e32c66a0e67dcacba1cd8d750379500f7620f3eb2dd96f9ecfc927e8ceb2a631

Analysis

max time kernel
147s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
Size

361KB
MD5

3ecb869afb6181e3cb7f348de9951c7a
SHA1

72258c535d30db3cbc2fee0d44e35eba535e16c3
SHA256

e32c66a0e67dcacba1cd8d750379500f7620f3eb2dd96f9ecfc927e8ceb2a631
SHA512

9a09ad25bc5d26f0bb359fc622080038a59462daebb96a0112d364f53fac09532ee7de87ec931498279011aa5225efcbf45be8e13939baee9e2a4e10971a82f1
SSDEEP

6144:GflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:GflfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1672	fzxrmkecwrojhbwt.exe
2896	CreateProcess.exe
2956	gaytqlfdyv.exe
2344	CreateProcess.exe
2688	CreateProcess.exe
1088	i_gaytqlfdyv.exe
1916	CreateProcess.exe
2840	lfaysqkfcx.exe
2680	CreateProcess.exe
3000	CreateProcess.exe
1676	i_lfaysqkfcx.exe
1784	CreateProcess.exe
2456	idxvpnhcau.exe
2172	CreateProcess.exe
2352	CreateProcess.exe
1992	i_idxvpnhcau.exe
2124	CreateProcess.exe
1748	vpnhfzusmk.exe
1028	CreateProcess.exe
1712	CreateProcess.exe
2464	i_vpnhfzusmk.exe
2372	CreateProcess.exe
2836	hfzurmkezw.exe
2748	CreateProcess.exe
2676	CreateProcess.exe
2348	i_hfzurmkezw.exe
2144	CreateProcess.exe
2672	xrpjebwuoj.exe
2772	CreateProcess.exe
2980	CreateProcess.exe
2796	i_xrpjebwuoj.exe
2824	CreateProcess.exe
2968	rojhbwtomg.exe
1560	CreateProcess.exe
1904	CreateProcess.exe
1408	i_rojhbwtomg.exe
1148	CreateProcess.exe
2100	jeywqojdbv.exe
992	CreateProcess.exe
568	CreateProcess.exe
2564	i_jeywqojdbv.exe
704	CreateProcess.exe
2060	vtoigaysnl.exe
2056	CreateProcess.exe
1920	CreateProcess.exe
2072	i_vtoigaysnl.exe
2636	CreateProcess.exe
2784	tnlysqkicx.exe
1952	CreateProcess.exe
3044	CreateProcess.exe
1928	i_tnlysqkicx.exe
2360	CreateProcess.exe
2472	idavpnhfau.exe
2904	CreateProcess.exe
2144	CreateProcess.exe
2152	i_idavpnhfau.exe
2980	CreateProcess.exe
2988	ysnkfcxrpk.exe
1824	CreateProcess.exe
2824	CreateProcess.exe
3012	i_ysnkfcxrpk.exe
3016	CreateProcess.exe
1408	nhcausmhez.exe
1508	CreateProcess.exe

