a38a8a708c10cc37ffad39c9471a238177a411c15a10221195fd42f75774e53f

Analysis

max time kernel
149s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
Size

361KB
MD5

3eede8b06e6a2d4a041c6d2d2a6efc35
SHA1

59caa7b8db93705e8bfc6d81be47e793c49b8a84
SHA256

a38a8a708c10cc37ffad39c9471a238177a411c15a10221195fd42f75774e53f
SHA512

882b6b94619ed6caeffc8c12e70ef8959bc915f35149f19a113aa88afd2dcf31e5ccabafb3236a8e1576361aaf7e8f1ab331e49c1538185f94661b417d31f6f8
SSDEEP

6144:4flfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:4flfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3716	aysqlidavtnlfdxv.exe
1456	CreateProcess.exe
992	lfdyvqniga.exe
2896	CreateProcess.exe
2824	CreateProcess.exe
2972	i_lfdyvqniga.exe
5000	CreateProcess.exe
4744	pnhfaxspki.exe
2156	CreateProcess.exe
3268	CreateProcess.exe
4724	i_pnhfaxspki.exe
1764	CreateProcess.exe
2568	nhfzxspkic.exe
3972	CreateProcess.exe
1884	CreateProcess.exe
3664	i_nhfzxspkic.exe
4244	CreateProcess.exe
4156	pnhfzxrpkh.exe
3600	CreateProcess.exe
3188	CreateProcess.exe
2352	i_pnhfzxrpkh.exe
4584	CreateProcess.exe
2380	mgezwrpjhb.exe
4020	CreateProcess.exe
4528	CreateProcess.exe
1468	i_mgezwrpjhb.exe
4696	CreateProcess.exe
1116	geywrojgbz.exe
2696	CreateProcess.exe
3568	CreateProcess.exe
4364	i_geywrojgbz.exe
4860	CreateProcess.exe
3376	bvtolgeywq.exe
4776	CreateProcess.exe
1112	CreateProcess.exe
4652	i_bvtolgeywq.exe
2656	CreateProcess.exe
508	eywqoigbyt.exe
4864	CreateProcess.exe
2112	CreateProcess.exe
1712	i_eywqoigbyt.exe
4156	CreateProcess.exe
4988	yvqoigaytq.exe
3296	CreateProcess.exe
1148	CreateProcess.exe
456	i_yvqoigaytq.exe
4136	CreateProcess.exe
1600	vpnifaxsqk.exe
3608	CreateProcess.exe
1552	CreateProcess.exe
4276	i_vpnifaxsqk.exe
448	CreateProcess.exe
1428	smkfcxvpnh.exe
4532	CreateProcess.exe
1168	CreateProcess.exe
4180	i_smkfcxvpnh.exe
1496	CreateProcess.exe
3908	xvpnhfzxsp.exe
5020	CreateProcess.exe
1308	CreateProcess.exe
4568	i_xvpnhfzxsp.exe
3980	CreateProcess.exe
2316	urmkecwupm.exe
3708	CreateProcess.exe

