Analysis Overview
SHA256
d267c57b4520dcb86c9930857aef0d59457c832b820a3a4c568c63ffe2837165
Threat Level: Known bad
The file f672d1603b04f6a1bb2c1168429768de_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzone RAT payload
Drops startup file
Executes dropped EXE
Loads dropped DLL
UPX packed file
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
NTFS ADS
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-17 18:55
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 18:55
Reported
2024-04-17 18:58
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs | C:\Windows\SysWOW64\notepad.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe | N/A |
Executes dropped EXE
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images1 = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData:ApplicationData | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe" 2 2492 240593296
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 1852 240595265
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe" 2 5040 240595546
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 3812 240597343
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2172 240700562
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 3280 240701812
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 1720 240703093
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 556 240704421
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2520 240705687
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 8 240707062
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 1936 240708265
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 4180 240709578
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 440 240710828
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 4020 240712093
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 3704 240713390
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2436 240714593
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 3404 240715906
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 3140 240717250
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2460 240718625
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2044 240719859
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 4788 240721078
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 3868 240722328
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 4836 240723562
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2184 240724765
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2884 240726015
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 3820 240727281
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2248 240728515
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2456 240729750
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 4036 240731000
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 3204 240732296
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2692 240733515
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 4992 240734796
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 840 240736062
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2768 240737406
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 3312 240738593
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 368 240739859
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 4464 240741062
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 3256 240742281
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.58.22.2.in-addr.arpa | udp |
| MY | 111.90.146.200:5200 | | tcp |
| MY | 111.90.146.200:5200 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.57.22.2.in-addr.arpa | udp |
| MY | 111.90.146.200:5200 | | tcp |
| MY | 111.90.146.200:5200 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| MY | 111.90.146.200:5200 | | tcp |
| MY | 111.90.146.200:5200 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\ProgramData\images.exe
| MD5 | f672d1603b04f6a1bb2c1168429768de |
| SHA1 | 7321c9d98b08b4e2a59240666a17787d583e74f0 |
| SHA256 | d267c57b4520dcb86c9930857aef0d59457c832b820a3a4c568c63ffe2837165 |
| SHA512 | 21bff6aea5afa8f983ce920f8d0b4774173ccd065dd44f01e03d31fba5bb706c6e1b7cc6e5ef4394724e539f2c4842ee13f64e182dae72a700ef08d9f33e6575 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs
| MD5 | 22965bf780a1f6765b8c4f592ac43af6 |
| SHA1 | 99c91c1351f21ab92cbc028da05b8bcb7e007f76 |
| SHA256 | cfaa7ab524373e22fe317556e030491cd71d85db67f96692711178e38f377799 |
| SHA512 | 77327ea6a9d361c37997188d87a43d7ede626d78f7d22046d2b43f654f2133165263ac5919930f97251097febd0cf836dca17270c87048d581f6c359fc079988 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnrkj20t.pbs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs
| MD5 | 3cccf9435b659bf318d80f780097ffbf |
| SHA1 | f0af7b20ad3498befcc19d90c0c1c7d4f021e77f |
| SHA256 | a5c69769ed69652017de0ac5b2b49978af9580a67f0ce473742fc3a04c00a86a |
| SHA512 | d28c78ce84c518b8446aaa2b10bced63c7877b969abdcc0d3b65251123c1472f66598935de7facab9f5608c2bdc01b03156b00413687ee40b272c1b307e29b40 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3eec57a063ddeef5a5584bd53b072634 |
| SHA1 | 4fa6792f06bf298f5a0f62de1281f10a91f71b14 |
| SHA256 | b10d3b025ce67a8180cca9f94f9d9e09db9394c4e7b3d7d64c33d990bc7eee82 |
| SHA512 | 26b54d912ca3dd113a324f3d9bd45459321fee39ca942ff3b1e8d73fefa2b1e32307f90b1a858502ada1fc40e37b94b9ac7a95ba1699687e62fc88bd1aa4a428 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 18:55
Reported
2024-04-17 18:58
Platform
win7-20240215-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs | C:\Windows\SysWOW64\notepad.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs | C:\Windows\SysWOW64\notepad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images1 = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2416 set thread context of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe |
| PID 2876 set thread context of 2152 | N/A | C:\ProgramData\images.exe | C:\ProgramData\images.exe |
| PID 2720 set thread context of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData:ApplicationData | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe" 2 2376 259397074
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2152 259399226
C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe" 2 2472 259399460
C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f672d1603b04f6a1bb2c1168429768de_JaffaCakes118.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
Network
Files
\ProgramData\images.exe
| MD5 | f672d1603b04f6a1bb2c1168429768de |
| SHA1 | 7321c9d98b08b4e2a59240666a17787d583e74f0 |
| SHA256 | d267c57b4520dcb86c9930857aef0d59457c832b820a3a4c568c63ffe2837165 |
| SHA512 | 21bff6aea5afa8f983ce920f8d0b4774173ccd065dd44f01e03d31fba5bb706c6e1b7cc6e5ef4394724e539f2c4842ee13f64e182dae72a700ef08d9f33e6575 |
C:\ProgramData
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs
| MD5 | 3cccf9435b659bf318d80f780097ffbf |
| SHA1 | f0af7b20ad3498befcc19d90c0c1c7d4f021e77f |
| SHA256 | a5c69769ed69652017de0ac5b2b49978af9580a67f0ce473742fc3a04c00a86a |
| SHA512 | d28c78ce84c518b8446aaa2b10bced63c7877b969abdcc0d3b65251123c1472f66598935de7facab9f5608c2bdc01b03156b00413687ee40b272c1b307e29b40 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 9f682defdaeed1a680601c7ee29e98be |
| SHA1 | d3fce83f2a61eedb5e7679f95d36d2a501fa7c4a |
| SHA256 | ecd123794bb41e2129d7d9af51129ae745556a231ed9116c7654b623d6d3066f |
| SHA512 | 356b05e037b0c73fa1fcc9087190f54a2a2f33268f81e7648c0af3021a408a846515e089f48acc180d59e16825d6e08334bf2b1f212899f16ac39b8bb69a7032 |