Loads dropped DLL 62 IoCs

pid	Process
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2956	gaytqlfdyv.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2840	lfaysqkfcx.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2456	idxvpnhcau.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
1748	vpnhfzusmk.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2836	hfzurmkezw.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2672	xrpjebwuoj.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2968	rojhbwtomg.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2100	jeywqojdbv.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2060	vtoigaysnl.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2784	tnlysqkicx.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2472	idavpnhfau.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2988	ysnkfcxrpk.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
1408	nhcausmhez.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2320	kfzxrpjecw.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
1620	zuomgeztrl.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
1768	pjhbwtomgb.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
772	bytrlgdywq.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2288	ywqoidbvtn.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
1292	nlfdysqkic.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2220	cavsnhfzxs.exe
1672	fzxrmkecwrojhbwt.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bytrlgdywq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlfdysqkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gaytqlfdyv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hfzurmkezw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rojhbwtomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeywqojdbv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ysnkfcxrpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrpjebwuoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pjhbwtomgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuomgeztrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywqoidbvtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cavsnhfzxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfaysqkfcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtoigaysnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnlysqkicx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idavpnhfau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kfzxrpjecw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhcausmhez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fzxrmkecwrojhbwt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idxvpnhcau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpnhfzusmk.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2708	ipconfig.exe
972	ipconfig.exe
616	ipconfig.exe
2668	ipconfig.exe
2932	ipconfig.exe
352	ipconfig.exe
2660	ipconfig.exe
1052	ipconfig.exe
2244	ipconfig.exe
1516	ipconfig.exe
2264	ipconfig.exe
840	ipconfig.exe
2628	ipconfig.exe
2908	ipconfig.exe
1720	ipconfig.exe
2292	ipconfig.exe
2728	ipconfig.exe
592	ipconfig.exe
1760	ipconfig.exe
1864	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 208c8774491ddb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9BA7C811-893C-11EF-B9F2-E62D5E492327} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000e67879c2ddd5da3419c43575e9ab45f9766423ac561c6026570cd6670eb379e6000000000e800000000200002000000015228162f017649b59d3293d7cfdb6e6c9a704c796baf897717e43d2bbdfc96590000000f72b18fdfe2cf655d4220663729790d24e79212ce07431904e0c8e2cb4c6def5efe802c1e08a9f3119a0abeccebb9f1d76b21e19d5517f1774452b49fe08f2dbbc0af13c3c1a16f36f2378a9b992442d7007d02c9adfa1e2b0400a56f23a585b802727076c4e98dafd4c24692e5f0989a72e339247796906a8a7996f8dddb759e809eba135720db6ea8b353cf36b58b0400000000059e4119c5283b625bda245358822892f9bcd5aca0f89dbd2bc766b60bd2e172831f5d92018efc55d54266d97e81bd317dbdd757f010fdd908ac1c675153b31	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434969754"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000f05200b4a1d81b3215f6017c3cd5a4f4790143fa415ed9af1fab675f830ee873000000000e8000000002000020000000ff7c2360b5824570d696557e40d9279b5dfd4a962fb4cdac88a939d2f0576cd720000000bdf5d836cb8ae2755ddeb3b46a5a0e235807d8416c0b6032b2fef67afba1be644000000027f8b9462bfad0b0b581179f41bd7309b966616931582a159d09170d75e2a1db0a0f971fb7aea462c5b4f4d09c62c52d80c2ac264b71fd80edd16cc0867d393d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
1672	fzxrmkecwrojhbwt.exe
2956	gaytqlfdyv.exe
2956	gaytqlfdyv.exe
2956	gaytqlfdyv.exe
2956	gaytqlfdyv.exe
2956	gaytqlfdyv.exe
2956	gaytqlfdyv.exe
2956	gaytqlfdyv.exe
1088	i_gaytqlfdyv.exe
1088	i_gaytqlfdyv.exe
1088	i_gaytqlfdyv.exe
1088	i_gaytqlfdyv.exe
1088	i_gaytqlfdyv.exe
1088	i_gaytqlfdyv.exe
1088	i_gaytqlfdyv.exe
2840	lfaysqkfcx.exe
2840	lfaysqkfcx.exe
2840	lfaysqkfcx.exe
2840	lfaysqkfcx.exe
2840	lfaysqkfcx.exe
2840	lfaysqkfcx.exe
2840	lfaysqkfcx.exe
1676	i_lfaysqkfcx.exe
1676	i_lfaysqkfcx.exe
1676	i_lfaysqkfcx.exe
1676	i_lfaysqkfcx.exe
1676	i_lfaysqkfcx.exe
1676	i_lfaysqkfcx.exe
1676	i_lfaysqkfcx.exe
2456	idxvpnhcau.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	i_gaytqlfdyv.exe
