Malware Analysis Report

2025-04-13 20:43

Sample ID 240704-b32qnszamb
Target 1d8cf8997c79b9d5b0dabbcf698ff8ad.bin
SHA256 25a144002a8255a86b41f65977f80a7939384b7c4a18aa4c9aa14cb8d5210359
Tags
modiloader evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 1d8cf8997c79b9d5b0dabbcf698ff8ad.bin was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan upx

Modifies visibility of hidden/system files in Explorer

ModiLoader, DBatLoader

ModiLoader Second Stage

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

UPX packed file

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 01:40

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 01:40

Reported

2024-07-04 01:43

Platform

win7-20240221-en

Max time kernel

150s

Max time network

127s

Command Line

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\d3s3Jf2gX6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\yaaupot.exe N/A

ModiLoader Second Stage

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /H" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /d" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /K" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /q" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /I" C:\Users\Admin\d3s3Jf2gX6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /B" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /v" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /z" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /m" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /W" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /J" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /n" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /Z" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /S" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /F" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /l" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /L" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /g" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /A" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /V" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /o" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /h" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /G" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /a" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /j" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /k" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /T" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /O" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /i" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /x" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /w" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /u" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /P" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /e" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /U" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /c" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /E" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /Y" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /C" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /X" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /t" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /D" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /s" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /p" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /r" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /N" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /b" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /Q" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /I" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /y" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /f" C:\Users\Admin\yaaupot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /M" C:\Users\Admin\yaaupot.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created \systemroot\assembly\GAC_32\Desktop.ini C:\Windows\system32\csrss.exe N/A
File created \systemroot\assembly\GAC_64\Desktop.ini C:\Windows\system32\csrss.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2492 set thread context of 2496 N/A C:\Users\Admin\ayhost.exe C:\Users\Admin\ayhost.exe
PID 848 set thread context of 2748 N/A C:\Users\Admin\bahost.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\d3s3Jf2gX6.exe N/A
N/A N/A C:\Users\Admin\d3s3Jf2gX6.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\bahost.exe N/A
N/A N/A C:\Users\Admin\bahost.exe N/A
N/A N/A C:\Users\Admin\bahost.exe N/A
N/A N/A C:\Users\Admin\bahost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\bahost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\bahost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe N/A
N/A N/A C:\Users\Admin\d3s3Jf2gX6.exe N/A
N/A N/A C:\Users\Admin\yaaupot.exe N/A
N/A N/A C:\Users\Admin\djhost.exe N/A
N/A N/A C:\Users\Admin\ekhost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\system32\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\d3s3Jf2gX6.exe
PID 2156 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\d3s3Jf2gX6.exe
PID 2156 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\d3s3Jf2gX6.exe
PID 2156 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\d3s3Jf2gX6.exe
PID 1240 wrote to memory of 1904 N/A C:\Users\Admin\d3s3Jf2gX6.exe C:\Users\Admin\yaaupot.exe
PID 1240 wrote to memory of 1904 N/A C:\Users\Admin\d3s3Jf2gX6.exe C:\Users\Admin\yaaupot.exe
PID 1240 wrote to memory of 1904 N/A C:\Users\Admin\d3s3Jf2gX6.exe C:\Users\Admin\yaaupot.exe
PID 1240 wrote to memory of 1904 N/A C:\Users\Admin\d3s3Jf2gX6.exe C:\Users\Admin\yaaupot.exe
PID 1240 wrote to memory of 2928 N/A C:\Users\Admin\d3s3Jf2gX6.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2928 N/A C:\Users\Admin\d3s3Jf2gX6.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2928 N/A C:\Users\Admin\d3s3Jf2gX6.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2928 N/A C:\Users\Admin\d3s3Jf2gX6.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2928 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2928 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2928 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2156 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\ayhost.exe
PID 2156 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\ayhost.exe
PID 2156 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\ayhost.exe
PID 2156 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\ayhost.exe
PID 2492 wrote to memory of 2496 N/A C:\Users\Admin\ayhost.exe C:\Users\Admin\ayhost.exe
PID 2492 wrote to memory of 2496 N/A C:\Users\Admin\ayhost.exe C:\Users\Admin\ayhost.exe
PID 2492 wrote to memory of 2496 N/A C:\Users\Admin\ayhost.exe C:\Users\Admin\ayhost.exe
PID 2492 wrote to memory of 2496 N/A C:\Users\Admin\ayhost.exe C:\Users\Admin\ayhost.exe
PID 2492 wrote to memory of 2496 N/A C:\Users\Admin\ayhost.exe C:\Users\Admin\ayhost.exe
PID 2492 wrote to memory of 2496 N/A C:\Users\Admin\ayhost.exe C:\Users\Admin\ayhost.exe
PID 2492 wrote to memory of 2496 N/A C:\Users\Admin\ayhost.exe C:\Users\Admin\ayhost.exe
PID 2492 wrote to memory of 2496 N/A C:\Users\Admin\ayhost.exe C:\Users\Admin\ayhost.exe
PID 2156 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\bahost.exe
PID 2156 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\bahost.exe
PID 2156 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\bahost.exe
PID 2156 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\bahost.exe
PID 848 wrote to memory of 1192 N/A C:\Users\Admin\bahost.exe C:\Windows\Explorer.EXE
PID 848 wrote to memory of 336 N/A C:\Users\Admin\bahost.exe C:\Windows\system32\csrss.exe
PID 848 wrote to memory of 2748 N/A C:\Users\Admin\bahost.exe C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 2748 N/A C:\Users\Admin\bahost.exe C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 2748 N/A C:\Users\Admin\bahost.exe C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 2748 N/A C:\Users\Admin\bahost.exe C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 2748 N/A C:\Users\Admin\bahost.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\djhost.exe
PID 2156 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\djhost.exe
PID 2156 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\djhost.exe
PID 2156 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\djhost.exe
PID 2156 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\ekhost.exe
PID 2156 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\ekhost.exe
PID 2156 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\ekhost.exe
PID 2156 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\ekhost.exe
PID 336 wrote to memory of 1704 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\DllHost.exe
PID 2156 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Windows\SysWOW64\cmd.exe
PID 676 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 676 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 676 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 676 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1904 wrote to memory of 1120 N/A C:\Users\Admin\yaaupot.exe C:\Windows\SysWOW64\tasklist.exe
PID 1904 wrote to memory of 1120 N/A C:\Users\Admin\yaaupot.exe C:\Windows\SysWOW64\tasklist.exe
PID 336 wrote to memory of 2908 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\DllHost.exe
PID 3032 wrote to memory of 500 N/A C:\Users\Admin\ekhost.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 500 N/A C:\Users\Admin\ekhost.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 500 N/A C:\Users\Admin\ekhost.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 500 N/A C:\Users\Admin\ekhost.exe C:\Windows\SysWOW64\cmd.exe
PID 500 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe

Processes

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe

"C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe"

C:\Users\Admin\d3s3Jf2gX6.exe

C:\Users\Admin\d3s3Jf2gX6.exe

C:\Users\Admin\yaaupot.exe

"C:\Users\Admin\yaaupot.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del d3s3Jf2gX6.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\ayhost.exe

C:\Users\Admin\ayhost.exe

C:\Users\Admin\ayhost.exe

ayhost.exe

C:\Users\Admin\bahost.exe

C:\Users\Admin\bahost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\djhost.exe

C:\Users\Admin\djhost.exe

C:\Users\Admin\ekhost.exe

C:\Users\Admin\ekhost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del 1d8cf8997c79b9d5b0dabbcf698ff8ad.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Files

\Users\Admin\d3s3Jf2gX6.exe

MD5 b3c7427a9509d61a373b377e668c8ddd
SHA1 80b7a9d3fea90879ac10e4cbbd70968aaf8f46d3
SHA256 b24dacfe819e4b8e04e3d1ae5a82ffda05ce5c870c0ce530f723c29c76fe5a28
SHA512 616411ce4b75b80bba9bb901848f9814624deb89a941d4f13b2bc66b63a2eab230354f320a61610bb9166d368a77a3036068f3a7c76d0d0078e71b653e10c7fe

\Users\Admin\yaaupot.exe

MD5 df3b05884d68c74c7011f225bf3a5da7
SHA1 7e08c8b383259ae44d97514ba3d5791287eca03d
SHA256 d2c6b9c0f7dcd70e8941dd359b5f7c8fc26999101537e44668932aa387e56b3f
SHA512 572ee79aeb2f34852e5705ae62a7c33e213fa3fd5b7d47758b23bfda75685af436068cfbe3850563826e30a12d5018fd16bebce71288bc929bab8a4e988e78de

\Users\Admin\ayhost.exe

MD5 8ccbe4f27f9710f3e7f75e1d1de57e49
SHA1 272e95e476477cd4a1715ee0bcf32318e0351718
SHA256 3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d
SHA512 334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0

\Users\Admin\bahost.exe

MD5 57d06744cbe8d579531f5704827605c1
SHA1 222404c29087c7481127d5616e209e8a8946b110
SHA256 42c00828ea0ca557e2f50c49ebc24d3e2ffbd207ad6128e002ee9487be0e7f1a
SHA512 1d22108dbca3e6566a14e687077cfca481adf2eb4d6a214e49c2242f4aa3701f1a31037993f3ba78c41f9242666b2b0b1424f983ee660eae2e89b3c492d93093

C:\Windows\system32\consrv.dll

MD5 4d7cde615a0f534bd5e359951829554b
SHA1 c885d00d9000f2a5dbc78f6193a052b36f4fe968
SHA256 414fdf9bdcae5136c1295d6d24740c50a484acd81f1f7d0fb5d5c138607cb80a
SHA512 33d632f9fbb694440a1ca568c90518784278efd1dc9ee2b57028149d56ebe1f7346d5b59dcfafee2eeaa10091dda05f48958e909d6bfc891e037ae1cfbd048d4

\Users\Admin\djhost.exe

MD5 af152804736fe7af65e4b49633a2d185
SHA1 3c2ecabfbdca7b4bfed2fbaae7cfeabe9d439d35
SHA256 45b8430d8053f791bfcd0033ae2cdfed2b253a0f6835395055345058ab18c40e
SHA512 749461feaacada8ddec990df90ae5f580fb9b6b0bad680015a7067d66ecd785822bb50223dc734d29016cb29dfa98c9efa08d53b99dc0e0fe26193ff12742cd6

\Users\Admin\ekhost.exe

MD5 046275674448c41615014cf770ee4f53
SHA1 4f51eb674e199d6b901aaffb55c4aeafb94acfb3
SHA256 3c561abc78eb200f46286b30765a2f6bf6b6bc9c6f433b327955d2e0ef6aaa6f
SHA512 db35c805e516209d0ee02e182711360ea2a49f7de5c79a01fe448beb673abe83ac638cf1c0b04c4e45f608fad490cdd5f8d2bd99aa0c0c679fb3fc9a77bbe0e2

\Windows\assembly\GAC_32\Desktop.ini

MD5 878f9b6da85cb98fcbdf6abd1730a32f
SHA1 343007e658ea541f4680b4edf4513e69e1cc18a6
SHA256 75b5a460ed6f47fca8ec1bcd8a11b22f24fb33de4d5f307b851ad20c7f831b7d
SHA512 5425844e34ad5e717b08830020526f5c9465f654f3e9e29967b2983d5cb8dc225be2b89cd29a8e4cc99fcfc99e05556f66eefa0539283ab4569e603413a37293

C:\Users\Admin\calc.exe

MD5 e381b04abf596ed1573154cd41f418dc
SHA1 2ad1df7bebf1e4c0715adbf76c8c14b9162edf2e
SHA256 02b08664fcc196f15ff0e33e7ed43e9e78af7b564e3f7c5388dd7d0267905fe6
SHA512 44307e60bdc804b3abe710a21e2268960dcc9d29671cf8ce723e40721b6b38ae338c49cd1b9cfd4fa8fa4f644cc80414baeb70f136f39f73833f8373f8180858

\Windows\assembly\GAC_64\Desktop.ini

MD5 9d7ec1e355ac35cbe6991721ef5ae3b8
SHA1 c35a00bd35c6e4a7516b93947be08ead966347e8
SHA256 68a3cec42215323100398a8eb2cbb37da7d58fe0fa9c6312e954e0f50a95ca98
SHA512 b7c4be28d8e179974672205a50e72fa1ec9e2e8170b3b8ee763e1751a3397c35afec7a72c88f0a79a8566749b2af1ff054660a96c3a6d6508c545d316a035dc0

\??\globalroot\systemroot\assembly\temp\@

MD5 bb7950e23de4cc1a030aff96408f61c3
SHA1 551d347d2673a40e899a970b5edcbd21317008db
SHA256 76155df2ff750895145b43ad644e1bca83412be569cfd2a21c23a04a06f2245e
SHA512 65bdbab46aec19adbff9c3c756e78ba446cb6c479dbf08f8a30a6d59b781a7409f2a6249ff8962aad861929ad71a097cc0138deceaca44be90490abd365fdb25

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 01:40

Reported

2024-07-04 01:43

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\seaiqur.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\d3s3Jf2gX6.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\ekhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\d3s3Jf2gX6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\d3s3Jf2gX6.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\seaiqur.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\bahost.exe N/A
N/A N/A C:\Users\Admin\djhost.exe N/A
N/A N/A C:\Users\Admin\ekhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /l" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /F" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /a" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /Y" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /w" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /e" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /N" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /T" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /G" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /b" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /Q" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /H" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /r" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /d" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /E" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /J" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /K" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /O" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /S" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /j" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /y" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /i" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /t" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /v" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /o" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /h" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /W" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /x" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /V" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /k" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /M" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /c" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /p" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /m" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /R" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /A" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /f" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /U" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /n" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /B" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /Z" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /I" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /p" C:\Users\Admin\d3s3Jf2gX6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /q" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /s" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /z" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /u" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /X" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /C" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /D" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /g" C:\Users\Admin\seaiqur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /P" C:\Users\Admin\seaiqur.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2588 set thread context of 2764 N/A C:\Users\Admin\ayhost.exe C:\Users\Admin\ayhost.exe
PID 820 set thread context of 400 N/A C:\Users\Admin\bahost.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\d3s3Jf2gX6.exe N/A
N/A N/A C:\Users\Admin\ayhost.exe N/A
N/A N/A C:\Users\Admin\seaiqur.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\bahost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe N/A
N/A N/A C:\Users\Admin\d3s3Jf2gX6.exe N/A
N/A N/A C:\Users\Admin\seaiqur.exe N/A
N/A N/A C:\Users\Admin\djhost.exe N/A
N/A N/A C:\Users\Admin\ekhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\d3s3Jf2gX6.exe
PID 3520 wrote to memory of 4888 N/A C:\Users\Admin\d3s3Jf2gX6.exe C:\Users\Admin\seaiqur.exe
PID 4804 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\ayhost.exe
PID 3520 wrote to memory of 3188 N/A C:\Users\Admin\d3s3Jf2gX6.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2588 wrote to memory of 2764 N/A C:\Users\Admin\ayhost.exe C:\Users\Admin\ayhost.exe
PID 4804 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\bahost.exe
PID 820 wrote to memory of 400 N/A C:\Users\Admin\bahost.exe C:\Windows\SysWOW64\cmd.exe
PID 4804 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\djhost.exe
PID 4804 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Users\Admin\ekhost.exe
PID 4804 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1668 wrote to memory of 3464 N/A C:\Users\Admin\ekhost.exe C:\Windows\SysWOW64\cmd.exe
PID 3464 wrote to memory of 1868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4888 wrote to memory of 1868 N/A C:\Users\Admin\seaiqur.exe C:\Windows\SysWOW64\tasklist.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe

"C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe"

C:\Users\Admin\d3s3Jf2gX6.exe

C:\Users\Admin\d3s3Jf2gX6.exe

C:\Users\Admin\seaiqur.exe

"C:\Users\Admin\seaiqur.exe"

C:\Users\Admin\ayhost.exe

C:\Users\Admin\ayhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del d3s3Jf2gX6.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\ayhost.exe

ayhost.exe

C:\Users\Admin\bahost.exe

C:\Users\Admin\bahost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\djhost.exe

C:\Users\Admin\djhost.exe

C:\Users\Admin\ekhost.exe

C:\Users\Admin\ekhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del 1d8cf8997c79b9d5b0dabbcf698ff8ad.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:80 tcp

Files

C:\Users\Admin\d3s3Jf2gX6.exe

MD5 b3c7427a9509d61a373b377e668c8ddd
SHA1 80b7a9d3fea90879ac10e4cbbd70968aaf8f46d3
SHA256 b24dacfe819e4b8e04e3d1ae5a82ffda05ce5c870c0ce530f723c29c76fe5a28
SHA512 616411ce4b75b80bba9bb901848f9814624deb89a941d4f13b2bc66b63a2eab230354f320a61610bb9166d368a77a3036068f3a7c76d0d0078e71b653e10c7fe

C:\Users\Admin\seaiqur.exe

MD5 7bed818c5b5615e5ca44cd59dae9e2a9
SHA1 294a4af5716255a28e7f3f4aa6e18996a059d36b
SHA256 3923552b946d8e96dc01664ebe43143746d91026ebac3c1eccb1bbc12911de4c
SHA512 5e3709ff9f5d8f5a858e28a8423e6be037b41bc4089bd779cfb84cdf2ff4f915703ac333a37698eea186bd9c14d047eac6d8b9bee345c355fba4bf2e4e4be549

C:\Users\Admin\ayhost.exe

MD5 8ccbe4f27f9710f3e7f75e1d1de57e49
SHA1 272e95e476477cd4a1715ee0bcf32318e0351718
SHA256 3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d
SHA512 334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0

C:\Users\Admin\bahost.exe

MD5 57d06744cbe8d579531f5704827605c1
SHA1 222404c29087c7481127d5616e209e8a8946b110
SHA256 42c00828ea0ca557e2f50c49ebc24d3e2ffbd207ad6128e002ee9487be0e7f1a
SHA512 1d22108dbca3e6566a14e687077cfca481adf2eb4d6a214e49c2242f4aa3701f1a31037993f3ba78c41f9242666b2b0b1424f983ee660eae2e89b3c492d93093

C:\Users\Admin\djhost.exe

MD5 af152804736fe7af65e4b49633a2d185
SHA1 3c2ecabfbdca7b4bfed2fbaae7cfeabe9d439d35
SHA256 45b8430d8053f791bfcd0033ae2cdfed2b253a0f6835395055345058ab18c40e
SHA512 749461feaacada8ddec990df90ae5f580fb9b6b0bad680015a7067d66ecd785822bb50223dc734d29016cb29dfa98c9efa08d53b99dc0e0fe26193ff12742cd6

C:\Users\Admin\ekhost.exe

MD5 046275674448c41615014cf770ee4f53
SHA1 4f51eb674e199d6b901aaffb55c4aeafb94acfb3
SHA256 3c561abc78eb200f46286b30765a2f6bf6b6bc9c6f433b327955d2e0ef6aaa6f
SHA512 db35c805e516209d0ee02e182711360ea2a49f7de5c79a01fe448beb673abe83ac638cf1c0b04c4e45f608fad490cdd5f8d2bd99aa0c0c679fb3fc9a77bbe0e2