e0bb93e404ee1f2858f1360e55af52ffd428389c43f8a69a8d0318cda79c9499

Analysis

max time kernel
92s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Size

717KB
MD5

1aef6ee78795c04d46e161af2900ea53
SHA1

64fa4950cd61f624ac6df1ca8f83eb60ab96b849
SHA256

e0bb93e404ee1f2858f1360e55af52ffd428389c43f8a69a8d0318cda79c9499
SHA512

467bec1a949dae06feaced999f4717381342d19d135338c4623ac2de4d231c07762784178fb5e1458c5e96531f9349074f3fff9a3bd60779bc7e8e8df4859a2c
SSDEEP

12288:LhA+xMh1qRIKvx5ciUnnECuFObYBqi07ftmSjVrG8oV09e6RZKx:qgkKvjPaEFFObYj07tdjFvoVWev

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies security service 2 TTPs 64 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	DarkCoderSc.exe

Windows security bypass 2 TTPs 64 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	DarkCoderSc.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
3012	DarkCoderSc.exe
2692	DarkCoderSc.exe
2528	DarkCoderSc.exe
2532	DarkCoderSc.exe
1060	DarkCoderSc.exe
1676	DarkCoderSc.exe
896	DarkCoderSc.exe
1668	DarkCoderSc.exe
2892	DarkCoderSc.exe
2572	DarkCoderSc.exe
2300	DarkCoderSc.exe
2128	DarkCoderSc.exe
2456	DarkCoderSc.exe
1808	DarkCoderSc.exe
1028	DarkCoderSc.exe
2668	DarkCoderSc.exe
1628	DarkCoderSc.exe
1872	DarkCoderSc.exe
1648	DarkCoderSc.exe
1324	DarkCoderSc.exe
1544	DarkCoderSc.exe
1724	DarkCoderSc.exe
2964	DarkCoderSc.exe
2152	DarkCoderSc.exe
2156	DarkCoderSc.exe
2720	DarkCoderSc.exe
2992	DarkCoderSc.exe
2928	DarkCoderSc.exe
1848	DarkCoderSc.exe
1060	DarkCoderSc.exe
1036	DarkCoderSc.exe
1736	DarkCoderSc.exe
1044	DarkCoderSc.exe
1772	DarkCoderSc.exe
2412	DarkCoderSc.exe
1216	DarkCoderSc.exe
2240	DarkCoderSc.exe
1708	DarkCoderSc.exe
1448	DarkCoderSc.exe
556	DarkCoderSc.exe
1556	DarkCoderSc.exe
1804	DarkCoderSc.exe
1516	DarkCoderSc.exe
1152	DarkCoderSc.exe
752	DarkCoderSc.exe
900	DarkCoderSc.exe
1116	DarkCoderSc.exe
872	DarkCoderSc.exe
1620	DarkCoderSc.exe
2148	DarkCoderSc.exe
2160	DarkCoderSc.exe
2152	DarkCoderSc.exe
2156	DarkCoderSc.exe
2720	DarkCoderSc.exe
2936	DarkCoderSc.exe
1832	DarkCoderSc.exe
1848	DarkCoderSc.exe
1060	DarkCoderSc.exe
2676	DarkCoderSc.exe
2272	DarkCoderSc.exe
2664	DarkCoderSc.exe
1772	DarkCoderSc.exe
1484	DarkCoderSc.exe
536	DarkCoderSc.exe