Token: SeDebugPrivilege	1676	i_lfaysqkfcx.exe
Token: SeDebugPrivilege	1992	i_idxvpnhcau.exe
Token: SeDebugPrivilege	2464	i_vpnhfzusmk.exe
Token: SeDebugPrivilege	2348	i_hfzurmkezw.exe
Token: SeDebugPrivilege	2796	i_xrpjebwuoj.exe
Token: SeDebugPrivilege	1408	i_rojhbwtomg.exe
Token: SeDebugPrivilege	2564	i_jeywqojdbv.exe
Token: SeDebugPrivilege	2072	i_vtoigaysnl.exe
Token: SeDebugPrivilege	1928	i_tnlysqkicx.exe
Token: SeDebugPrivilege	2152	i_idavpnhfau.exe
Token: SeDebugPrivilege	3012	i_ysnkfcxrpk.exe
Token: SeDebugPrivilege	532	i_nhcausmhez.exe
Token: SeDebugPrivilege	2596	i_kfzxrpjecw.exe
Token: SeDebugPrivilege	1360	i_zuomgeztrl.exe
Token: SeDebugPrivilege	956	i_pjhbwtomgb.exe
Token: SeDebugPrivilege	1632	i_bytrlgdywq.exe
Token: SeDebugPrivilege	1724	i_ywqoidbvtn.exe
Token: SeDebugPrivilege	2764	i_nlfdysqkic.exe
Token: SeDebugPrivilege	2344	i_cavsnhfzxs.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2004	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2004	iexplore.exe
2004	iexplore.exe
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1672	1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe	30
PID 1076 wrote to memory of 1672	1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe	30
PID 1076 wrote to memory of 1672	1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe	30
PID 1076 wrote to memory of 1672	1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe	30
PID 1076 wrote to memory of 2004	1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe	31
PID 1076 wrote to memory of 2004	1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe	31
PID 1076 wrote to memory of 2004	1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe	31
PID 1076 wrote to memory of 2004	1076	3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe	31
PID 2004 wrote to memory of 2092	2004	iexplore.exe	32
PID 2004 wrote to memory of 2092	2004	iexplore.exe	32
PID 2004 wrote to memory of 2092	2004	iexplore.exe	32
PID 2004 wrote to memory of 2092	2004	iexplore.exe	32
PID 1672 wrote to memory of 2896	1672	fzxrmkecwrojhbwt.exe	33
PID 1672 wrote to memory of 2896	1672	fzxrmkecwrojhbwt.exe	33
PID 1672 wrote to memory of 2896	1672	fzxrmkecwrojhbwt.exe	33
PID 1672 wrote to memory of 2896	1672	fzxrmkecwrojhbwt.exe	33
PID 2956 wrote to memory of 2344	2956	gaytqlfdyv.exe	36
PID 2956 wrote to memory of 2344	2956	gaytqlfdyv.exe	36
PID 2956 wrote to memory of 2344	2956	gaytqlfdyv.exe	36
PID 2956 wrote to memory of 2344	2956	gaytqlfdyv.exe	36
PID 1672 wrote to memory of 2688	1672	fzxrmkecwrojhbwt.exe	39
PID 1672 wrote to memory of 2688	1672	fzxrmkecwrojhbwt.exe	39
PID 1672 wrote to memory of 2688	1672	fzxrmkecwrojhbwt.exe	39
PID 1672 wrote to memory of 2688	1672	fzxrmkecwrojhbwt.exe	39
PID 1672 wrote to memory of 1916	1672	fzxrmkecwrojhbwt.exe	41
PID 1672 wrote to memory of 1916	1672	fzxrmkecwrojhbwt.exe	41
PID 1672 wrote to memory of 1916	1672	fzxrmkecwrojhbwt.exe	41
PID 1672 wrote to memory of 1916	1672	fzxrmkecwrojhbwt.exe	41
PID 2840 wrote to memory of 2680	2840	lfaysqkfcx.exe	43
PID 2840 wrote to memory of 2680	2840	lfaysqkfcx.exe	43
PID 2840 wrote to memory of 2680	2840	lfaysqkfcx.exe	43
PID 2840 wrote to memory of 2680	2840	lfaysqkfcx.exe	43
PID 1672 wrote to memory of 3000	1672	fzxrmkecwrojhbwt.exe	46
PID 1672 wrote to memory of 3000	1672	fzxrmkecwrojhbwt.exe	46
PID 1672 wrote to memory of 3000	1672	fzxrmkecwrojhbwt.exe	46
PID 1672 wrote to memory of 3000	1672	fzxrmkecwrojhbwt.exe	46
PID 1672 wrote to memory of 1784	1672	fzxrmkecwrojhbwt.exe	49
PID 1672 wrote to memory of 1784	1672	fzxrmkecwrojhbwt.exe	49
PID 1672 wrote to memory of 1784	1672	fzxrmkecwrojhbwt.exe	49
PID 1672 wrote to memory of 1784	1672	fzxrmkecwrojhbwt.exe	49
PID 2456 wrote to memory of 2172	2456	idxvpnhcau.exe	51
PID 2456 wrote to memory of 2172	2456	idxvpnhcau.exe	51
PID 2456 wrote to memory of 2172	2456	idxvpnhcau.exe	51
PID 2456 wrote to memory of 2172	2456	idxvpnhcau.exe	51
PID 1672 wrote to memory of 2352	1672	fzxrmkecwrojhbwt.exe	54
PID 1672 wrote to memory of 2352	1672	fzxrmkecwrojhbwt.exe	54
PID 1672 wrote to memory of 2352	1672	fzxrmkecwrojhbwt.exe	54
PID 1672 wrote to memory of 2352	1672	fzxrmkecwrojhbwt.exe	54
PID 1672 wrote to memory of 2124	1672	fzxrmkecwrojhbwt.exe	56
PID 1672 wrote to memory of 2124	1672	fzxrmkecwrojhbwt.exe	56
PID 1672 wrote to memory of 2124	1672	fzxrmkecwrojhbwt.exe	56
PID 1672 wrote to memory of 2124	1672	fzxrmkecwrojhbwt.exe	56
PID 1748 wrote to memory of 1028	1748	vpnhfzusmk.exe	58
PID 1748 wrote to memory of 1028	1748	vpnhfzusmk.exe	58
PID 1748 wrote to memory of 1028	1748	vpnhfzusmk.exe	58
PID 1748 wrote to memory of 1028	1748	vpnhfzusmk.exe	58
PID 1672 wrote to memory of 1712	1672	fzxrmkecwrojhbwt.exe	61
PID 1672 wrote to memory of 1712	1672	fzxrmkecwrojhbwt.exe	61
PID 1672 wrote to memory of 1712	1672	fzxrmkecwrojhbwt.exe	61
PID 1672 wrote to memory of 1712	1672	fzxrmkecwrojhbwt.exe	61
PID 1672 wrote to memory of 2372	1672	fzxrmkecwrojhbwt.exe	63
PID 1672 wrote to memory of 2372	1672	fzxrmkecwrojhbwt.exe	63
PID 1672 wrote to memory of 2372	1672	fzxrmkecwrojhbwt.exe	63
PID 1672 wrote to memory of 2372	1672	fzxrmkecwrojhbwt.exe	63

C:\Users\Admin\AppData\Local\Temp\3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ecb869afb6181e3cb7f348de9951c7a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Temp\fzxrmkecwrojhbwt.exe
  C:\Temp\fzxrmkecwrojhbwt.exe run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gaytqlfdyv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2896
  - - C:\Temp\gaytqlfdyv.exe
      C:\Temp\gaytqlfdyv.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2344
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2668
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gaytqlfdyv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2688
  - - C:\Temp\i_gaytqlfdyv.exe
      C:\Temp\i_gaytqlfdyv.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1088
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lfaysqkfcx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1916
  - - C:\Temp\lfaysqkfcx.exe
      C:\Temp\lfaysqkfcx.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2680
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2932
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lfaysqkfcx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3000
  - - C:\Temp\i_lfaysqkfcx.exe
      C:\Temp\i_lfaysqkfcx.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1676
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\idxvpnhcau.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1784
  - - C:\Temp\idxvpnhcau.exe
      C:\Temp\idxvpnhcau.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2172
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:840
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_idxvpnhcau.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2352
  - - C:\Temp\i_idxvpnhcau.exe
      C:\Temp\i_idxvpnhcau.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1992
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vpnhfzusmk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2124
  - - C:\Temp\vpnhfzusmk.exe
      C:\Temp\vpnhfzusmk.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1028
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1052
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vpnhfzusmk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1712
  - - C:\Temp\i_vpnhfzusmk.exe
      C:\Temp\i_vpnhfzusmk.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2464
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hfzurmkezw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2372
  - - C:\Temp\hfzurmkezw.exe
      C:\Temp\hfzurmkezw.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2836
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2748
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2628
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hfzurmkezw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2676
  - - C:\Temp\i_hfzurmkezw.exe
      C:\Temp\i_hfzurmkezw.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2348
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpjebwuoj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2144
  - - C:\Temp\xrpjebwuoj.exe
      C:\Temp\xrpjebwuoj.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2672
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2772
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2728
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpjebwuoj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2980
  - - C:\Temp\i_xrpjebwuoj.exe
      C:\Temp\i_xrpjebwuoj.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2796
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rojhbwtomg.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2824
  - - C:\Temp\rojhbwtomg.exe
      C:\Temp\rojhbwtomg.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2968
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1560
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2908
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rojhbwtomg.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1904
  - - C:\Temp\i_rojhbwtomg.exe
      C:\Temp\i_rojhbwtomg.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1408
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jeywqojdbv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1148
  - - C:\Temp\jeywqojdbv.exe
      C:\Temp\jeywqojdbv.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2100
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:992
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:592
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jeywqojdbv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:568
  - - C:\Temp\i_jeywqojdbv.exe
      C:\Temp\i_jeywqojdbv.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2564
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vtoigaysnl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:704
  - - C:\Temp\vtoigaysnl.exe
      C:\Temp\vtoigaysnl.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2060
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2056
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:352
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vtoigaysnl.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1920
  - - C:\Temp\i_vtoigaysnl.exe
      C:\Temp\i_vtoigaysnl.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2072
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tnlysqkicx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2636
  - - C:\Temp\tnlysqkicx.exe
      C:\Temp\tnlysqkicx.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2784
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1952
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2660
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tnlysqkicx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3044
  - - C:\Temp\i_tnlysqkicx.exe
      C:\Temp\i_tnlysqkicx.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1928
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\idavpnhfau.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2360
  - - C:\Temp\idavpnhfau.exe
      C:\Temp\idavpnhfau.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2472
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2904
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2244
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_idavpnhfau.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2144
  - - C:\Temp\i_idavpnhfau.exe
      C:\Temp\i_idavpnhfau.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2152
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ysnkfcxrpk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2980
  - - C:\Temp\ysnkfcxrpk.exe
      C:\Temp\ysnkfcxrpk.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2988
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1824
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2708
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ysnkfcxrpk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2824
  - - C:\Temp\i_ysnkfcxrpk.exe
      C:\Temp\i_ysnkfcxrpk.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3012
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nhcausmhez.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3016
  - - C:\Temp\nhcausmhez.exe
      C:\Temp\nhcausmhez.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1408
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1508
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1760
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nhcausmhez.exe ups_ins
    3⤵
    PID:2160
  - - C:\Temp\i_nhcausmhez.exe
      C:\Temp\i_nhcausmhez.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:532
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kfzxrpjecw.exe ups_run
    3⤵
    PID:1100
  - - C:\Temp\kfzxrpjecw.exe
      C:\Temp\kfzxrpjecw.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2320
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2564
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:972
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kfzxrpjecw.exe ups_ins
    3⤵
    PID:1068
  - - C:\Temp\i_kfzxrpjecw.exe
      C:\Temp\i_kfzxrpjecw.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2596
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zuomgeztrl.exe ups_run
    3⤵
    PID:652
  - - C:\Temp\zuomgeztrl.exe
      C:\Temp\zuomgeztrl.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1620
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1304
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1516
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zuomgeztrl.exe ups_ins
    3⤵
    PID:2064
  - - C:\Temp\i_zuomgeztrl.exe
      C:\Temp\i_zuomgeztrl.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1360
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pjhbwtomgb.exe ups_run
    3⤵
    PID:1364
  - - C:\Temp\pjhbwtomgb.exe
      C:\Temp\pjhbwtomgb.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1768
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1852
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1864
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pjhbwtomgb.exe ups_ins
    3⤵
    PID:908
  - - C:\Temp\i_pjhbwtomgb.exe
      C:\Temp\i_pjhbwtomgb.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:956
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bytrlgdywq.exe ups_run
    3⤵
    PID:2500
  - - C:\Temp\bytrlgdywq.exe
      C:\Temp\bytrlgdywq.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:772
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1784
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1720
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bytrlgdywq.exe ups_ins
    3⤵
    PID:2224
  - - C:\Temp\i_bytrlgdywq.exe
      C:\Temp\i_bytrlgdywq.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1632
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ywqoidbvtn.exe ups_run
    3⤵
    PID:1980
  - - C:\Temp\ywqoidbvtn.exe
      C:\Temp\ywqoidbvtn.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2288
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1684
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2292
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ywqoidbvtn.exe ups_ins
    3⤵
    PID:2044
  - - C:\Temp\i_ywqoidbvtn.exe
      C:\Temp\i_ywqoidbvtn.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1724
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nlfdysqkic.exe ups_run
    3⤵
    PID:2380
  - - C:\Temp\nlfdysqkic.exe
      C:\Temp\nlfdysqkic.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1292
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2736
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2264
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nlfdysqkic.exe ups_ins
    3⤵
    PID:3048
  - - C:\Temp\i_nlfdysqkic.exe
      C:\Temp\i_nlfdysqkic.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2764
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\cavsnhfzxs.exe ups_run
    3⤵
    PID:2748
  - - C:\Temp\cavsnhfzxs.exe
      C:\Temp\cavsnhfzxs.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2220
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2636
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:616
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_cavsnhfzxs.exe ups_ins
    3⤵
    PID:3040
  - - C:\Temp\i_cavsnhfzxs.exe
      C:\Temp\i_cavsnhfzxs.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2344
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\gaytqlfdyv.exe

Filesize
361KB

MD5
852b74420d79f38d1213263d83b0d8f8

SHA1
5001a50dc407122e0e7b3024566335c83722c386

SHA256
0a9def74cf6752a7ea6857cbe18e69d911044ce5e49a533bddd3284c4391f958

SHA512
641b90f93e3fd20f7b5da0cd70dc12321d3ba9b59c9e25e66648327848c7cf9c9d946f5216bffdb755ad7d391af144a9474ee455d56e230174c938501da8774d

Download Submit
C:\Temp\hfzurmkezw.exe

Filesize
361KB

MD5
4ea872ffc0e42fd8beaee17389671fd3

SHA1
472b0f3bcf0f1275882a4b1f21416cfab884e8c6

SHA256
3e15bf80ceba2961311a120ee75655e1565788994d45d4cf97a33529bc2e2738

SHA512
7207ddc0e61add7aa2cc87e197a3a845ec8573244a480c5276643e772bd1ee039999dae9b9b872fbc2ee902cc2feacf39dcad267aca6de08a28f3a3d7a1d5ef1

Download Submit
C:\Temp\i_gaytqlfdyv.exe

Filesize
361KB

MD5
6e7315875828cec4cf1187198ad5ea26

SHA1
fedf19cf158d46d030f80ac1308286dde494003f

SHA256
04251d997dbee4817d1506439dc7335898c6ada1d56b7dea5c2c735d666775bb

SHA512
85fedcd896dd7d3cf3cb70f4de4fa939a96d875c12ba2e580abc95db29e3bec34e2ccc18c7f2bfc76c2851fccbe160b7948537355868fd274a5b3ff6a529c6db

Download Submit
C:\Temp\i_hfzurmkezw.exe

Filesize
361KB

MD5
5c0ce19f8204bc79e7339e7a89c694c3

SHA1
fd2ac264f3ca353b3f43f6984a32abe6796fc2e9

SHA256
e625be25da465b7f22455f18c8a2cb1503fd3d5ae0f342874f3aaeb0bb63425a

SHA512
b1d5e847259d6149ff4f2df384a9fcebed875ef79a2ac60629d7a635332e25f7952ec44d4e7e96af660cfa08c06347e25ef01621193fc9fd2de1da3fef393ee1

Download Submit
C:\Temp\i_idxvpnhcau.exe

Filesize
361KB

MD5
2f035afacdd3cec3610d5b449427abd6

SHA1
c809530499960afa4cb5ba2784631fe438b2b8f5

SHA256
deaceb0faaf302a7ab4832f7c3e4ada8c8d862ab4e8036b079723850a133281f

SHA512
eee130a0a97f13811d72888b560cd2ce105de6ae8805719adb11a031558d7a4ebe348c4be63a96060369aa5b4f9a046f72180b749e8058654fef9ee336a40f86

Download Submit
C:\Temp\i_lfaysqkfcx.exe

Filesize
361KB

MD5
1ea0de5a50c379924d1e87871d5bbda6

SHA1
d0ff9e15b1dc7593cd393fa18fbde47d529b31be

SHA256
aec480b7bcef14957a155f320f1f9f2aa234107ee3be2ce569d3688add22ec28

SHA512
500e3248b8bdd0a778ec286226c9b3cc0a0c242f66d68acb53103db78ee4df109708892b7006912f80889ed37e542ea4c7397fc2253dcb7eca218bba5f1fc4d3

Download Submit
C:\Temp\i_rojhbwtomg.exe

Filesize
361KB

MD5
f70905592f751c0fa17391ae2d336080

SHA1
2380a657a744028d9fb6093c8b85ff46f63235a0

SHA256
9218cbbfe8592d3000cc4ac894c8f78be978566498e76da0f3a4a203809c05a8

SHA512
4ad5891d463831e48dfc67e61eb88cf557753296145bda6d6fed15e2c06956bd372f02a2725b9e1a4618de8457041ec235bc6d1ecbd3f8d39f62658692b50c16

Download Submit
C:\Temp\i_vpnhfzusmk.exe

Filesize
361KB

MD5
beb04cadfca2735f5fcd39e8d22f2331

SHA1
27f188678462a42be494ae82c5363d8ab6e9f420

SHA256
2a7f06b63c23ff5f67f42d45b194cfdb2a58e3997edf5553698e2af059fab743

SHA512
2ed252b872f35f8250f0e539700bfd898f7c4467dc5b7eb05bfabbecef539fc7027e7d7add23f1a6a2bac245bdb0cae0b27bf9e68b67eb6d06e2d0b81019e37b

Download Submit
C:\Temp\i_xrpjebwuoj.exe

Filesize
361KB

MD5
b165886abf1fff6df734dcae3fe4bec7

SHA1
fa290e6df5ea0491382ac2973717176574fe3bbf

SHA256
d97535aa6cc05e6070ab6b2a530128848106d1c1f470fb44ee953d31c9328c50

SHA512
d7ed7afc8feef9a7f97ae1c3caf6e45c77000aa7f72e7cd9b28d3d491b05e507c80bf7beb60b922e770f7bb8df5a924c9ef8e04e30a366479b22eda9b686792c

Download Submit
C:\Temp\idxvpnhcau.exe

Filesize
361KB

MD5
9d1ab8b5aea1326849405fbfe43feaae

SHA1
72eb799578acccd37ceae2954daf68f4a259f989

SHA256
6fd9ed6ea66fa28e86241b4de891d9ccc0f8f1f87e0ea1321c3c2e0cd3e7a3f7

SHA512
c6fb7cda0288509489144f35ffc95fc8870e8b89018f9b8521a03cad5e5a3fed52806737bfb2ddd78394943053eb761038d3a316f5af152bb5642dc3b13bcc18

Download Submit
C:\Temp\jeywqojdbv.exe

Filesize
361KB

MD5
7b3342e4f01b0d57c8d05325235447f3

SHA1
7f07943326985e6ba89ebef0bf307156587ee2b1

SHA256
39abb26f81538427db0ae197553c3de45df71483bc30cebdb6ac475dbe86b317

SHA512
50f0a8c1d95be65dc83f89e9f33d97472488b7744db8c63d2eb9541ec8e109c158c12ec6d05c9c889e91a2d6c77b0518b9798e34df5855a81e3a2fb1e27d2f5d

Download Submit
C:\Temp\lfaysqkfcx.exe

Filesize
361KB

MD5
7af2d60007b372b835273faabd0547eb

SHA1
db0bb4e31fe60b47739dd8e00f631a9ac2b8de65

SHA256
5790f4792d2708174f63a177f38ca73010d3ad507ba3500a92c6641a9a15297f

SHA512
e203969f2fcbeffd54392a6337b423cd8752067927d0ced3948478770cecf3f90682cfcca7e49ff0c3aa87a73b28b717fdc2362b8695b2f5da1f1d60c5a96a9f

Download Submit
C:\Temp\rojhbwtomg.exe

Filesize
361KB

MD5
88251a2e7973b5054a1491c76bcc3653

SHA1
467e4d6bc6a720941518fdf54dc2f94eac0eb3ea

SHA256
4f9e6205b0c16169fe4df97262dac356cc5e20a6a6f313094e198e97739f8f38

SHA512
362ee94d1d839cdfb7998d9f70755d8827b146e0324f1c14b3b89d9171cbb8af319ed91a8b0a91239a68a371a3494ef9fb1bd946b6d223b37a6c8de755764b6c

Download Submit
C:\Temp\vpnhfzusmk.exe

Filesize
361KB

MD5
29bf654ba5e1ab085a9283468c5ab77e

SHA1
0b2b2ad5823f1d9ca86f82ababd6d072ba094b94

SHA256
18c08059e1f529f3d66b1417796e240178ca14467af13f89b8681b9697d7f443

SHA512
9b91bf80022c6086fd67e595bd98b9c7a8092bda2a442b2a55299623880ee62d06728e9526f961ce727c5ded54f24ceef3449aa318246c988083004792865e21

Download Submit
C:\Temp\xrpjebwuoj.exe

Filesize
361KB

MD5
973c4241a1a317583f4fff652b4e1224

SHA1
ac4bfb46beade4a0e5a5efd1be1d1c2255c7f2d5

SHA256
d5d179fa25da8001c8c1bcce386dc220b84bcca2ba838a49a7625aadc65ad48b

SHA512
8198a4e5f7d94d58b8a45b2813f22be4b3f0b1148b234d9ed42d57868b7bcc658fbb5ba52da64a69dafd0aeae22ced0625340e979b7b2329ef5591d9abf5b725

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
924e460ecddfdf9979ec0844da657c0f

SHA1
e0297af4c3e2f4d0bd92808f420bbc16d58e6631

SHA256
22db4a92cfe8d2ec69b63e059b7100fb9ee9170d74385fcfbe9dd3f280a0d5b2

SHA512
b5135f93f68f2ba9acefd41b208644507b4d719c1f702861451a5e791c52e38d19c1c026e7915d8a9cd71b2a122c8c48753008391bee243d9fe77c5e1831ae9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dbbe5df844512f3f63759373e46711e

SHA1
f780fa779ac2bd5bcf188c2015dc52c4fd81455b

SHA256
3d51b832aef7eaa7f820a93f9e2c3249aa909c2d00034f9f86d6e22b16b60ba7

SHA512
c6f967f3507e9a1f438441a2fe782fd04a985ddd8db08a4f3816d35fd1aa1d0bf82334ff9ad678a6c326da13bcf8bf80f8adec0bae8548cc7e87c50e8ca8c6bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31eb37d1f54daa0249ec861826a99456

SHA1
97c7476d7c6401c809faaec9dc94836cc7c0ceab

SHA256
d25638956b7fe2203d43846f5eadca04a6ef332a848306b1f297c666173be74e

SHA512
fec93bfda794027fe89330ca9071fb380c2ca65381fb704398f55d84795628083b2a714885bafea6c74df293270a58c9b17856b7a20b28db195da582e42a86b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c8598169023ae9e2d4c866b7fca2a34

SHA1
94e11523a6f308f4e87af65127a95dc3141f9635

SHA256
e8497a87225e94924dac0f3ff4207d0e332739469c84f3f965e9e8c35bdefb83

SHA512
12d186ec3cdd0d383c0855d231790345489dbeff86ef250af5c3458accba330973e3765307f6df5031a2d1d3230cb48ba0bc2d789e76b1cf5f8d2359c605d914

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25451a93859c9ffa97319150ac721098

SHA1
3dad6d505349a3b221c359b637cf78d6e989e01f

SHA256
fb02bc6b3b1538a7835abd590cbaeeaf1105ec82f8a54fbbe83ab25744b21fc3

SHA512
26e031169c4c275e0ed61fda50e71c73c7fbd17d829c77e27410b29633b5eb52bb935779053920fee4ade8ec96fafe7b38f4147e10c48da8ae8da2c0e15bb488

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9f6c34e4ad30b7f3674a443589acc87

SHA1
dbb160ae4729a8ea17461bc29c8a015be9a71fe3

SHA256
da86ab6ca340c3b22f33cf6c3ea318f48869a17386728f8fa0b2a846d139bf34

SHA512
081a8a9f87aaecb9937b5557712e2028e7e55fecd2ac71bbfdd3a7e028718b041070240fd97813e446a7484402c66a5bb001aae011422a5b54cfb40358d6d147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
337e428b12cc3b28f59dc50742c20d60

SHA1
a798f8c2e5faaeda6a472f336ad6c0956708076f

SHA256
63de4089cf886d7edb07a61c1142b17df8e92bd5b9c10c1b7cf043467538bfa7

SHA512
4e8536c716e31322e7ad5f5f5e43af37670d2435a10bd936ff249e8b0d4f2e6b31eecb7679c5bf2b4e2da4687956d01f4a83e1a17cb27432dee884530be58ee5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bed0950bd71423ad97bf4da7bc470fb7

SHA1
a8ead6955b57b92849b9beaf752d895844392b10

SHA256
c33d2e383519c906b68319ed06a8b49f6da8a133f2bd21a73db51d0cb3c2ba1c

SHA512
01262a5ebd74b3d1ab0ac9dbe55d31ec5e593f61d996dd02ae2b4c5022eccffb93305ad3a2f83520a675f74be49f30d08aa4e5262a86c95ada86c60cdfeabfd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d46c50f4fd1b3a991e36e6ab48e6c7b6

SHA1
10867604e5f145ca38bcc8914dc643bf95f3e36e

SHA256
e66845b7b41c783c2449c58f2f3d8ddcc52ffa874425db3f36792b3f86026e91

SHA512
c466fc0cbf386fb06c6b7258d9c17481f639ad6c6342420de9d1a658fb5d69c5d7a111628d74ac2e141a4569dab62c2eecb3cdebe9ccd1119fdfe114c78a7d26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b496ba49588399e2414db6a7eb18866

SHA1
45de1d446f66bd996b1767c937c3295005a2733a

SHA256
24314f33c1dad10938f5e336943fe9e31565e52a84bf9dddde942d90a03c208b

SHA512
c660de58d973268b66067af1aa7bb37dd32f24963e7650538b20fe5a71a913dd41c9ff986cdb9a6761e67a76bbcb449d974fdfb455933e0fbc50438f6d948dac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b4f0bc35f96b29b89ddb32316efd38f

SHA1
e2c21e955005319daf1edf79be54bf08128afb75

SHA256
e9f15743738773749419f364b2b81c99f59c9084143551c09e282e265cee000c

SHA512
c2ba7ef0219c8ce287b3bd9aada6ecb904e18398278f9f9ab95d52285df809edaad32188d5898263102c3344a2152044fda5cdd1ba7ed3b9f6e31706bb5a1e89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b10d2ffdf4fe2cbb2fdc552dfe8d42e5

