Analysis

  • max time kernel
    149s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/10/2024, 08:55

General

  • Target

    3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe

  • Size

    361KB

  • MD5

    3eede8b06e6a2d4a041c6d2d2a6efc35

  • SHA1

    59caa7b8db93705e8bfc6d81be47e793c49b8a84

  • SHA256

    a38a8a708c10cc37ffad39c9471a238177a411c15a10221195fd42f75774e53f

  • SHA512

    882b6b94619ed6caeffc8c12e70ef8959bc915f35149f19a113aa88afd2dcf31e5ccabafb3236a8e1576361aaf7e8f1ab331e49c1538185f94661b417d31f6f8

  • SSDEEP

    6144:4flfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:4flfAsiVGjSGecvX

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 20 IoCs

    Uses a command-line utility to view the network configuration.

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3eede8b06e6a2d4a041c6d2d2a6efc35_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Temp\aysqlidavtnlfdxv.exe
      C:\Temp\aysqlidavtnlfdxv.exe run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\lfdyvqniga.exe ups_run
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1456
        • C:\Temp\lfdyvqniga.exe
          C:\Temp\lfdyvqniga.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:992
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2896
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3380
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_lfdyvqniga.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2824
        • C:\Temp\i_lfdyvqniga.exe
          C:\Temp\i_lfdyvqniga.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2972
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\pnhfaxspki.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:5000
        • C:\Temp\pnhfaxspki.exe
          C:\Temp\pnhfaxspki.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4744
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2156
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4692
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_pnhfaxspki.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:3268
        • C:\Temp\i_pnhfaxspki.exe
          C:\Temp\i_pnhfaxspki.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4724
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\nhfzxspkic.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1764
        • C:\Temp\nhfzxspkic.exe
          C:\Temp\nhfzxspkic.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:3972
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2656
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_nhfzxspkic.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1884
        • C:\Temp\i_nhfzxspkic.exe
          C:\Temp\i_nhfzxspkic.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3664
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\pnhfzxrpkh.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4244
        • C:\Temp\pnhfzxrpkh.exe
          C:\Temp\pnhfzxrpkh.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4156
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:3600
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2572
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_pnhfzxrpkh.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:3188
        • C:\Temp\i_pnhfzxrpkh.exe
          C:\Temp\i_pnhfzxrpkh.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2352
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\mgezwrpjhb.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4584
        • C:\Temp\mgezwrpjhb.exe
          C:\Temp\mgezwrpjhb.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2380
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4020
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:632
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_mgezwrpjhb.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:4528
        • C:\Temp\i_mgezwrpjhb.exe
          C:\Temp\i_mgezwrpjhb.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1468
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\geywrojgbz.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4696
        • C:\Temp\geywrojgbz.exe
          C:\Temp\geywrojgbz.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1116
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2696
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1336
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_geywrojgbz.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:3568
        • C:\Temp\i_geywrojgbz.exe
          C:\Temp\i_geywrojgbz.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4364
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\bvtolgeywq.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4860
        • C:\Temp\bvtolgeywq.exe
          C:\Temp\bvtolgeywq.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3376
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4776
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:368
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_bvtolgeywq.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1112
        • C:\Temp\i_bvtolgeywq.exe
          C:\Temp\i_bvtolgeywq.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4652
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\eywqoigbyt.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2656
        • C:\Temp\eywqoigbyt.exe
          C:\Temp\eywqoigbyt.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:508
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4864
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4564
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_eywqoigbyt.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2112
        • C:\Temp\i_eywqoigbyt.exe
          C:\Temp\i_eywqoigbyt.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1712
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\yvqoigaytq.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4156
        • C:\Temp\yvqoigaytq.exe
          C:\Temp\yvqoigaytq.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4988
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:3296
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4788
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_yvqoigaytq.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1148
        • C:\Temp\i_yvqoigaytq.exe
          C:\Temp\i_yvqoigaytq.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:456
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\vpnifaxsqk.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4136
        • C:\Temp\vpnifaxsqk.exe
          C:\Temp\vpnifaxsqk.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1600
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:3608
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4416
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_vpnifaxsqk.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1552
        • C:\Temp\i_vpnifaxsqk.exe
          C:\Temp\i_vpnifaxsqk.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4276
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\smkfcxvpnh.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:448
        • C:\Temp\smkfcxvpnh.exe
          C:\Temp\smkfcxvpnh.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1428
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4532
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4556
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_smkfcxvpnh.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1168
        • C:\Temp\i_smkfcxvpnh.exe
          C:\Temp\i_smkfcxvpnh.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4180
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\xvpnhfzxsp.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1496
        • C:\Temp\xvpnhfzxsp.exe
          C:\Temp\xvpnhfzxsp.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3908
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:5020
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4120
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_xvpnhfzxsp.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1308
        • C:\Temp\i_xvpnhfzxsp.exe
          C:\Temp\i_xvpnhfzxsp.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4568
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\urmkecwupm.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:3980
        • C:\Temp\urmkecwupm.exe
          C:\Temp\urmkecwupm.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2316
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:3708
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:992
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_urmkecwupm.exe ups_ins
        3⤵
        PID:832
        • C:\Temp\i_urmkecwupm.exe
          C:\Temp\i_urmkecwupm.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4852
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\rpjhbztrmj.exe ups_run
        3⤵
        PID:3556
        • C:\Temp\rpjhbztrmj.exe
          C:\Temp\rpjhbztrmj.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4744
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:1488
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2384
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_rpjhbztrmj.exe ups_ins
        3⤵
        PID:4184
        • C:\Temp\i_rpjhbztrmj.exe
          C:\Temp\i_rpjhbztrmj.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2156
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\omgeywrojh.exe ups_run
        3⤵
        PID:872
        • C:\Temp\omgeywrojh.exe
          C:\Temp\omgeywrojh.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1112
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:3304
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3604
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_omgeywrojh.exe ups_ins
        3⤵
        PID:4472
        • C:\Temp\i_omgeywrojh.exe
          C:\Temp\i_omgeywrojh.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:824
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\trljdbvtol.exe ups_run
        3⤵
        PID:2308
        • C:\Temp\trljdbvtol.exe
          C:\Temp\trljdbvtol.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1592
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:4668
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3404
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_trljdbvtol.exe ups_ins
        3⤵
        PID:1828
        • C:\Temp\i_trljdbvtol.exe
          C:\Temp\i_trljdbvtol.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4764
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\tnlgdywqoi.exe ups_run
        3⤵
        PID:4620
        • C:\Temp\tnlgdywqoi.exe
          C:\Temp\tnlgdywqoi.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1144
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:1784
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1004
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_tnlgdywqoi.exe ups_ins
        3⤵
        PID:3416
        • C:\Temp\i_tnlgdywqoi.exe
          C:\Temp\i_tnlgdywqoi.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3188
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\qlfdxvpnif.exe ups_run
        3⤵
        PID:4388
        • C:\Temp\qlfdxvpnif.exe
          C:\Temp\qlfdxvpnif.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3136
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2692
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3608
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_qlfdxvpnif.exe ups_ins
        3⤵
        PID:1716
        • C:\Temp\i_qlfdxvpnif.exe
          C:\Temp\i_qlfdxvpnif.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4936
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\vpnifaqkic.exe ups_run
        3⤵
        PID:2532
        • C:\Temp\vpnifaqkic.exe
          C:\Temp\vpnifaqkic.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4404
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:4436
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2408
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_vpnifaqkic.exe ups_ins
        3⤵
        PID:4016
        • C:\Temp\i_vpnifaqkic.exe
          C:\Temp\i_vpnifaqkic.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4612
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\snkfdxvpnh.exe ups_run
        3⤵
        PID:920
        • C:\Temp\snkfdxvpnh.exe
          C:\Temp\snkfdxvpnh.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4260
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2688
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:720
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_snkfdxvpnh.exe ups_ins
        3⤵
        PID:4872
        • C:\Temp\i_snkfdxvpnh.exe
          C:\Temp\i_snkfdxvpnh.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2940
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Temp\CreateProcess.exe
    Filesize: 3KB
    MD5: c9c3fb5552cdfeb09b591d0cc133c899
    SHA1: 85a6857a32ea6a3093200f0127da0a73ac39efd4
    SHA256: 6abea2973f1154aa6ba63efa9a53d7d83d5ce39fb9fb77d2261b7f8b9ed2bdeb
    SHA512: 41191e22570d3670f931f59712c956127d3c1ae60f0a3d9e4b1a57dcc21d4e8b842d9407eb559f316ce30c140d2603b94f22f9493237797d06f6413baae5e3f1

  • C:\Temp\aysqlidavtnlfdxv.exe
    Filesize: 361KB
    MD5: 28dba5c3dddd07f1bbd186a6e7cff0a8
    SHA1: 1ecc01751ea7e1c207041fe4eee3931312fab5a7
    SHA256: 9a7ca82ae9c890283008eae30b7a059deb283722ca61fe94b02016974ce73c91
    SHA512: a0fcadd773f2f520422d478a5f18aa87630b60add58b61a1bc06f4f81d3436073a4f5dd6f1683a89d63dd403277f2fc9deb2eb13cb099514fe86b6aecad1f3cf

  • C:\Temp\bvtolgeywq.exe
    Filesize: 361KB
    MD5: c15c70613886f1db7ed25bc6aabb0fe3
    SHA1: 7cb0f05db620445153e952932d2292b4c51e29e8
    SHA256: 6de520559012331bad0671809ee4e52bb0484377bedda0d57f8b8d5ec8f9a2a1
    SHA512: 7d3ed1a8ee64af73e135d95017fe105dde80b7a7e1babb3a6b7d2026bc935c996094607e75ff521ee1152718832e78637b96c974ab94ae961cbabc4cb2752a28

  • C:\Temp\eywqoigbyt.exe
    Filesize: 361KB
    MD5: 45cacaad6de8f348f96b3ad5d5a18fe8
    SHA1: 9e3a29260253065ad8b9c745ce71f2cd922ce5a0
    SHA256: 7103f761e7524f3e62e45d185a287dacbc0908c88ebbac1e8c86b950f3209e32
    SHA512: cb1a1e7b8b0ad5d5c3c2e40d2f7812bf2a1a29242c415238bd442651f69f736be321d89bdffee0f228de86c93f4faab5e655e2b0d7d95568581341c9ecb48747

                                              • C:\Temp\geywrojgbz.exe

                                                Filesize

                                                361KB

                                                MD5

                                                7b6ec56864687892a7b849f7d2f50079

                                                SHA1

                                                881e6a238e35d512860648b450f8c15c45c0194b

                                                SHA256

                                                c76c12f2a12000c6eebfcd3a48ef09e21f3a1fc505e3240b767d3cb9db2e73eb

                                                SHA512

                                                72f93884066b5405a9f8e4f1459666c7172549b15cb8e8183e6ba7ac0a986bcb32684e863bcc51e211b8b8218d9acc9a78ead461a02a304745f3b8b1e1502e01

                                              • C:\Temp\i_bvtolgeywq.exe

                                                Filesize

                                                361KB

                                                MD5

                                                58ec7d43912bb5088f7ac01ed9a77579

                                                SHA1

                                                505d2c2a969ba828a7f64dbc71e4e3e733236fd4

                                                SHA256

                                                1076cc75b078ceb612be4f27a9749e8d15caca58d5c945d1deae6491b8ad63bc

                                                SHA512

                                                ce446df06bbd9b28ae13160f62d03593677d900db36dace384f78c79701800859eb193ed6923069ae30e2f60c507e1659bad6ac486ea060d2637d43a8f3265f3

                                              • C:\Temp\i_eywqoigbyt.exe

                                                Filesize

                                                361KB

                                                MD5

                                                154c4a7ffc130bc80aaee9f6b361d112

                                                SHA1

                                                2e85149f1c0005a60e11e277a117edc21d184ca3

                                                SHA256

                                                5e3f20d680c7d5311214421d207803018c08543d43a1d335ddbb830d9c495715

                                                SHA512

                                                2544ca18642f8076e61c77f27d5778840e4fb5f01394790ae4bf976dce2f87bddbb1e1da442c56f07ec0d74ab0f9e8d525f29f65d6bafd6e92c85e3986cb535f

                                              • C:\Temp\i_geywrojgbz.exe

                                                Filesize

                                                361KB

                                                MD5

                                                2809c8e3a30371dc637c6a43db2485a4

                                                SHA1

                                                85e30816e7ca8cf2079ca44879dfbc70fc378fac

                                                SHA256

                                                c7ae45548cdf8e5d7f057e1cd28fbf79d928b0effcc2ef4cbb84b3191de66b82

                                                SHA512

                                                6e9f19dc62353f6589753722e0011b80de90487e4268d5839e5c0e773a60609151d0c67320232e2301a407fb9eb3898ddf27c56346bd1414a1efe88b1f12eb5c

                                              • C:\Temp\i_lfdyvqniga.exe

                                                Filesize

                                                361KB

                                                MD5

                                                9de7c93afbe675d6f380e4bc41acfcfe

                                                SHA1

                                                361cc33ed4692962690ef432f5b3b1c16e19c33b

                                                SHA256

                                                62012c0f6b38596b042814c8e9c603127d77c6f80518e13f791d2a261cccf28a

                                                SHA512

                                                a92d4ba175fde9eacd805ee16337336d54759cd3ab6552df8708a38db218aa7f94d3d8f0de1eb2d55b77f7191a3ab258b3c35e309b9c32de954fe94c5d925bf9

                                              • C:\Temp\i_mgezwrpjhb.exe

                                                Filesize

                                                361KB

                                                MD5

                                                968b4c566a56554ae351c7e239101c3b

                                                SHA1

                                                0e61e92af6cd3d1310393c244c5ccd01d424d60c

                                                SHA256

                                                8b2f58ab893b8a3c40ce2eb6545816f4ed8ee3c843dc7e2bc4bbbc63b5632f03

                                                SHA512

                                                7da2e8c54b07bb0ea5aa71ba24f0d479798ca3619f3565a38e17471cdf0c7f352f6fce72822a5b307cf2697ef1777e8adde4008b7a2b3a74a073c80a5fabe55a

                                              • C:\Temp\i_nhfzxspkic.exe

                                                Filesize

                                                361KB

                                                MD5

                                                0580bd923976d6c24c056da0baff0a2e

                                                SHA1

                                                1f8dcc593e42f9762edefe34acf8e1eba8aa9958

                                                SHA256

                                                c14e4ee22febb2e2956fd57389353fad01d62ce485e4e8d70f996006d8f95f5e

                                                SHA512

                                                3962b6bd98d3dd16b5ee280ff20ef7a9f7c29afa2ba1404342612167455cadc4685fb0a4cd89a2775eb4095d81db530b18e65c579f71479fdde329d371349a51

                                              • C:\Temp\i_pnhfaxspki.exe

                                                Filesize

                                                361KB

                                                MD5

                                                5f5972d0cf6c9b43ff970cfd1f19d407

                                                SHA1

                                                6c3ea24fec42605aab6c84da6ddf1658c50dfcf4

                                                SHA256

                                                938da495f37c0b80f7e1099d1855f68ca4d179941c37e1c8a9f05ed45b300ef1

                                                SHA512

                                                522c991f01f2d030aa08c5e05a3cd8bb3225e395b20ed63fb8f14b7b7d6c5f9f54e83edf4935f3becb2580c2f31e085dad3aa501c337349b265ee3315f3c8409

                                              • C:\Temp\i_pnhfzxrpkh.exe

                                                Filesize

                                                361KB

                                                MD5

                                                e23b37088b65a056a852d66523084aa5

                                                SHA1

                                                654b4248814b82087287646fa868427be52b31e8

                                                SHA256

                                                8d7522aff8a7f5113606594477fad6e7123a12c836d881c42d0d2ef2bd78f2ca

                                                SHA512

                                                22401517da9014580b5bd9e78cf91b4bdce9f38637c65275e42a1bcbefc5e9160857234420b6dbf3bd7a5f941cfdf9147cd90c64f824f8fe45a6e1180d4b4418

                                              • C:\Temp\lfdyvqniga.exe

                                                Filesize

                                                361KB

                                                MD5

                                                39e1cb209dada7411e61bca94163bcdd

                                                SHA1

                                                3a2a413a45cf78135f67f56f86d9c00d8b7d23aa

                                                SHA256

                                                1bb0174e8ef825a5a39a8a9ea6ab460b79faebc9ade9441d5410894529188887

                                                SHA512

                                                6918b7e1b63bb1172cd16c8f44e5daae6cbe629dfd8d25b87959eaaeb5e059e6ce55f77001ef59d438420568a74f5590c3d75d2e27121c876e7a1a8d2812bc2e

                                              • C:\Temp\mgezwrpjhb.exe

                                                Filesize

                                                361KB

                                                MD5

                                                ae62d7574bd6cd76e1b28bd5801daa8a

                                                SHA1

                                                336ac8af18160d4024d59a3399072827462dc779

                                                SHA256

                                                bb949b2e46b5a6a75e91f44ac95f98716d8553ced73d7dbb1326b0cb25ccc6f9

                                                SHA512

                                                d1b9048b4c559b0d5965d4ed95ba5f248a85173a2e3bad714595e13aba71a5128cb6782c8b4641f8ecd33f0a9eee14a35bc93138dee739400a90f74686064bcb

                                              • C:\Temp\nhfzxspkic.exe

                                                Filesize

                                                361KB

                                                MD5

                                                231fa8e5cd2acc4461460fcbb45a926b

                                                SHA1

                                                a0a01e15e8ddc95b1531daa2208d34f7c8496121

                                                SHA256

                                                6e95da6672000a2e27392fb5db491aca75959ad77db5798c1bfb06bd4c989023

                                                SHA512

                                                31c8ce9816034a9143a1d3e419ade720a87c15d1910dfb15f9dd1a6311d851b175b02578f308ade0f1cb631bbc18d58020066cf769530e5e0a627a838785f8ba

                                              • C:\Temp\pnhfaxspki.exe

                                                Filesize

                                                361KB

                                                MD5

                                                3d9b02ffef463ccd86af3a0f245c07ad

                                                SHA1

                                                6eb133806415084698e574c9e41f50783d7c6803

                                                SHA256

                                                3b855efad843ecbc06db322ac0d0f783a572a2ad47340c5e8be53567289a951e

                                                SHA512

                                                6adfd8770c29d2ff3ef53ff93a85c0f872a2098bf463c50d85851987d5f208244739e09ca48d00abdeb55a5d1872c3f07745f25f3cf7900bcc060a1dbaf2f3bf

                                              • C:\Temp\pnhfzxrpkh.exe

                                                Filesize

                                                361KB

                                                MD5

                                                67ba51f335dfcac1f0e7f346cf022600

                                                SHA1

                                                8a991fd2d11567d5901c3bb9a057ab01f4b2801b

                                                SHA256

                                                e744da2d0522be8e82e990eb157e1d00ceda09547d72d30750f1d95bce33579f

                                                SHA512

                                                6ac372af7c0c6933a2dabca38c4acc269a4c6e373d4ca79153db36383273c65145fadefa606b78cf1031763a095c4dbe1fd64faadfa230f0ba99de45a00bfcc9

                                              • C:\Temp\yvqoigaytq.exe

                                                Filesize

                                                361KB

                                                MD5

                                                95d5d77611edb5dcc8655306bcad6737

                                                SHA1

                                                5e94b2fbcd57e634564d04d6d8a1a5ccad0df730

                                                SHA256

                                                3700fd09ec479a32bf60d2e41e137199b6c019d9b2bd8fe9eaee99938682c174

                                                SHA512

                                                b73db3f361ec6766582593e92427a0d41e7ded0abbcd6d5e892913f675ce471126fdbfc02fd53979637ec4e0679da7a0dbf3cb1ff7a418f0e353cb424306e960

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPUS7TYC\suggestions[1].en-US

                                                Filesize

                                                17KB

                                                MD5

                                                5a34cb996293fde2cb7a4ac89587393a

                                                SHA1

                                                3c96c993500690d1a77873cd62bc639b3a10653f

                                                SHA256

                                                c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                                                SHA512

                                                e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee