Malware Analysis Report

2025-08-05 16:57

Sample ID 250127-zc33tavkaz
Target JaffaCakes118_4374ffe3395196ca313993c5b6337d2e
SHA256 36bb9292501433a0931ca14fc3e32cf8ced0c83da8a32b6bdc2e39e1fb6de157
Tags
modiloader defense_evasion discovery persistence trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file JaffaCakes118_4374ffe3395196ca313993c5b6337d2e was found to be: Known bad.

Malicious Activity Summary

modiloader defense_evasion discovery persistence trojan upx

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modiloader family

ModiLoader, DBatLoader

ModiLoader Second Stage

Loads dropped DLL

Deletes itself

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of UnmapMainImage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 20:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 20:35

Reported

2025-01-27 20:37

Platform

win7-20240903-en

Max time kernel

150s

Max time network

124s

Command Line

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\1be398f8\\X" C:\Windows\Explorer.EXE N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\srRTMxaDv9.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\woauy.exe N/A

Modiloader family

modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /x" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /Q" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /F" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /Y" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /Z" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /K" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /c" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /C" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /u" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /p" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /f" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /i" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /L" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /a" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /j" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /y" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /V" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /n" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /v" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /H" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /U" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /B" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /h" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /W" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /q" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /A" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /T" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /m" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /w" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /R" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /g" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /e" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /l" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /S" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /M" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /P" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /D" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /z" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /o" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /s" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /M" C:\Users\Admin\srRTMxaDv9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /d" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /t" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /r" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /X" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /k" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /E" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /N" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /b" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /O" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /J" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /I" C:\Users\Admin\woauy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /G" C:\Users\Admin\woauy.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created \systemroot\assembly\GAC_64\Desktop.ini C:\Windows\system32\csrss.exe N/A
File created \systemroot\assembly\GAC_32\Desktop.ini C:\Windows\system32\csrss.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2640 set thread context of 2780 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 2412 set thread context of 1180 N/A C:\Users\Admin\bmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1188 set thread context of 1544 N/A C:\Users\Admin\cmhost.exe C:\Windows\SysWOW64\cmd.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\cmhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\dmhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\srRTMxaDv9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\woauy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\bmhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\amhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\srRTMxaDv9.exe N/A
N/A N/A C:\Users\Admin\srRTMxaDv9.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\bmhost.exe N/A
N/A N/A C:\Users\Admin\bmhost.exe N/A
N/A N/A C:\Users\Admin\bmhost.exe N/A
N/A N/A C:\Users\Admin\bmhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\1be398f8\X N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\bmhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\bmhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe N/A
N/A N/A C:\Users\Admin\srRTMxaDv9.exe N/A
N/A N/A C:\Users\Admin\woauy.exe N/A
N/A N/A C:\Users\Admin\dmhost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\system32\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\srRTMxaDv9.exe
PID 2516 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\srRTMxaDv9.exe
PID 2516 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\srRTMxaDv9.exe
PID 2516 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\srRTMxaDv9.exe
PID 2084 wrote to memory of 2056 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Users\Admin\woauy.exe
PID 2084 wrote to memory of 2056 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Users\Admin\woauy.exe
PID 2084 wrote to memory of 2056 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Users\Admin\woauy.exe
PID 2084 wrote to memory of 2056 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Users\Admin\woauy.exe
PID 2084 wrote to memory of 2912 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2912 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2912 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2912 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2912 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2912 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2912 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2516 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\amhost.exe
PID 2516 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\amhost.exe
PID 2516 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\amhost.exe
PID 2516 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\amhost.exe
PID 2640 wrote to memory of 2780 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 2640 wrote to memory of 2780 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 2640 wrote to memory of 2780 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 2640 wrote to memory of 2780 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 2640 wrote to memory of 2780 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 2640 wrote to memory of 2780 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 2640 wrote to memory of 2780 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 2640 wrote to memory of 2780 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 2516 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\bmhost.exe
PID 2516 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\bmhost.exe
PID 2516 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\bmhost.exe
PID 2516 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\bmhost.exe
PID 2412 wrote to memory of 1124 N/A C:\Users\Admin\bmhost.exe C:\Windows\Explorer.EXE
PID 2412 wrote to memory of 336 N/A C:\Users\Admin\bmhost.exe C:\Windows\system32\csrss.exe
PID 2412 wrote to memory of 1180 N/A C:\Users\Admin\bmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1180 N/A C:\Users\Admin\bmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1180 N/A C:\Users\Admin\bmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1180 N/A C:\Users\Admin\bmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1180 N/A C:\Users\Admin\bmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\cmhost.exe
PID 2516 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\cmhost.exe
PID 2516 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\cmhost.exe
PID 2516 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\cmhost.exe
PID 1188 wrote to memory of 2884 N/A C:\Users\Admin\cmhost.exe C:\Users\Admin\AppData\Local\1be398f8\X
PID 1188 wrote to memory of 2884 N/A C:\Users\Admin\cmhost.exe C:\Users\Admin\AppData\Local\1be398f8\X
PID 1188 wrote to memory of 2884 N/A C:\Users\Admin\cmhost.exe C:\Users\Admin\AppData\Local\1be398f8\X
PID 1188 wrote to memory of 2884 N/A C:\Users\Admin\cmhost.exe C:\Users\Admin\AppData\Local\1be398f8\X
PID 2884 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\1be398f8\X C:\Windows\Explorer.EXE
PID 1188 wrote to memory of 1544 N/A C:\Users\Admin\cmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1188 wrote to memory of 1544 N/A C:\Users\Admin\cmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1188 wrote to memory of 1544 N/A C:\Users\Admin\cmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1188 wrote to memory of 1544 N/A C:\Users\Admin\cmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1188 wrote to memory of 1544 N/A C:\Users\Admin\cmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\dmhost.exe
PID 2516 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\dmhost.exe
PID 2516 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\dmhost.exe
PID 2516 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\dmhost.exe
PID 2516 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 344 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 344 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe

Processes

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe"

C:\Users\Admin\srRTMxaDv9.exe

C:\Users\Admin\srRTMxaDv9.exe

C:\Users\Admin\woauy.exe

"C:\Users\Admin\woauy.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del srRTMxaDv9.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\amhost.exe

C:\Users\Admin\amhost.exe

C:\Users\Admin\amhost.exe

amhost.exe

C:\Users\Admin\bmhost.exe

C:\Users\Admin\bmhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\cmhost.exe

C:\Users\Admin\cmhost.exe

C:\Users\Admin\AppData\Local\1be398f8\X

176.53.17.24:80

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\dmhost.exe

C:\Users\Admin\dmhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
TR 176.53.17.24:80 tcp
TR 176.53.17.24:80 tcp
TR 176.53.17.24:80 tcp
UA 82.193.112.116:21860 tcp
AU 101.116.124.29:21860 tcp
PL 89.73.219.45:21860 tcp
RO 79.118.77.103:21860 tcp
LT 88.222.56.69:21860 tcp
US 69.250.129.195:21860 tcp
CA 70.81.44.41:21860 tcp
TR 176.30.86.202:21860 tcp
US 174.141.188.24:21860 tcp
KZ 178.91.248.14:21860 tcp
JO 94.249.55.111:21860 tcp
US 24.46.123.138:21860 tcp
IN 115.242.209.10:21860 tcp
CO 190.26.101.67:21860 tcp
ID 203.169.53.84:21860 tcp
KZ 212.76.23.88:21860 tcp
AO 41.70.167.39:21860 tcp
KZ 46.36.136.165:21860 tcp
US 128.122.94.12:21860 tcp
DE 92.231.15.88:21860 tcp
US 75.132.141.34:21860 tcp
AR 186.111.236.70:21860 tcp
RU 195.96.95.179:21860 tcp
KG 178.216.209.13:21860 tcp
TR 178.245.145.190:21860 tcp
RO 188.25.162.139:21860 tcp
CA 131.104.255.1:21860 tcp
BR 201.40.210.50:21860 tcp
SE 81.170.225.74:21860 tcp
US 70.117.153.95:21860 tcp
AU 101.116.112.34:21860 tcp
RU 136.169.146.2:21860 tcp
RU 46.191.210.42:21860 tcp
IN 14.96.221.136:21860 tcp
KZ 178.90.90.35:21860 tcp
FR 46.105.8.114:21860 tcp
US 24.107.182.20:21860 tcp
US 109.246.238.57:21860 tcp
US 67.240.113.178:21860 tcp
IN 115.240.16.161:21860 tcp
FR 82.234.113.202:21860 tcp
CO 190.24.175.156:21860 tcp
RU 46.147.192.139:21860 tcp
SE 93.182.158.47:21860 tcp
US 67.175.138.9:21860 tcp
CA 70.65.141.173:21860 tcp
US 69.145.125.224:21860 tcp
RU 95.220.179.145:21860 tcp
IN 106.76.214.92:21860 tcp
RU 46.48.158.46:21860 tcp
RU 109.111.162.61:21860 tcp
HK 119.247.240.204:21860 tcp
BG 78.90.135.67:21860 tcp
TT 190.213.8.51:21860 tcp
CA 216.246.224.198:21860 tcp
MK 79.126.214.106:21860 tcp
RU 94.41.27.147:21860 tcp
IN 182.156.97.233:21860 tcp
PL 84.10.70.246:21860 tcp
HN 190.99.16.188:21860 tcp
US 129.21.84.226:21860 tcp
BR 187.11.71.126:21860 tcp
PT 188.37.110.241:21860 tcp
JM 216.10.209.57:21860 tcp
US 67.10.235.214:21860 tcp
US 24.11.139.131:21860 tcp
MD 188.131.111.69:21860 tcp
RU 31.207.206.186:21860 tcp
OM 46.40.228.234:21860 tcp
MY 182.63.74.42:21860 tcp
FJ 210.7.25.105:21860 tcp
IN 115.184.99.171:21860 tcp
MX 201.167.33.127:21860 tcp
KZ 95.58.235.26:21860 tcp
IN 14.99.99.197:21860 tcp
US 207.191.205.143:21860 tcp
RU 46.48.200.108:21860 tcp
FR 78.250.140.118:21860 tcp
IN 203.90.81.237:21860 tcp
FR 82.230.128.86:21860 tcp
IN 117.225.6.110:21860 tcp
PH 111.68.40.160:21860 tcp
KZ 178.91.60.15:21860 tcp
TW 125.227.184.100:21860 tcp
KZ 212.76.9.85:21860 tcp
IN 1.23.234.180:21860 tcp
UZ 93.188.84.251:21860 tcp
DO 190.166.208.66:21860 tcp
US 69.253.17.94:21860 tcp
IN 49.204.13.214:21860 tcp
US 31.57.100.109:21860 tcp
ES 79.112.95.109:21860 tcp
PK 111.88.47.52:21860 tcp
US 98.160.212.176:21860 tcp
KR 58.233.70.8:21860 tcp
US 72.19.127.116:21860 tcp
KG 158.181.149.196:21860 tcp
PT 46.50.88.40:21860 tcp
HN 190.53.78.114:21860 tcp
US 24.6.120.104:21860 tcp
IN 59.93.240.165:21860 tcp
US 173.172.156.244:21860 tcp
PL 85.222.93.25:21860 tcp
MX 189.214.161.23:21860 tcp
VE 186.92.84.39:21860 tcp
ES 79.116.224.179:21860 tcp
US 98.215.149.242:21860 tcp
ES 77.27.212.30:21860 tcp
OM 188.66.179.19:21860 tcp
CA 69.70.45.186:21860 tcp
IN 106.79.130.234:21860 tcp
US 68.226.243.185:21860 tcp
US 70.94.44.23:21860 tcp
KZ 95.58.110.93:21860 tcp
SG 222.165.56.168:21860 tcp
IN 1.23.200.185:21860 tcp
US 71.62.88.179:21860 tcp
US 96.41.81.39:21860 tcp
AR 190.193.7.204:21860 tcp
AR 190.246.45.29:21860 tcp
IN 115.184.103.41:21860 tcp
IN 117.230.77.230:21860 tcp
CA 99.231.30.158:21860 tcp
MK 77.29.195.154:21860 tcp
SE 79.138.235.241:21860 tcp
LT 158.129.21.189:21860 tcp
US 71.10.127.231:21860 tcp
IL 84.94.189.96:21860 tcp
IN 14.96.177.186:21860 tcp
MX 189.220.204.24:21860 tcp
IT 95.75.208.208:21860 tcp
US 129.22.53.243:21860 tcp
US 76.125.125.76:21860 tcp
IN 182.237.128.155:21860 tcp
BT 202.144.135.136:21860 tcp
KZ 95.56.77.21:21860 tcp
KZ 95.56.34.162:21860 tcp
CL 190.101.26.74:21860 tcp
IN 115.241.41.156:21860 tcp
US 67.184.93.17:21860 tcp
MG 41.188.33.4:21860 tcp
DE 92.231.15.45:21860 tcp
MX 189.194.147.244:21860 tcp
US 71.202.35.179:21860 tcp
IR 31.184.188.154:21860 tcp
AU 138.130.89.233:21860 tcp
IR 2.176.22.69:21860 tcp
KE 197.178.185.64:21860 tcp
ES 83.97.225.103:21860 tcp
CL 190.164.63.28:21860 tcp
KZ 92.47.209.177:21860 tcp
RU 178.234.117.240:21860 tcp
MD 89.28.102.142:21860 tcp
AR 190.113.144.149:21860 tcp
AU 124.184.180.45:21860 tcp
US 75.74.147.243:21860 tcp
DE 89.12.197.164:21860 tcp
CL 190.162.186.100:21860 tcp
US 66.191.237.173:21860 tcp
KZ 95.58.12.224:21860 tcp
US 76.16.129.67:21860 tcp
KZ 178.89.58.92:21860 tcp
MX 201.173.60.230:21860 tcp
RU 2.93.157.92:21860 tcp
DE 178.238.234.130:21860 tcp
KZ 95.57.239.198:21860 tcp
KZ 212.76.20.40:21860 tcp
US 24.7.86.89:21860 tcp
KZ 178.89.136.152:21860 tcp
CL 200.83.17.225:21860 tcp
AR 190.105.2.83:21860 tcp
IN 110.227.229.212:21860 tcp
US 71.60.24.124:21860 tcp
TR 46.30.176.5:21860 tcp
FJ 183.81.130.182:21860 tcp
ES 49.0.187.143:21860 tcp
SA 188.54.49.121:21860 tcp
KG 158.181.182.85:21860 tcp
EC 190.130.166.131:21860 tcp
BR 189.69.66.187:21860 tcp
TW 175.181.123.239:21860 tcp
KZ 85.29.157.69:21860 tcp
KZ 178.91.238.198:21860 tcp
HU 89.132.133.91:21860 tcp
KZ 212.76.2.252:21860 tcp
KZ 95.56.52.235:21860 tcp
KH 87.247.162.223:21860 tcp
EC 186.42.33.196:21860 tcp
US 67.163.155.160:21860 tcp
BG 84.54.175.182:21860 tcp
IN 27.4.242.99:21860 tcp
KR 121.135.107.52:21860 tcp
US 70.190.221.64:21860 tcp
SG 111.119.216.149:21860 tcp
IN 183.83.43.159:21860 tcp
US 98.251.157.5:21860 tcp
IR 2.179.82.132:21860 tcp
PL 62.141.211.249:21860 tcp
RU 89.148.251.241:21860 tcp
JP 110.165.135.136:21860 tcp
IN 14.97.21.231:21860 tcp
NO 188.113.127.144:25700 tcp
US 75.110.231.24:25700 tcp
US 71.58.52.32:25700 tcp
HU 188.143.69.158:25700 tcp
US 75.132.11.131:25700 tcp
PK 119.154.89.161:25700 tcp
US 68.206.39.222:25700 tcp
LT 88.118.9.19:25700 tcp
US 28.240.130.61:25700 tcp
US 198.82.98.127:25700 tcp
US 67.197.163.174:25700 tcp
US 24.130.41.168:25700 tcp
CA 216.104.111.135:25700 tcp
US 99.14.85.82:25700 tcp
US 71.87.243.75:25700 tcp
CD 41.243.65.127:25700 tcp
US 97.65.48.207:25700 tcp
US 68.110.199.9:25700 tcp
KZ 84.240.207.176:25700 tcp
US 68.92.112.237:25700 tcp
US 71.74.1.168:25700 tcp
ES 79.117.78.238:25700 tcp
US 98.180.21.161:25700 tcp
US 69.142.187.67:25700 tcp
DE 24.40.144.134:25700 tcp
PT 62.169.120.205:25700 tcp
US 99.64.192.239:25700 tcp
US 70.113.206.81:25700 tcp
US 76.27.59.89:25700 tcp
US 69.180.38.221:25700 tcp
US 67.184.24.170:25700 tcp
US 71.95.157.6:25700 tcp
US 128.36.54.183:25700 tcp
US 76.107.104.13:25700 tcp
US 71.86.99.90:25700 tcp
US 50.88.221.71:25700 tcp
US 76.181.141.94:25700 tcp
US 24.126.187.34:25700 tcp
US 18.245.7.14:25700 tcp
US 75.73.60.153:25700 tcp
SG 119.234.154.170:25700 tcp
FR 82.234.113.202:25700 tcp
US 24.12.204.68:25700 tcp
US 98.231.208.73:25700 tcp
US 71.236.155.16:25700 tcp
IT 151.31.96.116:25700 tcp
DE 178.200.126.51:25700 tcp
SE 213.112.235.194:25700 tcp
PT 79.168.109.47:25700 tcp
CA 24.226.241.71:25700 tcp
US 24.90.27.57:25700 tcp
US 68.1.115.188:25700 tcp
US 72.198.82.70:25700 tcp
US 76.179.103.0:25700 tcp
US 76.183.0.208:25700 tcp
US 96.38.57.251:25700 tcp
US 70.132.200.253:25700 tcp
US 71.23.43.138:25700 tcp
DE 217.13.173.105:25700 tcp
DE 95.88.168.246:25700 tcp
GB 92.236.32.199:25700 tcp
US 173.175.167.134:25700 tcp
US 69.132.184.166:25700 tcp
US 98.217.15.123:25700 tcp
US 24.131.109.230:25700 tcp
RO 89.42.36.38:25700 tcp
US 97.89.228.148:25700 tcp
IN 223.29.199.151:25700 tcp
KZ 87.247.42.163:25700 tcp
US 69.113.16.97:25700 tcp
US 68.11.134.106:25700 tcp
US 66.56.32.93:25700 tcp
CA 173.230.173.59:25700 tcp
DZ 41.107.70.89:25700 tcp
US 68.199.124.4:25700 tcp
US 68.103.79.198:25700 tcp
US 174.64.30.198:25700 tcp
US 68.3.248.223:25700 tcp
CA 74.12.234.101:25700 tcp
DE 86.56.15.251:25700 tcp
US 97.102.37.94:25700 tcp
US 24.31.184.124:25700 tcp
US 66.190.220.48:25700 tcp
US 24.253.208.76:25700 tcp
US 75.66.39.93:25700 tcp
IT 151.81.146.112:25700 tcp
ES 85.219.20.126:25700 tcp
US 68.39.127.163:25700 tcp
US 173.3.143.226:25700 tcp
US 24.126.8.252:25700 tcp
US 71.195.62.171:25700 tcp
US 76.116.104.184:25700 tcp
US 98.196.30.132:25700 tcp
US 66.25.247.230:25700 tcp
US 24.14.49.4:25700 tcp
US 67.60.244.54:25700 tcp
PL 91.207.60.22:25700 tcp
US 24.99.224.18:25700 tcp
US 71.194.116.155:25700 tcp
NL 98.64.60.8:25700 tcp
DE 78.43.118.192:25700 tcp
US 67.162.64.31:25700 tcp
US 75.108.60.107:25700 tcp
US 76.115.46.206:25700 tcp
DK 212.10.97.79:25700 tcp
BE 84.195.107.140:25700 tcp
US 67.172.173.99:25700 tcp
US 76.169.142.205:25700 tcp
US 69.204.107.254:25700 tcp
US 98.26.36.207:25700 tcp
IT 82.55.209.61:25700 tcp
US 71.45.142.31:25700 tcp
FR 81.51.40.68:25700 tcp
US 24.18.125.203:25700 tcp
US 68.37.37.133:25700 tcp
US 69.76.179.226:25700 tcp
US 69.205.231.132:25700 tcp
US 67.85.181.95:25700 tcp
US 76.105.72.3:25700 tcp
US 24.228.5.130:25700 tcp
PL 87.116.205.54:25700 tcp
US 76.119.15.140:25700 tcp
US 71.203.154.25:25700 tcp
US 174.70.136.28:25700 tcp
US 24.178.86.126:25700 tcp
US 108.106.109.107:25700 tcp
US 50.136.114.82:25700 tcp
US 24.146.171.229:25700 tcp
CA 74.59.63.112:25700 tcp
US 71.68.97.7:25700 tcp
US 24.91.136.219:25700 tcp
US 24.245.2.5:25700 tcp
US 71.95.34.209:25700 tcp
US 68.62.166.162:25700 tcp
US 216.26.97.151:25700 tcp
US 69.113.201.236:25700 tcp
US 65.185.120.89:25700 tcp
US 174.57.113.217:25700 tcp
US 69.143.8.209:25700 tcp
US 71.77.72.78:25700 tcp
US 74.196.169.67:25700 tcp
US 76.31.37.100:25700 tcp
US 96.18.183.250:25700 tcp
US 98.214.78.126:25700 tcp
CA 69.156.160.226:25700 tcp
US 98.194.201.41:25700 tcp
US 75.66.128.197:25700 tcp
US 74.64.85.127:25700 tcp
US 98.193.89.231:25700 tcp
DE 91.64.176.203:25700 tcp
US 24.250.24.134:25700 tcp
US 107.8.75.96:25700 tcp
RU 91.79.143.168:25700 tcp
US 72.135.14.49:25700 tcp
US 68.54.184.7:25700 tcp
US 71.76.58.50:25700 tcp
US 72.249.44.79:25700 tcp
US 98.204.110.177:25700 tcp
US 75.73.45.126:25700 tcp
US 66.168.25.248:25700 tcp
US 107.41.156.180:25700 tcp
US 184.59.86.72:25700 tcp
US 71.234.195.93:25700 tcp
US 64.53.184.103:25700 tcp
IT 151.81.79.182:25700 tcp
US 69.122.91.56:25700 tcp
US 24.27.176.91:25700 tcp
US 76.190.213.150:25700 tcp
US 76.118.218.158:25700 tcp
US 24.158.142.102:25700 tcp
US 65.185.76.30:25700 tcp
ES 79.108.2.152:25700 tcp
US 24.30.7.62:25700 tcp
RU 94.180.203.48:25700 tcp
US 75.66.198.134:25700 tcp
US 66.169.32.66:25700 tcp
US 24.217.238.43:25700 tcp
US 50.12.174.124:25700 tcp
US 97.106.237.122:25700 tcp
US 68.58.196.120:25700 tcp
US 67.169.67.143:25700 tcp
KZ 95.56.27.119:25700 tcp
US 107.2.144.105:25700 tcp
US 68.3.244.77:25700 tcp
US 76.186.89.77:25700 tcp
US 76.116.86.5:25700 tcp
US 76.170.106.209:25700 tcp
US 184.201.93.26:25700 tcp
US 24.217.82.195:25700 tcp
US 24.46.123.214:25700 tcp
CZ 213.211.60.35:25700 tcp
US 75.177.162.9:25700 tcp
US 71.62.150.167:25700 tcp
US 67.249.111.108:25700 tcp
US 24.197.112.102:25700 tcp

Files

\Users\Admin\srRTMxaDv9.exe

MD5 57a5743f47b3a874773041195600909c
SHA1 74f5c16a6ca03baea7c684e40d351f1ec484a70d
SHA256 eecfb7541cf571d34882ebeb19c3c396ed53243e23060d45e1f1b033e061da90
SHA512 66c4621663db921b7a18b843197ea6611e9473abca6b2a653d1f228146129434a7f643f598e0fdfbe300f2ea91168135de59a69f02f52245c71f12e4364e2954

\Users\Admin\woauy.exe

MD5 07fde06b6fa5b5aac1b1f829f239c149
SHA1 493ea55103ec11486e424ce65b18b0b1627cc704
SHA256 3f3810d49d52695fb564da70161034b5c433804288ca6dd1fe2220fd60722e10
SHA512 b7c2f8aef0cdac030c4c7f8f1f80ffdf777472e70f885ba3709076703095fabd7fd3a9c2d9121ad31922d402cb418f6d95a0933c53b7f0638750c75e354a6368

\Users\Admin\amhost.exe

MD5 8ccbe4f27f9710f3e7f75e1d1de57e49
SHA1 272e95e476477cd4a1715ee0bcf32318e0351718
SHA256 3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d
SHA512 334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0

memory/2780-40-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2780-47-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2640-46-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2780-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2780-38-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2780-36-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2780-50-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2780-52-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2780-51-0x0000000000400000-0x000000000040E000-memory.dmp

\Users\Admin\bmhost.exe

MD5 2da0070a7c50f3a078b73b4fb7ee7c02
SHA1 999b4860a80b908622fadfc8fae27db66b200932
SHA256 f8a0f1b5b3f320f01173f151305dc780eac51bf78e7405fd2c0b9b3ba58945bf
SHA512 2d488508e785d92c5cf9f0abee8153d984d8dd8f1d59880643764f499e151fccc9572a9ad1fe0a82412b8ed230d25bd849a0beeded12325dc21839ed53512630

memory/2412-64-0x0000000000360000-0x00000000003A1000-memory.dmp

memory/2412-68-0x0000000000360000-0x00000000003A1000-memory.dmp

memory/2412-60-0x0000000000360000-0x00000000003A1000-memory.dmp

memory/2412-69-0x0000000000360000-0x00000000003A1000-memory.dmp

memory/2412-70-0x0000000000360000-0x00000000003A1000-memory.dmp

memory/2412-72-0x0000000000360000-0x00000000003A1000-memory.dmp

memory/1124-73-0x0000000002520000-0x0000000002526000-memory.dmp

memory/1124-77-0x0000000002520000-0x0000000002526000-memory.dmp

memory/1124-81-0x0000000002520000-0x0000000002526000-memory.dmp

C:\Windows\system32\consrv.dll

MD5 4d7cde615a0f534bd5e359951829554b
SHA1 c885d00d9000f2a5dbc78f6193a052b36f4fe968
SHA256 414fdf9bdcae5136c1295d6d24740c50a484acd81f1f7d0fb5d5c138607cb80a
SHA512 33d632f9fbb694440a1ca568c90518784278efd1dc9ee2b57028149d56ebe1f7346d5b59dcfafee2eeaa10091dda05f48958e909d6bfc891e037ae1cfbd048d4

memory/336-87-0x0000000002540000-0x0000000002552000-memory.dmp

memory/2412-91-0x0000000000400000-0x0000000000446000-memory.dmp

\Users\Admin\cmhost.exe

MD5 03102e4338eb16e0c4dfe106830557e3
SHA1 4fdb5baf0900e44e95acdeee1c947be3b0518b39
SHA256 7dd28bddc46daddc8f7e14906f50ef991d3d7f1ffb785388fb5c42be9e162139
SHA512 c7d4b4b3766c0b4cdc3d16f56effe1b36cacd4a48f728cf1a33360eb6c48362587186dc0be45f098cd3117bc10c7113d51262939bfe018c6f963b36d59cd97c9

\Windows\assembly\GAC_32\Desktop.ini

MD5 878f9b6da85cb98fcbdf6abd1730a32f
SHA1 343007e658ea541f4680b4edf4513e69e1cc18a6
SHA256 75b5a460ed6f47fca8ec1bcd8a11b22f24fb33de4d5f307b851ad20c7f831b7d
SHA512 5425844e34ad5e717b08830020526f5c9465f654f3e9e29967b2983d5cb8dc225be2b89cd29a8e4cc99fcfc99e05556f66eefa0539283ab4569e603413a37293

\Users\Admin\AppData\Local\1be398f8\X

MD5 be40a2578e862f1cecc9b9194f524201
SHA1 0c379f375f9bcfab2e8d86161cec07fe4a7dbc12
SHA256 2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6
SHA512 25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8

\Windows\assembly\GAC_64\Desktop.ini

MD5 9d7ec1e355ac35cbe6991721ef5ae3b8
SHA1 c35a00bd35c6e4a7516b93947be08ead966347e8
SHA256 68a3cec42215323100398a8eb2cbb37da7d58fe0fa9c6312e954e0f50a95ca98
SHA512 b7c4be28d8e179974672205a50e72fa1ec9e2e8170b3b8ee763e1751a3397c35afec7a72c88f0a79a8566749b2af1ff054660a96c3a6d6508c545d316a035dc0

memory/1124-121-0x0000000002550000-0x000000000255B000-memory.dmp

memory/1124-120-0x0000000002540000-0x000000000254B000-memory.dmp

memory/1124-115-0x0000000002540000-0x000000000254B000-memory.dmp

memory/1124-111-0x0000000002540000-0x000000000254B000-memory.dmp

C:\Users\Admin\AppData\Local\1be398f8\@

MD5 f5e66a93bc297ba83db0e7b5564ced3f
SHA1 863c519546cfba7531b8ecbf10ae5bede6d2193d
SHA256 94257ae4c040d8487cb44bc23030193944c72c12678dcd8b80684a3721b21231
SHA512 b7ee82bdc3057df90eed61a9d0d6d52420fb8baf6cc8f12f30144ecdd1f298f13d89e14bfa474ea939bd734440f185d7bba72d1140080a3ef975253191adaea3

memory/1188-128-0x0000000000400000-0x0000000000465C48-memory.dmp

memory/1188-135-0x0000000000400000-0x0000000000465C48-memory.dmp

\Users\Admin\dmhost.exe

MD5 e5a8cc5176a71d1fb82d8790db0c20f0
SHA1 6d0c76a9e94151d84241bdf99033524daf4346ed
SHA256 3b324891d70636e38cfc4c080a91fc83b387013af03ef9d2d6aa36376e1d6c8c
SHA512 ccbd5e3f98ff202c8a7753208d588bfef183eb37a6da3fbcf733dab0112408b1a05836ebbc24d6a17e9b72260ba9682e53628d20f130b10d8ec76cf9f1a51f9c

\??\globalroot\systemroot\assembly\temp\@

MD5 c9c375e4592e4f72fc80d8673aa484e3
SHA1 565b0a395671b12a77d006b7b17a54d20932f28a
SHA256 f6b79b69ca9f5047bed4631c79b6ea737fb03125e185b2114f4986a366f8b9c2
SHA512 e412db5ec4003861a02e04b564e3f6ae6f93f2d052615fab96b4560ca74989891a610fd6062b14cef96785c9866b34c72470f158918af161870942fe5153ee65

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 20:35

Reported

2025-01-27 20:37

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\srRTMxaDv9.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\sazab.exe N/A

Modiloader family

modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\srRTMxaDv9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /C" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /I" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /K" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /m" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /F" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /M" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /A" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /a" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /z" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /r" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /j" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /R" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /x" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /u" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /X" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /Y" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /Z" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /l" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /B" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /y" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /w" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /t" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /q" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /i" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /s" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /E" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /G" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /V" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /J" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /D" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /U" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /O" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /g" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /n" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /o" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /c" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /v" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /b" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /L" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /W" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /H" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /d" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /E" C:\Users\Admin\srRTMxaDv9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /N" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /e" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /k" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /T" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /Q" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /f" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /h" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /p" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /P" C:\Users\Admin\sazab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /S" C:\Users\Admin\sazab.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4676 set thread context of 1656 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 1788 set thread context of 3528 N/A C:\Users\Admin\bmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 set thread context of 1976 N/A C:\Users\Admin\cmhost.exe C:\Windows\SysWOW64\cmd.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\cmhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\amhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\bmhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\dmhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\srRTMxaDv9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\sazab.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\srRTMxaDv9.exe N/A
N/A N/A C:\Users\Admin\srRTMxaDv9.exe N/A
N/A N/A C:\Users\Admin\srRTMxaDv9.exe N/A
N/A N/A C:\Users\Admin\srRTMxaDv9.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\9a2c62aa\X N/A
N/A N/A C:\Users\Admin\AppData\Local\9a2c62aa\X N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\amhost.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\bmhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\cmhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe N/A
N/A N/A C:\Users\Admin\srRTMxaDv9.exe N/A
N/A N/A C:\Users\Admin\sazab.exe N/A
N/A N/A C:\Users\Admin\dmhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\srRTMxaDv9.exe
PID 2216 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\srRTMxaDv9.exe
PID 2216 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\srRTMxaDv9.exe
PID 2216 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\amhost.exe
PID 2216 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\amhost.exe
PID 2216 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\amhost.exe
PID 2212 wrote to memory of 4048 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Users\Admin\sazab.exe
PID 2212 wrote to memory of 4048 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Users\Admin\sazab.exe
PID 2212 wrote to memory of 4048 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Users\Admin\sazab.exe
PID 2212 wrote to memory of 1556 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1556 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1556 N/A C:\Users\Admin\srRTMxaDv9.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1556 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1556 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4676 wrote to memory of 1656 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 4676 wrote to memory of 1656 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 4676 wrote to memory of 1656 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 4676 wrote to memory of 1656 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 4676 wrote to memory of 1656 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 4676 wrote to memory of 1656 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 4676 wrote to memory of 1656 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 4676 wrote to memory of 1656 N/A C:\Users\Admin\amhost.exe C:\Users\Admin\amhost.exe
PID 2216 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\bmhost.exe
PID 2216 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\bmhost.exe
PID 2216 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\bmhost.exe
PID 1788 wrote to memory of 3528 N/A C:\Users\Admin\bmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1788 wrote to memory of 3528 N/A C:\Users\Admin\bmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1788 wrote to memory of 3528 N/A C:\Users\Admin\bmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1788 wrote to memory of 3528 N/A C:\Users\Admin\bmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\cmhost.exe
PID 2216 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\cmhost.exe
PID 2216 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\cmhost.exe
PID 1552 wrote to memory of 4620 N/A C:\Users\Admin\cmhost.exe C:\Users\Admin\AppData\Local\9a2c62aa\X
PID 1552 wrote to memory of 4620 N/A C:\Users\Admin\cmhost.exe C:\Users\Admin\AppData\Local\9a2c62aa\X
PID 4620 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\9a2c62aa\X C:\Windows\explorer.exe
PID 4620 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\9a2c62aa\X C:\Windows\explorer.exe
PID 4620 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\9a2c62aa\X C:\Windows\explorer.exe
PID 1552 wrote to memory of 1976 N/A C:\Users\Admin\cmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 1976 N/A C:\Users\Admin\cmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 1976 N/A C:\Users\Admin\cmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 1976 N/A C:\Users\Admin\cmhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\dmhost.exe
PID 2216 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\dmhost.exe
PID 2216 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Users\Admin\dmhost.exe
PID 2216 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4476 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4476 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe"

C:\Users\Admin\srRTMxaDv9.exe

C:\Users\Admin\srRTMxaDv9.exe

C:\Users\Admin\sazab.exe

"C:\Users\Admin\sazab.exe"

C:\Users\Admin\amhost.exe

C:\Users\Admin\amhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del srRTMxaDv9.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\amhost.exe

amhost.exe

C:\Users\Admin\bmhost.exe

C:\Users\Admin\bmhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\cmhost.exe

C:\Users\Admin\cmhost.exe

C:\Users\Admin\AppData\Local\9a2c62aa\X

176.53.17.24:80

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\dmhost.exe

C:\Users\Admin\dmhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 13.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
TR 176.53.17.24:80 tcp
TR 176.53.17.24:80 tcp
TR 176.53.17.24:80 tcp
TR 176.53.17.24:80 tcp
TR 176.53.17.24:80 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp

Files

C:\Users\Admin\srRTMxaDv9.exe

MD5 57a5743f47b3a874773041195600909c
SHA1 74f5c16a6ca03baea7c684e40d351f1ec484a70d
SHA256 eecfb7541cf571d34882ebeb19c3c396ed53243e23060d45e1f1b033e061da90
SHA512 66c4621663db921b7a18b843197ea6611e9473abca6b2a653d1f228146129434a7f643f598e0fdfbe300f2ea91168135de59a69f02f52245c71f12e4364e2954

C:\Users\Admin\sazab.exe

MD5 15328499a2e83b063081d2cfd27faed6
SHA1 bf0a0fd4407935258ff9df51de7c1915901b92e2
SHA256 d4e38f4c3bd7b294298c4fda059da3035f2c3f9a5f59780d858fe666a2546b7b
SHA512 97c7fc7fadf0fa33ccce81bbc0662912bcfa0c75fee4b3f057bef602d7805e68835e13a9bb7c0befcabfbce2b8db7db5db3b2a47536c7559403db51f3fd30c84

C:\Users\Admin\amhost.exe

MD5 8ccbe4f27f9710f3e7f75e1d1de57e49
SHA1 272e95e476477cd4a1715ee0bcf32318e0351718
SHA256 3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d
SHA512 334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0

memory/1656-45-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1656-46-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1656-53-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1656-52-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1656-51-0x0000000000400000-0x000000000040E000-memory.dmp

memory/4676-50-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\bmhost.exe

MD5 2da0070a7c50f3a078b73b4fb7ee7c02
SHA1 999b4860a80b908622fadfc8fae27db66b200932
SHA256 f8a0f1b5b3f320f01173f151305dc780eac51bf78e7405fd2c0b9b3ba58945bf
SHA512 2d488508e785d92c5cf9f0abee8153d984d8dd8f1d59880643764f499e151fccc9572a9ad1fe0a82412b8ed230d25bd849a0beeded12325dc21839ed53512630

memory/1788-58-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\cmhost.exe

MD5 03102e4338eb16e0c4dfe106830557e3
SHA1 4fdb5baf0900e44e95acdeee1c947be3b0518b39
SHA256 7dd28bddc46daddc8f7e14906f50ef991d3d7f1ffb785388fb5c42be9e162139
SHA512 c7d4b4b3766c0b4cdc3d16f56effe1b36cacd4a48f728cf1a33360eb6c48362587186dc0be45f098cd3117bc10c7113d51262939bfe018c6f963b36d59cd97c9

C:\Users\Admin\AppData\Local\9a2c62aa\X

MD5 be40a2578e862f1cecc9b9194f524201
SHA1 0c379f375f9bcfab2e8d86161cec07fe4a7dbc12
SHA256 2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6
SHA512 25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8

memory/1552-73-0x0000000000400000-0x0000000000465C48-memory.dmp

memory/1552-80-0x0000000000400000-0x0000000000465C48-memory.dmp

C:\Users\Admin\dmhost.exe

MD5 e5a8cc5176a71d1fb82d8790db0c20f0
SHA1 6d0c76a9e94151d84241bdf99033524daf4346ed
SHA256 3b324891d70636e38cfc4c080a91fc83b387013af03ef9d2d6aa36376e1d6c8c
SHA512 ccbd5e3f98ff202c8a7753208d588bfef183eb37a6da3fbcf733dab0112408b1a05836ebbc24d6a17e9b72260ba9682e53628d20f130b10d8ec76cf9f1a51f9c