Analysis
max time kernel: 126s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 10:57
Static task: static1
Behavioral task: behavioral1
  Sample: 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Size: 7.2MB
MD5: 1b07681e664e306e849cfac378fd5c36
SHA1: 18c2aa65af42a6c17826e65b2d11e7a8da15555b
SHA256: edc505c4629a550f9356a06ce7f24bfffca9a39b0dd98da8234b1366b1ec5520
SHA512: e38280a95ea0979c54d4832ece66ab7841dc8f8489c5e7a72846e4f733ed60ba8121d0b3ee6dc711936cec54d12c267d1d25923e7bddc97785b57d531d73e97e
SSDEEP: 196608:BuezwW++1nerHAOdMF69hTmo/7H4gsQ6hAady5q0V+amY:9zw5+crHALF69hTmO7DsVEqVax
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage (5 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1984-15-0x0000000000400000-0x000000000042C000-memory.dmp | modiloader_stage2
behavioral1/memory/1984-14-0x0000000000400000-0x000000000042C000-memory.dmp | modiloader_stage2
behavioral1/memory/1984-13-0x0000000000400000-0x000000000042C000-memory.dmp | modiloader_stage2
behavioral1/memory/1984-12-0x0000000000400000-0x000000000042C000-memory.dmp | modiloader_stage2
behavioral1/memory/1984-33-0x0000000000400000-0x000000000042C000-memory.dmp | modiloader_stage2
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: server.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Spy-Net = "C:\\Windows\\system32\\Spy-Net\\server.exe" | server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Spy-Net = "C:\\Windows\\system32\\Spy-Net\\server.exe" | server.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: server.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5NLKV6XC-S1B7-TJSO-6LNB-6004J6415IFR} | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5NLKV6XC-S1B7-TJSO-6LNB-6004J6415IFR}\StubPath = "C:\\Windows\\system32\\Spy-Net\\server.exe Restart" | server.exe
Executes dropped EXE (64 IoCs)
Processes:
pid | process
2732 | server.exe
2820 | server.exe
2444 | server.exe
2480 | server.exe
2772 | server.exe
804 | Updater.exe
296 | Updater.exe
2000 | Updater.exe
2676 | Updater.exe
1540 | Updater.exe
2848 | Updater.exe
2896 | Updater.exe
1028 | Updater.exe
1860 | SpywareCease_Setup.exe
2104 | server.exe
1500 | server.exe
848 | Updater.exe
1712 | steal.exe
1324 | Updater.exe
916 | Updater.exe
3304 | server.exe
3016 | server.exe
2724 | SpywareCease_Setup.tmp
2400 | server.exe
624 | Updater.exe
1824 | server.exe
3312 | server.exe
384 | server.exe
948 | Updater.exe
4020 | server.exe
2484 | server.exe
1220 | server.exe
2512 | server.exe
2728 | server.exe
4132 | Updater.exe
4224 | server.exe
3332 | Updater.exe
4332 | Updater.exe
4932 | Updater.exe
1604 | server.exe
3856 | Updater.exe
4364 | Updater.exe
4960 | Updater.exe
3408 | Updater.exe
5024 | Updater.exe
3228 | Updater.exe
4600 | Updater.exe
4656 | Updater.exe
2336 | server.exe
1968 | server.exe
1196 | server.exe
2340 | server.exe
2592 | server.exe
996 | server.exe
3340 | server.exe
3520 | server.exe
3580 | server.exe
3796 | server.exe
4188 | server.exe
4376 | Updater.exe
4972 | Updater.exe
3828 | Updater.exe
2104 | Updater.exe
4128 | server.exe
Loads dropped DLL (64 IoCs)
Processes:
pid | process
1984 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
1984 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2732 | server.exe
2684 | regsvr32.exe
2772 | server.exe
2588 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
804 | Updater.exe
804 | Updater.exe
804 | Updater.exe
296 | Updater.exe
296 | Updater.exe
296 | Updater.exe
296 | Updater.exe
2000 | Updater.exe
2000 | Updater.exe
2000 | Updater.exe
804 | Updater.exe
2676 | Updater.exe
2676 | Updater.exe
2676 | Updater.exe
296 | Updater.exe
1540 | Updater.exe
1540 | Updater.exe
1540 | Updater.exe
296 | Updater.exe
804 | Updater.exe
2896 | Updater.exe
2896 | Updater.exe
2896 | Updater.exe
804 | Updater.exe
2856 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2444 | server.exe
2444 | server.exe
2444 | server.exe
804 | Updater.exe
2856 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2856 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
296 | Updater.exe
804 | Updater.exe
1540 | Updater.exe
1540 | Updater.exe
1540 | Updater.exe
848 | Updater.exe
848 | Updater.exe
848 | Updater.exe
1860 | SpywareCease_Setup.exe
1324 | Updater.exe
1324 | Updater.exe
1324 | Updater.exe
916 | Updater.exe
916 | Updater.exe
916 | Updater.exe
916 | Updater.exe
3304 | server.exe
3304 | server.exe
3304 | server.exe
3304 | server.exe
296 | Updater.exe
3304 | server.exe
3304 | server.exe
3304 | server.exe
2724 | SpywareCease_Setup.tmp
2724 | SpywareCease_Setup.tmp
624 | Updater.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource | yara_rule
behavioral1/memory/2232-99-0x0000000000260000-0x000000000026D000-memory.dmp | upx
behavioral1/memory/2232-87-0x0000000010740000-0x00000000107C2000-memory.dmp | upx
behavioral1/memory/2232-103-0x0000000000270000-0x000000000027D000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: server.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\medax = "C:\\Windows\\system32\\Spy-Net\\server.exe" | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\medax = "C:\\Windows\\system32\\Spy-Net\\server.exe" | server.exe
Drops file in System32 directory (30 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\server.exe | Updater.exe
File created | C:\Windows\SysWOW64\Updater.exe | Updater.exe
File created | C:\Windows\SysWOW64\Spy-Net\server.exe | server.exe
File created | C:\Windows\SysWOW64\server.exe | Updater.exe
File created | C:\Windows\SysWOW64\server.exe | server.exe
File created | C:\Windows\SysWOW64\server.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\Spy-Net\logs.dat | server.exe
File created | C:\Windows\SysWOW64\server.exe | server.exe
File created | C:\Windows\SysWOW64\server.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\Spy-Net\server.exe | server.exe
File created | C:\Windows\SysWOW64\Updater.exe | server.exe
File created | C:\Windows\SysWOW64\Updater.exe | Updater.exe
File created | C:\Windows\SysWOW64\Updater.exe | Updater.exe
File created | C:\Windows\SysWOW64\Updater.exe | server.exe
File created | C:\Windows\SysWOW64\server.exe | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mswinsck.ocx | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Spy-Net\ | server.exe
File created | C:\Windows\SysWOW64\Updater.exe | server.exe
File created | C:\Windows\SysWOW64\Updater.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\Spy-Net\plugin.dat | server.exe
File created | C:\Windows\SysWOW64\Spy-Net\logs.dat | server.exe
File created | C:\Windows\SysWOW64\server.exe | Updater.exe
File opened for modification | C:\Windows\SysWOW64\server.exe | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
File created | \??\c:\WINDOWS\SysWOW64\homepage.txt | steal.exe
File created | C:\Windows\SysWOW64\server.exe | server.exe
File created | C:\Windows\SysWOW64\server.exe | Updater.exe
File created | C:\Windows\SysWOW64\Spy-Net\plugin.dat | server.exe
File created | C:\Windows\SysWOW64\server.exe | Updater.exe
File created | C:\Windows\SysWOW64\Updater.exe | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Updater.exe | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Suspicious use of SetThreadContext (64 IoCs)
Processes:
description | process | target process
PID 2856 set thread context of 2768 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 set thread context of 1984 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 set thread context of 1244 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 set thread context of 2588 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2732 set thread context of 2820 | server.exe | server.exe
PID 2732 set thread context of 2444 | server.exe | server.exe
PID 2732 set thread context of 2480 | server.exe | server.exe
PID 2856 set thread context of 2232 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2732 set thread context of 2772 | server.exe | server.exe
PID 296 set thread context of 2000 | Updater.exe | Updater.exe
PID 804 set thread context of 2676 | Updater.exe | Updater.exe
PID 296 set thread context of 1540 | Updater.exe | Updater.exe
PID 296 set thread context of 2848 | Updater.exe | Updater.exe
PID 804 set thread context of 2896 | Updater.exe | Updater.exe
PID 804 set thread context of 1028 | Updater.exe | Updater.exe
PID 2732 set thread context of 2104 | server.exe | server.exe
PID 804 set thread context of 848 | Updater.exe | Updater.exe
PID 296 set thread context of 1324 | Updater.exe | Updater.exe
PID 804 set thread context of 916 | Updater.exe | Updater.exe
PID 1500 set thread context of 2400 | server.exe | server.exe
PID 1500 set thread context of 1824 | server.exe | server.exe
PID 1500 set thread context of 3312 | server.exe | server.exe
PID 3304 set thread context of 384 | server.exe | server.exe
PID 296 set thread context of 948 | Updater.exe | Updater.exe
PID 1500 set thread context of 4020 | server.exe | server.exe
PID 3304 set thread context of 2484 | server.exe | server.exe
PID 3304 set thread context of 1220 | server.exe | server.exe
PID 3304 set thread context of 2512 | server.exe | server.exe
PID 1500 set thread context of 2728 | server.exe | server.exe
PID 4132 set thread context of 4332 | Updater.exe | Updater.exe
PID 3332 set thread context of 4932 | Updater.exe | Updater.exe
PID 3304 set thread context of 1604 | server.exe | server.exe
PID 4132 set thread context of 3856 | Updater.exe | Updater.exe
PID 4132 set thread context of 4364 | Updater.exe | Updater.exe
PID 3332 set thread context of 4960 | Updater.exe | Updater.exe
PID 3332 set thread context of 3408 | Updater.exe | Updater.exe
PID 4132 set thread context of 3228 | Updater.exe | Updater.exe
PID 3332 set thread context of 5024 | Updater.exe | Updater.exe
PID 3332 set thread context of 4600 | Updater.exe | Updater.exe
PID 4132 set thread context of 4656 | Updater.exe | Updater.exe
PID 2336 set thread context of 1968 | server.exe | server.exe
PID 2336 set thread context of 1196 | server.exe | server.exe
PID 2336 set thread context of 2340 | server.exe | server.exe
PID 2336 set thread context of 996 | server.exe | server.exe
PID 2592 set thread context of 3340 | server.exe | server.exe
PID 2592 set thread context of 3520 | server.exe | server.exe
PID 2592 set thread context of 3580 | server.exe | server.exe
PID 2592 set thread context of 3796 | server.exe | server.exe
PID 2336 set thread context of 4188 | server.exe | server.exe
PID 4376 set thread context of 4972 | Updater.exe | Updater.exe
PID 4376 set thread context of 3828 | Updater.exe | Updater.exe
PID 4376 set thread context of 2104 | Updater.exe | Updater.exe
PID 2592 set thread context of 4128 | server.exe | server.exe
PID 4376 set thread context of 3648 | Updater.exe | Updater.exe
PID 4360 set thread context of 4980 | Updater.exe | Updater.exe
PID 4360 set thread context of 3912 | Updater.exe | Updater.exe
PID 4360 set thread context of 3952 | Updater.exe | Updater.exe
PID 4360 set thread context of 1288 | Updater.exe | Updater.exe
PID 4376 set thread context of 2584 | Updater.exe | Updater.exe
PID 3196 set thread context of 4984 | server.exe | server.exe
PID 4360 set thread context of 488 | Updater.exe | Updater.exe
PID 3196 set thread context of 2728 | server.exe | server.exe
PID 3196 set thread context of 3896 | server.exe | server.exe
PID 2528 set thread context of 2736 | server.exe | server.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
Processes:
pid | pid_target | process | target process
3376 | 1712 | WerFault.exe | steal.exe
1544 | 3016 | WerFault.exe | server.exe
Modifies registry class (64 IoCs)
Processes: regsvr32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx, 1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\ | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx" | regsvr32.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
pid | process
2444 | server.exe
2232 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2232 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
1540 | Updater.exe
2104 | server.exe
916 | Updater.exe
1712 | steal.exe
1712 | steal.exe
1712 | steal.exe
948 | Updater.exe
948 | Updater.exe
2728 | server.exe
2896 | Updater.exe
3856 | Updater.exe
4960 | Updater.exe
1824 | server.exe
2484 | server.exe
1196 | server.exe
3828 | Updater.exe
3520 | server.exe
Suspicious use of AdjustPrivilegeToken (40 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2232 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Token: SeDebugPrivilege | 2232 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Token: SeDebugPrivilege | 2232 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Token: SeDebugPrivilege | 2232 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Token: SeDebugPrivilege | 2104 | server.exe
Token: SeDebugPrivilege | 2104 | server.exe
Token: SeDebugPrivilege | 916 | Updater.exe
Token: SeDebugPrivilege | 916 | Updater.exe
Token: SeRestorePrivilege | 916 | Updater.exe
Token: SeBackupPrivilege | 916 | Updater.exe
Token: SeDebugPrivilege | 948 | Updater.exe
Token: SeDebugPrivilege | 948 | Updater.exe
Token: SeDebugPrivilege | 2728 | server.exe
Token: SeDebugPrivilege | 2728 | server.exe
Token: SeDebugPrivilege | 948 | Updater.exe
Token: SeDebugPrivilege | 948 | Updater.exe
Token: SeDebugPrivilege | 3016 | server.exe
Token: SeDebugPrivilege | 3016 | server.exe
Token: SeDebugPrivilege | 1604 | server.exe
Token: SeDebugPrivilege | 1604 | server.exe
Token: SeDebugPrivilege | 4600 | Updater.exe
Token: SeDebugPrivilege | 4600 | Updater.exe
Token: SeDebugPrivilege | 4656 | Updater.exe
Token: SeDebugPrivilege | 4656 | Updater.exe
Token: SeDebugPrivilege | 4188 | server.exe
Token: SeDebugPrivilege | 4188 | server.exe
Token: SeDebugPrivilege | 4128 | server.exe
Token: SeDebugPrivilege | 4128 | server.exe
Token: SeDebugPrivilege | 2584 | Updater.exe
Token: SeDebugPrivilege | 2584 | Updater.exe
Token: SeDebugPrivilege | 488 | Updater.exe
Token: SeDebugPrivilege | 488 | Updater.exe
Token: SeDebugPrivilege | 4760 | server.exe
Token: SeDebugPrivilege | 4760 | server.exe
Token: SeDebugPrivilege | 4712 | server.exe
Token: SeDebugPrivilege | 4712 | server.exe
Token: SeDebugPrivilege | 3356 | Updater.exe
Token: SeDebugPrivilege | 3356 | Updater.exe
Token: SeDebugPrivilege | 3512 | Updater.exe
Token: SeDebugPrivilege | 3512 | Updater.exe
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes:
pid | process
2588 | 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2772 | server.exe
848 | Updater.exe
1324 | Updater.exe
4020 | server.exe
2512 | server.exe
5024 | Updater.exe
3228 | Updater.exe
996 | server.exe
3796 | server.exe
3648 | Updater.exe
1288 | Updater.exe
2600 | server.exe
3744 | server.exe
4860 | Updater.exe
3916 | Updater.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeserver.exedescription pid process target process PID 2856 wrote to memory of 2768 2856 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe PID 2856 wrote to memory of 2768 2856 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe PID 2856 wrote to memory of 2768 2856 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe PID 2856 wrote to memory of 2768 2856 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe PID 2856 wrote to memory of 2768 2856 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe PID 2856 wrote to memory of 2768 2856 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe PID 2856 wrote to memory of 1984 2856 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe PID 2856 wrote to memory of 1984 2856 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe PID 2856 wrote to memory of 1984 2856 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe PID 2856 wrote to memory of 1984 2856 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe PID 2856 wrote to memory of 1984 2856 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe PID 2856 wrote to memory of 1984 2856 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe PID 2856 wrote to memory of 1244 2856 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe 
1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
- PID 2856 (1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe) wrote to memory of PID 1244 (1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe): 5 calls
- PID 1984 (1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe) wrote to memory of PID 2732 (server.exe): 4 calls
- PID 2856 (1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe) wrote to memory of PID 2588 (1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe): 6 calls
- PID 2588 (1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe) wrote to memory of PID 2684 (regsvr32.exe): 7 calls
- PID 2732 (server.exe) wrote to memory of PID 2820 (server.exe): 6 calls
- PID 2732 (server.exe) wrote to memory of PID 2444 (server.exe): 6 calls
- PID 2732 (server.exe) wrote to memory of PID 2480 (server.exe): 6 calls
- PID 2856 (1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe) wrote to memory of PID 2232 (1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe): 6 calls
- PID 2732 (server.exe) wrote to memory of PID 2772 (server.exe): 5 calls
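The Wri­teProcessMemory table above is the raw injection record. What matters for triage is the shape of the graph it describes: which PIDs write into a process running their own image (self-injection, which together with the SetThreadContext indicator on the same processes in the tree is the create-suspended, overwrite, set-context, resume hollowing sequence) and which write into a different image such as regsvr32.exe. The Python below is an added example, not part of the report or of any sandbox tooling. It parses an excerpt in the raw per-call form the export uses (constructed here from the first few entries on this page) and collapses it into counted edges and root-to-leaf PID chains.

```python
import re
from collections import Counter

# Constructed excerpt in the run-together form of the report's WriteProcessMemory table:
# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>", one per call.
SAMPLE = "1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe"
WPM_EXCERPT = (
    f"PID 2856 wrote to memory of 1244 2856 {SAMPLE} {SAMPLE} "
    f"PID 2856 wrote to memory of 1244 2856 {SAMPLE} {SAMPLE} "
    f"PID 1984 wrote to memory of 2732 1984 {SAMPLE} server.exe "
    f"PID 2856 wrote to memory of 2588 2856 {SAMPLE} {SAMPLE} "
    f"PID 2588 wrote to memory of 2684 2588 {SAMPLE} regsvr32.exe "
    f"PID 2732 wrote to memory of 2820 2732 server.exe server.exe"
)

# The writer PID is repeated after the target PID, so \1 pins both halves of one entry together.
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_wpm_events(text):
    """One (writer_pid, target_pid, writer_image, target_image) tuple per WriteProcessMemory call."""
    return [(int(w), int(t), wi, ti) for w, t, wi, ti in EVENT_RE.findall(text)]


def summarize_injections(events):
    """Collapse repeated calls into one edge per (writer, target) with a call count and a label.

    'self'  : writer and target run the same image. With the SetThreadContext indicator the
              tree shows on the same processes, this is the hollowing sequence (spawn a copy of
              yourself suspended, overwrite its image, set the entry point, resume).
    'cross' : writer targets a different image (a dropped payload, or a system binary such as
              regsvr32.exe that then carries the injected code).
    """
    counts = Counter(events)
    return [
        {"writer": w, "target": t, "writer_image": wi, "target_image": ti,
         "calls": n, "kind": "self" if wi == ti else "cross"}
        for (w, t, wi, ti), n in counts.items()
    ]


def injection_paths(edges):
    """Root-to-leaf PID chains through the injection graph, e.g. 2856 -> 2588 -> 2684: the
    sample overwrites a copy of itself, and that copy in turn writes into regsvr32.exe."""
    children = {}
    for e in edges:
        children.setdefault(e["writer"], []).append(e["target"])
    targets = {e["target"] for e in edges}
    paths = []

    def walk(pid, path):
        if pid not in children:
            paths.append(path)
            return
        for nxt in children[pid]:
            if nxt not in path:  # malformed input could contain a cycle; do not loop on it
                walk(nxt, path + [nxt])

    for root in [p for p in children if p not in targets]:
        walk(root, [root])
    return paths


if __name__ == "__main__":
    edges = summarize_injections(parse_wpm_events(WPM_EXCERPT))
    for e in edges:
        print(f"{e['writer']} ({e['writer_image']}) -> {e['target']} ({e['target_image']}): "
              f"{e['calls']} call(s), {e['kind']}")
    for p in injection_paths(edges):
        print(" -> ".join(str(pid) for pid in p))
```

Run against the full table on this page the same code yields two roots (2856 and 1984), which is consistent with the tree: the sample hollows copies of itself and one of those copies drives regsvr32.exe, while the dropped server.exe hollows its own copies in turn.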
Processes (tree depth in brackets; image path | command line)
- [1] C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe
- [1] C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- [1] C:\Windows\system32\wininit.exe | wininit.exe
  - [2] C:\Windows\system32\services.exe | C:\Windows\system32\services.exe
    - [3] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch
    - [3] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS
    - [3] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    - [3] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      - [4] C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe"
    - [3] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs
    - [3] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService
    - [3] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService
    - [3] C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
    - [3] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    - [3] C:\Windows\system32\taskhost.exe | "taskhost.exe"
    - [3] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    - [3] C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe
  - [2] C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
  - [2] C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe
- [1] C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- [1] C:\Windows\system32\winlogon.exe | winlogon.exe
- [1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
    - [3] C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\server.exe | "C:\Windows\system32\server.exe" \melt "C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\server.exe | C:\Windows\SysWOW64\server.exe
          - Executes dropped EXE
        - [5] C:\Windows\SysWOW64\server.exe | C:\Windows\SysWOW64\server.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - [6] C:\Users\Admin\AppData\Roaming\server.exe | "C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\server.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - [7] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
              - Executes dropped EXE
            - [7] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - [8] C:\Users\Admin\AppData\Roaming\server.exe | "C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
                - Suspicious use of SetThreadContext
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                  - Suspicious use of SetWindowsHookEx
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                  - Suspicious use of AdjustPrivilegeToken
            - [7] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
              - Executes dropped EXE
            - [7] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of SetWindowsHookEx
              - [8] C:\Windows\SysWOW64\Updater.exe | C:\Windows\system32\Updater.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - [9] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                  - Executes dropped EXE
                - [9] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                  - Executes dropped EXE
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - [10] C:\Users\Admin\AppData\Roaming\server.exe | "C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
                    - Suspicious use of SetThreadContext
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                      - Drops file in System32 directory
                      - Suspicious use of SetWindowsHookEx
                      - [12] C:\Windows\SysWOW64\Updater.exe | C:\Windows\system32\Updater.exe
                        - [13] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                        - [13] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                        - [13] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                        - [13] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                          - Drops file in System32 directory
                          - Suspicious use of SetWindowsHookEx
                          - [14] C:\Windows\SysWOW64\Updater.exe | C:\Windows\system32\Updater.exe
                            - [15] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                            - [15] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                            - [15] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                            - [15] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                              - Suspicious use of SetWindowsHookEx
                            - [15] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                              - Suspicious use of AdjustPrivilegeToken
                        - [13] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                          - Suspicious use of AdjustPrivilegeToken
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                      - Suspicious use of AdjustPrivilegeToken
                - [9] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                  - Executes dropped EXE
                - [9] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx
                - [9] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
            - [7] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - [8] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                - Executes dropped EXE
        - [5] C:\Windows\SysWOW64\server.exe | C:\Windows\SysWOW64\server.exe
          - Executes dropped EXE
        - [5] C:\Windows\SysWOW64\server.exe | C:\Windows\SysWOW64\server.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious use of SetWindowsHookEx
          - [6] C:\Windows\SysWOW64\Updater.exe | C:\Windows\system32\Updater.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - [7] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
              - Executes dropped EXE
              - Loads dropped DLL
            - [7] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - [8] C:\Users\Admin\AppData\Roaming\server.exe | "C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                  - Executes dropped EXE
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                  - Executes dropped EXE
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - [10] C:\Users\Admin\AppData\Roaming\server.exe | "C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                      - [12] C:\Windows\SysWOW64\Updater.exe | C:\Windows\system32\Updater.exe
                        - [13] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                        - [13] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                        - [13] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                        - [13] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                  - Executes dropped EXE
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
            - [7] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
              - Executes dropped EXE
            - [7] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
            - [7] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\SysWOW64\server.exe | C:\Windows\SysWOW64\server.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\SysWOW64\server.exe | C:\Windows\SysWOW64\server.exe
            - Adds policy Run key to start application
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious use of AdjustPrivilegeToken
            - [7] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 688
              - Program crash
    - [3] C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
    - [3] C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s "C:\Windows\system32\mswinsck.ocx"
        - Loads dropped DLL
        - Modifies registry class
      - [4] C:\Windows\SysWOW64\Updater.exe | C:\Windows\system32\Updater.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - [5] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
          - Executes dropped EXE
          - Loads dropped DLL
        - [5] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - [6] C:\Users\Admin\AppData\Roaming\server.exe | "C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - [7] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
              - Executes dropped EXE
            - [7] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - [8] C:\Users\Admin\AppData\Roaming\server.exe | "C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
            - [7] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
              - Executes dropped EXE
            - [7] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of SetWindowsHookEx
              - [8] C:\Windows\SysWOW64\Updater.exe | C:\Windows\system32\Updater.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - [9] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                  - Executes dropped EXE
                - [9] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                  - Executes dropped EXE
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - [10] C:\Users\Admin\AppData\Roaming\server.exe | "C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                - [9] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                  - Executes dropped EXE
                - [9] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                  - Drops file in System32 directory
                  - Suspicious use of SetWindowsHookEx
                  - [10] C:\Windows\SysWOW64\Updater.exe | C:\Windows\system32\Updater.exe
                    - Suspicious use of SetThreadContext
                    - [11] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                    - [11] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                      - [12] C:\Users\Admin\AppData\Roaming\server.exe | "C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
                    - [11] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                    - [11] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                      - Suspicious use of SetWindowsHookEx
                    - [11] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                      - Suspicious use of AdjustPrivilegeToken
                - [9] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
                  - Suspicious use of AdjustPrivilegeToken
            - [7] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
          - Executes dropped EXE
        - [5] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious use of SetWindowsHookEx
          - [6] C:\Windows\SysWOW64\Updater.exe | C:\Windows\system32\Updater.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - [7] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
              - Executes dropped EXE
            - [7] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - [8] C:\Users\Admin\AppData\Roaming\server.exe | "C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                  - Executes dropped EXE
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                  - Executes dropped EXE
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - [10] C:\Users\Admin\AppData\Roaming\server.exe | "C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                    - [11] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                  - Executes dropped EXE
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx
                - [9] C:\Users\Admin\AppData\Roaming\server.exe | C:\Users\Admin\AppData\Roaming\server.exe
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
            - [7] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
              - Executes dropped EXE
            - [7] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            - [7] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\SysWOW64\Updater.exe | C:\Windows\SysWOW64\Updater.exe
            - Executes dropped EXE
            - Loads dropped DLL
    - [3] C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe"
      - [4] C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
    - [3] C:\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe | "C:\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - [4] C:\Users\Admin\AppData\Local\Temp\is-69SAJ.tmp\SpywareCease_Setup.tmp | "C:\Users\Admin\AppData\Local\Temp\is-69SAJ.tmp\SpywareCease_Setup.tmp" /SL5="$301CA,5942796,78848,C:\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe"
        - Executes dropped EXE
        - Loads dropped DLL
    - [3] C:\Users\Admin\AppData\Roaming\steal.exe | "C:\Users\Admin\AppData\Roaming\steal.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - [4] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 548
        - Program crash
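The sandbox's raw tree export runs the image path, the command line and the nesting depth together with no separator, which makes the tree easy to misread when copied out of the page. The Python below is an added example, not part of the report or of the sandbox: it rebuilds the tree from a condensed excerpt in that raw form (constructed from lines on this page, with the regsvr32 and installer branches placed under one parent to keep it short) and then pulls out the three observations worth recording from this tree. First, every `\melt "<path>"` launch: the freshly dropped copy is handed the file it was copied from, so each melt edge documents where the binary came from before it deleted it. Second, every parent tagged SetThreadContext whose child runs the parent's own image, which is the same hollowing pattern the WriteProcessMemory table shows. Third, every process whose image sits in SysWOW64 while its command line says system32: the 32-bit process wrote to "system32" and WOW64 file-system redirection placed the file in SysWOW64, which is why the dropped-file list reports C:\Windows\SysWOW64\server.exe and mswinsck.ocx. The rule used to split the depth digit off the command line (a node is at most one level deeper than the line before it) is my assumption about the export format, not something the report states.

```python
import re

# Constructed, condensed excerpt of the tree in the report's glued form:
# "<image path><command line><depth>⤵", then one "- <indicator>" line per behaviour tag.
SAMPLE_TREE = r'''
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 MaxRequestThreads=161⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\server.exe"C:\Windows\system32\server.exe" \melt "C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\server.exeC:\Windows\SysWOW64\server.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 6886⤵
- Program crash
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Windows\system32\mswinsck.ocx"4⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe"C:\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-69SAJ.tmp\SpywareCease_Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-69SAJ.tmp\SpywareCease_Setup.tmp" /SL5="$301CA,5942796,78848,C:\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe"4⤵
'''

# Image path = shortest prefix ending in .exe/.tmp that is followed by something a command line
# can start with (a quote, a drive letter, \SystemRoot, an env var, or a bare "name.exe").
# The look-ahead matters because a directory can also end in .tmp (is-69SAJ.tmp\... above).
LINE_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\.*?\.(?:exe|tmp))'
    r'(?P<cmd>(?:"|[A-Za-z]:\\|\\SystemRoot|%|[\w.-]+\.exe).*?)'
    r'(?P<digits>\d+)⤵$',
    re.IGNORECASE,
)


def split_depth(digits, prev_depth):
    """The depth is glued to the end of the command line, so '...=161' could be '=16' at depth 1
    or '=1' at depth 61. Assumption (mine, not stated by the report): a node is at most one level
    deeper than the previous line, so take the two-digit reading when it is a legal depth and
    the one-digit reading otherwise."""
    for n in (2, 1):
        if len(digits) >= n and 1 <= int(digits[-n:]) <= prev_depth + 1:
            return digits[:-n], int(digits[-n:])
    raise ValueError(f"no legal depth in {digits!r} after depth {prev_depth}")


def parse_tree(text):
    """Rebuild the tree: each node has image, cmd, depth, parent index, child indices and tags."""
    nodes, stack, prev_depth = [], [], 0  # stack[i] = index of the current node at depth i+1
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "-":
            continue
        if line.startswith("- "):
            nodes[-1]["tags"].append(line[2:])
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised process line: " + line)
        tail, depth = split_depth(m["digits"], prev_depth)
        idx, parent = len(nodes), (stack[depth - 2] if depth > 1 else None)
        nodes.append({"image": m["image"], "cmd": m["cmd"] + tail, "depth": depth,
                      "parent": parent, "children": [], "tags": []})
        if parent is not None:
            nodes[parent]["children"].append(idx)
        del stack[depth - 1:]
        stack.append(idx)
        prev_depth = depth
    return nodes


def melt_targets(nodes):
    """(dropped copy, file it was told to delete) for every '\\melt "<path>"' launch."""
    hits = []
    for n in nodes:
        m = re.search(r'\\melt "([^"]+)"', n["cmd"])
        if m:
            hits.append((n["image"], m.group(1)))
    return hits


def hollowing_candidates(nodes):
    """(parent image, child depth) where a SetThreadContext-tagged parent spawns its own image."""
    hits = []
    for n in nodes:
        if "Suspicious use of SetThreadContext" in n["tags"]:
            hits += [(n["image"], nodes[c]["depth"]) for c in n["children"]
                     if nodes[c]["image"].lower() == n["image"].lower()]
    return hits


def wow64_redirected(nodes):
    """Images under SysWOW64 whose command line names system32: the 32-bit process used the
    'system32' path and WOW64 file-system redirection placed the file in SysWOW64."""
    return [n["image"] for n in nodes
            if "\\syswow64\\" in n["image"].lower() and "\\system32\\" in n["cmd"].lower()]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for n in tree:
        print("  " * (n["depth"] - 1) + f"[{n['depth']}] {n['image']} | {n['cmd']}")
    print("melt:", melt_targets(tree))
    print("hollowing:", hollowing_candidates(tree))
    print("WOW64-redirected:", wow64_redirected(tree))
```

The depth rule is the one place where the format is genuinely ambiguous; where a command line happens to end in digits and the previous line is already nine or more levels deep, inspect the result by hand.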
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\steal.exe
  Filesize: 417KB
  MD5: 88ec2c9f6078250fa693b7b4483e0eda
  SHA1: 75fb79ad898f519e0c58c2b5b867a5f9b572f80c
  SHA256: 8fe6e338dc8a5d5b9a651c18ed9e636f843537091f5ca792c27a355f043dd360
  SHA512: 091e2efcf839f1dfc87735c6376bdf496eae8577f5b7fa3b5aa106237d552c04f9c8ce29dbb7d4b8122dbe176931325785742a9cab5b07be6b247da2df78d942
- C:\Windows\SysWOW64\mswinsck.ocx
  Filesize: 105KB
  MD5: 9484c04258830aa3c2f2a70eb041414c
  SHA1: b242a4fb0e9dcf14cb51dc36027baff9a79cb823
  SHA256: bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5
  SHA512: 9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0
- C:\Windows\SysWOW64\server.exe
  Filesize: 7.2MB
  MD5: 1b07681e664e306e849cfac378fd5c36
  SHA1: 18c2aa65af42a6c17826e65b2d11e7a8da15555b
  SHA256: edc505c4629a550f9356a06ce7f24bfffca9a39b0dd98da8234b1366b1ec5520
  SHA512: e38280a95ea0979c54d4832ece66ab7841dc8f8489c5e7a72846e4f733ed60ba8121d0b3ee6dc711936cec54d12c267d1d25923e7bddc97785b57d531d73e97e
- \Users\Admin\AppData\Roaming\SpywareCease_Setup.exe
  Filesize: 5.9MB
  MD5: c4c214bb68de61f34e0a67c299512cdc
  SHA1: 521f4c321036275d5e6a870c13a301de6abb8d3b
  SHA256: 7c81b04ec8d4b25ff58c565d82fe044ce0afb0fe2f2cff2594e3fbf68bed429a
  SHA512: 1ca6a8bc112cc95d30e2aeed60c39dcc74239f45cd270c3844784b8b72e9cfe38f4d6e8fb2bdc86c85b1fd42f36e2ba43b1e779ceeebd6e00702e3f0da7203eb
- memory/1244-21-0x0000000000400000-0x0000000000403000-memory.dmp
  Filesize: 12KB
- memory/1244-16-0x0000000000400000-0x0000000000403000-memory.dmp
  Filesize: 12KB
- memory/1244-20-0x0000000000400000-0x0000000000403000-memory.dmp
  Filesize: 12KB
- memory/1984-15-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
- memory/1984-33-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
- memory/1984-13-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
- memory/1984-12-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
- memory/1984-14-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
- memory/1984-8-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
- memory/2000-110-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/2232-87-0x0000000010740000-0x00000000107C2000-memory.dmp
  Filesize: 520KB
- memory/2232-99-0x0000000000260000-0x000000000026D000-memory.dmp
  Filesize: 52KB
- memory/2232-69-0x0000000000400000-0x0000000000471000-memory.dmp
  Filesize: 452KB
- memory/2232-103-0x0000000000270000-0x000000000027D000-memory.dmp
  Filesize: 52KB
- memory/2232-66-0x0000000000400000-0x0000000000471000-memory.dmp
  Filesize: 452KB
- memory/2232-71-0x0000000000400000-0x0000000000471000-memory.dmp
  Filesize: 452KB
- memory/2588-34-0x0000000000400000-0x0000000000428000-memory.dmp
  Filesize: 160KB
- memory/2588-38-0x0000000000400000-0x0000000000428000-memory.dmp
  Filesize: 160KB
- memory/2588-37-0x0000000000400000-0x0000000000428000-memory.dmp
  Filesize: 160KB
- memory/2768-7-0x0000000000020000-0x0000000000031000-memory.dmp
  Filesize: 68KB
- memory/2768-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/2768-0-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/2768-3-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/2768-5-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/2768-6-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
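The Downloads list is the report's file-level evidence, and it is usually what gets copied into a blocklist. In the sandbox's raw export the algorithm name and the digest are fused ("MD5" immediately followed by 32 hex characters, "SHA1" by 40), which is easy to mis-split by hand. The Python below is an added example, mine rather than the report's or the sandbox's: it parses an excerpt in that fused form (constructed from entries on this page), accepts a digest only when its length matches the algorithm, keeps memory dumps apart from real files, and answers the first question an analyst asks of such a list, namely which dropped paths are byte-identical copies of one another. With this page's entries, C:\Windows\SysWOW64\server.exe carries the same MD5, SHA1 and SHA256 as the submitted sample, so it is a straight self-copy rather than a distinct second stage, whereas steal.exe, mswinsck.ocx and SpywareCease_Setup.exe are separate artefacts.

```python
import re

# Constructed excerpt in the report's fused form: "<path>Filesize", the size on the next line,
# then "<ALGO><digest>" lines with no separator between algorithm name and digest.
DOWNLOADS_EXCERPT = r'''
-
C:\Users\Admin\AppData\Roaming\steal.exeFilesize
417KB
MD588ec2c9f6078250fa693b7b4483e0eda
SHA175fb79ad898f519e0c58c2b5b867a5f9b572f80c
SHA2568fe6e338dc8a5d5b9a651c18ed9e636f843537091f5ca792c27a355f043dd360
SHA512091e2efcf839f1dfc87735c6376bdf496eae8577f5b7fa3b5aa106237d552c04f9c8ce29dbb7d4b8122dbe176931325785742a9cab5b07be6b247da2df78d942
-
C:\Windows\SysWOW64\server.exeFilesize
7.2MB
MD51b07681e664e306e849cfac378fd5c36
SHA118c2aa65af42a6c17826e65b2d11e7a8da15555b
SHA256edc505c4629a550f9356a06ce7f24bfffca9a39b0dd98da8234b1366b1ec5520
SHA512e38280a95ea0979c54d4832ece66ab7841dc8f8489c5e7a72846e4f733ed60ba8121d0b3ee6dc711936cec54d12c267d1d25923e7bddc97785b57d531d73e97e
-
memory/1984-15-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
'''

# Hex length of each digest. A fused line is accepted for an algorithm only if the remainder has
# exactly this length, which also keeps a SHA1 digest that happens to begin with "256" from
# being read as a SHA256 line, and rejects truncated digests outright.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def split_hash_line(line):
    """Return (algorithm, lowercase digest) for a fused hash line, or None if it is not one."""
    for algo, n in HASH_LEN.items():
        digest = line[len(algo):]
        if line.startswith(algo) and len(digest) == n and HEX_RE.fullmatch(digest):
            return algo, digest.lower()
    return None


def parse_downloads(text):
    """One record per dropped file or memory dump: path, reported size, validated hashes, and
    any line under the entry that did not parse (a truncated or mis-split digest, for instance)."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "-":
            continue
        if line.endswith("Filesize"):
            records.append({"path": line[: -len("Filesize")], "size": None,
                            "hashes": {}, "unparsed": []})
            continue
        if not records:
            raise ValueError("data before the first file entry: " + line)
        rec, parsed = records[-1], split_hash_line(line)
        if parsed:
            rec["hashes"][parsed[0]] = parsed[1]
        elif rec["size"] is None:
            rec["size"] = line
        else:
            rec["unparsed"].append(line)
    return records


def is_memory_dump(record):
    """memory/<pid>-<n>-<range>-memory.dmp entries are views of a running (hollowed) process,
    not files written to disk, so they do not belong in a file blocklist."""
    return record["path"].startswith("memory/")


def copies_of(records, sha256):
    """Paths whose SHA256 equals the given digest (case-insensitive): byte-identical copies."""
    want = sha256.lower()
    return [r["path"] for r in records if r["hashes"].get("SHA256") == want]


def ioc_set(records):
    """Sorted (sha256, path) pairs for real files only, ready for a blocklist or hunt query."""
    return sorted((r["hashes"]["SHA256"], r["path"])
                  for r in records if not is_memory_dump(r) and "SHA256" in r["hashes"])


if __name__ == "__main__":
    recs = parse_downloads(DOWNLOADS_EXCERPT)
    for sha, path in ioc_set(recs):
        print(sha, path)
    print("self-copies of the sample:",
          copies_of(recs, "edc505c4629a550f9356a06ce7f24bfffca9a39b0dd98da8234b1366b1ec5520"))
```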