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trljdbvtol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhfzxspkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_xvpnhfzxsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_rpjhbztrmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smkfcxvpnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_omgeywrojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_trljdbvtol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_lfdyvqniga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_bvtolgeywq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvqoigaytq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgezwrpjhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_yvqoigaytq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpnifaqkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pnhfaxspki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qlfdxvpnif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CreateProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_nhfzxspkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_tnlgdywqoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omgeywrojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_vpnifaqkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_snkfdxvpnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aysqlidavtnlfdxv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpnifaxsqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_urmkecwupm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_mgezwrpjhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eywqoigbyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_eywqoigbyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_vpnifaxsqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_smkfcxvpnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_pnhfaxspki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pnhfzxrpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_pnhfzxrpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpjhbztrmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_qlfdxvpnif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_geywrojgbz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvtolgeywq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snkfdxvpnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	urmkecwupm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnlgdywqoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfdyvqniga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geywrojgbz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xvpnhfzxsp.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3380	ipconfig.exe
2572	ipconfig.exe
4120	ipconfig.exe
992	ipconfig.exe
3604	ipconfig.exe
4564	ipconfig.exe
4416	ipconfig.exe
4556	ipconfig.exe
2384	ipconfig.exe
3404	ipconfig.exe
1004	ipconfig.exe
2408	ipconfig.exe
4692	ipconfig.exe
632	ipconfig.exe
368	ipconfig.exe
4788	ipconfig.exe
3608	ipconfig.exe
720	ipconfig.exe
2656	ipconfig.exe
1336	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2898697535"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0a455ad4d1ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D86B5FCC-8940-11EF-A4B7-E26222BAF6A3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31137101"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000028e76085f1f7640a0643881d549bbfc00000000020000000000106600000001000020000000f096fdabbba9d9a683c827c64f91097b2e569e247c0fb1ad6178d18a02c33456000000000e8000000002000020000000a85d613d86b9fcbad3cf8a3b40f4492d44c7357c44a66d12df9a0dc93f3d852420000000b7dfcc1897db576f846ae031f0d88791a2349b96c6cc6b6ab53deb73f9f37e1340000000841c679da41634e20444b96461388c637be15857ccb1666a095cb28f08a74cfebb532ea75e3e97c9e73777fc062cb0221901a9fd47aa7d1c78a27ac5b7ca80db	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0074cad4d1ddb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137101"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137101"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435574682"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2898697535"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000028e76085f1f7640a0643881d549bbfc00000000020000000000106600000001000020000000cd9b8bed8b0242aa5f25753165146073efce817bebf1c13acef24f557bd7144e000000000e8000000002000020000000561a2022cae73135aadc269e30492b7d5fb967e69b8c306bcae2a7773b6b1d59200000006cafb425fd138abf7a9b01a8cfdd1182b3d6172d6b25a2e8024473f1448a97d840000000333f3f4adb5fb3060484cb325d45837a00614e4f048bc018b975e6bb0b241883aef9cd3345d19c789112d783673972a6ec177a10ee71d243c062438f1d284d14	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2901978742"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3716	aysqlidavtnlfdxv.exe
3716	aysqlidavtnlfdxv.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3716	aysqlidavtnlfdxv.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3716	aysqlidavtnlfdxv.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3716	aysqlidavtnlfdxv.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3716	aysqlidavtnlfdxv.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3716	aysqlidavtnlfdxv.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3716	aysqlidavtnlfdxv.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3716	aysqlidavtnlfdxv.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3716	aysqlidavtnlfdxv.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3716	aysqlidavtnlfdxv.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3716	aysqlidavtnlfdxv.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3716	aysqlidavtnlfdxv.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3716	aysqlidavtnlfdxv.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	i_lfdyvqniga.exe
Token: SeDebugPrivilege	4724	i_pnhfaxspki.exe
Token: SeDebugPrivilege	3664	i_nhfzxspkic.exe
Token: SeDebugPrivilege	2352	i_pnhfzxrpkh.exe
Token: SeDebugPrivilege	1468	i_mgezwrpjhb.exe
Token: SeDebugPrivilege	4364	i_geywrojgbz.exe
Token: SeDebugPrivilege	4652	i_bvtolgeywq.exe
Token: SeDebugPrivilege	1712	i_eywqoigbyt.exe
Token: SeDebugPrivilege	456	i_yvqoigaytq.exe
Token: SeDebugPrivilege	4276	i_vpnifaxsqk.exe
Token: SeDebugPrivilege	4180	i_smkfcxvpnh.exe
Token: SeDebugPrivilege	4568	i_xvpnhfzxsp.exe
Token: SeDebugPrivilege	4852	i_urmkecwupm.exe
Token: SeDebugPrivilege	2156	i_rpjhbztrmj.exe
Token: SeDebugPrivilege	824	i_omgeywrojh.exe
Token: SeDebugPrivilege	4764	i_trljdbvtol.exe
Token: SeDebugPrivilege	3188	i_tnlgdywqoi.exe
Token: SeDebugPrivilege	4936	i_qlfdxvpnif.exe
Token: SeDebugPrivilege	4612	i_vpnifaqkic.exe
Token: SeDebugPrivilege	2940	i_snkfdxvpnh.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2292	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2292	iexplore.exe
2292	iexplore.exe
3748	IEXPLORE.EXE
3748	IEXPLORE.EXE
3748	IEXPLORE.EXE
3748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 3716	3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe	86
PID 3668 wrote to memory of 3716	3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe	86
PID 3668 wrote to memory of 3716	3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe	86
PID 3668 wrote to memory of 2292	3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe	87
PID 3668 wrote to memory of 2292	3668	3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe	87
PID 2292 wrote to memory of 3748	2292	iexplore.exe	88
PID 2292 wrote to memory of 3748	2292	iexplore.exe	88
PID 2292 wrote to memory of 3748	2292	iexplore.exe	88
PID 3716 wrote to memory of 1456	3716	aysqlidavtnlfdxv.exe	89
PID 3716 wrote to memory of 1456	3716	aysqlidavtnlfdxv.exe	89
PID 3716 wrote to memory of 1456	3716	aysqlidavtnlfdxv.exe	89
PID 992 wrote to memory of 2896	992	lfdyvqniga.exe	92
PID 992 wrote to memory of 2896	992	lfdyvqniga.exe	92
PID 992 wrote to memory of 2896	992	lfdyvqniga.exe	92
PID 3716 wrote to memory of 2824	3716	aysqlidavtnlfdxv.exe	95
PID 3716 wrote to memory of 2824	3716	aysqlidavtnlfdxv.exe	95
PID 3716 wrote to memory of 2824	3716	aysqlidavtnlfdxv.exe	95
PID 3716 wrote to memory of 5000	3716	aysqlidavtnlfdxv.exe	97
PID 3716 wrote to memory of 5000	3716	aysqlidavtnlfdxv.exe	97
PID 3716 wrote to memory of 5000	3716	aysqlidavtnlfdxv.exe	97
PID 4744 wrote to memory of 2156	4744	pnhfaxspki.exe	99
PID 4744 wrote to memory of 2156	4744	pnhfaxspki.exe	99
PID 4744 wrote to memory of 2156	4744	pnhfaxspki.exe	99
PID 3716 wrote to memory of 3268	3716	aysqlidavtnlfdxv.exe	102
PID 3716 wrote to memory of 3268	3716	aysqlidavtnlfdxv.exe	102
PID 3716 wrote to memory of 3268	3716	aysqlidavtnlfdxv.exe	102
PID 3716 wrote to memory of 1764	3716	aysqlidavtnlfdxv.exe	104
PID 3716 wrote to memory of 1764	3716	aysqlidavtnlfdxv.exe	104
PID 3716 wrote to memory of 1764	3716	aysqlidavtnlfdxv.exe	104
PID 2568 wrote to memory of 3972	2568	nhfzxspkic.exe	106
PID 2568 wrote to memory of 3972	2568	nhfzxspkic.exe	106
PID 2568 wrote to memory of 3972	2568	nhfzxspkic.exe	106
PID 3716 wrote to memory of 1884	3716	aysqlidavtnlfdxv.exe	109
PID 3716 wrote to memory of 1884	3716	aysqlidavtnlfdxv.exe	109
PID 3716 wrote to memory of 1884	3716	aysqlidavtnlfdxv.exe	109
PID 3716 wrote to memory of 4244	3716	aysqlidavtnlfdxv.exe	111
PID 3716 wrote to memory of 4244	3716	aysqlidavtnlfdxv.exe	111
PID 3716 wrote to memory of 4244	3716	aysqlidavtnlfdxv.exe	111
PID 4156 wrote to memory of 3600	4156	pnhfzxrpkh.exe	113
PID 4156 wrote to memory of 3600	4156	pnhfzxrpkh.exe	113
PID 4156 wrote to memory of 3600	4156	pnhfzxrpkh.exe	113
PID 3716 wrote to memory of 3188	3716	aysqlidavtnlfdxv.exe	118
PID 3716 wrote to memory of 3188	3716	aysqlidavtnlfdxv.exe	118
PID 3716 wrote to memory of 3188	3716	aysqlidavtnlfdxv.exe	118
PID 3716 wrote to memory of 4584	3716	aysqlidavtnlfdxv.exe	120
PID 3716 wrote to memory of 4584	3716	aysqlidavtnlfdxv.exe	120
PID 3716 wrote to memory of 4584	3716	aysqlidavtnlfdxv.exe	120
PID 2380 wrote to memory of 4020	2380	mgezwrpjhb.exe	122
PID 2380 wrote to memory of 4020	2380	mgezwrpjhb.exe	122
PID 2380 wrote to memory of 4020	2380	mgezwrpjhb.exe	122
PID 3716 wrote to memory of 4528	3716	aysqlidavtnlfdxv.exe	125
PID 3716 wrote to memory of 4528	3716	aysqlidavtnlfdxv.exe	125
PID 3716 wrote to memory of 4528	3716	aysqlidavtnlfdxv.exe	125
PID 3716 wrote to memory of 4696	3716	aysqlidavtnlfdxv.exe	129
PID 3716 wrote to memory of 4696	3716	aysqlidavtnlfdxv.exe	129
PID 3716 wrote to memory of 4696	3716	aysqlidavtnlfdxv.exe	129
PID 1116 wrote to memory of 2696	1116	geywrojgbz.exe	131
PID 1116 wrote to memory of 2696	1116	geywrojgbz.exe	131
PID 1116 wrote to memory of 2696	1116	geywrojgbz.exe	131
PID 3716 wrote to memory of 3568	3716	aysqlidavtnlfdxv.exe	134
PID 3716 wrote to memory of 3568	3716	aysqlidavtnlfdxv.exe	134
PID 3716 wrote to memory of 3568	3716	aysqlidavtnlfdxv.exe	134
PID 3716 wrote to memory of 4860	3716	aysqlidavtnlfdxv.exe	136
PID 3716 wrote to memory of 4860	3716	aysqlidavtnlfdxv.exe	136

C:\Users\Admin\AppData\Local\Temp\3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Temp\aysqlidavtnlfdxv.exe
  C:\Temp\aysqlidavtnlfdxv.exe run
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lfdyvqniga.exe ups_run
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1456
  - - C:\Temp\lfdyvqniga.exe
      C:\Temp\lfdyvqniga.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2896
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3380
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lfdyvqniga.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2824
  - - C:\Temp\i_lfdyvqniga.exe
      C:\Temp\i_lfdyvqniga.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2972
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pnhfaxspki.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:5000
  - - C:\Temp\pnhfaxspki.exe
      C:\Temp\pnhfaxspki.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2156
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4692
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pnhfaxspki.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3268
  - - C:\Temp\i_pnhfaxspki.exe
      C:\Temp\i_pnhfaxspki.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4724
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nhfzxspkic.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1764
  - - C:\Temp\nhfzxspkic.exe
      C:\Temp\nhfzxspkic.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3972
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2656
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nhfzxspkic.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1884
  - - C:\Temp\i_nhfzxspkic.exe
      C:\Temp\i_nhfzxspkic.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3664
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pnhfzxrpkh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4244
  - - C:\Temp\pnhfzxrpkh.exe
      C:\Temp\pnhfzxrpkh.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4156
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3600
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2572
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pnhfzxrpkh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3188
  - - C:\Temp\i_pnhfzxrpkh.exe
      C:\Temp\i_pnhfzxrpkh.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2352
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mgezwrpjhb.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4584
  - - C:\Temp\mgezwrpjhb.exe
      C:\Temp\mgezwrpjhb.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4020
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:632
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mgezwrpjhb.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4528
  - - C:\Temp\i_mgezwrpjhb.exe
      C:\Temp\i_mgezwrpjhb.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1468
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\geywrojgbz.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4696
  - - C:\Temp\geywrojgbz.exe
      C:\Temp\geywrojgbz.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1116
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2696
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1336
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_geywrojgbz.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3568
  - - C:\Temp\i_geywrojgbz.exe
      C:\Temp\i_geywrojgbz.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4364
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bvtolgeywq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4860
  - - C:\Temp\bvtolgeywq.exe
      C:\Temp\bvtolgeywq.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3376
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4776
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:368
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bvtolgeywq.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1112
  - - C:\Temp\i_bvtolgeywq.exe
      C:\Temp\i_bvtolgeywq.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4652
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\eywqoigbyt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2656
  - - C:\Temp\eywqoigbyt.exe
      C:\Temp\eywqoigbyt.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:508
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4864
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4564
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_eywqoigbyt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2112
  - - C:\Temp\i_eywqoigbyt.exe
      C:\Temp\i_eywqoigbyt.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1712
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\yvqoigaytq.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4156
  - - C:\Temp\yvqoigaytq.exe
      C:\Temp\yvqoigaytq.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4988
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3296
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4788
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_yvqoigaytq.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1148
  - - C:\Temp\i_yvqoigaytq.exe
      C:\Temp\i_yvqoigaytq.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:456
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vpnifaxsqk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4136
  - - C:\Temp\vpnifaxsqk.exe
      C:\Temp\vpnifaxsqk.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1600
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3608
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4416
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vpnifaxsqk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1552
