95
PID 1468 wrote to memory of 2684	1468	dbvtnlfdyvqoigay.exe	95
PID 1468 wrote to memory of 2684	1468	dbvtnlfdyvqoigay.exe	95
PID 1468 wrote to memory of 628	1468	dbvtnlfdyvqoigay.exe	97
PID 1468 wrote to memory of 628	1468	dbvtnlfdyvqoigay.exe	97
PID 1468 wrote to memory of 628	1468	dbvtnlfdyvqoigay.exe	97
PID 3448 wrote to memory of 1116	3448	usnlfdxvpn.exe	99
PID 3448 wrote to memory of 1116	3448	usnlfdxvpn.exe	99
PID 3448 wrote to memory of 1116	3448	usnlfdxvpn.exe	99
PID 1468 wrote to memory of 2164	1468	dbvtnlfdyvqoigay.exe	102
PID 1468 wrote to memory of 2164	1468	dbvtnlfdyvqoigay.exe	102
PID 1468 wrote to memory of 2164	1468	dbvtnlfdyvqoigay.exe	102
PID 1468 wrote to memory of 2268	1468	dbvtnlfdyvqoigay.exe	104
PID 1468 wrote to memory of 2268	1468	dbvtnlfdyvqoigay.exe	104
PID 1468 wrote to memory of 2268	1468	dbvtnlfdyvqoigay.exe	104
PID 4056 wrote to memory of 2296	4056	ausmkfcxvp.exe	106
PID 4056 wrote to memory of 2296	4056	ausmkfcxvp.exe	106
PID 4056 wrote to memory of 2296	4056	ausmkfcxvp.exe	106
PID 1468 wrote to memory of 3280	1468	dbvtnlfdyvqoigay.exe	109
PID 1468 wrote to memory of 3280	1468	dbvtnlfdyvqoigay.exe	109
PID 1468 wrote to memory of 3280	1468	dbvtnlfdyvqoigay.exe	109
PID 1468 wrote to memory of 4964	1468	dbvtnlfdyvqoigay.exe	111
PID 1468 wrote to memory of 4964	1468	dbvtnlfdyvqoigay.exe	111
PID 1468 wrote to memory of 4964	1468	dbvtnlfdyvqoigay.exe	111
PID 4704 wrote to memory of 4304	4704	xrpkhcausm.exe	113
PID 4704 wrote to memory of 4304	4704	xrpkhcausm.exe	113
PID 4704 wrote to memory of 4304	4704	xrpkhcausm.exe	113
PID 1468 wrote to memory of 3428	1468	dbvtnlfdyvqoigay.exe	118
PID 1468 wrote to memory of 3428	1468	dbvtnlfdyvqoigay.exe	118
PID 1468 wrote to memory of 3428	1468	dbvtnlfdyvqoigay.exe	118
PID 1468 wrote to memory of 3832	1468	dbvtnlfdyvqoigay.exe	120
PID 1468 wrote to memory of 3832	1468	dbvtnlfdyvqoigay.exe	120
PID 1468 wrote to memory of 3832	1468	dbvtnlfdyvqoigay.exe	120
PID 4088 wrote to memory of 2312	4088	rmjecwuomh.exe	122
PID 4088 wrote to memory of 2312	4088	rmjecwuomh.exe	122
PID 4088 wrote to memory of 2312	4088	rmjecwuomh.exe	122
PID 1468 wrote to memory of 1780	1468	dbvtnlfdyvqoigay.exe	125
PID 1468 wrote to memory of 1780	1468	dbvtnlfdyvqoigay.exe	125
PID 1468 wrote to memory of 1780	1468	dbvtnlfdyvqoigay.exe	125
PID 1468 wrote to memory of 908	1468	dbvtnlfdyvqoigay.exe	128
PID 1468 wrote to memory of 908	1468	dbvtnlfdyvqoigay.exe	128
PID 1468 wrote to memory of 908	1468	dbvtnlfdyvqoigay.exe	128
PID 1520 wrote to memory of 3768	1520	ljebwuomge.exe	130
PID 1520 wrote to memory of 3768	1520	ljebwuomge.exe	130
PID 1520 wrote to memory of 3768	1520	ljebwuomge.exe	130
PID 1468 wrote to memory of 1296	1468	dbvtnlfdyvqoigay.exe	133
PID 1468 wrote to memory of 1296	1468	dbvtnlfdyvqoigay.exe	133
PID 1468 wrote to memory of 1296	1468	dbvtnlfdyvqoigay.exe	133
PID 1468 wrote to memory of 3800	1468	dbvtnlfdyvqoigay.exe	135
PID 1468 wrote to memory of 3800	1468	dbvtnlfdyvqoigay.exe	135

C:\Users\Admin\AppData\Local\Temp\3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f03acbaca93bec975e9dea876673f95_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Temp\dbvtnlfdyvqoigay.exe
  C:\Temp\dbvtnlfdyvqoigay.exe run
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nlfdyvqnig.exe ups_run
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3480
  - - C:\Temp\nlfdyvqnig.exe
      C:\Temp\nlfdyvqnig.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1812
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2456
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nlfdyvqnig.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2684
  - - C:\Temp\i_nlfdyvqnig.exe
      C:\Temp\i_nlfdyvqnig.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2480
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\usnlfdxvpn.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:628
  - - C:\Temp\usnlfdxvpn.exe
      C:\Temp\usnlfdxvpn.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1116
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4804
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_usnlfdxvpn.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2164
  - - C:\Temp\i_usnlfdxvpn.exe
      C:\Temp\i_usnlfdxvpn.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4020
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ausmkfcxvp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2268
  - - C:\Temp\ausmkfcxvp.exe
      C:\Temp\ausmkfcxvp.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4056
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2296
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4548
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ausmkfcxvp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3280
  - - C:\Temp\i_ausmkfcxvp.exe
      C:\Temp\i_ausmkfcxvp.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1456
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpkhcausm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4964
  - - C:\Temp\xrpkhcausm.exe
      C:\Temp\xrpkhcausm.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4304
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2184
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpkhcausm.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3428
  - - C:\Temp\i_xrpkhcausm.exe
      C:\Temp\i_xrpkhcausm.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:504
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rmjecwuomh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3832
  - - C:\Temp\rmjecwuomh.exe
      C:\Temp\rmjecwuomh.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4088
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2312
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4336
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rmjecwuomh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1780
  - - C:\Temp\i_rmjecwuomh.exe
      C:\Temp\i_rmjecwuomh.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3936
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ljebwuomge.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:908
  - - C:\Temp\ljebwuomge.exe
      C:\Temp\ljebwuomge.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3768
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2288
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ljebwuomge.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1296
  - - C:\Temp\i_ljebwuomge.exe
      C:\Temp\i_ljebwuomge.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1592
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rljdbwtomg.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3800
  - - C:\Temp\rljdbwtomg.exe
      C:\Temp\rljdbwtomg.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:728
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3108
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2196
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rljdbwtomg.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1364
  - - C:\Temp\i_rljdbwtomg.exe
      C:\Temp\i_rljdbwtomg.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3532
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lgeywqoigb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4664
  - - C:\Temp\lgeywqoigb.exe
      C:\Temp\lgeywqoigb.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4364
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2984
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1496
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lgeywqoigb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2724
  - - C:\Temp\i_lgeywqoigb.exe
      C:\Temp\i_lgeywqoigb.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2740
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jdyvqoigay.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4940
  - - C:\Temp\jdyvqoigay.exe
      C:\Temp\jdyvqoigay.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:912
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4660
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4704
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jdyvqoigay.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3600
  - - C:\Temp\i_jdyvqoigay.exe
      C:\Temp\i_jdyvqoigay.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1000
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\davtnlfdxv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:504
  - - C:\Temp\davtnlfdxv.exe
      C:\Temp\davtnlfdxv.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3428
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4644
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4320
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_davtnlfdxv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4584
  - - C:\Temp\i_davtnlfdxv.exe
      C:\Temp\i_davtnlfdxv.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3104
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kfdxvpnifa.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:744
  - - C:\Temp\kfdxvpnifa.exe
      C:\Temp\kfdxvpnifa.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4516
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1388
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:5084
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kfdxvpnifa.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4088
  - - C:\Temp\i_kfdxvpnifa.exe
      C:\Temp\i_kfdxvpnifa.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4656
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hcausmkecx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1984
  - - C:\Temp\hcausmkecx.exe
      C:\Temp\hcausmkecx.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4460
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1504
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:5048
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hcausmkecx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:376
  - - C:\Temp\i_hcausmkecx.exe
      C:\Temp\i_hcausmkecx.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4296
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ecwupmhfzx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3244
  - - C:\Temp\ecwupmhfzx.exe
      C:\Temp\ecwupmhfzx.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1588
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4588
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2480
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ecwupmhfzx.exe ups_ins
    3⤵
    PID:364
  - - C:\Temp\i_ecwupmhfzx.exe
      C:\Temp\i_ecwupmhfzx.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1192
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jhbzurmbwu.exe ups_run
    3⤵
    PID:4352
  - - C:\Temp\jhbzurmbwu.exe
      C:\Temp\jhbzurmbwu.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4576
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4556
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2368
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jhbzurmbwu.exe ups_ins
    3⤵
    PID:3532
  - - C:\Temp\i_jhbzurmbwu.exe
      C:\Temp\i_jhbzurmbwu.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1364
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jhbztrmjec.exe ups_run
    3⤵
    PID:4792
  - - C:\Temp\jhbztrmjec.exe
      C:\Temp\jhbztrmjec.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:5060
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2632
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1428
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jhbztrmjec.exe ups_ins
    3⤵
    PID:4652
  - - C:\Temp\i_jhbztrmjec.exe
      C:\Temp\i_jhbztrmjec.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2608
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jgbztrljeb.exe ups_run
    3⤵
    PID:1072
  - - C:\Temp\jgbztrljeb.exe
      C:\Temp\jgbztrljeb.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4476
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3560
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1968
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jgbztrljeb.exe ups_ins
    3⤵
    PID:2724
  - - C:\Temp\i_jgbztrljeb.exe
      C:\Temp\i_jgbztrljeb.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4508
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gdywqoigay.exe ups_run
    3⤵
    PID:4360
  - - C:\Temp\gdywqoigay.exe
      C:\Temp\gdywqoigay.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:912
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4940
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2884
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gdywqoigay.exe ups_ins
    3⤵
    PID:2936
  - - C:\Temp\i_gdywqoigay.exe
      C:\Temp\i_gdywqoigay.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4176
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nigaysqlid.exe ups_run
    3⤵
    PID:1972
  - - C:\Temp\nigaysqlid.exe
      C:\Temp\nigaysqlid.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4132
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1688
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3084
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nigaysqlid.exe ups_ins
    3⤵
    PID:4424
  - - C:\Temp\i_nigaysqlid.exe
      C:\Temp\i_nigaysqlid.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:360
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nifaysqkic.exe ups_run
    3⤵
    PID:3256
  - - C:\Temp\nifaysqkic.exe
      C:\Temp\nifaysqkic.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:5000
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4396
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4336
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nifaysqkic.exe ups_ins
    3⤵
    PID:2152
  - - C:\Temp\i_nifaysqkic.exe
      C:\Temp\i_nifaysqkic.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2272
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nhfaxsqkic.exe ups_run
    3⤵
    PID:2784
  - - C:\Temp\nhfaxsqkic.exe
      C:\Temp\nhfaxsqkic.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:3756
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3296
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4496
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nhfaxsqkic.exe ups_ins
    3⤵
    PID:4596
  - - C:\Temp\i_nhfaxsqkic.exe
      C:\Temp\i_nhfaxsqkic.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:932
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
9725025f8e818b02e996036d9b3d1d68

SHA1
120750c7eaa20b1751328464b62df872ba832379

SHA256
d8369a94c1d2ff03f6aa231c67c0bf598663fd77d1521de6ecd750ac61620606

SHA512
c08dc0b4ca13e0d2975fc8d06065b7f808ae8169ba9c55b4fefd8e5b3a6bec626f633585562497b8c24fc9408c88a30a77dc62d7f829f7d392af2aad412d88ab

Download Submit
C:\Temp\ausmkfcxvp.exe

Filesize
361KB

MD5
801334e7b8630f682575ce020af512ee

SHA1
046abfc66160bb30a718322f08cde39cfc08fd6d

SHA256
50fd9f40d26de9f0035e1aa7b1b66af4d3fc3cbd8b4c06645c8052a022893d7e

SHA512
e68a97b69a70a51f98163900eac0c7dc055ab6eee8ccebb1c8d7743373ff87405ebe28bf7d48120b55031bf93da59620d42d90b135f56400f21bd596ad3ca86b

Download Submit
C:\Temp\dbvtnlfdyvqoigay.exe

Filesize
361KB

MD5
c62fdb26b13be7386ca0155899e5f2d9

SHA1
dd10975563172921d4db70e593eba9277d30a604

SHA256
473f871a5a672323a8ce4549c8dc0d93ad0775b451a96600e222e1d6f6104fa5

SHA512
f92d8ff783711f8e218ecf4bf0b2f55fb4490fceaade3baaf7fc9e9d392162b2501cb59ffeae962fbd94214d75cb8c5866d3d0e2e184913bf3d9f902182867d9

Download Submit
C:\Temp\i_ausmkfcxvp.exe

Filesize
361KB

MD5
590620d191f9e5bc94356783f9414a95

SHA1
9fac261c7076d39fb3b1a1401a07380e4139c73d

SHA256
6c69877ac9e74862d6b9d0d23bfa53e05600dc8fde12ce02c31d28f7ea86ecff

SHA512
c00ae8e0367e5d1635316a14f93f449729757a48c135378dc728f96f1676b07df1336981da086bc337e4de0c1ee516228f79e6f5b49c766b25ae1e9bcd6fe718

Download Submit
C:\Temp\i_lgeywqoigb.exe

Filesize
361KB

MD5
23c0e2f0afc791c44c15b3e2e268e804

SHA1
61dc1ae39cd89392e34800ae3a980b6ca0ab6bdd

SHA256
fd57dc2761344a2ebce5e6833847e7cd6ef909c273308b898f92897baeef8aca

SHA512
1184b9d59b74bbec7444092ada5c2521b9bad7523ddb901c0bf36017babed9600402374d26965d5e90fc0c4ebc9d212a4ca6e5f5cf2af6d60dd761a9edd35f4d

Download Submit
C:\Temp\i_ljebwuomge.exe

Filesize
361KB

MD5
af55b563dd86a0972d8cf7d56c1a5627

SHA1
fb9025adb931a18b27dbda8979b21c4949537df7

SHA256
c68c16ade2f163bab73a20035ca8ef08745163545e20f7f41f3085c980fe563a

SHA512
94691da04d4e26dc7f46d8b2f17ed40ce4606352d8bfffabec5e06254ec69762cc7b9631455a4632f60754cdebd4dde4382b8fecebb1012e27af70f3d14f13c7

Download Submit
C:\Temp\i_nlfdyvqnig.exe

Filesize
361KB

MD5
2ef858696b7ed5ebc354c0dedbaaa7a0

SHA1
0aa0f3d716a2c359c35362abf8caeaeaab329b44

SHA256
b2a63a73678bb25aedec6c8848e5410fbea64e130374f5792e271921fa8bc887

SHA512
a57bac93a18c356b25cf5b449b3731730b1c2d6b8fceb033d731b109b3c175db29be48da560ad4eea47d9360e0c85fdadc07e19db86b523c574fd1977de45801

Download Submit
C:\Temp\i_rljdbwtomg.exe

Filesize
361KB

MD5
69b6ef4e97227f8f52adde010b2e6fd2

SHA1
3057ed3b3b74c052fc7aad0f053fa092d3cd500d

SHA256
e44affa96c6fcb89ff2087d33e70888756e80440dd6b38a83b6420e9552740ff

SHA512
c6eb460c329e36012acb0798d7f1b6d4405cf544192443d4a3d4f6decee279e7781e3be4704e4fd80b414bef1369d2b612c5eecd30b71b35e62490e83bd215fb

Download Submit
C:\Temp\i_rmjecwuomh.exe

Filesize
361KB

MD5
32d4af9961ad483db52aabf8f5345ad3

SHA1
ced1008cf2d8f373ff783b121cef4412328b72d7

SHA256
de62ae0432702d561066a8998093db7d15337c58be54564cc8a503315300486b

SHA512
0763eae8b1a650c63d464a70ddd4711aee4487fd62dc2615a84fb669eb4a63d5afdd9276a0a3eaea11293b3e5aaaef893416416cec8c71b4ccb4546d0ac73fa1

Download Submit
C:\Temp\i_usnlfdxvpn.exe

Filesize
361KB

MD5
f1289d127fe33e5ccb3c93b99ed1798d

SHA1
5f383500ced9cbb62df46e0f1cd0ba1905fed899

SHA256
adac16042db05094774b4ff7461406175249068c78e5456d3cc7d024e9e34950

SHA512
ce233553c3b1edcbef3e764bc8995187f6687ab0a9847c9d16940336172f59edea7d12b65a7afe51a0bcaebdf0424a6a31b3096eb561d96befca59113772bbfc

Download Submit
C:\Temp\i_xrpkhcausm.exe

Filesize
361KB

MD5
8d97885ab03a40d49a86325dba4e13f2

SHA1
2e012fac02f17ea8b7ba3423e8ae15394cc373c9

SHA256
db07ff586d66acbf150b7e16022ae68880c2b4efa3d213505ba676604bb276fe

SHA512
9d1fb3d405b0426cc95a3b82bedbbfa537332f3400bdd78b7c8527985078f21c4b6617b6cb0892fc10c3372657fbdc173794e2fae17615de311814df6ce950cf