Loads dropped DLL 64 IoCs

pid	Process
2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
3012	DarkCoderSc.exe
3012	DarkCoderSc.exe
2692	DarkCoderSc.exe
2692	DarkCoderSc.exe
2528	DarkCoderSc.exe
2528	DarkCoderSc.exe
2532	DarkCoderSc.exe
2532	DarkCoderSc.exe
1060	DarkCoderSc.exe
1060	DarkCoderSc.exe
1676	DarkCoderSc.exe
1676	DarkCoderSc.exe
896	DarkCoderSc.exe
896	DarkCoderSc.exe
1668	DarkCoderSc.exe
1668	DarkCoderSc.exe
2892	DarkCoderSc.exe
2892	DarkCoderSc.exe
2572	DarkCoderSc.exe
2572	DarkCoderSc.exe
2300	DarkCoderSc.exe
2300	DarkCoderSc.exe
2128	DarkCoderSc.exe
2128	DarkCoderSc.exe
2456	DarkCoderSc.exe
2456	DarkCoderSc.exe
1808	DarkCoderSc.exe
1808	DarkCoderSc.exe
1028	DarkCoderSc.exe
1028	DarkCoderSc.exe
2668	DarkCoderSc.exe
2668	DarkCoderSc.exe
1628	DarkCoderSc.exe
1628	DarkCoderSc.exe
1872	DarkCoderSc.exe
1872	DarkCoderSc.exe
1648	DarkCoderSc.exe
1648	DarkCoderSc.exe
1324	DarkCoderSc.exe
1324	DarkCoderSc.exe
1544	DarkCoderSc.exe
1544	DarkCoderSc.exe
1724	DarkCoderSc.exe
1724	DarkCoderSc.exe
2964	DarkCoderSc.exe
2964	DarkCoderSc.exe
2152	DarkCoderSc.exe
2152	DarkCoderSc.exe
2156	DarkCoderSc.exe
2156	DarkCoderSc.exe
2720	DarkCoderSc.exe
2720	DarkCoderSc.exe
2992	DarkCoderSc.exe
2992	DarkCoderSc.exe
2928	DarkCoderSc.exe
2928	DarkCoderSc.exe
1848	DarkCoderSc.exe
1848	DarkCoderSc.exe
1060	DarkCoderSc.exe
1060	DarkCoderSc.exe
1036	DarkCoderSc.exe
1036	DarkCoderSc.exe

Windows security modification 2 TTPs 64 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	DarkCoderSc.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometRAT = "C:\\Windows\\system32\\windows\\DarkCoderSc.exe"	DarkCoderSc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\	DarkCoderSc.exe
File opened for modification	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe
File created	C:\Windows\SysWOW64\windows\DarkCoderSc.exe	DarkCoderSc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeSecurityPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeBackupPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeRestorePrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeShutdownPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeDebugPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeUndockPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: 33	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: 34	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: 35	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3012	DarkCoderSc.exe
Token: SeSecurityPrivilege	3012	DarkCoderSc.exe
Token: SeTakeOwnershipPrivilege	3012	DarkCoderSc.exe
Token: SeLoadDriverPrivilege	3012	DarkCoderSc.exe
Token: SeSystemProfilePrivilege	3012	DarkCoderSc.exe
Token: SeSystemtimePrivilege	3012	DarkCoderSc.exe
Token: SeProfSingleProcessPrivilege	3012	DarkCoderSc.exe
Token: SeIncBasePriorityPrivilege	3012	DarkCoderSc.exe
Token: SeCreatePagefilePrivilege	3012	DarkCoderSc.exe
Token: SeBackupPrivilege	3012	DarkCoderSc.exe
Token: SeRestorePrivilege	3012	DarkCoderSc.exe
Token: SeShutdownPrivilege	3012	DarkCoderSc.exe
Token: SeDebugPrivilege	3012	DarkCoderSc.exe
Token: SeSystemEnvironmentPrivilege	3012	DarkCoderSc.exe
Token: SeChangeNotifyPrivilege	3012	DarkCoderSc.exe
Token: SeRemoteShutdownPrivilege	3012	DarkCoderSc.exe
Token: SeUndockPrivilege	3012	DarkCoderSc.exe
Token: SeManageVolumePrivilege	3012	DarkCoderSc.exe
Token: SeImpersonatePrivilege	3012	DarkCoderSc.exe
Token: SeCreateGlobalPrivilege	3012	DarkCoderSc.exe
Token: 33	3012	DarkCoderSc.exe
Token: 34	3012	DarkCoderSc.exe
Token: 35	3012	DarkCoderSc.exe
Token: SeIncreaseQuotaPrivilege	2692	DarkCoderSc.exe
Token: SeSecurityPrivilege	2692	DarkCoderSc.exe
Token: SeTakeOwnershipPrivilege	2692	DarkCoderSc.exe
Token: SeLoadDriverPrivilege	2692	DarkCoderSc.exe
Token: SeSystemProfilePrivilege	2692	DarkCoderSc.exe
Token: SeSystemtimePrivilege	2692	DarkCoderSc.exe
Token: SeProfSingleProcessPrivilege	2692	DarkCoderSc.exe
Token: SeIncBasePriorityPrivilege	2692	DarkCoderSc.exe
Token: SeCreatePagefilePrivilege	2692	DarkCoderSc.exe
Token: SeBackupPrivilege	2692	DarkCoderSc.exe
Token: SeRestorePrivilege	2692	DarkCoderSc.exe
Token: SeShutdownPrivilege	2692	DarkCoderSc.exe
Token: SeDebugPrivilege	2692	DarkCoderSc.exe
Token: SeSystemEnvironmentPrivilege	2692	DarkCoderSc.exe
Token: SeChangeNotifyPrivilege	2692	DarkCoderSc.exe
Token: SeRemoteShutdownPrivilege	2692	DarkCoderSc.exe
Token: SeUndockPrivilege	2692	DarkCoderSc.exe
Token: SeManageVolumePrivilege	2692	DarkCoderSc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3012	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe	28
PID 2884 wrote to memory of 3012	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe	28
PID 2884 wrote to memory of 3012	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe	28
PID 2884 wrote to memory of 3012	2884	1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe	28
PID 3012 wrote to memory of 2692	3012	DarkCoderSc.exe	29
PID 3012 wrote to memory of 2692	3012	DarkCoderSc.exe	29
PID 3012 wrote to memory of 2692	3012	DarkCoderSc.exe	29
PID 3012 wrote to memory of 2692	3012	DarkCoderSc.exe	29
PID 2692 wrote to memory of 2528	2692	DarkCoderSc.exe	30
PID 2692 wrote to memory of 2528	2692	DarkCoderSc.exe	30
PID 2692 wrote to memory of 2528	2692	DarkCoderSc.exe	30
PID 2692 wrote to memory of 2528	2692	DarkCoderSc.exe	30
PID 2528 wrote to memory of 2532	2528	DarkCoderSc.exe	31
PID 2528 wrote to memory of 2532	2528	DarkCoderSc.exe	31
PID 2528 wrote to memory of 2532	2528	DarkCoderSc.exe	31
PID 2528 wrote to memory of 2532	2528	DarkCoderSc.exe	31
PID 2532 wrote to memory of 1060	2532	DarkCoderSc.exe	32
PID 2532 wrote to memory of 1060	2532	DarkCoderSc.exe	32
PID 2532 wrote to memory of 1060	2532	DarkCoderSc.exe	32
PID 2532 wrote to memory of 1060	2532	DarkCoderSc.exe	32
PID 1060 wrote to memory of 1676	1060	DarkCoderSc.exe	33
PID 1060 wrote to memory of 1676	1060	DarkCoderSc.exe	33
PID 1060 wrote to memory of 1676	1060	DarkCoderSc.exe	33
PID 1060 wrote to memory of 1676	1060	DarkCoderSc.exe	33
PID 1676 wrote to memory of 896	1676	DarkCoderSc.exe	34
PID 1676 wrote to memory of 896	1676	DarkCoderSc.exe	34
PID 1676 wrote to memory of 896	1676	DarkCoderSc.exe	34
PID 1676 wrote to memory of 896	1676	DarkCoderSc.exe	34
PID 896 wrote to memory of 1668	896	DarkCoderSc.exe	35
PID 896 wrote to memory of 1668	896	DarkCoderSc.exe	35
PID 896 wrote to memory of 1668	896	DarkCoderSc.exe	35
PID 896 wrote to memory of 1668	896	DarkCoderSc.exe	35
PID 1668 wrote to memory of 2892	1668	DarkCoderSc.exe	36
PID 1668 wrote to memory of 2892	1668	DarkCoderSc.exe	36
PID 1668 wrote to memory of 2892	1668	DarkCoderSc.exe	36
PID 1668 wrote to memory of 2892	1668	DarkCoderSc.exe	36
PID 2892 wrote to memory of 2572	2892	DarkCoderSc.exe	37
PID 2892 wrote to memory of 2572	2892	DarkCoderSc.exe	37
PID 2892 wrote to memory of 2572	2892	DarkCoderSc.exe	37
PID 2892 wrote to memory of 2572	2892	DarkCoderSc.exe	37
PID 2572 wrote to memory of 2300	2572	DarkCoderSc.exe	38
PID 2572 wrote to memory of 2300	2572	DarkCoderSc.exe	38
PID 2572 wrote to memory of 2300	2572	DarkCoderSc.exe	38
PID 2572 wrote to memory of 2300	2572	DarkCoderSc.exe	38
PID 2300 wrote to memory of 2128	2300	DarkCoderSc.exe	39
PID 2300 wrote to memory of 2128	2300	DarkCoderSc.exe	39
PID 2300 wrote to memory of 2128	2300	DarkCoderSc.exe	39
PID 2300 wrote to memory of 2128	2300	DarkCoderSc.exe	39
PID 2128 wrote to memory of 2456	2128	DarkCoderSc.exe	40
PID 2128 wrote to memory of 2456	2128	DarkCoderSc.exe	40
PID 2128 wrote to memory of 2456	2128	DarkCoderSc.exe	40
PID 2128 wrote to memory of 2456	2128	DarkCoderSc.exe	40
PID 2456 wrote to memory of 1808	2456	DarkCoderSc.exe	41
PID 2456 wrote to memory of 1808	2456	DarkCoderSc.exe	41
PID 2456 wrote to memory of 1808	2456	DarkCoderSc.exe	41
PID 2456 wrote to memory of 1808	2456	DarkCoderSc.exe	41
PID 1808 wrote to memory of 1028	1808	DarkCoderSc.exe	42
PID 1808 wrote to memory of 1028	1808	DarkCoderSc.exe	42
PID 1808 wrote to memory of 1028	1808	DarkCoderSc.exe	42
PID 1808 wrote to memory of 1028	1808	DarkCoderSc.exe	42
PID 1028 wrote to memory of 2668	1028	DarkCoderSc.exe	43
PID 1028 wrote to memory of 2668	1028	DarkCoderSc.exe	43
PID 1028 wrote to memory of 2668	1028	DarkCoderSc.exe	43
PID 1028 wrote to memory of 2668	1028	DarkCoderSc.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	DarkCoderSc.exe

