Malware Analysis Report

2025-04-14 08:32

Sample ID 240921-qvt37avcpd
Target efe7ddf2fe9f2936aa3f11a69ef0ce1f_JaffaCakes118
SHA256 8a6387c525e0279b36c6b87b799d9ce7f3cc7d0965d27f6b4af2eb9b8993248e
Tags
formbook hx319 credential_access discovery persistence rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8a6387c525e0279b36c6b87b799d9ce7f3cc7d0965d27f6b4af2eb9b8993248e

Threat Level: Known bad

The file efe7ddf2fe9f2936aa3f11a69ef0ce1f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

formbook hx319 credential_access discovery persistence rat spyware stealer trojan

Formbook

Credentials from Password Stores: Credentials from Web Browsers

Formbook payload

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Analysis: static1

Detonation Overview

Reported

2024-09-21 13:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-21 13:35

Reported

2024-09-21 13:37

Platform

win7-20240903-en

Max time kernel

150s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ODPHLLGH = "C:\\Program Files (x86)\\Bkt_tnhq8\\chkdsk2d9l_r.exe" C:\Windows\SysWOW64\wlanext.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ikdibakelehuntum = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Ikdibakelehuntum.txt | cmd" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2116 set thread context of 2192 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 2192 set thread context of 1244 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Windows\Explorer.EXE
PID 2712 set thread context of 1244 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Bkt_tnhq8\chkdsk2d9l_r.exe C:\Windows\SysWOW64\wlanext.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\view.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wlanext.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-1488793075-819845221-1497111674-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\wlanext.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\view.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wlanext.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\view.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\view.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\view.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\view.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 2664 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 2664 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 2664 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 2116 wrote to memory of 1928 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 1928 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 1928 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 1928 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1928 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1928 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1928 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 2192 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 2116 wrote to memory of 2192 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 2116 wrote to memory of 2192 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 2116 wrote to memory of 2192 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 2116 wrote to memory of 2192 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 2116 wrote to memory of 2192 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 2116 wrote to memory of 2192 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 1244 wrote to memory of 2712 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wlanext.exe
PID 1244 wrote to memory of 2712 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wlanext.exe
PID 1244 wrote to memory of 2712 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wlanext.exe
PID 1244 wrote to memory of 2712 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wlanext.exe
PID 2712 wrote to memory of 2756 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2756 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2756 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2756 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\view.exe

"C:\Users\Admin\AppData\Local\Temp\view.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\Desktop\Ikdibakelehuntum.exe

"C:\Users\Admin\Desktop\Ikdibakelehuntum.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Ikdibakelehuntum" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Ikdibakelehuntum.txt" | cmd"

C:\Users\Admin\Desktop\Ikdibakelehuntum.exe

"C:\Users\Admin\Desktop\Ikdibakelehuntum.exe"

C:\Windows\SysWOW64\wlanext.exe

"C:\Windows\SysWOW64\wlanext.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\Desktop\Ikdibakelehuntum.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.makrobet260.com udp
US 8.8.8.8:53 www.livecasino.link udp
US 8.8.8.8:53 www.excellcium-promotion.com udp
FR 51.83.44.84:80 www.excellcium-promotion.com tcp
US 8.8.8.8:53 www.libertylinks.info udp
US 8.8.8.8:53 www.dcxinc.biz udp
US 8.8.8.8:53 www.iddaocc.com udp

Files

memory/1968-0-0x00000000749B1000-0x00000000749B2000-memory.dmp

memory/1968-1-0x00000000749B0000-0x0000000074F5B000-memory.dmp

memory/1968-2-0x00000000749B0000-0x0000000074F5B000-memory.dmp

\Users\Admin\Desktop\Ikdibakelehuntum.exe

MD5 13c50d12714b8d5177d53e6f0980346d
SHA1 c3efaf564476634a8baca98028ffa9d1918a0a4c
SHA256 ca6bf064da10636ada68b69d36ee69de1c794e71928adeeb3781bef7ce6d4c71
SHA512 f411aba44e6d8a91abb204c397203a01d5393056317f57b9b73145b4d71aee535269f4fc47cdf87a6212d2ef193683b84f75f53042327dc1ef4744cd0ddba06d

memory/1968-8-0x00000000749B0000-0x0000000074F5B000-memory.dmp

memory/2116-10-0x00000000749B0000-0x0000000074F5B000-memory.dmp

memory/2116-9-0x00000000749B0000-0x0000000074F5B000-memory.dmp

memory/2192-13-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2192-17-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2192-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2192-14-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2192-20-0x00000000009C0000-0x0000000000CC3000-memory.dmp

memory/2116-19-0x00000000749B0000-0x0000000074F5B000-memory.dmp

memory/1244-22-0x0000000002FC0000-0x00000000030C0000-memory.dmp

memory/2192-24-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2712-23-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

memory/1244-25-0x0000000000010000-0x0000000000020000-memory.dmp

memory/1244-29-0x00000000079A0000-0x0000000007A8A000-memory.dmp

C:\Users\Admin\AppData\Roaming\NN11N28C\NN1logri.ini

MD5 d63a82e5d81e02e399090af26db0b9cb
SHA1 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256 eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\NN11N28C\NN1logrv.ini

MD5 ba3b6bc807d4f76794c4b81b09bb9ba5
SHA1 24cb89501f0212ff3095ecc0aba97dd563718fb1
SHA256 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512 ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

C:\Users\Admin\AppData\Roaming\NN11N28C\NN1logim.jpeg

MD5 5155ab9a809ea2fe2de7057ce6457254
SHA1 f4c3cb0d8cc2b51f352e5e7336ef71614d7c5878
SHA256 542f87a699bf14237306f955910acc10f21402689674cc3ca194d404beb3498b
SHA512 3d16c557fff552e36e767b4a00c7e7c20beb69cf2c3f7062bff027ab169220d81302d2451b390239cbf3de8bda7b8fa6e10ecee61e4fd61ac2d112dc91f54b20

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-21 13:35

Reported

2024-09-21 13:37

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ikdibakelehuntum = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Ikdibakelehuntum.txt | cmd" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UFZXNBRHSZCL = "C:\\Program Files (x86)\\Kv2sdbdj0\\taskhost1bf.exe" C:\Windows\SysWOW64\WWAHost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1904 set thread context of 876 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 876 set thread context of 3524 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Windows\Explorer.EXE
PID 3136 set thread context of 3524 N/A C:\Windows\SysWOW64\WWAHost.exe C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Kv2sdbdj0\taskhost1bf.exe C:\Windows\SysWOW64\WWAHost.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WWAHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\view.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\WWAHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\view.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WWAHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4920 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\view.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\view.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\view.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 4168 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 4168 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 1904 wrote to memory of 436 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 436 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 436 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Windows\SysWOW64\cmd.exe
PID 436 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 436 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 436 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1904 wrote to memory of 876 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 1904 wrote to memory of 876 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 1904 wrote to memory of 876 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 1904 wrote to memory of 876 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 1904 wrote to memory of 876 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 1904 wrote to memory of 876 N/A C:\Users\Admin\Desktop\Ikdibakelehuntum.exe C:\Users\Admin\Desktop\Ikdibakelehuntum.exe
PID 3524 wrote to memory of 3136 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\WWAHost.exe
PID 3524 wrote to memory of 3136 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\WWAHost.exe
PID 3524 wrote to memory of 3136 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\WWAHost.exe
PID 3136 wrote to memory of 2408 N/A C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 2408 N/A C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 2408 N/A C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 1032 N/A C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 1032 N/A C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 1032 N/A C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\view.exe

"C:\Users\Admin\AppData\Local\Temp\view.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\Desktop\Ikdibakelehuntum.exe

"C:\Users\Admin\Desktop\Ikdibakelehuntum.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Ikdibakelehuntum" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Ikdibakelehuntum.txt" | cmd"

C:\Users\Admin\Desktop\Ikdibakelehuntum.exe

"C:\Users\Admin\Desktop\Ikdibakelehuntum.exe"

C:\Windows\SysWOW64\autoconv.exe

"C:\Windows\SysWOW64\autoconv.exe"

C:\Windows\SysWOW64\WWAHost.exe

"C:\Windows\SysWOW64\WWAHost.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\Desktop\Ikdibakelehuntum.exe"

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.7907f.com udp
US 8.8.8.8:53 www.excellcium-promotion.com udp
FR 51.83.44.84:80 www.excellcium-promotion.com tcp
US 8.8.8.8:53 84.44.83.51.in-addr.arpa udp
US 8.8.8.8:53 www.gdrk.com udp
HK 47.90.30.95:80 www.gdrk.com tcp
US 8.8.8.8:53 95.30.90.47.in-addr.arpa udp
HK 47.90.30.95:80 www.gdrk.com tcp
HK 47.90.30.95:80 www.gdrk.com tcp
US 8.8.8.8:53 www.centuryroses.com udp
US 74.208.236.79:80 www.centuryroses.com tcp
US 8.8.8.8:53 79.236.208.74.in-addr.arpa udp
US 74.208.236.79:80 www.centuryroses.com tcp
US 74.208.236.79:80 www.centuryroses.com tcp
US 8.8.8.8:53 www.zimmer-ulm.com udp
US 8.8.8.8:53 www.hunch.info udp
US 76.223.54.146:80 www.hunch.info tcp
US 8.8.8.8:53 146.54.223.76.in-addr.arpa udp
US 76.223.54.146:80 www.hunch.info tcp
US 76.223.54.146:80 www.hunch.info tcp
N/A 52.168.117.170:443 tcp
US 8.8.8.8:53 udp

Files

memory/4920-0-0x00000000754E2000-0x00000000754E3000-memory.dmp

memory/4920-1-0x00000000754E0000-0x0000000075A91000-memory.dmp

memory/4920-2-0x00000000754E0000-0x0000000075A91000-memory.dmp

C:\Users\Admin\Desktop\Ikdibakelehuntum.exe

MD5 13c50d12714b8d5177d53e6f0980346d
SHA1 c3efaf564476634a8baca98028ffa9d1918a0a4c
SHA256 ca6bf064da10636ada68b69d36ee69de1c794e71928adeeb3781bef7ce6d4c71
SHA512 f411aba44e6d8a91abb204c397203a01d5393056317f57b9b73145b4d71aee535269f4fc47cdf87a6212d2ef193683b84f75f53042327dc1ef4744cd0ddba06d

memory/1904-8-0x00000000754E0000-0x0000000075A91000-memory.dmp

memory/1904-10-0x00000000754E0000-0x0000000075A91000-memory.dmp

memory/1904-7-0x00000000754E0000-0x0000000075A91000-memory.dmp

memory/4920-12-0x00000000754E0000-0x0000000075A91000-memory.dmp

memory/876-13-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1904-16-0x00000000754E0000-0x0000000075A91000-memory.dmp

memory/876-17-0x0000000001590000-0x00000000018DA000-memory.dmp

memory/876-20-0x0000000001050000-0x0000000001064000-memory.dmp

memory/876-19-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3524-21-0x0000000008780000-0x0000000008908000-memory.dmp

memory/3136-22-0x0000000000360000-0x000000000043C000-memory.dmp

memory/3136-24-0x0000000000360000-0x000000000043C000-memory.dmp

memory/3524-25-0x0000000008780000-0x0000000008908000-memory.dmp

memory/3524-29-0x0000000009230000-0x0000000009370000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Roaming\NN11N28C\NN1logri.ini

MD5 d63a82e5d81e02e399090af26db0b9cb
SHA1 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256 eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\NN11N28C\NN1logrv.ini

MD5 bbc41c78bae6c71e63cb544a6a284d94
SHA1 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256 ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA512 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

C:\Users\Admin\AppData\Roaming\NN11N28C\NN1logrg.ini

MD5 4aadf49fed30e4c9b3fe4a3dd6445ebe
SHA1 1e332822167c6f351b99615eada2c30a538ff037
SHA256 75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
SHA512 eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

C:\Users\Admin\AppData\Roaming\NN11N28C\NN1logim.jpeg

MD5 7326be91e05335992a34a2423a30aced
SHA1 1076aa43cba5a01c6862167793fa475d39c64a78
SHA256 67292e1be08fcc909a8c40801f19274f67e5d12cfa3aa698b447b2824fdbd2be
SHA512 72cc6768f8d2c30bda6fa1754975f3e2744eb9a8701eedcacd7aa98164eefd41f5ba66702677b3d6a1eb3dd3ae957a79a2ecc4aeb246ba0fa2bcdb65ef698099