Download Submit
C:\Temp\jdyvqoigay.exe

Filesize
361KB

MD5
3d32003703d1ec5fd009158bc5e95104

SHA1
b6069c370ab416b2d9af851bafd669b940c213ed

SHA256
bc3a52d7bc2cb30822d1b2c22500cb4644f76e8654678c2e48a6c16095c196e4

SHA512
42ecb3928149c828f6b2862eeb73160ebffbe299f962a316d6176d675714a5b738f2101ba3acf650c79f2a69cc8645f9e854860cd655afe02776142f52b942d6

Download Submit
C:\Temp\lgeywqoigb.exe

Filesize
361KB

MD5
90ce3325f87776e1309a1950d9dca4db

SHA1
49e18c928b3fc0e8fcd41b94d5af52200834790b

SHA256
032139a7faca12b494dad00638e89315f48a3fceb47ee5c9e514dc73d2a24b1f

SHA512
577d30498ef357699b7ed5e5c314e983c7a9545a8eeebc4d18efd64e41a60070f85431bc421c021652da3c4e6ef6f97b9f9a13447681407e9481aea561a757f5

Download Submit
C:\Temp\ljebwuomge.exe

Filesize
361KB

MD5
4d25bb2b2852bed647e89435ff3a1874

SHA1
729b157b95f4036c4ea46ae3d364b35c3a8a6f01

SHA256
e62fe0a16359a27327d5fdbf64409ff5f6d367deeee7c2d9e6d419a61598259f

SHA512
b436d30b65aa3f22b145c948f884c05c15b4b49d3355902c06aabf0410061560189c08907a7bf276e7358a108b0cd6854b5e02b18d79c3e7db93527cc8630f43

Download Submit
C:\Temp\nlfdyvqnig.exe

Filesize
361KB

MD5
a8efd225ab19ee076cceb067400d3d4d

SHA1
b379ea0fc5bc4382b52654f4191fd3046943f2e7

SHA256
1e8dc8538c5dfb0692ec9d1a6e2cf4552deb663f316d70163b4c930943c208e6

SHA512
18f27470629c143bef3c006ed8fa051ea1d96e5b0581fd86ba2eadf119d0aad429a66a08140d542d54c8b5038ea19ceb8ab93c7cfe297afe888ea171701b0533

Download Submit
C:\Temp\rljdbwtomg.exe

Filesize
361KB

MD5
b8340adfa1437892ecc75e8a9f65e9ad

SHA1
a0c296988aef2671b69cc3000cc638bdc0b07d1f

SHA256
1c151a298b33e6a4312f98c085e60500951728c289f3f924a4a49bf4a28dddd7

SHA512
5966da3c36f0c19f65bba529e68a29b49009ae0fde1a1e6c901e53785a4861ac5d3ccb72006c5a160cee58665f177afd078549ce996ccd1bcc5a9ab422676274

Download Submit
C:\Temp\rmjecwuomh.exe

Filesize
361KB

MD5
125a10098eb4157bccb83242019eab1f

SHA1
0562e0fceb8594dc5ab9c54a850d6912df852c75

SHA256
738942e1d97d543b03bcdc1b929846502515799388c0d39eed150a5121af4432

SHA512
200306fd7e287d3f5b54e7013fbd9d69c03286d36a81bb6d477cdf388612052d2b5816cbd1d4f9a6b1d7e171d7dd3fe21a94d9693adc2e1e71e60e158af7284e

Download Submit
C:\Temp\usnlfdxvpn.exe

Filesize
361KB

MD5
0b227904c2dcd56b17beabbb75faef38

SHA1
eca3bec0503ccc99c75067b813e2499c2105ca79

SHA256
7cf28be9a5a7d4fd3d50b600d7b6ed4c5d484f60fd34eeae68dc02d7b69ae985

SHA512
3180b94aa2641082189b25beac6923e286a189195bc2ff2c77ac0664e1431f585a8d5c4d034994b8f5896afa4a7d883b9684b0e0e980c35f6dda6646af317ae4

Download Submit
C:\Temp\xrpkhcausm.exe

Filesize
361KB

MD5
6f345b3f2979fa60482c6c0ada3221b0

SHA1
58cfe667f091ae09d2ac9d26e29ab03c68dbd0e1

SHA256
c96889943d5f9c3c2f8e3cfa228d7f9333a046510b0a37de1cf15db7a13e4313

SHA512
5c30d444b97e1dc61d158f1a7975b31a1779db0fa359b8bc868f45ebab65bb65fb98aee5491917edbca2eb23daafec2f1b054069aa49167945e01237ce7ae0d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TRPPE7V2\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit