Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 27/01/2025, 20:34

General

  • Target: JaffaCakes118_437309d104ca341348f98d56425358fc.exe
  • Size: 361KB
  • MD5: 437309d104ca341348f98d56425358fc
  • SHA1: 41494a4c7d122570ea1d14f1ba9605b0242134f5
  • SHA256: 6d131c347e95abc7aedf92773ee5b94593279c62bf02528365544a663bf0826c
  • SHA512: 8e140990002713aacdb5a5c42e2cf39c911f0660b75ec9a7da6ebc3e29a1dd56018d3dc3c2150e4e8ecf176a33caafb603b830cad57a7da7b482d405f5416973
  • SSDEEP: 6144:WflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:WflfAsiVGjSGecvX

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 20 IoCs

    Uses a command-line utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Temp\dxvpnifaysqkicav.exe
      C:\Temp\dxvpnifaysqkicav.exe run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\kicavpnhfa.exe ups_run
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3824
        • C:\Temp\kicavpnhfa.exe
          C:\Temp\kicavpnhfa.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4580
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:3588
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1304
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_kicavpnhfa.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:4128
        • C:\Temp\i_kicavpnhfa.exe
          C:\Temp\i_kicavpnhfa.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3264
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\kfzxrpkhcz.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2680
        • C:\Temp\kfzxrpkhcz.exe
          C:\Temp\kfzxrpkhcz.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3840
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2616
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1644
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_kfzxrpkhcz.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2012
        • C:\Temp\i_kfzxrpkhcz.exe
          C:\Temp\i_kfzxrpkhcz.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1472
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\zusmkecwup.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4644
        • C:\Temp\zusmkecwup.exe
          C:\Temp\zusmkecwup.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4408
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1556
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4052
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_zusmkecwup.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1796
        • C:\Temp\i_zusmkecwup.exe
          C:\Temp\i_zusmkecwup.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2860
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\zxrpjhczur.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2024
        • C:\Temp\zxrpjhczur.exe
          C:\Temp\zxrpjhczur.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3856
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:3852
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2976
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_zxrpjhczur.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2404
        • C:\Temp\i_zxrpjhczur.exe
          C:\Temp\i_zxrpjhczur.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:228
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\trljebwuom.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1508
        • C:\Temp\trljebwuom.exe
          C:\Temp\trljebwuom.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:940
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3548
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_trljebwuom.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1368
        • C:\Temp\i_trljebwuom.exe
          C:\Temp\i_trljebwuom.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:5048
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ojgbztrljd.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:3864
        • C:\Temp\ojgbztrljd.exe
          C:\Temp\ojgbztrljd.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:628
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4412
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:688
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ojgbztrljd.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:4340
        • C:\Temp\i_ojgbztrljd.exe
          C:\Temp\i_ojgbztrljd.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4936
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\oigtqljdbv.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2008
        • C:\Temp\oigtqljdbv.exe
          C:\Temp\oigtqljdbv.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:904
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1152
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4460
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_oigtqljdbv.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:4124
        • C:\Temp\i_oigtqljdbv.exe
          C:\Temp\i_oigtqljdbv.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2236
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\fdyvqnigay.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:180
        • C:\Temp\fdyvqnigay.exe
          C:\Temp\fdyvqnigay.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4856
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4828
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:316
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_fdyvqnigay.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:3892
        • C:\Temp\i_fdyvqnigay.exe
          C:\Temp\i_fdyvqnigay.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:5084
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\axsqkicaus.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:940
        • C:\Temp\axsqkicaus.exe
          C:\Temp\axsqkicaus.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2784
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4676
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4404
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_axsqkicaus.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2396
        • C:\Temp\i_axsqkicaus.exe
          C:\Temp\i_axsqkicaus.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:5048
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\usmkfcxvpn.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2904
        • C:\Temp\usmkfcxvpn.exe
          C:\Temp\usmkfcxvpn.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1944
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4408
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4232
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_usmkfcxvpn.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1296
        • C:\Temp\i_usmkfcxvpn.exe
          C:\Temp\i_usmkfcxvpn.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1820
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\zxspkicamk.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2684
        • C:\Temp\zxspkicamk.exe
          C:\Temp\zxspkicamk.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3580
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1628
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1808
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_zxspkicamk.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:2912
        • C:\Temp\i_zxspkicamk.exe
          C:\Temp\i_zxspkicamk.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3880
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\xrpjhczusm.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:4356
        • C:\Temp\xrpjhczusm.exe
          C:\Temp\xrpjhczusm.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1304
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:2024
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4104
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_xrpjhczusm.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:4272
        • C:\Temp\i_xrpjhczusm.exe
          C:\Temp\i_xrpjhczusm.exe ups_ins
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2192
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\uomgezwroj.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:2388
        • C:\Temp\uomgezwroj.exe
          C:\Temp\uomgezwroj.exe ups_run
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3836
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:4596
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1664
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_uomgezwroj.exe ups_ins
        3⤵
        PID:2920
        • C:\Temp\i_uomgezwroj.exe
          C:\Temp\i_uomgezwroj.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3308
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\rljdbwtomg.exe ups_run
        3⤵
        PID:1644
        • C:\Temp\rljdbwtomg.exe
          C:\Temp\rljdbwtomg.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2392
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:3428
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:2944
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_rljdbwtomg.exe ups_ins
        3⤵
        PID:4368
        • C:\Temp\i_rljdbwtomg.exe
          C:\Temp\i_rljdbwtomg.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4324
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\wqoigbytql.exe ups_run
        3⤵
        PID:3864
        • C:\Temp\wqoigbytql.exe
          C:\Temp\wqoigbytql.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2948
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2728
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4600
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_wqoigbytql.exe ups_ins
        3⤵
        PID:4668
        • C:\Temp\i_wqoigbytql.exe
          C:\Temp\i_wqoigbytql.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3200
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\tnlfdyvqoi.exe ups_run
        3⤵
        PID:3824
        • C:\Temp\tnlfdyvqoi.exe
          C:\Temp\tnlfdyvqoi.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1796
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:2856
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1040
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_tnlfdyvqoi.exe ups_ins
        3⤵
        PID:4736
        • C:\Temp\i_tnlfdyvqoi.exe
          C:\Temp\i_tnlfdyvqoi.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2152
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\qnigaysqki.exe ups_run
        3⤵
        PID:4356
        • C:\Temp\qnigaysqki.exe
          C:\Temp\qnigaysqki.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4844
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:1128
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:116
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_qnigaysqki.exe ups_ins
        3⤵
        PID:4988
        • C:\Temp\i_qnigaysqki.exe
          C:\Temp\i_qnigaysqki.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2440
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\qkicausnkf.exe ups_run
        3⤵
        PID:1664
        • C:\Temp\qkicausnkf.exe
          C:\Temp\qkicausnkf.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4596
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:3508
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:4952
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_qkicausnkf.exe ups_ins
        3⤵
        PID:1268
        • C:\Temp\i_qkicausnkf.exe
          C:\Temp\i_qkicausnkf.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3308
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\upnhfzxspk.exe ups_run
        3⤵
        PID:1448
        • C:\Temp\upnhfzxspk.exe
          C:\Temp\upnhfzxspk.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4064
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:1644
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3088
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_upnhfzxspk.exe ups_ins
        3⤵
        PID:2160
        • C:\Temp\i_upnhfzxspk.exe
          C:\Temp\i_upnhfzxspk.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3136
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\smkecwupmh.exe ups_run
        3⤵
        PID:4576
        • C:\Temp\smkecwupmh.exe
          C:\Temp\smkecwupmh.exe ups_run
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2284
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            PID:3092
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:3324
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_smkecwupmh.exe ups_ins
        3⤵
        PID:432
        • C:\Temp\i_smkecwupmh.exe
          C:\Temp\i_smkecwupmh.exe ups_ins
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4960
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3468 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Temp\CreateProcess.exe
    Filesize: 3KB
    MD5: e055efecfbdc7954ce003c795f5ed9c1
    SHA1: c79876cf3c73987494e466d2b248d114fb1003af
    SHA256: cb2a34c2ddc6ccd8a96f9fbea6519d0c96d35b6f55d88fb627fd3f4c03ffb14d
    SHA512: 1a1b2a5eefc2feebb316cb28fde689c44dd05651bcd5597dc4a693402c7c804fd8b42ed8d06fa604bde20ed8dca79ad6cc15d1f876de027474842da1b66c3c86

  • C:\Temp\axsqkicaus.exe
    Filesize: 361KB
    MD5: 5963e1a593218ede50f6b7462c712cb3
    SHA1: fbc1c43c413fa06edce2f068df8ece8f343936ab
    SHA256: 529d16f04eeb74c7d2d6b83b3554b991067be82e644062f0cdca2b20c3d86f05
    SHA512: ce981fe0fd6e3a3bf358543b55a67e0550e0d88df7f28a6dc6609a190ec246b1ac7ed6f593ebf5fa188b884b7c90b6722921ff3a624e466d5576d518e8e84f03

  • C:\Temp\dxvpnifaysqkicav.exe
    Filesize: 361KB
    MD5: 44def011da7bae1dae45f92e128fa85f
    SHA1: 76d04f9856441bed55e1811270db0baa6ef02ff3
    SHA256: de5acecc1da4f49fd7f63018c91cfacb38d125d83d5a2ef7faefecbcb65fca86
    SHA512: 6086342f564d3ba422c88858642beacf61040f0b1afd75d3377bcfd7a24bdc3c7ca499a265c5feeda14180a6380be8141d7e5a07d2db2a3a334040dff661db54

  • C:\Temp\fdyvqnigay.exe
    Filesize: 361KB
    MD5: 58465a3829aacecb339116e0ca18231a
    SHA1: 59550dd82da6c132796a4db4cf2e6997c6abb6fe

                                                      SHA256

                                                      8f45c652ccd9be314e94f00438d5fd6fe1c58814b4bc614072148ccbc3b6bcaa

                                                      SHA512

                                                      fd44f38774d2f3ee52f1a749e68bbcf958d8615cd7922e9e83e8aefdcfb1605b6226bdb9bea970e37415b8090f74c9392ead45de889d5f1d9bcac5d843afb5f5

                                                    • C:\Temp\i_fdyvqnigay.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      aa761150fbda80ffdd70eea31ab8cc1b

                                                      SHA1

                                                      468ac6f41fe96a7de0148f44cc6ff659cd57ec60

                                                      SHA256

                                                      7f10660512d634b73f5852f1b42d99b4a56cc6d37cd0c2af1eb34e4462577a91

                                                      SHA512

                                                      b2ee4ecca02c7252f5ff4ecea84dda93f9bfbfe2146d255b7493793c51aa2334b55f4e4c90eafd0c866d79969dad752969955c61c00b9f156c45690daf93ce75

                                                    • C:\Temp\i_kfzxrpkhcz.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      835e6cb6983dbf37f721455f5fe7e987

                                                      SHA1

                                                      17f98fdf22d4e43e3cb0069940053bcb365dc6b5

                                                      SHA256

                                                      453ff54fec9acb757ddb4370300a61eae80238f01d8757908e9c0c09a7aa9992

                                                      SHA512

                                                      be1ce2152fb1a3bac77093ad0866a317082af493d6cf02c02846e06ee3d5949ac55b68bfd37a742e4b68e124602af2238d5471d93909ebe7bc2ae37ebb8ba214

                                                    • C:\Temp\i_kicavpnhfa.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      b16e64309bc17abb42371096ef067195

                                                      SHA1

                                                      de243f1013861c96c2a4a2141e56b8e5659496f3

                                                      SHA256

                                                      e1efc058c0b97b1d51a639151e67d0603c201418eeef78d91dbfe304562d96ca

                                                      SHA512

                                                      0339d41682609d623d95b80423a8b056869b5dbbad1cdca09537b370404dcd6855b0b2ce5e0058a979088b0b04fbb0cb3a205755a7a7d443820c4f4ab6f7f53f

                                                    • C:\Temp\i_oigtqljdbv.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      0c996175f2139bf4482dfd083f1f6a1f

                                                      SHA1

                                                      20aa3cd0121b2ab6268733a3fad07c9c392536a1

                                                      SHA256

                                                      f5312915557ea3a872cccf5c2ee41eb4060cfd4565b8011621338812e1b6d231

                                                      SHA512

                                                      b118bdc6d9adbe67f3fd9424cc2e81ba98e9ab15fc61b5c492eea90661376da1f3969f7503fff71a4a3d480f686fcfc076ddc79998ca97b93e3dab63b8c3a0dc

                                                    • C:\Temp\i_ojgbztrljd.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      c8f9438ea7b2f682190840e9594715ee

                                                      SHA1

                                                      f9f06b3a74e473a50dc837ff16d12b4f63c1e0bd

                                                      SHA256

                                                      a1cfac4ae8324d561c13bf04c25c1bdae171ff13260427f95961b8e7c8404305

                                                      SHA512

                                                      c5ebaaa78a44107b1e5eb7d1b22d45913ccf2d8aa9fad14ee85f46a844d61aba452efc9d7d6e7e5d5e548765b06736ca95caa1cef548636f8b7590445c64ee21

                                                    • C:\Temp\i_trljebwuom.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      be8784cd03175a75202a939c18f97a21

                                                      SHA1

                                                      476904db3d427225d0ebd6aeb4b98d69a8f31e14

                                                      SHA256

                                                      45d8169b998290b9b6eebf682b25c2687874983a7304b35bde76687b21ae8a0f

                                                      SHA512

                                                      65c375f52b984a516700b51360d8be307bc04f77a18180a13fadbe1c92c94f9fbbaf9cf1f9c73c3c756be304ac2ea19f94db7d0f4e2ad09ad20721b642093d19

                                                    • C:\Temp\i_zusmkecwup.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      7754ca99a9614c62b630fe050626ba48

                                                      SHA1

                                                      d9f4d3079a9ce932b0acb9aef1eed2dab8f41f49

                                                      SHA256

                                                      1fef18d0139349b965aec7716b6732107c212a7c8670a866e0049a30d03aa8ec

                                                      SHA512

                                                      673c91a3f2703d59f9bb86061bd9690eda986cb8d2f81840af0531b0830e187ae22542b5ecb1d78d9bb24505438b58420cd857e6fd8e142090db765165d54a7f

                                                    • C:\Temp\i_zxrpjhczur.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      36ed5c47843368dcc32845f3f11f6e06

                                                      SHA1

                                                      4498e5419bc9521fd1ddc06900926612352c901f

                                                      SHA256

                                                      36b5dbcf7f3ba7663124749e61af020dc9721b4353a252b8b0c6c1c886cee444

                                                      SHA512

                                                      ade4a67e2c23abf7f291584f8f585ce7f371279a9a22ba3790541ff1b42000f0053d6628fac563c2ef53ae7e5dfd0294d9d6817741a65a69853679dbd6e53b08

                                                    • C:\Temp\kfzxrpkhcz.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      d09cdde38b767563387ba2dba4187488

                                                      SHA1

                                                      04457550875c9c8e04b93804374a7ba702382d59

                                                      SHA256

                                                      1d8f9c461d6cb9e71d366568390aa016ba7d39cb6a2535318dada169c8e144ed

                                                      SHA512

                                                      d600c363e20a8e43f447acd709d549887858ca9284de1a9e8266ee49c19bbcdc8e06c0344a652f59068eec992df3fd973556ff77602e07736b2ac2b31d72dabb

                                                    • C:\Temp\kicavpnhfa.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      530796522950afebfdc8f2bdbb279e49

                                                      SHA1

                                                      f9fd78a75543bce2d17fe1575b58b2c914ed44a4

                                                      SHA256

                                                      9a41e3958ccc92deeb851a33f8a32162ed709223243b1f29b0a9c67fb08cf2a9

                                                      SHA512

                                                      9b86ed072aa023ab851e9a0bf86777d1f41afe485a4b1a50a54513566578afff62697eeb1cf8d40599b63eebcf1ff121fa0c6ea0561b32e13b7bb247b7362956

                                                    • C:\Temp\oigtqljdbv.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      42d32ef19a5c561546319de1e7708be2

                                                      SHA1

                                                      bc36567b8bdf0c02f0668b19fb5c2000f4d1961e

                                                      SHA256

                                                      9abe1a4dae12b1dd0f33678d0fa41a1964d411fe7adefa0433ab1aa2c84d52b2

                                                      SHA512

                                                      e8f358cd9b43afcd0a4308f14af70e94da11b1fb1cf3a10097a00b15a9508e3bd4747c9f205175ea38e48218614a49a33678dd585243368560813b650e7efffc

                                                    • C:\Temp\ojgbztrljd.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      999f6444aa8fe09d220bfdc1fe513f22

                                                      SHA1

                                                      ad04fb5096ea2a5d642b2d395e7bbbe16b6010d6

                                                      SHA256

                                                      b29267dcad1c23d32bb4e5265e9cd168de9227078f699e7d3048ac23064800a8

                                                      SHA512

                                                      2fde865bc28ce683c688fa863413d0f51fc3142c8080ec4bcdca12c2fa2ce376309f393d96f267fac54e7e0c870eec26bd0d7c5bad76a80c104570f294a48dae

                                                    • C:\Temp\trljebwuom.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      63552f86aa0ac58f737c21a1b2453e35

                                                      SHA1

                                                      77c7836e1df23fa5b0f75db957a22c46bf7f2b0f

                                                      SHA256

                                                      500f4eccdd7555c2f8d07e04a6ba4825ccee89414ac9f9c65fd0f58a1b9cb55b

                                                      SHA512

                                                      9258abb36c26d8d2eb6e2f2e1515400a0c92cbb0ff41d8dfe6586d105c6e5689933f6f67e2f74f334f57a66d5d20041a9cd3170ac90e1ff737bbaf47f34dfda5

                                                    • C:\Temp\zusmkecwup.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      9739d6217c3d16edda951e570c7fe103

                                                      SHA1

                                                      b6d8afb168b8d7e5d0f9f962df9e77677a0a7286

                                                      SHA256

                                                      5070fa3741cf35c73d55a5afba7b28c460234d7a1a44791db098e4f29fdf832d

                                                      SHA512

                                                      ae9caa342dd819f96c249a3a4e2d3b233d2f2c853a28c0591eac2b8310f55083bbec5a53d218b104cd4a59d970545ff63e1e70ba41c80ccc9b517b828797d12c

                                                    • C:\Temp\zxrpjhczur.exe

                                                      Filesize

                                                      361KB

                                                      MD5

                                                      91970ad64ee323f5b95af40f413922ec

                                                      SHA1

                                                      6d09bf0d515ea78842b6febefc4c979ca544e77f

                                                      SHA256

                                                      07b79cd1c24e41c6f24795162d7e5656d46d9663fed13fa57bf8d4e24d986b8f

                                                      SHA512

                                                      aa82136a12cd01e84d527e4d48d49e4658f99da4fd8012066533058dd1477e33f771715231e7166e9ac62536e589f98d770b952005326c09c586f743afb72c7d

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                                                      Filesize

                                                      471B

                                                      MD5

                                                      65ff4e1a660b03c192195dc09416d8a8

                                                      SHA1

                                                      c8e9c1b5d0e74e2f581eaa06d77db42ddb2b24b9

                                                      SHA256

                                                      25f890730498e80c6b85f0ca869917f45af6cadbb427695a615181eac3285dc2

                                                      SHA512

                                                      3efa3c79d74861659b4e6e97b362fb4943eeae2e81425029bbf407fb2c4c914bc2d2b43bc8164e9ed050cdb24f411a8582e086eb3557227ad79ec2256c5a52ba

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                                                      Filesize

                                                      404B

                                                      MD5

                                                      bd4fd3d4277e6b560fe9824b76237114

                                                      SHA1

                                                      dc1f3500398cff1040cef8e053aa76b33c33da15

                                                      SHA256

                                                      ffec78fd67cf61e5dd5a2735d04c423e700f6ab348ca789d36a2734aa99a6636

                                                      SHA512

                                                      ffb5a07b2601eda753284322519b85aca75d6f820e69152cffaba775dac5336254919ea05a4dc118859e4b1ad83e10942c2a588028c4c1151f587d0603bf76ce

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EFY08QA2\suggestions[1].en-US

                                                      Filesize

                                                      17KB

                                                      MD5

                                                      5a34cb996293fde2cb7a4ac89587393a

                                                      SHA1

                                                      3c96c993500690d1a77873cd62bc639b3a10653f

                                                      SHA256

                                                      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                                                      SHA512

                                                      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
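One thing the table above shows directly: every C:\Temp\*.exe the sample wrote is reported at 361KB, the same size as the 361KB submission, yet no two entries share a digest. Hashes from this run will therefore not recur on another host; the pattern (random lowercase names, most with an `i_`-prefixed twin, all one size, all different content) is the more durable pivot, and a responder who recovers the files still wants to confirm them against the recorded digests. The following is an added example, not part of the sandbox report or of any tool it uses. It parses the Downloads listing into records, re-hashes recovered files against those records, and groups same-size entries whose SHA256s differ. `REPORT_EXCERPT` holds three entries copied from the table above in compact `Key: value` form; the parser also accepts the one-field-per-line layout such reports produce when flattened. Any file path passed to `verify_file` is the caller's own; none is assumed to exist here.

```python
r"""Added example: turn a sandbox report's dropped-file table into checkable records.

parse_downloads()  -> one dict per file from the 'Downloads' listing
size_clusters()    -> reported sizes at which several distinct SHA256s were seen
digests()/verify_file() -> re-hash a recovered file and compare to the record
"""
import hashlib
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
FIELDS = set(HASH_LEN) | {"Filesize"}

# Constructed excerpt: three entries copied from the report's Downloads table.
# Sizes are as the report rounds them ("3KB", "361KB"), so they group, not compare.
REPORT_EXCERPT = r"""
• C:\Temp\CreateProcess.exe
  Filesize: 3KB
  MD5: e055efecfbdc7954ce003c795f5ed9c1
  SHA1: c79876cf3c73987494e466d2b248d114fb1003af
  SHA256: cb2a34c2ddc6ccd8a96f9fbea6519d0c96d35b6f55d88fb627fd3f4c03ffb14d
  SHA512: 1a1b2a5eefc2feebb316cb28fde689c44dd05651bcd5597dc4a693402c7c804fd8b42ed8d06fa604bde20ed8dca79ad6cc15d1f876de027474842da1b66c3c86
• C:\Temp\axsqkicaus.exe
  Filesize: 361KB
  MD5: 5963e1a593218ede50f6b7462c712cb3
  SHA1: fbc1c43c413fa06edce2f068df8ece8f343936ab
  SHA256: 529d16f04eeb74c7d2d6b83b3554b991067be82e644062f0cdca2b20c3d86f05
  SHA512: ce981fe0fd6e3a3bf358543b55a67e0550e0d88df7f28a6dc6609a190ec246b1ac7ed6f593ebf5fa188b884b7c90b6722921ff3a624e466d5576d518e8e84f03
• C:\Temp\dxvpnifaysqkicav.exe
  Filesize: 361KB
  MD5: 44def011da7bae1dae45f92e128fa85f
  SHA1: 76d04f9856441bed55e1811270db0baa6ef02ff3
  SHA256: de5acecc1da4f49fd7f63018c91cfacb38d125d83d5a2ef7faefecbcb65fca86
  SHA512: 6086342f564d3ba422c88858642beacf61040f0b1afd75d3377bcfd7a24bdc3c7ca499a265c5feeda14180a6380be8141d7e5a07d2db2a3a334040dff661db54
"""


def _store(record, field, value):
    """Store one field; hash fields are normalised and length-checked so a
    mis-parsed line (wrong value picked up) fails loudly instead of silently."""
    if field in HASH_LEN:
        value = value.lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[field], value):
            raise ValueError(f"malformed {field} for {record['path']}: {value!r}")
    record[field] = value


def parse_downloads(text):
    """Parse '• path' entries followed by Filesize/MD5/SHA1/SHA256/SHA512 fields.
    Accepts both 'Key: value' on one line and 'Key' / 'value' on consecutive lines."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                       # new file entry
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
            continue
        if current is None:                             # text before first entry
            continue
        key, sep, rest = line.partition(":")
        if key.strip() in FIELDS:
            if sep and rest.strip():                    # "Key: value"
                _store(current, key.strip(), rest.strip())
                pending = None
            else:                                       # "Key" alone, value follows
                pending = key.strip()
        elif pending is not None:
            _store(current, pending, line)
            pending = None
    return records


def size_clusters(records, min_distinct=2):
    """Reported size -> set of distinct SHA256s seen at that size, for sizes with
    at least min_distinct different digests. Many same-size files with different
    content means per-file hashes will not transfer between runs or hosts."""
    by_size = defaultdict(set)
    for rec in records:
        by_size[rec["Filesize"]].add(rec["SHA256"])
    return {s: h for s, h in by_size.items() if len(h) >= min_distinct}


def digests(chunks):
    """All four digests over an iterable of byte chunks in a single pass."""
    hashers = {name: hashlib.new(name.lower()) for name in HASH_LEN}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_file(path, record, chunk_size=1 << 20):
    """Re-hash a recovered file; return {algorithm: matches_record}."""
    with open(path, "rb") as fh:
        actual = digests(iter(lambda: fh.read(chunk_size), b""))
    return {name: actual[name] == record[name] for name in HASH_LEN}


if __name__ == "__main__":
    recs = parse_downloads(REPORT_EXCERPT)
    for rec in recs:
        print(f"{rec['Filesize']:>6}  {rec['SHA256']}  {rec['path']}")
    for size, hashes in size_clusters(recs).items():
        print(f"{len(hashes)} distinct SHA256s reported at {size}")
```

Run on the full table, `size_clusters` returns a single 361KB cluster of nineteen distinct SHA256s, which is the observation that matters for detection engineering: write the rule on the drop location, the naming pattern and the size, not on these digests.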