modiloader | edc505c4629a550f9356a06ce7f24bfffca9a39b0dd98da8234b1366b1ec5520

Analysis

max time kernel
126s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Size

7.2MB
MD5

1b07681e664e306e849cfac378fd5c36
SHA1

18c2aa65af42a6c17826e65b2d11e7a8da15555b
SHA256

edc505c4629a550f9356a06ce7f24bfffca9a39b0dd98da8234b1366b1ec5520
SHA512

e38280a95ea0979c54d4832ece66ab7841dc8f8489c5e7a72846e4f733ed60ba8121d0b3ee6dc711936cec54d12c267d1d25923e7bddc97785b57d531d73e97e
SSDEEP

196608:BuezwW++1nerHAOdMF69hTmo/7H4gsQ6hAady5q0V+amY:9zw5+crHALF69hTmO7DsVEqVax

Score

10^/10

modiloader persistence spyware stealer trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1984-15-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/1984-14-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/1984-13-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/1984-12-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral1/memory/1984-33-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Spy-Net = "C:\\Windows\\system32\\Spy-Net\\server.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Spy-Net = "C:\\Windows\\system32\\Spy-Net\\server.exe"	server.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5NLKV6XC-S1B7-TJSO-6LNB-6004J6415IFR}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5NLKV6XC-S1B7-TJSO-6LNB-6004J6415IFR}\StubPath = "C:\\Windows\\system32\\Spy-Net\\server.exe Restart"	server.exe

Executes dropped EXE 64 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeSpywareCease_Setup.exeserver.exeserver.exeUpdater.exesteal.exeUpdater.exeUpdater.exeserver.exeserver.exeSpywareCease_Setup.tmpserver.exeUpdater.exeserver.exeserver.exeserver.exeUpdater.exeserver.exeserver.exeserver.exeserver.exeserver.exeUpdater.exeserver.exeUpdater.exeUpdater.exeUpdater.exeserver.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeserver.exe

pid	process
2732	server.exe
2820	server.exe
2444	server.exe
2480	server.exe
2772	server.exe
804	Updater.exe
296	Updater.exe
2000	Updater.exe
2676	Updater.exe
1540	Updater.exe
2848	Updater.exe
2896	Updater.exe
1028	Updater.exe
1860	SpywareCease_Setup.exe
2104	server.exe
1500	server.exe
848	Updater.exe
1712	steal.exe
1324	Updater.exe
916	Updater.exe
3304	server.exe
3016	server.exe
2724	SpywareCease_Setup.tmp
2400	server.exe
624	Updater.exe
1824	server.exe
3312	server.exe
384	server.exe
948	Updater.exe
4020	server.exe
2484	server.exe
1220	server.exe
2512	server.exe
2728	server.exe
4132	Updater.exe
4224	server.exe
3332	Updater.exe
4332	Updater.exe
4932	Updater.exe
1604	server.exe
3856	Updater.exe
4364	Updater.exe
4960	Updater.exe
3408	Updater.exe
5024	Updater.exe
3228	Updater.exe
4600	Updater.exe
4656	Updater.exe
2336	server.exe
1968	server.exe
1196	server.exe
2340	server.exe
2592	server.exe
996	server.exe
3340	server.exe
3520	server.exe
3580	server.exe
3796	server.exe
4188	server.exe
4376	Updater.exe
4972	Updater.exe
3828	Updater.exe
2104	Updater.exe
4128	server.exe

Loads dropped DLL 64 IoCs

Processes:

1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeserver.exeregsvr32.exeserver.exe1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exeUpdater.exe1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeserver.exeUpdater.exeSpywareCease_Setup.exeUpdater.exeUpdater.exeserver.exeSpywareCease_Setup.tmpUpdater.exe

pid	process
1984	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
1984	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2732	server.exe
2684	regsvr32.exe
2772	server.exe
2588	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
804	Updater.exe
804	Updater.exe
804	Updater.exe
296	Updater.exe
296	Updater.exe
296	Updater.exe
296	Updater.exe
2000	Updater.exe
2000	Updater.exe
2000	Updater.exe
804	Updater.exe
2676	Updater.exe
2676	Updater.exe
2676	Updater.exe
296	Updater.exe
1540	Updater.exe
1540	Updater.exe
1540	Updater.exe
296	Updater.exe
804	Updater.exe
2896	Updater.exe
2896	Updater.exe
2896	Updater.exe
804	Updater.exe
2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2444	server.exe
2444	server.exe
2444	server.exe
804	Updater.exe
2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
296	Updater.exe
804	Updater.exe
1540	Updater.exe
1540	Updater.exe
1540	Updater.exe
848	Updater.exe
848	Updater.exe
848	Updater.exe
1860	SpywareCease_Setup.exe
1324	Updater.exe
1324	Updater.exe
1324	Updater.exe
916	Updater.exe
916	Updater.exe
916	Updater.exe
916	Updater.exe
3304	server.exe
3304	server.exe
3304	server.exe
3304	server.exe
296	Updater.exe
3304	server.exe
3304	server.exe
3304	server.exe
2724	SpywareCease_Setup.tmp
2724	SpywareCease_Setup.tmp
624	Updater.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2232-99-0x0000000000260000-0x000000000026D000-memory.dmp	upx
behavioral1/memory/2232-87-0x0000000010740000-0x00000000107C2000-memory.dmp	upx
behavioral1/memory/2232-103-0x0000000000270000-0x000000000027D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\medax = "C:\\Windows\\system32\\Spy-Net\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\medax = "C:\\Windows\\system32\\Spy-Net\\server.exe"	server.exe

Drops file in System32 directory 30 IoCs

Processes:

Updater.exeUpdater.exeserver.exeUpdater.exeserver.exeserver.exeserver.exeserver.exeserver.exeUpdater.exeUpdater.exeserver.exe1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeserver.exeserver.exeUpdater.exesteal.exeserver.exeUpdater.exeUpdater.exe

description	ioc	process
File created	C:\Windows\SysWOW64\server.exe	Updater.exe
File created	C:\Windows\SysWOW64\Updater.exe	Updater.exe
File created	C:\Windows\SysWOW64\Spy-Net\server.exe	server.exe
File created	C:\Windows\SysWOW64\server.exe	Updater.exe
File created	C:\Windows\SysWOW64\server.exe	server.exe
File created	C:\Windows\SysWOW64\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Spy-Net\logs.dat	server.exe
File created	C:\Windows\SysWOW64\server.exe	server.exe
File created	C:\Windows\SysWOW64\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Spy-Net\server.exe	server.exe
File created	C:\Windows\SysWOW64\Updater.exe	server.exe
File created	C:\Windows\SysWOW64\Updater.exe	Updater.exe
File created	C:\Windows\SysWOW64\Updater.exe	Updater.exe
File created	C:\Windows\SysWOW64\Updater.exe	server.exe
File created	C:\Windows\SysWOW64\server.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Spy-Net\	server.exe
File created	C:\Windows\SysWOW64\Updater.exe	server.exe
File created	C:\Windows\SysWOW64\Updater.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Spy-Net\plugin.dat	server.exe
File created	C:\Windows\SysWOW64\Spy-Net\logs.dat	server.exe
File created	C:\Windows\SysWOW64\server.exe	Updater.exe
File opened for modification	C:\Windows\SysWOW64\server.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
File created	\??\c:\WINDOWS\SysWOW64\homepage.txt	steal.exe
File created	C:\Windows\SysWOW64\server.exe	server.exe
File created	C:\Windows\SysWOW64\server.exe	Updater.exe
File created	C:\Windows\SysWOW64\Spy-Net\plugin.dat	server.exe
File created	C:\Windows\SysWOW64\server.exe	Updater.exe
File created	C:\Windows\SysWOW64\Updater.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Updater.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeserver.exeUpdater.exeUpdater.exeserver.exeserver.exeUpdater.exeUpdater.exeserver.exeserver.exeUpdater.exeUpdater.exeserver.exeserver.exe

description	pid	process	target process
PID 2856 set thread context of 2768	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 set thread context of 1984	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 set thread context of 1244	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 set thread context of 2588	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2732 set thread context of 2820	2732	server.exe	server.exe
PID 2732 set thread context of 2444	2732	server.exe	server.exe
PID 2732 set thread context of 2480	2732	server.exe	server.exe
PID 2856 set thread context of 2232	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2732 set thread context of 2772	2732	server.exe	server.exe
PID 296 set thread context of 2000	296	Updater.exe	Updater.exe
PID 804 set thread context of 2676	804	Updater.exe	Updater.exe
PID 296 set thread context of 1540	296	Updater.exe	Updater.exe
PID 296 set thread context of 2848	296	Updater.exe	Updater.exe
PID 804 set thread context of 2896	804	Updater.exe	Updater.exe
PID 804 set thread context of 1028	804	Updater.exe	Updater.exe
PID 2732 set thread context of 2104	2732	server.exe	server.exe
PID 804 set thread context of 848	804	Updater.exe	Updater.exe
PID 296 set thread context of 1324	296	Updater.exe	Updater.exe
PID 804 set thread context of 916	804	Updater.exe	Updater.exe
PID 1500 set thread context of 2400	1500	server.exe	server.exe
PID 1500 set thread context of 1824	1500	server.exe	server.exe
PID 1500 set thread context of 3312	1500	server.exe	server.exe
PID 3304 set thread context of 384	3304	server.exe	server.exe
PID 296 set thread context of 948	296	Updater.exe	Updater.exe
PID 1500 set thread context of 4020	1500	server.exe	server.exe
PID 3304 set thread context of 2484	3304	server.exe	server.exe
PID 3304 set thread context of 1220	3304	server.exe	server.exe
PID 3304 set thread context of 2512	3304	server.exe	server.exe
PID 1500 set thread context of 2728	1500	server.exe	server.exe
PID 4132 set thread context of 4332	4132	Updater.exe	Updater.exe
PID 3332 set thread context of 4932	3332	Updater.exe	Updater.exe
PID 3304 set thread context of 1604	3304	server.exe	server.exe
PID 4132 set thread context of 3856	4132	Updater.exe	Updater.exe
PID 4132 set thread context of 4364	4132	Updater.exe	Updater.exe
PID 3332 set thread context of 4960	3332	Updater.exe	Updater.exe
PID 3332 set thread context of 3408	3332	Updater.exe	Updater.exe
PID 4132 set thread context of 3228	4132	Updater.exe	Updater.exe
PID 3332 set thread context of 5024	3332	Updater.exe	Updater.exe
PID 3332 set thread context of 4600	3332	Updater.exe	Updater.exe
PID 4132 set thread context of 4656	4132	Updater.exe	Updater.exe
PID 2336 set thread context of 1968	2336	server.exe	server.exe
PID 2336 set thread context of 1196	2336	server.exe	server.exe
PID 2336 set thread context of 2340	2336	server.exe	server.exe
PID 2336 set thread context of 996	2336	server.exe	server.exe
PID 2592 set thread context of 3340	2592	server.exe	server.exe
PID 2592 set thread context of 3520	2592	server.exe	server.exe
PID 2592 set thread context of 3580	2592	server.exe	server.exe
PID 2592 set thread context of 3796	2592	server.exe	server.exe
PID 2336 set thread context of 4188	2336	server.exe	server.exe
PID 4376 set thread context of 4972	4376	Updater.exe	Updater.exe
PID 4376 set thread context of 3828	4376	Updater.exe	Updater.exe
PID 4376 set thread context of 2104	4376	Updater.exe	Updater.exe
PID 2592 set thread context of 4128	2592	server.exe	server.exe
PID 4376 set thread context of 3648	4376	Updater.exe	Updater.exe
PID 4360 set thread context of 4980	4360	Updater.exe	Updater.exe
PID 4360 set thread context of 3912	4360	Updater.exe	Updater.exe
PID 4360 set thread context of 3952	4360	Updater.exe	Updater.exe
PID 4360 set thread context of 1288	4360	Updater.exe	Updater.exe
PID 4376 set thread context of 2584	4376	Updater.exe	Updater.exe
PID 3196 set thread context of 4984	3196	server.exe	server.exe
PID 4360 set thread context of 488	4360	Updater.exe	Updater.exe
PID 3196 set thread context of 2728	3196	server.exe	server.exe
PID 3196 set thread context of 3896	3196	server.exe	server.exe
PID 2528 set thread context of 2736	2528	server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3376 1712 WerFault.exe steal.exe
1544 3016 WerFault.exe server.exe

pid	pid_target	process	target process
3376	1712	WerFault.exe	steal.exe
1544	3016	WerFault.exe	server.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

server.exe1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeUpdater.exeserver.exeUpdater.exesteal.exeUpdater.exeserver.exeUpdater.exeUpdater.exeUpdater.exeserver.exeserver.exeserver.exeUpdater.exeserver.exe

pid	process
2444	server.exe
2232	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2232	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
1540	Updater.exe
2104	server.exe
916	Updater.exe
1712	steal.exe
1712	steal.exe
1712	steal.exe
948	Updater.exe
948	Updater.exe
2728	server.exe
2896	Updater.exe
3856	Updater.exe
4960	Updater.exe
1824	server.exe
2484	server.exe
1196	server.exe
3828	Updater.exe
3520	server.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeserver.exeUpdater.exeUpdater.exeserver.exeserver.exeserver.exeUpdater.exeUpdater.exeserver.exeserver.exeUpdater.exeUpdater.exeserver.exeserver.exeUpdater.exeUpdater.exe

description	pid	process
Token: SeDebugPrivilege	2232	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Token: SeDebugPrivilege	2232	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Token: SeDebugPrivilege	2232	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Token: SeDebugPrivilege	2232	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Token: SeDebugPrivilege	2104	server.exe
Token: SeDebugPrivilege	2104	server.exe
Token: SeDebugPrivilege	916	Updater.exe
Token: SeDebugPrivilege	916	Updater.exe
Token: SeRestorePrivilege	916	Updater.exe
Token: SeBackupPrivilege	916	Updater.exe
Token: SeDebugPrivilege	948	Updater.exe
Token: SeDebugPrivilege	948	Updater.exe
Token: SeDebugPrivilege	2728	server.exe
Token: SeDebugPrivilege	2728	server.exe
Token: SeDebugPrivilege	948	Updater.exe
Token: SeDebugPrivilege	948	Updater.exe
Token: SeDebugPrivilege	3016	server.exe
Token: SeDebugPrivilege	3016	server.exe
Token: SeDebugPrivilege	1604	server.exe
Token: SeDebugPrivilege	1604	server.exe
Token: SeDebugPrivilege	4600	Updater.exe
Token: SeDebugPrivilege	4600	Updater.exe
Token: SeDebugPrivilege	4656	Updater.exe
Token: SeDebugPrivilege	4656	Updater.exe
Token: SeDebugPrivilege	4188	server.exe
Token: SeDebugPrivilege	4188	server.exe
Token: SeDebugPrivilege	4128	server.exe
Token: SeDebugPrivilege	4128	server.exe
Token: SeDebugPrivilege	2584	Updater.exe
Token: SeDebugPrivilege	2584	Updater.exe
Token: SeDebugPrivilege	488	Updater.exe
Token: SeDebugPrivilege	488	Updater.exe
Token: SeDebugPrivilege	4760	server.exe
Token: SeDebugPrivilege	4760	server.exe
Token: SeDebugPrivilege	4712	server.exe
Token: SeDebugPrivilege	4712	server.exe
Token: SeDebugPrivilege	3356	Updater.exe
Token: SeDebugPrivilege	3356	Updater.exe
Token: SeDebugPrivilege	3512	Updater.exe
Token: SeDebugPrivilege	3512	Updater.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeserver.exeUpdater.exeUpdater.exeserver.exeserver.exeUpdater.exeUpdater.exeserver.exeserver.exeUpdater.exeUpdater.exeserver.exeserver.exeUpdater.exeUpdater.exe

pid	process
2588	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2772	server.exe
848	Updater.exe
1324	Updater.exe
4020	server.exe
2512	server.exe
5024	Updater.exe
3228	Updater.exe
996	server.exe
3796	server.exe
3648	Updater.exe
1288	Updater.exe
2600	server.exe
3744	server.exe
4860	Updater.exe
3916	Updater.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeserver.exe

description	pid	process	target process
PID 2856 wrote to memory of 2768	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2768	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2768	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2768	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2768	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2768	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 1984	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 1984	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 1984	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 1984	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 1984	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 1984	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 1244	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 1244	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 1244	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 1244	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 1244	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 1244	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 1984 wrote to memory of 2732	1984	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	server.exe
PID 1984 wrote to memory of 2732	1984	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	server.exe
PID 1984 wrote to memory of 2732	1984	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	server.exe
PID 1984 wrote to memory of 2732	1984	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	server.exe
PID 2856 wrote to memory of 2588	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2588	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2588	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2588	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2588	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2588	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2588 wrote to memory of 2684	2588	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	regsvr32.exe
PID 2588 wrote to memory of 2684	2588	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	regsvr32.exe
PID 2588 wrote to memory of 2684	2588	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	regsvr32.exe
PID 2588 wrote to memory of 2684	2588	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	regsvr32.exe
PID 2588 wrote to memory of 2684	2588	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	regsvr32.exe
PID 2588 wrote to memory of 2684	2588	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	regsvr32.exe
PID 2588 wrote to memory of 2684	2588	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	regsvr32.exe
PID 2732 wrote to memory of 2820	2732	server.exe	server.exe
PID 2732 wrote to memory of 2820	2732	server.exe	server.exe
PID 2732 wrote to memory of 2820	2732	server.exe	server.exe
PID 2732 wrote to memory of 2820	2732	server.exe	server.exe
PID 2732 wrote to memory of 2820	2732	server.exe	server.exe
PID 2732 wrote to memory of 2820	2732	server.exe	server.exe
PID 2732 wrote to memory of 2444	2732	server.exe	server.exe
PID 2732 wrote to memory of 2444	2732	server.exe	server.exe
PID 2732 wrote to memory of 2444	2732	server.exe	server.exe
PID 2732 wrote to memory of 2444	2732	server.exe	server.exe
PID 2732 wrote to memory of 2444	2732	server.exe	server.exe
PID 2732 wrote to memory of 2444	2732	server.exe	server.exe
PID 2732 wrote to memory of 2480	2732	server.exe	server.exe
PID 2732 wrote to memory of 2480	2732	server.exe	server.exe
PID 2732 wrote to memory of 2480	2732	server.exe	server.exe
PID 2732 wrote to memory of 2480	2732	server.exe	server.exe
PID 2732 wrote to memory of 2480	2732	server.exe	server.exe
PID 2732 wrote to memory of 2480	2732	server.exe	server.exe
PID 2856 wrote to memory of 2232	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2232	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2232	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2232	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2232	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2856 wrote to memory of 2232	2856	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2732 wrote to memory of 2772	2732	server.exe	server.exe
PID 2732 wrote to memory of 2772	2732	server.exe	server.exe
PID 2732 wrote to memory of 2772	2732	server.exe	server.exe
PID 2732 wrote to memory of 2772	2732	server.exe	server.exe
PID 2732 wrote to memory of 2772	2732	server.exe	server.exe

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:388

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:820

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:280

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1056

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2084

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:2020

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:496

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:504

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
3⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\server.exe
"C:\Windows\system32\server.exe" \melt "C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\server.exe
C:\Windows\SysWOW64\server.exe
5⤵
- Executes dropped EXE
PID:2820

C:\Windows\SysWOW64\server.exe
C:\Windows\SysWOW64\server.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2444

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\server.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1500

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
7⤵
- Executes dropped EXE
PID:2400

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
8⤵
- Suspicious use of SetThreadContext
PID:2528

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
PID:2736

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
PID:1352

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
PID:1576

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
- Suspicious use of SetWindowsHookEx
PID:3744

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
7⤵
- Executes dropped EXE
PID:3312

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4020

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3332

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
9⤵
- Executes dropped EXE
PID:4932

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4960

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
10⤵
- Suspicious use of SetThreadContext
PID:3196

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:4984

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:2728

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:3896

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2600

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
12⤵
PID:4612

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
13⤵
PID:4604

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
13⤵
PID:4572

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
13⤵
PID:2748

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
13⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
14⤵
PID:4908

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
15⤵
PID:4920

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
15⤵
PID:1780

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
15⤵
PID:4084

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
15⤵
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
15⤵
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
9⤵
- Executes dropped EXE
PID:3408

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5024

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
- Executes dropped EXE
PID:4224

C:\Windows\SysWOW64\server.exe
C:\Windows\SysWOW64\server.exe
5⤵
- Executes dropped EXE
PID:2480

C:\Windows\SysWOW64\server.exe
C:\Windows\SysWOW64\server.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2772

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:296

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:3304

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
- Executes dropped EXE
PID:384

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2484

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
10⤵
PID:4212

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:1800

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:672

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:3604

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:1996

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
12⤵
PID:2444

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
13⤵
PID:3500

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
13⤵
PID:1080

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
13⤵
PID:3592

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
13⤵
PID:2968

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:3288

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
- Executes dropped EXE
PID:1220

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
7⤵
- Executes dropped EXE
PID:2848

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\server.exe
C:\Windows\SysWOW64\server.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\SysWOW64\server.exe
C:\Windows\SysWOW64\server.exe
6⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 688
7⤵
- Program crash
PID:1544

C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
3⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\mswinsck.ocx"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2684

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:804

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2336

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
7⤵
- Executes dropped EXE
PID:1968

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
8⤵
PID:684

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
PID:3256

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
PID:2676

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
PID:4652

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
PID:3000

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
PID:3812

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
7⤵
- Executes dropped EXE
PID:2340

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:996

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4376

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
9⤵
- Executes dropped EXE
PID:4972

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3828

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
10⤵
PID:2652

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:956

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:1852

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:2464

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:2292

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:2264

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
9⤵
- Executes dropped EXE
PID:2104

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
9⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3648

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
10⤵
- Suspicious use of SetThreadContext
PID:4360

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
11⤵
PID:4980

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
11⤵
PID:3912

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
12⤵
PID:1968

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
11⤵
PID:3952

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
11⤵
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:488

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
5⤵
- Executes dropped EXE
PID:1028

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:848

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4132

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
7⤵
- Executes dropped EXE
PID:4332

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3856

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2592

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
- Executes dropped EXE
PID:3340

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3520

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
10⤵
PID:896

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:3636

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:2488

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:4144

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:2380

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
11⤵
PID:3404

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
- Executes dropped EXE
PID:3580

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
7⤵
- Executes dropped EXE
PID:4364

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3228

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:624

C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
4⤵
PID:1776

C:\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe
"C:\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860

C:\Users\Admin\AppData\Local\Temp\is-69SAJ.tmp\SpywareCease_Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-69SAJ.tmp\SpywareCease_Setup.tmp" /SL5="$301CA,5942796,78848,C:\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724

C:\Users\Admin\AppData\Roaming\steal.exe
"C:\Users\Admin\AppData\Roaming\steal.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 548
4⤵
- Program crash
PID:3376

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\steal.exe
Filesize
417KB

MD5
88ec2c9f6078250fa693b7b4483e0eda

SHA1
75fb79ad898f519e0c58c2b5b867a5f9b572f80c

SHA256
8fe6e338dc8a5d5b9a651c18ed9e636f843537091f5ca792c27a355f043dd360

SHA512
091e2efcf839f1dfc87735c6376bdf496eae8577f5b7fa3b5aa106237d552c04f9c8ce29dbb7d4b8122dbe176931325785742a9cab5b07be6b247da2df78d942

Download Submit
C:\Windows\SysWOW64\mswinsck.ocx
Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\SysWOW64\server.exe
Filesize
7.2MB

MD5
1b07681e664e306e849cfac378fd5c36

SHA1
18c2aa65af42a6c17826e65b2d11e7a8da15555b

SHA256
edc505c4629a550f9356a06ce7f24bfffca9a39b0dd98da8234b1366b1ec5520

SHA512
e38280a95ea0979c54d4832ece66ab7841dc8f8489c5e7a72846e4f733ed60ba8121d0b3ee6dc711936cec54d12c267d1d25923e7bddc97785b57d531d73e97e

Download Submit
\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe
Filesize
5.9MB

MD5
c4c214bb68de61f34e0a67c299512cdc

SHA1
521f4c321036275d5e6a870c13a301de6abb8d3b

SHA256
7c81b04ec8d4b25ff58c565d82fe044ce0afb0fe2f2cff2594e3fbf68bed429a

SHA512
1ca6a8bc112cc95d30e2aeed60c39dcc74239f45cd270c3844784b8b72e9cfe38f4d6e8fb2bdc86c85b1fd42f36e2ba43b1e779ceeebd6e00702e3f0da7203eb

Download Submit
memory/1244-21-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1244-16-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1244-20-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1984-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1984-33-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1984-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1984-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1984-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1984-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2000-110-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2232-87-0x0000000010740000-0x00000000107C2000-memory.dmp

Filesize
520KB

Download
memory/2232-99-0x0000000000260000-0x000000000026D000-memory.dmp

Filesize
52KB

Download
memory/2232-69-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2232-103-0x0000000000270000-0x000000000027D000-memory.dmp

Filesize
52KB

Download
memory/2232-66-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2232-71-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2588-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2588-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2768-7-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/2768-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2768-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download