Malware Analysis Report

2025-08-10 22:41

Sample ID 250127-zm6xfswjar
Target JaffaCakes118_4391c55d26956c55b1792111e0291ffb
SHA256 5e34760cc73c5355d8295796562590ecae4529b3eb828be60a673adb6f40554b
Tags
discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

5e34760cc73c5355d8295796562590ecae4529b3eb828be60a673adb6f40554b

Threat Level: Likely malicious

The file JaffaCakes118_4391c55d26956c55b1792111e0291ffb was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Sets service image path in registry

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 20:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-28 09:11

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\light1.83\lpk.dll,#1

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hrl1160.tmp | N/A
N/A | N/A | C:\Windows\SysWOW64\zebhau.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\zebhau.exe | C:\Users\Admin\AppData\Local\Temp\hrl1160.tmp | N/A
File opened for modification | C:\Windows\SysWOW64\zebhau.exe | C:\Users\Admin\AppData\Local\Temp\hrl1160.tmp | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1272 set thread context of 2748 | N/A | C:\Windows\SysWOW64\zebhau.exe | C:\Windows\SysWOW64\svchost.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hrl1160.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\zebhau.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\light1.83\lpk.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\light1.83\lpk.dll,#1

C:\Users\Admin\AppData\Local\Temp\hrl1160.tmp

C:\Users\Admin\AppData\Local\Temp\hrl1160.tmp

C:\Windows\SysWOW64\zebhau.exe

C:\Windows\SysWOW64\zebhau.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2748 -ip 2748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 12

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.96.196.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\hrl1160.tmp

MD5 4b5b96093cdd0eb372be9a459b2bc27e
SHA1 6c36841cabbf00bb365bddede0897fcc6338e68f
SHA256 b3c425ac158293c36809f69d6c53cc4b77c6f14eb63c548320e280414ae7a4fa
SHA512 cba45a987e23452f630790ae620876916710ecda846e5300be0f399ed57bc994cfd594b0a638d217af7a611a5c7c3430f6369f47f3b72403f3eb2fdff0e033fe

memory/2748-7-0x0000000000400000-0x000000000040D000-memory.dmp

memory/4508-8-0x0000000000400000-0x000000000040CE58-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:53

Platform

win7-20241023-en

Max time kernel

142s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe"

Signatures

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BPFU\ImagePath = "C:\\Users\\Public\\Ypel\\Aimu.exe" | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Net.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe | N/A

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2260 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Windows\SysWOW64\Net.exe
PID 2260 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Windows\SysWOW64\Net.exe
PID 2260 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Windows\SysWOW64\Net.exe
PID 2260 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Windows\SysWOW64\Net.exe
PID 2260 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Windows\SysWOW64\Net.exe
PID 2260 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Windows\SysWOW64\Net.exe
PID 2260 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Windows\SysWOW64\Net.exe
PID 2616 wrote to memory of 2328 | N/A | C:\Windows\SysWOW64\Net.exe | C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2328 | N/A | C:\Windows\SysWOW64\Net.exe | C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2328 | N/A | C:\Windows\SysWOW64\Net.exe | C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2328 | N/A | C:\Windows\SysWOW64\Net.exe | C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2328 | N/A | C:\Windows\SysWOW64\Net.exe | C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2328 | N/A | C:\Windows\SysWOW64\Net.exe | C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2328 | N/A | C:\Windows\SysWOW64\Net.exe | C:\Windows\SysWOW64\net1.exe
PID 2260 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe
PID 2260 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe
PID 2260 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe
PID 2260 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe
PID 2260 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe
PID 2260 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe
PID 2260 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe

"C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe"

C:\Windows\SysWOW64\Net.exe

Net Stop PcaSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 Stop PcaSvc

C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe

C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\g8BF49\setup.ini

MD5 5e717774540f75a0b64e51f3746a1d76
SHA1 1c1255f0869892bb8837d7763b8eef24df593633
SHA256 3207b9643a165b6268db6303186d152efa592677837797ea5fd1f71553dd5598
SHA512 5bf4098275938796d11a7aff176103bff3448b0fd32a3b398b9f36f8c43aa94b15964b8496d7af795ea6fe23579eedfd0e23f67133a6409844beba113a72c7a0

C:\Users\Admin\AppData\Local\Temp\g8BF49\light_setup.exe

MD5 be55a91a726e2ad26293dde6eb1970a2
SHA1 64696a3fa96dcb9bea3aacc533a4b5c7eb7627aa
SHA256 191ffd48ea2a53472f662bff4d83e4b3a5bf544722de57c8e00b25b4225c32aa
SHA512 cbc55c1bbc15f0ced2ab19445d89d7d7953132d50a290d35c4aca5df5aba2c4c2fe85b6cef00db5978970ca3a52f4e98851ae16b9cfd90becf4c40ec6167dd43

C:\Users\Public\Ypel\Jwwu\Aohcn.dll

MD5 5224be6315e1747700bcff2ec7191c1e
SHA1 ee03a125c3f47948f2f2f3f13e51b50fb2870e01
SHA256 db6e89720418d699853a004eca4ef643b80e8f3349e68add4a1edfd482a5c489
SHA512 6c4445d885be8f425f074c41dacefe1abb79d75ca1e2d30970d7ba07680f5027d34e40a2d289164dbd83046961ddf87245c48427fd9383584a3c7ea6a5696424

C:\Users\Public\Ypel\Aimu.exe

MD5 027a6b8e19620e00ac4f3719e022b5ba
SHA1 8a7081fc6afa679a0237ad718fb763d685dbe327
SHA256 ae6ee3a125289bb3562b89b7014166db8c69ba81da10b69da61bcf30e1086480
SHA512 e9182116d8a9267c348ceae64a83f10724918e4657070c873a7d629a39f6f79bfca98fd676141071c9e4a24d627a80f83a46915dcbd4207791cd5c23c67487da

C:\Users\Public\Ypel\Pixua.exe

MD5 78d176cd101bec19c8e5a9ca23628509
SHA1 3cda6abc6d63062dade1162b1ddc72afdb107c79
SHA256 d02ba7536a0496150b457212e568cd5ad59c5d3d8c938a93201d28852259c317
SHA512 c58aa11951ddb8495092862c7d01beebd4337a47f2dccfcf8a81471983fd0b3c95c11cc1fde84056534ac92b11867f89a9267aeae7ca8feb883598cb6a47ef19

memory/2808-55-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2260-54-0x0000000000400000-0x00000000004AA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-28 09:11

Platform

win10v2004-20241007-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe"

Signatures

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BPFU\ImagePath = "C:\\Program Files\\Kcxa\\Oyat.exe" | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\g8DCC3\light_setup.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Kcxa\duzose.exe | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A
File created | C:\Program Files\Kcxa\kusoce.exe | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A
File created | C:\Program Files\Kcxa\nesvus\pat.xml | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A
File opened for modification | C:\Program Files\Kcxa\nesvus\pat.xml | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A
File created | C:\Program Files\Kcxa\nesvus\tucesv.dll | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A
File opened for modification | C:\Program Files\Kcxa\nesvus\tucesv.dll | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A
File opened for modification | C:\Program Files\Kcxa\duzose.exe | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A
File opened for modification | C:\Program Files\Kcxa\kusoce.exe | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\MSPat.xml | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\MSPat.xml | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\g8DCC3\light_setup.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\g8DCC3\light_setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\g8DCC3\light_setup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe

"C:\Users\Admin\AppData\Local\Temp\light1.83\light_setup.exe"

C:\Users\Admin\AppData\Local\Temp\g8DCC3\light_setup.exe

C:\Users\Admin\AppData\Local\Temp\g8DCC3\light_setup.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.96.196.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/4492-0-0x0000000002140000-0x0000000002141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\g8DCC3\setup.ini

MD5 5e717774540f75a0b64e51f3746a1d76
SHA1 1c1255f0869892bb8837d7763b8eef24df593633
SHA256 3207b9643a165b6268db6303186d152efa592677837797ea5fd1f71553dd5598
SHA512 5bf4098275938796d11a7aff176103bff3448b0fd32a3b398b9f36f8c43aa94b15964b8496d7af795ea6fe23579eedfd0e23f67133a6409844beba113a72c7a0

C:\Program Files\Kcxa\Oxrea.exe

MD5 7eec1e3c3e1ff6bfb43c2cbf65b91393
SHA1 b1e72cac40af7d4a7f4e3672b380c587b73aa1e0
SHA256 081b533f004ee405453ff1c209df899e307d5a847a969a1b34386f1ac157d4b4
SHA512 38328782fed00aca2d3eb67cd32fc1c91a8cc5d4d721cc1d36523212ee3aef6c086882ebf45cf794776fe83aebaec8dcf7ac390aacf35ae3f8617fe02e1295a1

C:\Program Files\Kcxa\Oyat.exe

MD5 750651b3564c00a3d983a1ad124cb250
SHA1 2935192a6c82ce294beb85800c656712af5262f9
SHA256 2fd7950fb206bb482629871d66be07d69ff46457adc363b9f2ea00f599f92efe
SHA512 a0267a0380388db235d8e0300e055120f48f308f539a4bfc57b97aaa4b48b62086ca842ab862cd541d89a8094ebf7c5b96ab3585fe6f6d648445cf2e991abda4

C:\Program Files\Kcxa\Jomtr\Nvez.dll

MD5 5a69f8d867d35369f077e4dba2bc7985
SHA1 4bf504712b89829cd5719658fa4d56afedeff18d
SHA256 b0faabe0014b6d916dad58752d8402d7d87b52c1b678634a1d1d3bec88fa1a32
SHA512 3921761e70f5b45f426f76b48156c868fd56277ce9eb75016539477b5c92410a075944cb5c2c20110ce32721eecbb1c15e7172928efc104850d3016200fe4300

C:\Program Files\Kcxa\Jomtr\pat.xml

MD5 73c433f44adc08aff21560458cd24351
SHA1 03410ba18d909999c0883814c44a60757eb59bd9
SHA256 f70d57995c3ed5bad83d723e921f31618d5d6072ad5f785aa14ab16e710804f4
SHA512 03bb5a7e10498841ed8f8bedee5bf088e18b1e7e4e91df731bc5034b6a88716707fa71812a8d5410e6fef46daeda44e3166d24157a1f010a07e2fa8f736576bb

C:\Users\Admin\AppData\Local\Temp\g8DCC3\light_setup.exe

MD5 be55a91a726e2ad26293dde6eb1970a2
SHA1 64696a3fa96dcb9bea3aacc533a4b5c7eb7627aa
SHA256 191ffd48ea2a53472f662bff4d83e4b3a5bf544722de57c8e00b25b4225c32aa
SHA512 cbc55c1bbc15f0ced2ab19445d89d7d7953132d50a290d35c4aca5df5aba2c4c2fe85b6cef00db5978970ca3a52f4e98851ae16b9cfd90becf4c40ec6167dd43

memory/4492-46-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/728-47-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4492-48-0x0000000002140000-0x0000000002141000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-27 20:51

Reported

2025-01-27 20:53

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\light1.83\lpk.dll,#1

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hrlFB30.tmp | N/A
N/A | N/A | C:\Windows\SysWOW64\zmxrwm.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\zmxrwm.exe | C:\Users\Admin\AppData\Local\Temp\hrlFB30.tmp | N/A
File opened for modification | C:\Windows\SysWOW64\zmxrwm.exe | C:\Users\Admin\AppData\Local\Temp\hrlFB30.tmp | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2788 set thread context of 2680 | N/A | C:\Windows\SysWOW64\zmxrwm.exe | C:\Windows\SysWOW64\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\zmxrwm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2124 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\hrlFB30.tmp
PID 2120 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\hrlFB30.tmp
PID 2120 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\hrlFB30.tmp
PID 2120 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\hrlFB30.tmp
PID 2788 wrote to memory of 2680 | N/A | C:\Windows\SysWOW64\zmxrwm.exe | C:\Windows\SysWOW64\svchost.exe
PID 2788 wrote to memory of 2680 | N/A | C:\Windows\SysWOW64\zmxrwm.exe | C:\Windows\SysWOW64\svchost.exe
PID 2788 wrote to memory of 2680 | N/A | C:\Windows\SysWOW64\zmxrwm.exe | C:\Windows\SysWOW64\svchost.exe
PID 2788 wrote to memory of 2680 | N/A | C:\Windows\SysWOW64\zmxrwm.exe | C:\Windows\SysWOW64\svchost.exe
PID 2788 wrote to memory of 2680 | N/A | C:\Windows\SysWOW64\zmxrwm.exe | C:\Windows\SysWOW64\svchost.exe
PID 2788 wrote to memory of 2680 | N/A | C:\Windows\SysWOW64\zmxrwm.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\light1.83\lpk.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\light1.83\lpk.dll,#1

C:\Users\Admin\AppData\Local\Temp\hrlFB30.tmp

C:\Users\Admin\AppData\Local\Temp\hrlFB30.tmp

C:\Windows\SysWOW64\zmxrwm.exe

C:\Windows\SysWOW64\zmxrwm.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\hrlFB30.tmp

MD5 4b5b96093cdd0eb372be9a459b2bc27e
SHA1 6c36841cabbf00bb365bddede0897fcc6338e68f
SHA256 b3c425ac158293c36809f69d6c53cc4b77c6f14eb63c548320e280414ae7a4fa
SHA512 cba45a987e23452f630790ae620876916710ecda846e5300be0f399ed57bc994cfd594b0a638d217af7a611a5c7c3430f6369f47f3b72403f3eb2fdff0e033fe

memory/2680-16-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2680-14-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2680-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2784-17-0x0000000000400000-0x000000000040CE58-memory.dmp