SHA1
8f8b47449ba0781c58c8ad7bdd94bfe0dae91f7e

SHA256
da3b8eaa68bfe3c7d8b143fd783d23ad68121669282260d831e207bac4b57353

SHA512
15b7c660167bce0f2a9f0939246d82791781809e66a7277ffb00c834cd870690576fb5f3b24c51ad4dbfe324f4f3426dcf7072cb3b58d207e79508e885eaf68d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bedf1bfb90a79a77a2182914d142ffe

SHA1
beb035216000e8aecf031f9e66515a6a7356e2d4

SHA256
d0eacb4fe69000ab826a2e857dfc9522b90abe5c92305332023c99a0d6105b4c

SHA512
35af72545528481f8333295d58f82689100988f3efa09e732bc61463496c5b9bfebaf802d7ffd115203a53ef5289d2d2691b4adf31de436bc427a6f8ac7c0585

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebfdc7dc1751926c1f29b8219501af7c

SHA1
f8dfb71ec778d9b7197147863d108df6714b2b70

SHA256
e39487d0e7b9708e8596e542cd8e9b590127253afd1c22bdba91f76fd0eaec9b

SHA512
75c2ce18579a66f12a65440f000b9c2753a7842ab9f476eb78b89e76de45da24ed785e8bc74b2e60e6023e25b03d9f8ddc68ef26f82adaf5b562f9bf6c79b9d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e0b5391d9dc0d68fcfbc9e9fad12f97

SHA1
5ba8d246266ac514e52107406cd75a62bc1b45dc

SHA256
6c9874d4d62d241b07162734625012a7a45d96b3a45c8999e8005611b2b3d287

SHA512
21b36be83ebea6c7fe7778a0cbde75e9423790d537885fa5bbf76a6f459252d393ee2bff9b01ee00c97d9004895c1574c8f9ecb09ea685e9c4f0786da862af6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca7f0b53d2bad4e943e1cdcf417220cb

SHA1
aa3af9caa725507198a3bbeeabc56d74eaf46428

SHA256
b326bd8f9d5d0365c6ef60318c792bcb5d8e76f205140276503341e9368b9841

SHA512
fa148f731769ba0168a3318fb07e38e7cc6cf5031e91b8fd7859601263720039510493815ae2da62faacf4ea9d1d374aa5d13612664882a9370dfab3c6647578

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
819e66b297c68090f67c5e482122252d

SHA1
49232bd3e71960f3fe68e45312e67a8be33b9057

SHA256
6a5e18d34ed5c3efb6396f34e84df165393bba8fcfae03b2683ad07d3a1ab3da

SHA512
4649e6e3d289959420eb7705335b51b3b8ad5b75f8f254931afdc6f24f8fd784e9b5cfbfd50461e85e7f20d16f25fd3c264e308f1d21062dcd5a3ee5bdc985b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02406351b06c38466fd2e5bf035e2a26

SHA1
e8b9364dff5c9152f359cff9a186bd97c64d247d

SHA256
0178200df5e17b2f4b77dee3a9cb1fb337e96490b68e54d38a4614245d5b431e

SHA512
f2696b0723e05948171d14011817a64fc04f7cd4997a4e6eb15d5dc1fc91f359dcb1e84b99a4634fcc106fb50d75cc5ab9cd79b063d47acd207d5937f8ddd7af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b223f19282044e9aaa6deefd3637cf93

SHA1
4f277f13c5b0a954cab0a80ec81a0443b925b733

SHA256
28baa24a2ed49c06cf7b94067c11d72ceaef75f70485e6e7d594c836a072599d

SHA512
54f3036c039a8e47d0a03311ba07ae15195691fea0164816ad7558abb72a0614ce86ae28d22810626dc38c8b816c2791d93d820d81c282c2198f6b3126c0f57b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1fdaa3c8ecb5a2d0960ca8cfb9bbbcf

SHA1
c9d410add0445742e1acd22ec82ed6a03918be4b

SHA256
f9aedadd878ab18b526be3e94332d83be05973c9b618329737cb148d4fae0afd

SHA512
1d3d90830a3f39570d887d90d36812a6db28910fcfb6a1efb8fa756b5373a11820d961b9d4bcd25c6d8e8054773e5384c6f8789fe9446dc2d1682bbf5238017a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD0D7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD13A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Temp\CreateProcess.exe

Filesize
3KB

MD5
a870ddb351df181a7b822973d9ebd65f

SHA1
bdfbbae795285862a80f338870d7dfc0a9625f1d

SHA256
fa48918e197dc7cf73c09e05a069151fd30a6c2f07770de4eb4661d2729070aa

SHA512
52ecb4c183e034792c0886c757d218b7dd34760e0f3f736d30623f33b61e69be7c5e546db10e3dd875ec06e8a4d2747aec17f0d6fda7d8c0aa446198c46b9f13

Download Submit
\Temp\fzxrmkecwrojhbwt.exe

Filesize
361KB

MD5
cd3f2a8531cc712e19aae61728a9a4a2

SHA1
f106daa4f30baeee3cc7968a0f1956aa78bf3f29

SHA256
aafaa17a18bf886f273dc49ec5419852425bdb5b142d22544814e6893712f5e1

SHA512
e2d0dbb03424765d69a97022c4c5d72036fdf7e5a046b369be7969cedb7f63734d123cc274e0d169ee57eba457fb0d55295a730576dc175ab9d9a7c1e5998111

Download Submit