Analysis Overview
SHA256
a08d9bbcf25cda6dbd708cb5381df841f494f822e9ae26224212b70c0123f759
Threat Level: Known bad
The file 160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Darkcomet family
Modifies WinLogon for persistence
Darkcomet
UPX packed file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 12:41
Signatures
Darkcomet family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 12:41
Reported
2024-06-27 12:43
Platform
win7-20240221-en
Max time kernel
144s
Max time network
123s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe" | C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\mssvc32.exe" | C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\ | C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe"
C:\Windows\SysWOW64\MSSVC\mssvc32.exe
"C:\Windows\system32\MSSVC\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"
Network
Files
memory/1876-0-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1876-1-0x00000000003E0000-0x00000000003E1000-memory.dmp
\Windows\SysWOW64\MSSVC\mssvc32.exe
| MD5 | 160c1f5dd0587c3b49fb893abacf6882 |
| SHA1 | 1ccb65f16de6a144beb4abc70b4dd6f6b924fb4f |
| SHA256 | a08d9bbcf25cda6dbd708cb5381df841f494f822e9ae26224212b70c0123f759 |
| SHA512 | 586cb880d6365925984f78e90510846976befc81f3bd73c5bf1d9894b197b35846216a0540616296e2987977d09bbcc107d571005430e89fcc1eb7983b674574 |
memory/2480-15-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1876-14-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1876-12-0x00000000040B0000-0x000000000416D000-memory.dmp
memory/2480-27-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2532-29-0x0000000000400000-0x00000000004BD000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/768-44-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2532-43-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2240-58-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/768-57-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2240-70-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2132-84-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2012-85-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2012-97-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2012-98-0x0000000003F50000-0x000000000400D000-memory.dmp
memory/1944-110-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1672-112-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2928-128-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1672-127-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1672-125-0x0000000003DB0000-0x0000000003E6D000-memory.dmp
memory/2928-141-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/816-150-0x0000000003D00000-0x0000000003DBD000-memory.dmp
memory/816-155-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2156-156-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2156-169-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1424-170-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1424-182-0x0000000003DE0000-0x0000000003E9D000-memory.dmp
memory/1424-184-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2312-185-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2312-198-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2544-207-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2364-208-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2364-217-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2352-226-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1436-235-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1448-236-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1512-246-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1448-245-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1512-255-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/936-265-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1980-264-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1272-275-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/936-274-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1272-284-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/996-285-0x0000000000400000-0x00000000004BD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-27 12:41
Reported
2024-06-27 12:43
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe" | C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
Executes dropped EXE
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\mssvc32.exe" | C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe" | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
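The Winlogon\UserInit rows and the Run key rows above show one persistence pattern from two angles. The stock UserInit value on a default Windows install is the single entry C:\Windows\system32\userinit.exe (followed by a trailing comma); every copy of mssvc32.exe rewrites the value with its own path appended, so the list grows with each nested drop, and the same process also points the per-user Run value Ntwrksvc32 at whichever copy it just wrote. The Process column reads C:\Windows\SysWOW64\... while the registry strings say system32 because the sample is 32-bit and WOW64 file-system redirection sends its System32 writes to SysWOW64; the strings in the registry are the ones winlogon and Explorer will later read. The script below is an added example, not part of the sandbox report and not the malware's own code. It parses indicator lines in the same shape as the rows above (constructed, shortened copies of the writes shown plus one benign Run entry for contrast), lists the UserInit entries beyond the stock one, measures how many times a directory name repeats inside those paths (aW1mC3x94Zf8 appears twice in the deepest entry), and flags Run values that launch from a subdirectory of System32 or SysWOW64. That last rule is a heuristic chosen for the example, not something the report states.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample input in the shape of the "Set value (str)" rows above
# (registry path = "value"). Rows 1-2 are shortened copies of the UserInit
# writes, row 3 is the Run key write, row 4 is a benign entry added for contrast.
SAMPLE_EVENTS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSSVC\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\mssvc32.exe,C:\\Windows\\system32\\MSSVC\\aW1mC3x94Zf8\\aW1mC3x94Zf8\\mssvc32.exe"',
    r'\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntwrksvc32 = "C:\\Windows\\system32\\MSSVC\\mssvc32.exe"',
    r'\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
]

# The only entry in UserInit on a stock Windows install (the value is "...userinit.exe,").
EXPECTED_USERINIT = {"c:\\windows\\system32\\userinit.exe"}

# Heuristic chosen for this example (not from the report): user software does not
# normally autostart from a subdirectory of these two system directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_event(line: str) -> Dict[str, str]:
    """Split '<key>\\<name> = "<data>"' into key path, value name and unescaped data."""
    path, _, quoted = line.partition(' = "')
    key, _, name = path.rpartition("\\")
    data = quoted.rstrip('"').replace("\\\\", "\\")  # the report prints backslashes doubled
    return {"key": key, "name": name, "data": data}


def userinit_entries(data: str) -> List[str]:
    """UserInit is a comma-separated list; winlogon launches every entry at logon."""
    return [p.strip() for p in data.split(",") if p.strip()]


def extra_userinit_entries(data: str) -> List[str]:
    """Entries beyond the stock userinit.exe, i.e. the persistence payloads."""
    return [p for p in userinit_entries(data) if p.lower() not in EXPECTED_USERINIT]


def repeated_component_depth(path: str) -> int:
    """Highest repeat count of a single directory name inside the path.
    A value above 1 is the self-nesting drop pattern (MSSVC\\X\\X\\mssvc32.exe)."""
    dirs = path.lower().split("\\")[1:-1]  # drop the drive letter and the file name
    return max(Counter(dirs).values(), default=0)


def run_entry_is_suspicious(data: str) -> bool:
    """True when a Run value launches an executable from a subdirectory of System32/SysWOW64."""
    exe = data.lower().strip('"').split(" /")[0]
    return any(exe.startswith(d) and exe.count("\\") > d.count("\\") for d in SYSTEM_DIRS)


def analyze(events: List[str]) -> Dict[str, object]:
    """Summarise persistence indicators from a list of registry 'Set value' lines."""
    extra: List[str] = []
    nesting = 0
    run_hits: List[Tuple[str, str]] = []
    for ev in map(parse_event, events):
        key = ev["key"].lower()
        if key.endswith("\\winlogon") and ev["name"].lower() == "userinit":
            for entry in extra_userinit_entries(ev["data"]):
                if entry not in extra:
                    extra.append(entry)
                nesting = max(nesting, repeated_component_depth(entry))
        elif key.endswith("\\currentversion\\run") and run_entry_is_suspicious(ev["data"]):
            run_hits.append((ev["name"], ev["data"]))
    return {"userinit_extra": extra, "userinit_max_nesting": nesting, "run_suspicious": run_hits}


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

On the sample input the script reports three non-stock UserInit entries, a maximum directory repeat of 2, and one suspicious Run value (Ntwrksvc32); the OneDrive entry is not flagged. On a live host the same functions can be fed the output of a registry export of the two keys, and a UserInit list with anything beyond userinit.exe is worth treating as a finding on its own, independent of the Run key.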
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\ | C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| File created | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSSVC\mssvc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\160c1f5dd0587c3b49fb893abacf6882_JaffaCakes118.exe"
C:\Windows\SysWOW64\MSSVC\mssvc32.exe
"C:\Windows\system32\MSSVC\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\mssvc32.exe"
C:\Windows\SysWOW64\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe
"C:\Windows\system32\MSSVC\aW1mC3x94Zf8\aW1mC3x94Zf8\mssvc32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\MSSVC\mssvc32.exe
| MD5 | 160c1f5dd0587c3b49fb893abacf6882 |
| SHA1 | 1ccb65f16de6a144beb4abc70b4dd6f6b924fb4f |
| SHA256 | a08d9bbcf25cda6dbd708cb5381df841f494f822e9ae26224212b70c0123f759 |
| SHA512 | 586cb880d6365925984f78e90510846976befc81f3bd73c5bf1d9894b197b35846216a0540616296e2987977d09bbcc107d571005430e89fcc1eb7983b674574 |