Malware Analysis Report

2024-09-22 09:12

Sample ID 240622-a64trsshpj
Target 0081117561dbbe476ca7c53d931272eb_JaffaCakes118
SHA256 69bd0504604bb8f94928e0bc4d710639f23d99ddeedd7036c8d6d19d26b6cd42
Tags
cybergate vítima persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69bd0504604bb8f94928e0bc4d710639f23d99ddeedd7036c8d6d19d26b6cd42

Threat Level: Known bad

The file 0081117561dbbe476ca7c53d931272eb_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate vítima persistence stealer trojan upx

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Loads dropped DLL

Checks computer location settings

UPX packed file

Uses the VBS compiler for execution

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-22 00:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 00:50

Reported

2024-06-22 00:52

Platform

win7-20240508-en

Max time kernel

150s

Max time network

147s

Command Line

\SystemRoot\System32\smss.exe

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows\\system.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows\\system.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}\StubPath = "C:\\Windows\\system32\\windows\\system.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58} C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}\StubPath = "C:\\Windows\\system32\\windows\\system.exe Restart" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58} C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\windows\\system.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\rOaoWnZdErpjCyVqQVSdgvRSblgKZsMfaPuEFDIslsXkjzEGxX = "C:\\Users\\Admin\\AppData\\Local\\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe" C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\windows\\system.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\windows\system.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\windows\system.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\windows\system.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\windows\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2964 set thread context of 2556 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
PID 2116 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
PID 2116 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
PID 2116 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
PID 2964 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2964 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2964 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2964 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2964 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2964 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2964 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2964 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1793508553-352905866-2062955186-5258329257991145025581625121570511284606176835"

C:\Windows\SysWOW64\windows\system.exe

"C:\Windows\system32\windows\system.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-421556289-82603964123529799315784425791803808245186761579-1484572417-232962919"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 8.8.8.8:53 www.server.com udp
US 8.8.8.8:53 www.server.com udp
US 8.8.8.8:53 www.server.com udp
US 8.8.8.8:53 www.server.com udp
US 8.8.8.8:53 www.server.com udp
US 8.8.8.8:53 www.server.com udp
US 8.8.8.8:53 www.server.com udp
US 8.8.8.8:53 www.server.com udp
US 8.8.8.8:53 www.server.com udp

Files

memory/2116-0-0x0000000074371000-0x0000000074372000-memory.dmp

memory/2116-1-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2116-2-0x0000000074370000-0x000000007491B000-memory.dmp

\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe

MD5 0081117561dbbe476ca7c53d931272eb
SHA1 c63c2af8e87297fa66b6fdd8898b50b64a0c2e23
SHA256 69bd0504604bb8f94928e0bc4d710639f23d99ddeedd7036c8d6d19d26b6cd42
SHA512 cee68886a6d82a16e992bd68e33453d23f71c615771a6ab38a3a4ce691d69d16b4e85fb0c0a2d15443f1920ee686e33d19a49ed87422648eba321fd907a27155

memory/2116-15-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2964-26-0x0000000074370000-0x000000007491B000-memory.dmp

C:\Users\Admin\AppData\Local\Twain.dll

MD5 2153e2d85da316a0fe302227e0f9af88
SHA1 48b334c27d604ce7d89c9c825d211d26427176cf
SHA256 645b30a3ef5cf05ad0df575fbbdbc05387b5493ce1778935b60d98681fea7bc0
SHA512 647b0b95622c2e9086f072ccf110371b38953619b4cb6697e259165ce12e0dd1854bc6351abb8f693d052d730f8790d72929a8c822a26ac369c372478c1e4fac

memory/2964-16-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2556-33-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2556-37-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2556-35-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2556-43-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2556-41-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2556-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2556-46-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2556-45-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2556-47-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2556-44-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2964-48-0x0000000074370000-0x000000007491B000-memory.dmp

memory/1176-52-0x0000000002D00000-0x0000000002D01000-memory.dmp

memory/2556-51-0x0000000024010000-0x0000000024072000-memory.dmp

C:\Windows\SysWOW64\windows\system.exe

MD5 34aa912defa18c2c129f1e09d75c1d7e
SHA1 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512 d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 6e4f978fe3aec19ca9498551e93678d0
SHA1 bd74f4186eb34a6ec0bafc64617968c872079bad
SHA256 81e6cd1275a3df0184b02fcdb5bcb31d27bf56c8f22e7f62bd1d8a2bd1140308
SHA512 57448df1f3f494c2f3f1d7840ac2ee766f0ba2295a5a10fafb9c5560f66a3c17646a6bc4e53b928b999d8a00b78a83cb9b09686cc04e0a9df336d036037797f9

memory/2556-972-0x0000000000400000-0x0000000000459000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a3a2e3f09fa7ee0330ef356f5d00f5c8
SHA1 3d4a2a240bc7a85c5e648a7a10a823af8592a0ff
SHA256 5df5bbb4ff3e4650ea86ffd53e20eac6be8b3bfad693f2db666a92da7fdccc0a
SHA512 07bb2a186b8b548535e99cd91d0e5c05ead29e72732184f71045eb380b3c11a3256ed9686f3fb7fbcbaff1b7dab30fdc34a580c82fde0b44c7093be6ac71f352

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6513e10a5d26a4b9af1cc219379d3932
SHA1 57774645fe2d760d0759b885328d9572a6acf767
SHA256 00d0d445b3534106abf6f2a2ce0f485f523035fa4585d0cc7922c6aec36e61c4
SHA512 f5e5c5b66145fe3be3d1f03d8a51aa44a3716221c0ecdd596d19849c905be1a9b85359c017bb60d7f1e0aea054785de70929871f9bbb7c4cbc404229ea06956a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3605d3cacab0677c0cf4c8f712beae0d
SHA1 ae1c8b4c5347f9a257ea88574251b169550ecd4a
SHA256 3eff209ce8462413158b2d643d7daa17cd432d41923cb9fcce4a5201dc6c91bb
SHA512 945ba0f6e57fd0dc92ded78bc1dadb6030e5c01f9b47c24de5382404e735f89eb55b7660d98b88818cd51f5fb60f83c3f9ca4e004df30019365786b846f69e6b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 394c4c99d33de21667a4362729ec6a45
SHA1 ae14afaba223202f85f9c0ace3b8d495c2bf0c36
SHA256 ba9d07f4b2ccbdb5dead4addb899792efbc85284af12d093c0c80a3666ab6aed
SHA512 622c41b396058a655bf8f8399266b1caf15996b11ee948348b194dce5fff45f8f7286a43e3878dd8380e9cc6b6ca2a95a7115331768da7da066961706fde6415

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 abe16d92b9e6feb2098a22f95747028f
SHA1 da99cbcc0cd0ac7acc5453234d77a00ed24ea7d3
SHA256 4d5c5d4702f1347c2411260e9ce9ea43089316071a25545a9c0266cb405763ad
SHA512 a82ea2a7be3a8bb41db8c90660f94e94e2953e762c429c2edacaad60d7ecbe3d6b2e93ce52116f9df887cd6d7e5006a15fc660ee26ba1d912a67e3ac0f6b89bf

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b7e9b7c2773d1ba8848d001e6a51446e
SHA1 37195cdeb982a726582a212843a21e830a21d392
SHA256 f207f7f2d5249cc1a1f79198fba39907592867d3dca334932bacf5744692f42f
SHA512 7bd4e9ac9f2820407e4b522c403eb728c67a25d8cfcbee1e139457db60a0d53e080aa6f93396d9393a64c109b37bb1b48870b733f5e9009dee75797595da8dd3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c521edbff8ee66a2c4a13a9b9fd3bf7b
SHA1 5ee01bf076c6098db51a9eba89fc8d52493ebc54
SHA256 7379331c883aacfdbdc436a0bbf37dd8dd4dd66f85e299ad987321d9a042e9fb
SHA512 bf7e6f2460371b82d782a9050f457e7558ac9535fa69df93a6c6d52eea69b920f38e93c1ac3fd16c459ecb82b00048df765505fe47c5b99c6a158612e56f779a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 65a1af38189c50777abc38e95acd0141
SHA1 4ea2671bd0ee30647136232b5a3d8fc42a9d2b8b
SHA256 fce96eb675da522eff8d078967bb45522c1dacea353cdc42ee13b934da50cbab
SHA512 c7b891fab45e4e5763d53e35624868a84e5a570734d7177e158de02f913efbeddb1f50b9fd2aa893b236a7aa3f9730a4bf19f6e2fdfd83bcd65d3debd9301c07

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 dfd40db1a5ac4e47f785fee37d988f4b
SHA1 f8e002e340f9ff96d58299deda2a8ee9ebf9d4b8
SHA256 68f24c47110fd079e05f1a25f46e2b3445b868076892e0d9a2c6ddf6bad8652b
SHA512 f89a000716aca411f77614b43dc579709870ff32bfde38638e1f255f8a01db211ed783306f1ac83e33f6a246823b5bd705de303e34c04c407c341f1247594264

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 52487f67988b549e9d67c87966c44ad3
SHA1 d3847e3b32c9dbf4fdbbfbe1f8314680ae8f7faa
SHA256 59f314dfa2dae8dd5fd3073bcacf2c86401d6ea192811ee1295e3c206d9f1c0c
SHA512 485f29099743132f3e43a95c85bfb0d908cbb826b3ebdca00ff2e8cecca2d4170540835963d9bc035affc687d31a1f223db7547e221662b7e1f0edc8049489df

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 00:50

Reported

2024-06-22 00:52

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

winlogon.exe

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows\\system.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows\\system.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58} C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}\StubPath = "C:\\Windows\\system32\\windows\\system.exe Restart" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}\StubPath = "C:\\Windows\\system32\\windows\\system.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rOaoWnZdErpjCyVqQVSdgvRSblgKZsMfaPuEFDIslsXkjzEGxX = "C:\\Users\\Admin\\AppData\\Local\\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe" C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\windows\\system.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\windows\\system.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\windows\system.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\windows\system.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\windows\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File created C:\Windows\SysWOW64\windows\system.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3620 set thread context of 2420 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
PID 3060 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
PID 3060 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
PID 3620 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3620 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3620 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3620 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3620 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3620 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3620 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3620 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 3452 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe f911383b43e33a0fa1835ba8709267d9 qmyr5G8v2kOMZjPweHxrtQ.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\windows\system.exe

"C:\Windows\system32\windows\system.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/3060-0-0x0000000074EE2000-0x0000000074EE3000-memory.dmp

memory/3060-1-0x0000000074EE0000-0x0000000075491000-memory.dmp

memory/3060-2-0x0000000074EE0000-0x0000000075491000-memory.dmp

C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe

MD5 0081117561dbbe476ca7c53d931272eb
SHA1 c63c2af8e87297fa66b6fdd8898b50b64a0c2e23
SHA256 69bd0504604bb8f94928e0bc4d710639f23d99ddeedd7036c8d6d19d26b6cd42
SHA512 cee68886a6d82a16e992bd68e33453d23f71c615771a6ab38a3a4ce691d69d16b4e85fb0c0a2d15443f1920ee686e33d19a49ed87422648eba321fd907a27155

memory/3620-16-0x0000000074EE0000-0x0000000075491000-memory.dmp

memory/3060-19-0x0000000074EE0000-0x0000000075491000-memory.dmp

memory/3620-18-0x0000000074EE0000-0x0000000075491000-memory.dmp

C:\Users\Admin\AppData\Roaming\Twain.dll

MD5 2153e2d85da316a0fe302227e0f9af88
SHA1 48b334c27d604ce7d89c9c825d211d26427176cf
SHA256 645b30a3ef5cf05ad0df575fbbdbc05387b5493ce1778935b60d98681fea7bc0
SHA512 647b0b95622c2e9086f072ccf110371b38953619b4cb6697e259165ce12e0dd1854bc6351abb8f693d052d730f8790d72929a8c822a26ac369c372478c1e4fac

memory/2420-36-0x0000000000400000-0x0000000000459000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe.log

MD5 600936e187ce94453648a9245b2b42a5
SHA1 3349e5da3f713259244a2cbcb4a9dca777f637ed
SHA256 1493eb1dc75a64eb2eb06bc9eb2c864b78fc4a2c674108d5183ac7824013ff2d
SHA512 d41203f93ed77430dc570e82dc713f09d21942d75d1f9c3c84135421550ac2fa3845b7e46df70d2c57fe97d3a88e43c672771bb8b6433c44584c4e64646c1964

memory/2420-39-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2420-40-0x0000000000400000-0x0000000000459000-memory.dmp

memory/3620-41-0x0000000074EE0000-0x0000000075491000-memory.dmp

memory/2420-42-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2420-46-0x0000000024010000-0x0000000024072000-memory.dmp

memory/4524-50-0x0000000001010000-0x0000000001011000-memory.dmp

memory/4524-51-0x00000000010D0000-0x00000000010D1000-memory.dmp

memory/2420-49-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4524-110-0x0000000000090000-0x00000000004C3000-memory.dmp

C:\Windows\SysWOW64\windows\system.exe

MD5 d881de17aa8f2e2c08cbb7b265f928f9
SHA1 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256 b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 6e4f978fe3aec19ca9498551e93678d0
SHA1 bd74f4186eb34a6ec0bafc64617968c872079bad
SHA256 81e6cd1275a3df0184b02fcdb5bcb31d27bf56c8f22e7f62bd1d8a2bd1140308
SHA512 57448df1f3f494c2f3f1d7840ac2ee766f0ba2295a5a10fafb9c5560f66a3c17646a6bc4e53b928b999d8a00b78a83cb9b09686cc04e0a9df336d036037797f9

memory/2420-181-0x0000000000400000-0x0000000000459000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3605d3cacab0677c0cf4c8f712beae0d
SHA1 ae1c8b4c5347f9a257ea88574251b169550ecd4a
SHA256 3eff209ce8462413158b2d643d7daa17cd432d41923cb9fcce4a5201dc6c91bb
SHA512 945ba0f6e57fd0dc92ded78bc1dadb6030e5c01f9b47c24de5382404e735f89eb55b7660d98b88818cd51f5fb60f83c3f9ca4e004df30019365786b846f69e6b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 394c4c99d33de21667a4362729ec6a45
SHA1 ae14afaba223202f85f9c0ace3b8d495c2bf0c36
SHA256 ba9d07f4b2ccbdb5dead4addb899792efbc85284af12d093c0c80a3666ab6aed
SHA512 622c41b396058a655bf8f8399266b1caf15996b11ee948348b194dce5fff45f8f7286a43e3878dd8380e9cc6b6ca2a95a7115331768da7da066961706fde6415

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 abe16d92b9e6feb2098a22f95747028f
SHA1 da99cbcc0cd0ac7acc5453234d77a00ed24ea7d3
SHA256 4d5c5d4702f1347c2411260e9ce9ea43089316071a25545a9c0266cb405763ad
SHA512 a82ea2a7be3a8bb41db8c90660f94e94e2953e762c429c2edacaad60d7ecbe3d6b2e93ce52116f9df887cd6d7e5006a15fc660ee26ba1d912a67e3ac0f6b89bf

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b7e9b7c2773d1ba8848d001e6a51446e
SHA1 37195cdeb982a726582a212843a21e830a21d392
SHA256 f207f7f2d5249cc1a1f79198fba39907592867d3dca334932bacf5744692f42f
SHA512 7bd4e9ac9f2820407e4b522c403eb728c67a25d8cfcbee1e139457db60a0d53e080aa6f93396d9393a64c109b37bb1b48870b733f5e9009dee75797595da8dd3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c521edbff8ee66a2c4a13a9b9fd3bf7b
SHA1 5ee01bf076c6098db51a9eba89fc8d52493ebc54
SHA256 7379331c883aacfdbdc436a0bbf37dd8dd4dd66f85e299ad987321d9a042e9fb
SHA512 bf7e6f2460371b82d782a9050f457e7558ac9535fa69df93a6c6d52eea69b920f38e93c1ac3fd16c459ecb82b00048df765505fe47c5b99c6a158612e56f779a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 65a1af38189c50777abc38e95acd0141
SHA1 4ea2671bd0ee30647136232b5a3d8fc42a9d2b8b
SHA256 fce96eb675da522eff8d078967bb45522c1dacea353cdc42ee13b934da50cbab
SHA512 c7b891fab45e4e5763d53e35624868a84e5a570734d7177e158de02f913efbeddb1f50b9fd2aa893b236a7aa3f9730a4bf19f6e2fdfd83bcd65d3debd9301c07

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 dfd40db1a5ac4e47f785fee37d988f4b
SHA1 f8e002e340f9ff96d58299deda2a8ee9ebf9d4b8
SHA256 68f24c47110fd079e05f1a25f46e2b3445b868076892e0d9a2c6ddf6bad8652b
SHA512 f89a000716aca411f77614b43dc579709870ff32bfde38638e1f255f8a01db211ed783306f1ac83e33f6a246823b5bd705de303e34c04c407c341f1247594264

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 52487f67988b549e9d67c87966c44ad3
SHA1 d3847e3b32c9dbf4fdbbfbe1f8314680ae8f7faa
SHA256 59f314dfa2dae8dd5fd3073bcacf2c86401d6ea192811ee1295e3c206d9f1c0c
SHA512 485f29099743132f3e43a95c85bfb0d908cbb826b3ebdca00ff2e8cecca2d4170540835963d9bc035affc687d31a1f223db7547e221662b7e1f0edc8049489df

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 31e4d2c862b871b61db87bc03f589769
SHA1 1c852eca1eebf9c81f8047efec441f289752bb84
SHA256 b6c425b7eee323c5f0fb95f2799ebd899a452a06b6f11a452da520d3534854b4
SHA512 754ca63fd525fce808ff2f5b5ec15dbad28865c839b4293bc1c743f10a075cccd952a925d4e2b4532daeb530d0aea966cd480381e3ea62755897eecb7f63bb4e

memory/4524-1311-0x0000000000090000-0x00000000004C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e9ec478b7fc81ff30afb964e2a1884f3
SHA1 b1407dcbe742612cc00eee8ba007bd9195e66161
SHA256 bc6760c5c1bcf6d6a782e3b7303394e9c2ba626f32193b8a7224172f766f57d5
SHA512 64e70177ab7f01ee5bbc0154a61385542b6375fa05e9b2fcbf294893dd6d5d57a0be86ba11188392745a638d379a1a6f4d5b9cacf1f91bc815fd5bb957adc522

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0dde77501aa3545e82e2cef328bcf917
SHA1 bd22714f0f21d4806c0a45c5651643a07c95d7fd
SHA256 102d07742517b2fe6e4f12d27b08416a2924ca7c4b62c851dbb1dfa1453cde4c
SHA512 462506aa4a9ed9a72b4a997297da8b33851463888926de16c2a669cdc85f7c2e662fedb2a1f4cd8a7e26695c3a0e581b5cda2f9e4e3c708ec920403154007acb

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 70dbb774adb0f58d86e7c6886f9ed949
SHA1 9e66b77663266b93222b4297efcbcda129077d6d
SHA256 8be020a2539cc9129f8472e6a7d7b9bb4b595459d7b0ddf3c85effd963073999
SHA512 ae92825e00add36262c5333c711a45ecc90d65a3bf3e945c86c410d44c1dfdaa7c975bcb6bc0432154a011602ea48e8beed8d7e23935ac38259e94296c8a76b3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 47d49e4018023b366f56a8e63c8e6b18
SHA1 8400098f1fb7bc65a518ba214904a18bc7565ca7
SHA256 74448383710bae14f755185dd3e62c8a70fd3fc6a5ac91ccb79e76312e43b4e2
SHA512 a875f2c40b666e1ea587812a7d83aa48c8238f2dd58823b28c3fcd3a4f5e7d43da8663195a63fea6b79d37cbc9061aad0b6a6939a05a2de21c1e317a30408255

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 bd0d26cb524800b461a048de8981fcd4
SHA1 8f690b33aea03370d3bcbde04dc087852fe3b3fa
SHA256 083bccdfb94f5e2950d39664955d1496e057cea9c2348bae29bc10cfb65637e7
SHA512 ffc7ca07d3ba5325ebf693cb7c919381378b0c242c30f957d89ede2b7dabe1053834d2419a3debead28e9d9285de62ecf1eb27ae2f50226b74b51ff3a0ed5bf2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2149a1e3d51b2f22dc529da60b300370
SHA1 f1c8d4304d5885b5439fa34e4aab8a52735117e9
SHA256 4e1e6cf042bf5b5fca54178d20f34ae799b881cd7660ac2ee5f2befe3bdbb3f2
SHA512 6d46b24226fd884db0c224f41a073a5a1bcb2caee58dc4b1fe0dbe373598859c2c87cf561e1f0c78f659657d7332d9dae216b604b90e09387ba9f68cafebed6e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0652ef583b4d5b0b61082e5b85117ef4
SHA1 ae8eb9f4f4891d14464d4b673b0717cfc04bbc8b
SHA256 f7a42bb071e7728debc67375a8a65880e8471c4f24b0ac22f07ec84ae3804fa7
SHA512 634a28a6fd30fe63f12ee47e4076283fa50f9a292b780bae17094ed0d09e137581cb8e5440e8d29999deb052fd4e4227dcd487811ab03ad207ab2d1cbbc1c812

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6fbcc8811c16666e889495fd75f1ecc6
SHA1 fbfc9e56e5451f095b1a52b52306bde260c73d2a
SHA256 5faec1cb9679012db719b6ea962140e934888e67d5a439fd733274ca818e69d6
SHA512 b371d07baf558a7166339b558b910cb642f8907572af39ae342c0805a0615586714709dc3592e57361e22ac5546ab363eff5dd6bcf9b192e110d4d1558d44bf8