C:\Users\Admin\AppData\Local\Temp\1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1aef6ee78795c04d46e161af2900ea53_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\windows\DarkCoderSc.exe
  "C:\Windows\system32\windows\DarkCoderSc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\windows\DarkCoderSc.exe
    "C:\Windows\system32\windows\DarkCoderSc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\windows\DarkCoderSc.exe
      "C:\Windows\system32\windows\DarkCoderSc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        5⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:896
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        9⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        10⤵
        Modifies security service
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        14⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        15⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        16⤵
        Modifies security service
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        17⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        18⤵
        Modifies security service
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        
        PID:1628
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1872
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1648
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        21⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        System policy modification
        
        PID:1324
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1544
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        
        PID:1724
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2152
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        26⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        27⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2720
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2992
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        29⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2928
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        30⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1848
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        31⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System policy modification
        
        PID:1060
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        32⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1036
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        33⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        34⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        35⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        System policy modification
        
        PID:2412
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        37⤵
        Executes dropped EXE
        Windows security modification
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        38⤵
        Windows security bypass
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        39⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        40⤵
        Executes dropped EXE
        System policy modification
        
        PID:1448
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        41⤵
        Windows security bypass
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1556
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        43⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        44⤵
        Modifies security service
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        45⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        System policy modification
        
        PID:1152
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        46⤵
        Executes dropped EXE
        Windows security modification
        
        PID:752
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        47⤵
        Executes dropped EXE
        Windows security modification
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        48⤵
        Modifies security service
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        49⤵
        Windows security bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1620
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        System policy modification
        
        PID:2148
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        System policy modification
        
        PID:2160
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System policy modification
        
        PID:2152
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        54⤵
        Executes dropped EXE
        Windows security modification
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        55⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        56⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        57⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        58⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1060
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        60⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:2676
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        61⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        62⤵
        Modifies security service
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        63⤵
        Modifies security service
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1772
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        64⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        65⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        66⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        
        PID:1680
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        67⤵
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        68⤵
        Modifies security service
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1912
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        69⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        System policy modification
        
        PID:2000
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        70⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        71⤵
        Modifies security service
        Disables RegEdit via registry modification
        
        PID:496
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        72⤵
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        73⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        74⤵
        Windows security modification
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        75⤵
        System policy modification
        
        PID:2064
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        76⤵
        Windows security modification
        
        PID:1612
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        77⤵
        Windows security bypass
        Drops file in System32 directory
        System policy modification
        
        PID:2824
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        79⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        80⤵
        Windows security modification
        Adds Run key to start application
        
        PID:2744
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        81⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        
        PID:2492
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        82⤵
        Windows security modification
        
        PID:2920
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        83⤵
        Modifies security service
        Windows security modification
        
        PID:2720
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        84⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        85⤵
        Windows security modification
        System policy modification
        
        PID:1376
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        86⤵
        Disables RegEdit via registry modification
        
        PID:1848
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        87⤵
        Modifies security service
        Adds Run key to start application
        
        PID:1036
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        88⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1776
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        89⤵
        Drops file in System32 directory
        System policy modification
        
        PID:2688
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        90⤵
        Modifies security service
        Adds Run key to start application
        System policy modification
        
        PID:2876
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        91⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        92⤵
        Disables RegEdit via registry modification
        
        PID:2184
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        93⤵
        Modifies security service
        System policy modification
        
        PID:2016
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        94⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        95⤵
        System policy modification
        
        PID:1500
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        96⤵
        Windows security bypass
        
        PID:1496
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        97⤵
        Adds Run key to start application
        System policy modification
        
        PID:1880
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        98⤵
        Modifies security service
        Disables RegEdit via registry modification
        Windows security modification
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        99⤵
        Modifies security service
        Disables RegEdit via registry modification
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        100⤵
        Modifies security service
        Windows security bypass
        
        PID:2024
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        101⤵
        Modifies security service
        
        PID:2264
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        102⤵
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        103⤵
        Disables RegEdit via registry modification
        
        PID:1564
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        104⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        105⤵
        Modifies security service
        Disables RegEdit via registry modification
        Windows security modification
        
        PID:2144
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        106⤵
        Modifies security service
        Adds Run key to start application
        
        PID:2380
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        107⤵
        Windows security modification
        
        PID:2696
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        108⤵
        Windows security bypass
        Drops file in System32 directory
        System policy modification
        
        PID:2704
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        109⤵
        Disables RegEdit via registry modification
        Windows security modification
        System policy modification
        
        PID:2844
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        110⤵
        Windows security bypass
        Disables RegEdit via registry modification
        Windows security modification
        
        PID:1992
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        111⤵
        Disables RegEdit via registry modification
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        112⤵
        Modifies security service
        Windows security modification
        
        PID:2936
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        113⤵
        Windows security bypass
        System policy modification
        
        PID:2420
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        114⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        115⤵
        Adds Run key to start application
        
        PID:1136
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        116⤵
        Windows security modification
        
        PID:1776
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        117⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        118⤵
        Disables RegEdit via registry modification
        
        PID:2812
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        119⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        120⤵
        Modifies security service
        Disables RegEdit via registry modification
        
        PID:2032
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        121⤵
        Modifies security service
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        122⤵
        Disables RegEdit via registry modification
        Windows security modification
        Adds Run key to start application
        
        PID:2304
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        123⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        124⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        125⤵
        Disables RegEdit via registry modification
        Windows security modification
        
        PID:844
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        126⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        127⤵
        Modifies security service
        
        PID:952
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        128⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        129⤵
        Disables RegEdit via registry modification
        
        PID:2264
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        130⤵
        Windows security modification
        
        PID:2332
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        131⤵
        System policy modification
        
        PID:2340
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        132⤵
        System policy modification
        
        PID:2148
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        133⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        134⤵
        System policy modification
        
        PID:2160
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        135⤵
        Adds Run key to start application
        Drops file in System32 directory
        System policy modification
        
        PID:2700
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        136⤵
        Windows security bypass
        
        PID:2568
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        137⤵
        System policy modification
        
        PID:2844
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        138⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        System policy modification
        
        PID:2920
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        139⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        140⤵
        Disables RegEdit via registry modification
        Adds Run key to start application
        System policy modification
        
        PID:2936
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        141⤵
        Modifies security service
        Windows security modification
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        142⤵
        Adds Run key to start application
        System policy modification
        
        PID:2544
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        143⤵
        Disables RegEdit via registry modification
        
        PID:1136
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        144⤵
        Adds Run key to start application
        
        PID:1596
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        145⤵
        Adds Run key to start application
        
        PID:876
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        146⤵
        Adds Run key to start application
        
        PID:2812
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        147⤵
        Disables RegEdit via registry modification
        
        PID:1012
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        148⤵
        Modifies security service
        Windows security bypass
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:596
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        149⤵
        
        PID:576
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        150⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        151⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        152⤵
        Windows security bypass
        Windows security modification
        
        PID:1160
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        153⤵
        Windows security bypass
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        154⤵
        Modifies security service
        Windows security bypass
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        155⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        156⤵
        Modifies security service
        Windows security bypass
        
        PID:1460
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        157⤵
        Modifies security service
        
        PID:2200
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        158⤵
        Modifies security service
        Windows security bypass
        Disables RegEdit via registry modification
        
        PID:2820
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        159⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        160⤵
        Modifies security service
        
        PID:2836
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        161⤵
        Windows security modification
        
        PID:2524
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        162⤵
        Windows security modification
        
        PID:2176
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        163⤵
        System policy modification
        
        PID:2484
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        164⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2460
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        165⤵
        Modifies security service
        Windows security bypass
        Adds Run key to start application
        
        PID:2920
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        166⤵
        Windows security modification
        
        PID:1332
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        167⤵
        Adds Run key to start application
        
        PID:2936
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        168⤵
        
        PID:896
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        169⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        170⤵
        Windows security bypass
        
        PID:1388
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        171⤵
        Windows security modification
        Adds Run key to start application
        
        PID:684
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        172⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        173⤵
        Windows security bypass
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        174⤵
        Modifies security service
        Windows security bypass
        Adds Run key to start application
        Drops file in System32 directory
        System policy modification
        
        PID:2572
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        175⤵
        Windows security bypass
        
        PID:812
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        176⤵
        Modifies security service
        
        PID:1912
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        177⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        178⤵
        Drops file in System32 directory
        
        PID:496
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        179⤵
        Windows security modification
        System policy modification
        
        PID:1532
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        180⤵
        Modifies security service
        Windows security bypass
        Adds Run key to start application
        
        PID:1700
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        181⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        182⤵
        Disables RegEdit via registry modification
        
        PID:2332
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        183⤵
        Adds Run key to start application
        
        PID:2768
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        184⤵
        Modifies security service
        Windows security modification
        
        PID:2968
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        185⤵
        Adds Run key to start application
        
        PID:2620
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        186⤵
        Disables RegEdit via registry modification
        Windows security modification
        Adds Run key to start application
        
        PID:2632
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        187⤵
        Adds Run key to start application
        
        PID:2644
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        188⤵
        Modifies security service
        Windows security bypass
        Adds Run key to start application
        
        PID:2516
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        189⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        190⤵
        Modifies security service
        
        PID:800
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        191⤵
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        192⤵
        Windows security bypass
        System policy modification
        
        PID:1676
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        193⤵
        Adds Run key to start application
        System policy modification
        
        PID:1780
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        194⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        195⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        196⤵
        System policy modification
        
        PID:1752
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        197⤵
        Windows security bypass
        System policy modification
        
        PID:2940
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        198⤵
        Disables RegEdit via registry modification
        
        PID:2184
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        199⤵
        Modifies security service
        
        PID:2876
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        200⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        201⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        202⤵
        Modifies security service
        Windows security bypass
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        203⤵
        Windows security bypass
        Windows security modification
        
        PID:972
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        204⤵
        Modifies security service
        Windows security bypass
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        205⤵
        Modifies security service
        Drops file in System32 directory
        System policy modification
        
        PID:1132
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        206⤵
        Adds Run key to start application
        
        PID:884
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        207⤵
        Modifies security service
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2400
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        208⤵
        Windows security modification
        Adds Run key to start application
        
        PID:1544
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        209⤵
        Disables RegEdit via registry modification
        
        PID:2884
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        210⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        211⤵
        Modifies security service
        
        PID:2488
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        212⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        213⤵
        Modifies security service
        Windows security bypass
        
        PID:2524
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        214⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        215⤵
        Windows security bypass
        
        PID:2484
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        216⤵
        Disables RegEdit via registry modification
        Windows security modification
        
        PID:2460
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        217⤵
        Modifies security service
        Disables RegEdit via registry modification
        
        PID:320
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        218⤵
        System policy modification
        
        PID:2564
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        219⤵
        Modifies security service
        
        PID:932
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        220⤵
        Modifies security service
        Disables RegEdit via registry modification
        Windows security modification
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        221⤵
        Modifies security service
        Windows security bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        222⤵
        Adds Run key to start application
        System policy modification
        
        PID:2544
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        223⤵
        Modifies security service
        Adds Run key to start application
        
        PID:688
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        224⤵
        Modifies security service
        Windows security bypass
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        225⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        226⤵
        Windows security modification
        
        PID:1764
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        227⤵
        System policy modification
        
        PID:268
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        228⤵
        Modifies security service
        Disables RegEdit via registry modification
        
        PID:1496
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        229⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        230⤵
        Adds Run key to start application
        
        PID:1924
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        231⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        System policy modification
        
        PID:1532
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        232⤵
        System policy modification
        
        PID:1156
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        233⤵
        System policy modification
        
        PID:1180
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        234⤵
        Modifies security service
        
        PID:2956
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        235⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        236⤵
        Adds Run key to start application
        
        PID:3016
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        237⤵
        System policy modification
        
        PID:2740
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        238⤵
        Disables RegEdit via registry modification
        
        PID:2568
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        239⤵
        Adds Run key to start application
        System policy modification
        
        PID:1796
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        240⤵
        Windows security modification
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        241⤵
        Windows security bypass
        Windows security modification
        
        PID:2836
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        242⤵
        Windows security modification
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        243⤵
        Disables RegEdit via registry modification
        
        PID:816
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        244⤵
        Windows security modification
        Adds Run key to start application
        System policy modification
        
        PID:1376
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        245⤵
        Windows security bypass
        Disables RegEdit via registry modification
        Windows security modification
        
        PID:1036
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        246⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        247⤵
        Modifies security service
        Adds Run key to start application
        
        PID:1624
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        248⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        249⤵
        Windows security bypass
        Windows security modification
        
        PID:1632
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        250⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        251⤵
        Modifies security service
        
        PID:2412
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        252⤵
        Modifies security service
        Adds Run key to start application
        
        PID:536
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        253⤵
        Disables RegEdit via registry modification
        
        PID:2432
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        254⤵
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        255⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        256⤵
        Disables RegEdit via registry modification
        Windows security modification
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        257⤵
        Windows security bypass
        Disables RegEdit via registry modification
        Windows security modification
        
        PID:2668
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        258⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2212
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        259⤵
        Modifies security service
        
        PID:1500
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        260⤵
        Drops file in System32 directory
        
        PID:496
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        261⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        262⤵
        Disables RegEdit via registry modification
        
        PID:1156
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        263⤵
        Windows security bypass
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        264⤵
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        265⤵
        Windows security modification
        Drops file in System32 directory
        System policy modification
        
        PID:2344
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        266⤵
        Modifies security service
        System policy modification
        
        PID:2488
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        267⤵
        Modifies security service
        Windows security bypass
        Adds Run key to start application
        System policy modification
        
        PID:2712
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        268⤵
        Adds Run key to start application
        
        PID:2072
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        269⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        270⤵
        
        PID:840
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        271⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2536
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        272⤵
        Windows security bypass
        System policy modification
        
        PID:1672
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        273⤵
        Windows security modification
        Adds Run key to start application
        
        PID:2916
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        274⤵
        Modifies security service
        Drops file in System32 directory
        System policy modification
        
        PID:1844
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        275⤵
        Disables RegEdit via registry modification
        
        PID:1060
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        276⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        277⤵
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        278⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        279⤵
        Adds Run key to start application
        
        PID:1388
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        280⤵
        Windows security bypass
        
        PID:2296
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        281⤵
        Drops file in System32 directory
        System policy modification
        
        PID:2128
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        282⤵
        Windows security bypass
        Disables RegEdit via registry modification
        
        PID:348
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        283⤵
        Disables RegEdit via registry modification
        Windows security modification
        
        PID:1204
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        284⤵
        Drops file in System32 directory
        
        PID:444
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        285⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        286⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        287⤵
        Disables RegEdit via registry modification
        
        PID:1048
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        288⤵
        Disables RegEdit via registry modification
        
        PID:2020
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        289⤵
        Adds Run key to start application
        
        PID:564
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        290⤵
        Windows security modification
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        291⤵
        Modifies security service
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2768
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        292⤵
        Modifies security service
        Windows security modification
        
        PID:1884
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        293⤵
        Modifies security service
        Disables RegEdit via registry modification
        Adds Run key to start application
        
        PID:1724
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        294⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        295⤵
        Windows security bypass
        
        PID:2724
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        296⤵
        Disables RegEdit via registry modification
        
        PID:2712
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        297⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        298⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        299⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        300⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        301⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        302⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        303⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        304⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        305⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        306⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        307⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        308⤵
        
        PID:680
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        309⤵
        
        PID:684
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        310⤵
        
        PID:784
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        311⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        312⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        313⤵
        
        PID:444
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        314⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        315⤵
        
        PID:612
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        316⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        317⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        318⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        319⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        320⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        321⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        322⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        323⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        324⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        325⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        326⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        327⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        328⤵
        
        PID:944
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        329⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        330⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        331⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        332⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        333⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        334⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        335⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        336⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        337⤵
        
        PID:680
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        338⤵
        
        PID:596
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        339⤵
        
        PID:784
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        340⤵
        
        PID:968
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        341⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        342⤵
        
        PID:268
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        343⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        344⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        345⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        346⤵
        
        PID:564
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        347⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        348⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        349⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        350⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        351⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        352⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        353⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        354⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        355⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        356⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        357⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        358⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        359⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        360⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        361⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        362⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        363⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        364⤵
        
        PID:828
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        365⤵
        
        PID:572
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        366⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        367⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        368⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        369⤵
        
        PID:684
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        370⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        371⤵
        
        PID:268
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        372⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        373⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        374⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        375⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        376⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        377⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        378⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        379⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        380⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        381⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        382⤵
        
        PID:840
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        383⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        384⤵
        
        PID:816
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        385⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        386⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        387⤵
        
        PID:932
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        388⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        389⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        390⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        391⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        392⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        393⤵
        
        PID:828
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        394⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        395⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        396⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        397⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        398⤵
        
        PID:444
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        399⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        400⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        401⤵
        
        PID:960
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        402⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        403⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        404⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        405⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        406⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        407⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        408⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        409⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        410⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        411⤵
        
        PID:840
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        412⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        413⤵
        
        PID:816
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        414⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        415⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        416⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        417⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        418⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        419⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        420⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        421⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        422⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        423⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        424⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        425⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        426⤵
        
        PID:616
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        427⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        428⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        429⤵
        
        PID:952
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        430⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        431⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        432⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        433⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        434⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        435⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        436⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        437⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        438⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        439⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        440⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        441⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        442⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        443⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        444⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        445⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        446⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        447⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        448⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        449⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        450⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        451⤵
        
        PID:596
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        452⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        453⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        454⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        455⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        456⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        457⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        458⤵
        
        PID:952
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        459⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        460⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        461⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        462⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        463⤵
        
        PID:900
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        464⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        465⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        466⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        467⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        468⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        469⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        470⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        471⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        472⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        473⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        474⤵
        
        PID:320
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        475⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        476⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        477⤵
        
        PID:688
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        478⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        479⤵
        
        PID:572
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        480⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        481⤵
        
        PID:576
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        482⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        483⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        484⤵
        
        PID:752
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        485⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        486⤵
        
        PID:920
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        487⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        488⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\windows\DarkCoderSc.exe
        
        "C:\Windows\system32\windows\DarkCoderSc.exe"
        489⤵
        
        PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\windows\DarkCoderSc.exe

Filesize
717KB

MD5
1aef6ee78795c04d46e161af2900ea53

SHA1
64fa4950cd61f624ac6df1ca8f83eb60ab96b849

SHA256
e0bb93e404ee1f2858f1360e55af52ffd428389c43f8a69a8d0318cda79c9499

SHA512
467bec1a949dae06feaced999f4717381342d19d135338c4623ac2de4d231c07762784178fb5e1458c5e96531f9349074f3fff9a3bd60779bc7e8e8df4859a2c

Download Submit
memory/556-107-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/752-112-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/872-115-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/896-41-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/900-113-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1028-77-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1036-98-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1044-100-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1060-33-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1060-125-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1060-97-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1116-114-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1152-111-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1216-103-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1324-87-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1448-106-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1484-130-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1516-110-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1544-88-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1556-108-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1620-116-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1628-84-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1648-86-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1668-46-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1676-37-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1708-105-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1724-89-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1736-99-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1772-101-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1772-129-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1804-109-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1808-73-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1832-123-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1848-96-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1848-124-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1872-85-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2128-64-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2148-117-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2152-91-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2152-119-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2156-120-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2156-92-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2160-118-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2240-104-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2272-127-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2300-59-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2412-102-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2456-68-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2528-25-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2532-29-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2572-55-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2664-128-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2668-81-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2676-126-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2692-21-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2720-93-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2720-121-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2884-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2884-11-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2892-50-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2928-95-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2936-122-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2964-90-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2992-94-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3012-16-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads