Analysis
max time kernel: 17s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2024 00:05
Static task: static1
Behavioral task: behavioral1
Sample: e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
Size: 292KB
MD5: e8eca1a24d0eb575beb2dc01b6d01b64
SHA1: a1f389cd0b9488685316462ccef24b6e972dda05
SHA256: e82b397c6cb9555caeb62448771c6c2d1c1faee6969041bdca06e9b2eb1c087c
SHA512: b65e589c4d60c69c08e29a65bc55f0b648bae209afbb422246554b8cb516699a2757a4abeea79111307c3657839b676a2384077980701935a14e8b474f7e02fa
SSDEEP: 6144:2DdmAid3w4AsdOty/2gfazN1qNsGoMbMESRzDKgI88/nLd:CEAidw4AS3/7fkb4oM4EADv8/nLd
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modiloader family
ModiLoader Second Stage (20 IoCs)
resource | yara_rule
behavioral2/memory/3116-29-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/3116-31-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/3116-32-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/3116-34-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/3116-98-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/1008-191-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/4732-219-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/4316-244-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/4160-270-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/1472-297-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/2380-323-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/4752-348-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/4652-374-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/4016-400-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/2008-426-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/1636-452-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/2688-478-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/4660-500-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/2140-522-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
behavioral2/memory/4852-544-0x0000000000400000-0x000000000042B000-memory.dmp | modiloader_stage2
Checks computer location settings (2 TTPs, 32 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cgi-bin.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | server.exe
Executes dropped EXE (47 IoCs)
pid | Process
4140 | cgi-bin.exe
3116 | cgi-bin.exe
1488 | server.exe
4212 | cgi-bin.exe
1008 | cgi-bin.exe
4032 | server.exe
884 | cgi-bin.exe
4732 | cgi-bin.exe
3564 | server.exe
3180 | cgi-bin.exe
4316 | cgi-bin.exe
1648 | server.exe
4512 | cgi-bin.exe
4160 | cgi-bin.exe
1716 | server.exe
1076 | cgi-bin.exe
1472 | cgi-bin.exe
1592 | server.exe
4928 | cgi-bin.exe
2380 | cgi-bin.exe
3124 | server.exe
4624 | cgi-bin.exe
4752 | cgi-bin.exe
5104 | server.exe
1968 | cgi-bin.exe
4652 | cgi-bin.exe
1936 | server.exe
2120 | cgi-bin.exe
4016 | cgi-bin.exe
3936 | server.exe
1852 | cgi-bin.exe
2008 | cgi-bin.exe
4236 | server.exe
2740 | cgi-bin.exe
1636 | cgi-bin.exe
1056 | server.exe
1388 | cgi-bin.exe
2688 | cgi-bin.exe
2896 | server.exe
1320 | cgi-bin.exe
4660 | cgi-bin.exe
3252 | server.exe
3652 | cgi-bin.exe
2140 | cgi-bin.exe
4768 | server.exe
2572 | cgi-bin.exe
4852 | cgi-bin.exe
Suspicious use of SetThreadContext (16 IoCs)
description | pid | Process | procid_target
PID 4140 set thread context of 3116 | 4140 | cgi-bin.exe | 85
PID 4212 set thread context of 1008 | 4212 | cgi-bin.exe | 90
PID 884 set thread context of 4732 | 884 | cgi-bin.exe | 95
PID 3180 set thread context of 4316 | 3180 | cgi-bin.exe | 100
PID 4512 set thread context of 4160 | 4512 | cgi-bin.exe | 105
PID 1076 set thread context of 1472 | 1076 | cgi-bin.exe | 110
PID 4928 set thread context of 2380 | 4928 | cgi-bin.exe | 115
PID 4624 set thread context of 4752 | 4624 | cgi-bin.exe | 120
PID 1968 set thread context of 4652 | 1968 | cgi-bin.exe | 125
PID 2120 set thread context of 4016 | 2120 | cgi-bin.exe | 132
PID 1852 set thread context of 2008 | 1852 | cgi-bin.exe | 139
PID 2740 set thread context of 1636 | 2740 | cgi-bin.exe | 144
PID 1388 set thread context of 2688 | 1388 | cgi-bin.exe | 150
PID 1320 set thread context of 4660 | 1320 | cgi-bin.exe | 155
PID 3652 set thread context of 2140 | 3652 | cgi-bin.exe | 162
PID 2572 set thread context of 4852 | 2572 | cgi-bin.exe | 167
Drops file in Windows directory (17 IoCs)
description | ioc | Process
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File opened for modification | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
File created | C:\Windows\server.exe | cgi-bin.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cgi-bin.exe
Modifies registry class (16 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cgi-bin.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid | Process
1008 | cgi-bin.exe
1008 | cgi-bin.exe
4732 | cgi-bin.exe
4732 | cgi-bin.exe
4316 | cgi-bin.exe
4316 | cgi-bin.exe
4160 | cgi-bin.exe
4160 | cgi-bin.exe
1472 | cgi-bin.exe
1472 | cgi-bin.exe
2380 | cgi-bin.exe
2380 | cgi-bin.exe
4752 | cgi-bin.exe
4752 | cgi-bin.exe
4652 | cgi-bin.exe
4652 | cgi-bin.exe
4016 | cgi-bin.exe
4016 | cgi-bin.exe
2008 | cgi-bin.exe
2008 | cgi-bin.exe
1636 | cgi-bin.exe
1636 | cgi-bin.exe
2688 | cgi-bin.exe
2688 | cgi-bin.exe
4660 | cgi-bin.exe
4660 | cgi-bin.exe
2140 | cgi-bin.exe
2140 | cgi-bin.exe
4852 | cgi-bin.exe
4852 | cgi-bin.exe
Suspicious use of AdjustPrivilegeToken (32 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4916 | e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
Token: SeDebugPrivilege | 4140 | cgi-bin.exe
Token: SeDebugPrivilege | 1488 | server.exe
Token: SeDebugPrivilege | 4212 | cgi-bin.exe
Token: SeDebugPrivilege | 4032 | server.exe
Token: SeDebugPrivilege | 884 | cgi-bin.exe
Token: SeDebugPrivilege | 3564 | server.exe
Token: SeDebugPrivilege | 3180 | cgi-bin.exe
Token: SeDebugPrivilege | 1648 | server.exe
Token: SeDebugPrivilege | 4512 | cgi-bin.exe
Token: SeDebugPrivilege | 1716 | server.exe
Token: SeDebugPrivilege | 1076 | cgi-bin.exe
Token: SeDebugPrivilege | 1592 | server.exe
Token: SeDebugPrivilege | 4928 | cgi-bin.exe
Token: SeDebugPrivilege | 3124 | server.exe
Token: SeDebugPrivilege | 4624 | cgi-bin.exe
Token: SeDebugPrivilege | 5104 | server.exe
Token: SeDebugPrivilege | 1968 | cgi-bin.exe
Token: SeDebugPrivilege | 1936 | server.exe
Token: SeDebugPrivilege | 2120 | cgi-bin.exe
Token: SeDebugPrivilege | 3936 | server.exe
Token: SeDebugPrivilege | 1852 | cgi-bin.exe
Token: SeDebugPrivilege | 4236 | server.exe
Token: SeDebugPrivilege | 2740 | cgi-bin.exe
Token: SeDebugPrivilege | 1056 | server.exe
Token: SeDebugPrivilege | 1388 | cgi-bin.exe
Token: SeDebugPrivilege | 2896 | server.exe
Token: SeDebugPrivilege | 1320 | cgi-bin.exe
Token: SeDebugPrivilege | 3252 | server.exe
Token: SeDebugPrivilege | 3652 | cgi-bin.exe
Token: SeDebugPrivilege | 4768 | server.exe
Token: SeDebugPrivilege | 2572 | cgi-bin.exe
Suspicious use of SetWindowsHookEx (32 IoCs)
pid | Process
4916 | e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
4140 | cgi-bin.exe
1488 | server.exe
4212 | cgi-bin.exe
4032 | server.exe
884 | cgi-bin.exe
3564 | server.exe
3180 | cgi-bin.exe
1648 | server.exe
4512 | cgi-bin.exe
1716 | server.exe
1076 | cgi-bin.exe
1592 | server.exe
4928 | cgi-bin.exe
3124 | server.exe
4624 | cgi-bin.exe
5104 | server.exe
1968 | cgi-bin.exe
1936 | server.exe
2120 | cgi-bin.exe
3936 | server.exe
1852 | cgi-bin.exe
4236 | server.exe
2740 | cgi-bin.exe
1056 | server.exe
1388 | cgi-bin.exe
2896 | server.exe
1320 | cgi-bin.exe
3252 | server.exe
3652 | cgi-bin.exe
4768 | server.exe
2572 | cgi-bin.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4916 wrote to memory of 4140 | 4916 | e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe | 82
PID 4916 wrote to memory of 4140 | 4916 | e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe | 82
PID 4916 wrote to memory of 4140 | 4916 | e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe | 82
PID 4916 wrote to memory of 2996 | 4916 | e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe | 83
PID 4916 wrote to memory of 2996 | 4916 | e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe | 83
PID 4916 wrote to memory of 2996 | 4916 | e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe | 83
PID 4140 wrote to memory of 3116 | 4140 | cgi-bin.exe | 85
PID 4140 wrote to memory of 3116 | 4140 | cgi-bin.exe | 85
PID 4140 wrote to memory of 3116 | 4140 | cgi-bin.exe | 85
PID 4140 wrote to memory of 3116 | 4140 | cgi-bin.exe | 85
PID 4140 wrote to memory of 3116 | 4140 | cgi-bin.exe | 85
PID 4140 wrote to memory of 3116 | 4140 | cgi-bin.exe | 85
PID 4140 wrote to memory of 3116 | 4140 | cgi-bin.exe | 85
PID 4140 wrote to memory of 3116 | 4140 | cgi-bin.exe | 85
PID 4140 wrote to memory of 3116 | 4140 | cgi-bin.exe | 85
PID 4140 wrote to memory of 3116 | 4140 | cgi-bin.exe | 85
PID 4140 wrote to memory of 3116 | 4140 | cgi-bin.exe | 85
PID 4140 wrote to memory of 3116 | 4140 | cgi-bin.exe | 85
PID 4140 wrote to memory of 3116 | 4140 | cgi-bin.exe | 85
PID 3116 wrote to memory of 1488 | 3116 | cgi-bin.exe | 86
PID 3116 wrote to memory of 1488 | 3116 | cgi-bin.exe | 86
PID 3116 wrote to memory of 1488 | 3116 | cgi-bin.exe | 86
PID 1488 wrote to memory of 4212 | 1488 | server.exe | 87
PID 1488 wrote to memory of 4212 | 1488 | server.exe | 87
PID 1488 wrote to memory of 4212 | 1488 | server.exe | 87
PID 1488 wrote to memory of 1644 | 1488 | server.exe | 88
PID 1488 wrote to memory of 1644 | 1488 | server.exe | 88
PID 1488 wrote to memory of 1644 | 1488 | server.exe | 88
PID 4212 wrote to memory of 1008 | 4212 | cgi-bin.exe | 90
PID 4212 wrote to memory of 1008 | 4212 | cgi-bin.exe | 90
PID 4212 wrote to memory of 1008 | 4212 | cgi-bin.exe | 90
PID 4212 wrote to memory of 1008 | 4212 | cgi-bin.exe | 90
PID 4212 wrote to memory of 1008 | 4212 | cgi-bin.exe | 90
PID 4212 wrote to memory of 1008 | 4212 | cgi-bin.exe | 90
PID 4212 wrote to memory of 1008 | 4212 | cgi-bin.exe | 90
PID 4212 wrote to memory of 1008 | 4212 | cgi-bin.exe | 90
PID 4212 wrote to memory of 1008 | 4212 | cgi-bin.exe | 90
PID 4212 wrote to memory of 1008 | 4212 | cgi-bin.exe | 90
PID 4212 wrote to memory of 1008 | 4212 | cgi-bin.exe | 90
PID 4212 wrote to memory of 1008 | 4212 | cgi-bin.exe | 90
PID 4212 wrote to memory of 1008 | 4212 | cgi-bin.exe | 90
PID 1008 wrote to memory of 4032 | 1008 | cgi-bin.exe | 91
PID 1008 wrote to memory of 4032 | 1008 | cgi-bin.exe | 91
PID 1008 wrote to memory of 4032 | 1008 | cgi-bin.exe | 91
PID 4032 wrote to memory of 884 | 4032 | server.exe | 92
PID 4032 wrote to memory of 884 | 4032 | server.exe | 92
PID 4032 wrote to memory of 884 | 4032 | server.exe | 92
PID 4032 wrote to memory of 5048 | 4032 | server.exe | 93
PID 4032 wrote to memory of 5048 | 4032 | server.exe | 93
PID 4032 wrote to memory of 5048 | 4032 | server.exe | 93
PID 884 wrote to memory of 4732 | 884 | cgi-bin.exe | 95
PID 884 wrote to memory of 4732 | 884 | cgi-bin.exe | 95
PID 884 wrote to memory of 4732 | 884 | cgi-bin.exe | 95
PID 884 wrote to memory of 4732 | 884 | cgi-bin.exe | 95
PID 884 wrote to memory of 4732 | 884 | cgi-bin.exe | 95
PID 884 wrote to memory of 4732 | 884 | cgi-bin.exe | 95
PID 884 wrote to memory of 4732 | 884 | cgi-bin.exe | 95
PID 884 wrote to memory of 4732 | 884 | cgi-bin.exe | 95
PID 884 wrote to memory of 4732 | 884 | cgi-bin.exe | 95
PID 884 wrote to memory of 4732 | 884 | cgi-bin.exe | 95
PID 884 wrote to memory of 4732 | 884 | cgi-bin.exe | 95
PID 884 wrote to memory of 4732 | 884 | cgi-bin.exe | 95
PID 884 wrote to memory of 4732 | 884 | cgi-bin.exe | 95
PID 4732 wrote to memory of 3564 | 4732 | cgi-bin.exe | 96
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4916

Depth 2: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4140

Depth 3: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3116

Depth 4: C:\Windows\server.exe
Command line: "C:\Windows\server.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1488

Depth 5: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4212

Depth 6: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1008

Depth 7: C:\Users\Admin\AppData\Roaming\server.exe
Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4032

Depth 8: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 884

Depth 9: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4732

Depth 10: C:\Users\Admin\AppData\Roaming\server.exe
Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 3564

Depth 11: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 3180

Depth 12: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4316

Depth 13: C:\Users\Admin\AppData\Roaming\server.exe
Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1648

Depth 14: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 4512

Depth 15: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4160

Depth 16: C:\Users\Admin\AppData\Roaming\server.exe
Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1716

Depth 17: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1076

Depth 18: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1472

Depth 19: C:\Users\Admin\AppData\Roaming\server.exe
Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1592

Depth 20: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 4928

Depth 21: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2380

Depth 22: C:\Users\Admin\AppData\Roaming\server.exe
Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 3124

Depth 23: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 4624

Depth 24: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4752

Depth 25: C:\Users\Admin\AppData\Roaming\server.exe
Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 5104

Depth 26: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1968

Depth 27: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4652

Depth 28: C:\Users\Admin\AppData\Roaming\server.exe
Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1936

Depth 29: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2120

Depth 30: C:\Users\Admin\appdata\local\temp\cgi-bin.exe
Command line: "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4016

Depth 31: C:\Users\Admin\AppData\Roaming\server.exe
Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3936 -
C:\Users\Admin\appdata\local\temp\cgi-bin.exe"C:\Users\Admin\appdata\local\temp\cgi-bin.exe"32⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1852 -
C:\Users\Admin\appdata\local\temp\cgi-bin.exe"C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe33⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2008 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"34⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4236 -
C:\Users\Admin\appdata\local\temp\cgi-bin.exe"C:\Users\Admin\appdata\local\temp\cgi-bin.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2740 -
C:\Users\Admin\appdata\local\temp\cgi-bin.exe"C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe36⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1636 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"37⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1056 -
C:\Users\Admin\appdata\local\temp\cgi-bin.exe"C:\Users\Admin\appdata\local\temp\cgi-bin.exe"38⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1388 -
C:\Users\Admin\appdata\local\temp\cgi-bin.exe"C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe39⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2688 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"40⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2896 -
C:\Users\Admin\appdata\local\temp\cgi-bin.exe"C:\Users\Admin\appdata\local\temp\cgi-bin.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1320 -
C:\Users\Admin\appdata\local\temp\cgi-bin.exe"C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe42⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4660 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"43⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3252 -
C:\Users\Admin\appdata\local\temp\cgi-bin.exe"C:\Users\Admin\appdata\local\temp\cgi-bin.exe"44⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3652 -
C:\Users\Admin\appdata\local\temp\cgi-bin.exe"C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe45⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2140 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"46⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4768 -
C:\Users\Admin\appdata\local\temp\cgi-bin.exe"C:\Users\Admin\appdata\local\temp\cgi-bin.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2572 -
C:\Users\Admin\appdata\local\temp\cgi-bin.exe"C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe48⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4852 -
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 49⤵
PID:4624
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 50⤵
PID:1604
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 51⤵
PID:3488
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 52⤵
PID:1588
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 53⤵
PID:3224
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 54⤵
PID:1660
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 55⤵
PID:4788
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 56⤵
PID:3044
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 57⤵
PID:3360
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 58⤵
PID:4576
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 59⤵
PID:1276
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 60⤵
PID:3352
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 61⤵
PID:332
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 62⤵
PID:3252
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 63⤵
PID:4432
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 64⤵
PID:1232
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 65⤵
PID:4768
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 66⤵
PID:1436
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 67⤵
PID:2896
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 68⤵
PID:1276
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 69⤵
PID:2604
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 70⤵
PID:4792
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 71⤵
PID:4420
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 72⤵
PID:460
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 73⤵
PID:3576
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 74⤵
PID:1300
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 75⤵
PID:3564
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 76⤵
PID:1588
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 77⤵
PID:1068
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 78⤵
PID:1952
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 79⤵
PID:4768
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 80⤵
PID:1944
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 81⤵
PID:884
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 82⤵
PID:3432
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 83⤵
PID:3892
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 84⤵
PID:4288
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 85⤵
PID:756
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 86⤵
PID:892
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 87⤵
PID:1068
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 88⤵
PID:1500
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 89⤵
PID:1600
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 90⤵
PID:4860
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 91⤵
PID:1956
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 92⤵
PID:2420
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 93⤵
PID:2340
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 94⤵
PID:4008
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 95⤵
PID:2512
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 96⤵
PID:1056
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 97⤵
PID:2420
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 98⤵
PID:8
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 99⤵
PID:3680
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 100⤵
PID:3440
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 101⤵
PID:4868
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 102⤵
PID:1468
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 103⤵
PID:4736
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 104⤵
PID:2508
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 105⤵
PID:8
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 106⤵
PID:892
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 107⤵
PID:3948
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 108⤵
PID:880
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 109⤵
PID:3364
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 110⤵
PID:2512
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 111⤵
PID:884
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 112⤵
PID:4340
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 113⤵
PID:1600
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 114⤵
PID:1700
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 115⤵
PID:1668
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 116⤵
PID:3688
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 117⤵
PID:2792
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 118⤵
PID:4152
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 119⤵
PID:3820
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe 120⤵
PID:5212
C:\Users\Admin\AppData\Roaming\server.exe "C:\Users\Admin\AppData\Roaming\server.exe" 121⤵
PID:5268
C:\Users\Admin\appdata\local\temp\cgi-bin.exe "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" 122⤵
PID:5348