  - - C:\Temp\i_vpnifaxsqk.exe
      C:\Temp\i_vpnifaxsqk.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4276
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\smkfcxvpnh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:448
  - - C:\Temp\smkfcxvpnh.exe
      C:\Temp\smkfcxvpnh.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1428
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4532
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4556
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_smkfcxvpnh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1168
  - - C:\Temp\i_smkfcxvpnh.exe
      C:\Temp\i_smkfcxvpnh.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4180
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xvpnhfzxsp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1496
  - - C:\Temp\xvpnhfzxsp.exe
      C:\Temp\xvpnhfzxsp.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3908
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:5020
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4120
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xvpnhfzxsp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1308
  - - C:\Temp\i_xvpnhfzxsp.exe
      C:\Temp\i_xvpnhfzxsp.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4568
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\urmkecwupm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3980
  - - C:\Temp\urmkecwupm.exe
      C:\Temp\urmkecwupm.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2316
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3708
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:992
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_urmkecwupm.exe ups_ins
    3⤵
    PID:832
  - - C:\Temp\i_urmkecwupm.exe
      C:\Temp\i_urmkecwupm.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4852
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rpjhbztrmj.exe ups_run
    3⤵
    PID:3556
  - - C:\Temp\rpjhbztrmj.exe
      C:\Temp\rpjhbztrmj.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4744
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1488
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2384
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rpjhbztrmj.exe ups_ins
    3⤵
    PID:4184
  - - C:\Temp\i_rpjhbztrmj.exe
      C:\Temp\i_rpjhbztrmj.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2156
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\omgeywrojh.exe ups_run
    3⤵
    PID:872
  - - C:\Temp\omgeywrojh.exe
      C:\Temp\omgeywrojh.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:1112
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3304
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3604
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_omgeywrojh.exe ups_ins
    3⤵
    PID:4472
  - - C:\Temp\i_omgeywrojh.exe
      C:\Temp\i_omgeywrojh.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:824
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\trljdbvtol.exe ups_run
    3⤵
    PID:2308
  - - C:\Temp\trljdbvtol.exe
      C:\Temp\trljdbvtol.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:1592
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4668
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3404
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_trljdbvtol.exe ups_ins
    3⤵
    PID:1828
  - - C:\Temp\i_trljdbvtol.exe
      C:\Temp\i_trljdbvtol.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4764
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tnlgdywqoi.exe ups_run
    3⤵
    PID:4620
  - - C:\Temp\tnlgdywqoi.exe
      C:\Temp\tnlgdywqoi.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:1144
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1784
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1004
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tnlgdywqoi.exe ups_ins
    3⤵
    PID:3416
  - - C:\Temp\i_tnlgdywqoi.exe
      C:\Temp\i_tnlgdywqoi.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3188
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qlfdxvpnif.exe ups_run
    3⤵
    PID:4388
  - - C:\Temp\qlfdxvpnif.exe
      C:\Temp\qlfdxvpnif.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:3136
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2692
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3608
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qlfdxvpnif.exe ups_ins
    3⤵
    PID:1716
  - - C:\Temp\i_qlfdxvpnif.exe
      C:\Temp\i_qlfdxvpnif.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4936
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vpnifaqkic.exe ups_run
    3⤵
    PID:2532
  - - C:\Temp\vpnifaqkic.exe
      C:\Temp\vpnifaqkic.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4404
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4436
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2408
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vpnifaqkic.exe ups_ins
    3⤵
    PID:4016
  - - C:\Temp\i_vpnifaqkic.exe
      C:\Temp\i_vpnifaqkic.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4612
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\snkfdxvpnh.exe ups_run
    3⤵
    PID:920
  - - C:\Temp\snkfdxvpnh.exe
      C:\Temp\snkfdxvpnh.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4260
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2688
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:720
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_snkfdxvpnh.exe ups_ins
    3⤵
    PID:4872
  - - C:\Temp\i_snkfdxvpnh.exe
      C:\Temp\i_snkfdxvpnh.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2940
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
c9c3fb5552cdfeb09b591d0cc133c899

SHA1
85a6857a32ea6a3093200f0127da0a73ac39efd4

SHA256
6abea2973f1154aa6ba63efa9a53d7d83d5ce39fb9fb77d2261b7f8b9ed2bdeb

SHA512
41191e22570d3670f931f59712c956127d3c1ae60f0a3d9e4b1a57dcc21d4e8b842d9407eb559f316ce30c140d2603b94f22f9493237797d06f6413baae5e3f1

Download Submit
C:\Temp\aysqlidavtnlfdxv.exe

Filesize
361KB

MD5
28dba5c3dddd07f1bbd186a6e7cff0a8

SHA1
1ecc01751ea7e1c207041fe4eee3931312fab5a7

SHA256
9a7ca82ae9c890283008eae30b7a059deb283722ca61fe94b02016974ce73c91

SHA512
a0fcadd773f2f520422d478a5f18aa87630b60add58b61a1bc06f4f81d3436073a4f5dd6f1683a89d63dd403277f2fc9deb2eb13cb099514fe86b6aecad1f3cf

Download Submit
C:\Temp\bvtolgeywq.exe

Filesize
361KB

MD5
c15c70613886f1db7ed25bc6aabb0fe3

SHA1
7cb0f05db620445153e952932d2292b4c51e29e8

SHA256
6de520559012331bad0671809ee4e52bb0484377bedda0d57f8b8d5ec8f9a2a1

SHA512
7d3ed1a8ee64af73e135d95017fe105dde80b7a7e1babb3a6b7d2026bc935c996094607e75ff521ee1152718832e78637b96c974ab94ae961cbabc4cb2752a28

Download Submit
C:\Temp\eywqoigbyt.exe

Filesize
361KB

MD5
45cacaad6de8f348f96b3ad5d5a18fe8

SHA1
9e3a29260253065ad8b9c745ce71f2cd922ce5a0

SHA256
7103f761e7524f3e62e45d185a287dacbc0908c88ebbac1e8c86b950f3209e32

SHA512
cb1a1e7b8b0ad5d5c3c2e40d2f7812bf2a1a29242c415238bd442651f69f736be321d89bdffee0f228de86c93f4faab5e655e2b0d7d95568581341c9ecb48747

Download Submit
C:\Temp\geywrojgbz.exe

Filesize
361KB

MD5
7b6ec56864687892a7b849f7d2f50079

SHA1
881e6a238e35d512860648b450f8c15c45c0194b

SHA256
c76c12f2a12000c6eebfcd3a48ef09e21f3a1fc505e3240b767d3cb9db2e73eb

SHA512
72f93884066b5405a9f8e4f1459666c7172549b15cb8e8183e6ba7ac0a986bcb32684e863bcc51e211b8b8218d9acc9a78ead461a02a304745f3b8b1e1502e01

Download Submit
C:\Temp\i_bvtolgeywq.exe

Filesize
361KB

MD5
58ec7d43912bb5088f7ac01ed9a77579

SHA1
505d2c2a969ba828a7f64dbc71e4e3e733236fd4

SHA256
1076cc75b078ceb612be4f27a9749e8d15caca58d5c945d1deae6491b8ad63bc

SHA512
ce446df06bbd9b28ae13160f62d03593677d900db36dace384f78c79701800859eb193ed6923069ae30e2f60c507e1659bad6ac486ea060d2637d43a8f3265f3

Download Submit
C:\Temp\i_eywqoigbyt.exe

Filesize
361KB

MD5
154c4a7ffc130bc80aaee9f6b361d112

SHA1
2e85149f1c0005a60e11e277a117edc21d184ca3

SHA256
5e3f20d680c7d5311214421d207803018c08543d43a1d335ddbb830d9c495715

SHA512
2544ca18642f8076e61c77f27d5778840e4fb5f01394790ae4bf976dce2f87bddbb1e1da442c56f07ec0d74ab0f9e8d525f29f65d6bafd6e92c85e3986cb535f

Download Submit
C:\Temp\i_geywrojgbz.exe

Filesize
361KB

MD5
2809c8e3a30371dc637c6a43db2485a4

SHA1
85e30816e7ca8cf2079ca44879dfbc70fc378fac

SHA256
c7ae45548cdf8e5d7f057e1cd28fbf79d928b0effcc2ef4cbb84b3191de66b82

SHA512
6e9f19dc62353f6589753722e0011b80de90487e4268d5839e5c0e773a60609151d0c67320232e2301a407fb9eb3898ddf27c56346bd1414a1efe88b1f12eb5c

Download Submit
C:\Temp\i_lfdyvqniga.exe

Filesize
361KB

MD5
9de7c93afbe675d6f380e4bc41acfcfe

SHA1
361cc33ed4692962690ef432f5b3b1c16e19c33b

SHA256
62012c0f6b38596b042814c8e9c603127d77c6f80518e13f791d2a261cccf28a

SHA512
a92d4ba175fde9eacd805ee16337336d54759cd3ab6552df8708a38db218aa7f94d3d8f0de1eb2d55b77f7191a3ab258b3c35e309b9c32de954fe94c5d925bf9

Download Submit
C:\Temp\i_mgezwrpjhb.exe

Filesize
361KB

MD5
968b4c566a56554ae351c7e239101c3b

SHA1
0e61e92af6cd3d1310393c244c5ccd01d424d60c

SHA256
8b2f58ab893b8a3c40ce2eb6545816f4ed8ee3c843dc7e2bc4bbbc63b5632f03

SHA512
7da2e8c54b07bb0ea5aa71ba24f0d479798ca3619f3565a38e17471cdf0c7f352f6fce72822a5b307cf2697ef1777e8adde4008b7a2b3a74a073c80a5fabe55a

Download Submit
C:\Temp\i_nhfzxspkic.exe

Filesize
361KB

MD5
0580bd923976d6c24c056da0baff0a2e

SHA1
1f8dcc593e42f9762edefe34acf8e1eba8aa9958

SHA256
c14e4ee22febb2e2956fd57389353fad01d62ce485e4e8d70f996006d8f95f5e

SHA512
3962b6bd98d3dd16b5ee280ff20ef7a9f7c29afa2ba1404342612167455cadc4685fb0a4cd89a2775eb4095d81db530b18e65c579f71479fdde329d371349a51

Download Submit
C:\Temp\i_pnhfaxspki.exe

Filesize
361KB

MD5
5f5972d0cf6c9b43ff970cfd1f19d407

SHA1
6c3ea24fec42605aab6c84da6ddf1658c50dfcf4

SHA256
938da495f37c0b80f7e1099d1855f68ca4d179941c37e1c8a9f05ed45b300ef1

SHA512
522c991f01f2d030aa08c5e05a3cd8bb3225e395b20ed63fb8f14b7b7d6c5f9f54e83edf4935f3becb2580c2f31e085dad3aa501c337349b265ee3315f3c8409

Download Submit
C:\Temp\i_pnhfzxrpkh.exe

Filesize
361KB

MD5
e23b37088b65a056a852d66523084aa5

SHA1
654b4248814b82087287646fa868427be52b31e8

SHA256
8d7522aff8a7f5113606594477fad6e7123a12c836d881c42d0d2ef2bd78f2ca

SHA512
22401517da9014580b5bd9e78cf91b4bdce9f38637c65275e42a1bcbefc5e9160857234420b6dbf3bd7a5f941cfdf9147cd90c64f824f8fe45a6e1180d4b4418

Download Submit
C:\Temp\lfdyvqniga.exe

Filesize
361KB

MD5
39e1cb209dada7411e61bca94163bcdd

SHA1
3a2a413a45cf78135f67f56f86d9c00d8b7d23aa

SHA256
1bb0174e8ef825a5a39a8a9ea6ab460b79faebc9ade9441d5410894529188887

SHA512
6918b7e1b63bb1172cd16c8f44e5daae6cbe629dfd8d25b87959eaaeb5e059e6ce55f77001ef59d438420568a74f5590c3d75d2e27121c876e7a1a8d2812bc2e

Download Submit
C:\Temp\mgezwrpjhb.exe

Filesize
361KB

MD5
ae62d7574bd6cd76e1b28bd5801daa8a

SHA1
336ac8af18160d4024d59a3399072827462dc779

SHA256
bb949b2e46b5a6a75e91f44ac95f98716d8553ced73d7dbb1326b0cb25ccc6f9

SHA512
d1b9048b4c559b0d5965d4ed95ba5f248a85173a2e3bad714595e13aba71a5128cb6782c8b4641f8ecd33f0a9eee14a35bc93138dee739400a90f74686064bcb

Download Submit
C:\Temp\nhfzxspkic.exe

Filesize
361KB

MD5
231fa8e5cd2acc4461460fcbb45a926b

SHA1
a0a01e15e8ddc95b1531daa2208d34f7c8496121

SHA256
6e95da6672000a2e27392fb5db491aca75959ad77db5798c1bfb06bd4c989023

SHA512
31c8ce9816034a9143a1d3e419ade720a87c15d1910dfb15f9dd1a6311d851b175b02578f308ade0f1cb631bbc18d58020066cf769530e5e0a627a838785f8ba

Download Submit
C:\Temp\pnhfaxspki.exe

Filesize
361KB

MD5
3d9b02ffef463ccd86af3a0f245c07ad

SHA1
6eb133806415084698e574c9e41f50783d7c6803

SHA256
3b855efad843ecbc06db322ac0d0f783a572a2ad47340c5e8be53567289a951e

SHA512
6adfd8770c29d2ff3ef53ff93a85c0f872a2098bf463c50d85851987d5f208244739e09ca48d00abdeb55a5d1872c3f07745f25f3cf7900bcc060a1dbaf2f3bf

Download Submit
C:\Temp\pnhfzxrpkh.exe

Filesize
361KB

MD5
67ba51f335dfcac1f0e7f346cf022600

SHA1
8a991fd2d11567d5901c3bb9a057ab01f4b2801b

SHA256
e744da2d0522be8e82e990eb157e1d00ceda09547d72d30750f1d95bce33579f

SHA512
6ac372af7c0c6933a2dabca38c4acc269a4c6e373d4ca79153db36383273c65145fadefa606b78cf1031763a095c4dbe1fd64faadfa230f0ba99de45a00bfcc9

Download Submit
C:\Temp\yvqoigaytq.exe

Filesize
361KB

MD5
95d5d77611edb5dcc8655306bcad6737

SHA1
5e94b2fbcd57e634564d04d6d8a1a5ccad0df730

SHA256
3700fd09ec479a32bf60d2e41e137199b6c019d9b2bd8fe9eaee99938682c174

SHA512
b73db3f361ec6766582593e92427a0d41e7ded0abbcd6d5e892913f675ce471126fdbfc02fd53979637ec4e0679da7a0dbf3cb1ff7a418f0e353cb424306e960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPUS7TYC\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit