Malware Analysis Report

2024-10-19 07:33

Sample ID 240725-sl2ssazana
Target 701e418837c6325340b5b4e3cdc30803_JaffaCakes118
SHA256 a6d49f10562fc3a4e5110847859ec9e69a1bf8ec0e6829dbca5c95c2ef68dc1f
Tags
darkcomet guest16 discovery evasion persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a6d49f10562fc3a4e5110847859ec9e69a1bf8ec0e6829dbca5c95c2ef68dc1f

Threat Level: Known bad

The file 701e418837c6325340b5b4e3cdc30803_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16 discovery evasion persistence rat trojan

Modifies WinLogon for persistence

Windows security bypass

Darkcomet

Modifies security service

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Sets file to hidden

Windows security modification

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Modifies registry class

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-07-25 15:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 15:13

Reported

2024-07-25 15:20

Platform

win7-20240708-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A

Disables Task Manager via registry modification

evasion

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\ | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\ | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
File created | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\ | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1956 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1956 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1956 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1956 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1956 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe
PID 1956 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe
PID 1956 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe
PID 1956 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe
PID 1736 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1736 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1736 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1736 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1736 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1736 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1736 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1736 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1736 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1736 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1736 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1736 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 1736 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 2196 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2196 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\notepad.exe
PID 2932 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2932 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2932 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2932 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2876 wrote to memory of 1944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2876 wrote to memory of 1944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2876 wrote to memory of 1944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2876 wrote to memory of 1944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2196 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2196 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2196 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2196 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\hstj.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2924 wrote to memory of 2648 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2924 wrote to memory of 2648 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2924 wrote to memory of 2648 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2924 wrote to memory of 2648 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2924 wrote to memory of 2648 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\hstj.exe

"C:\Users\Admin\AppData\Local\Temp\hstj.exe"

C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe

"C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe"

C:\Users\Admin\AppData\Local\Temp\hstj.exe

C:\Users\Admin\AppData\Local\Temp\hstj.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\hstj.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp\hstj.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

"C:\Windows\system32\MSDCSC\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC" +s +h

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

"C:\Windows\system32\MSDCSC\JjcA0G04gMqw\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

"C:\Windows\system32\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | darkcomet2013.no-ip.biz | udp
N/A | 192.168.1.71:1500 |  | tcp
N/A | 192.168.1.71:1500 |  | tcp
N/A | 192.168.1.71:1500 |  | tcp
N/A | 192.168.1.71:1500 |  | tcp
N/A | 192.168.1.71:1500 |  | tcp
N/A | 192.168.1.71:1500 |  | tcp

Files

memory/1956-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

memory/1956-1-0x0000000000940000-0x0000000000950000-memory.dmp

memory/1956-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hstj.exe

MD5 7bbe2da9d59af22de8ef4ae7a9c4d94d
SHA1 d699be178976118eb2ebb193144ce173031cdf2b
SHA256 db940a7ef59596660c87b4bc91e0cbd4cd46e7853dca836348bf046b68fde50a
SHA512 4415847ac260501d9d0ef447a6e4e74489c8ae53e9fd8ae4d01cf97adb733ec6dccb02bdd344d6713b7d7ac367e4045ba97121c02c92d582d172c9d0417e620a

memory/1736-13-0x0000000000020000-0x0000000000023000-memory.dmp

memory/1736-12-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe

MD5 c8083b3690812fd277fb980f46d68b16
SHA1 7fa7426988fe56396e089b2b0d9b50f8e3159436
SHA256 57e1e5f734ea8d0d1aebf39a6aeb8a26ccba872dd47bb282fe439987efe10aed
SHA512 f402bd9aee318c32d2f8e74fc937e88116d96bb1619910020bac28ac1b05f00a1825f34d544ad4debb23e7c0cce1a214c1ba72d56808eb51a5d1933a6a8b3ef6

memory/2196-24-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1736-23-0x0000000000370000-0x0000000000392000-memory.dmp

memory/2196-37-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1956-41-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

memory/2196-40-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1736-43-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2196-39-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1712-38-0x00000000003D0000-0x00000000003EC000-memory.dmp

memory/2196-35-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2196-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2196-33-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2196-32-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2196-31-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2196-30-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2196-28-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2196-26-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2196-29-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2196-46-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1660-76-0x0000000000150000-0x0000000000151000-memory.dmp

memory/1660-48-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2196-84-0x0000000005400000-0x0000000005422000-memory.dmp

memory/2196-89-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2924-90-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2196-85-0x0000000005400000-0x0000000005422000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-940600906-3464502421-4240639183-1000\699c4b9cdebca7aaea5193cae8a50098_c13b6b87-25b1-4e34-a420-7feacfe0b8db

MD5 5b63d4dd8c04c88c0e30e494ec6a609a
SHA1 884d5a8bdc25fe794dc22ef9518009dcf0069d09
SHA256 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd
SHA512 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

memory/2924-115-0x0000000000400000-0x0000000000422000-memory.dmp

memory/336-161-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2648-153-0x0000000003E40000-0x0000000003E62000-memory.dmp

memory/336-185-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2180-223-0x0000000003E40000-0x0000000003E62000-memory.dmp

memory/2476-231-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2476-256-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 15:13

Reported

2024-07-25 15:22

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe" C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\ C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\ C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\ C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\ C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4984 set thread context of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 3516 set thread context of 1692 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 432 set thread context of 4472 N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
PID 3804 set thread context of 3312 N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
PID 4384 set thread context of 1632 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2956 set thread context of 1888 N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
PID 4428 set thread context of 4520 N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
PID 4336 set thread context of 3744 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2956 set thread context of 2496 N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
PID 5108 set thread context of 5000 N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
PID 736 set thread context of 1716 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 1148 set thread context of 5108 N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
PID 768 set thread context of 1140 N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 32 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 32 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 32 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 32 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe
PID 32 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe
PID 32 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 4984 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Users\Admin\AppData\Local\Temp\hstj.exe
PID 2404 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 2404 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\notepad.exe
PID 4324 wrote to memory of 4192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4324 wrote to memory of 4192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4324 wrote to memory of 4192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1980 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1980 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1980 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2404 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2404 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2404 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\hstj.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3516 wrote to memory of 1692 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3516 wrote to memory of 1692 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3516 wrote to memory of 1692 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3516 wrote to memory of 1692 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3516 wrote to memory of 1692 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3516 wrote to memory of 1692 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3516 wrote to memory of 1692 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3516 wrote to memory of 1692 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3516 wrote to memory of 1692 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3516 wrote to memory of 1692 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3516 wrote to memory of 1692 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3516 wrote to memory of 1692 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\hstj.exe

"C:\Users\Admin\AppData\Local\Temp\hstj.exe"

C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe

"C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe"

C:\Users\Admin\AppData\Local\Temp\hstj.exe

C:\Users\Admin\AppData\Local\Temp\hstj.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\hstj.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp\hstj.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

"C:\Windows\system32\MSDCSC\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

"C:\Windows\system32\MSDCSC\JjcA0G04gMqw\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

"C:\Windows\system32\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

"C:\Windows\system32\MSDCSC\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC" +s +h

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

"C:\Windows\system32\MSDCSC\JjcA0G04gMqw\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

"C:\Windows\system32\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

"C:\Windows\system32\MSDCSC\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC" +s +h

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

"C:\Windows\system32\MSDCSC\JjcA0G04gMqw\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

"C:\Windows\system32\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

"C:\Windows\system32\MSDCSC\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC" +s +h

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

"C:\Windows\system32\MSDCSC\JjcA0G04gMqw\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

"C:\Windows\system32\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe"

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 darkcomet2013.no-ip.biz udp
N/A 192.168.1.71:1500 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 darkcomet2013.no-ip.biz udp
N/A 192.168.1.71:1500 tcp
US 8.8.8.8:53 darkcomet2013.no-ip.biz udp
N/A 192.168.1.71:1500 tcp

Files

memory/32-0-0x00007FF9D9C83000-0x00007FF9D9C85000-memory.dmp

memory/32-1-0x0000000000050000-0x0000000000060000-memory.dmp

memory/32-2-0x00007FF9D9C80000-0x00007FF9DA741000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hstj.exe

MD5 7bbe2da9d59af22de8ef4ae7a9c4d94d
SHA1 d699be178976118eb2ebb193144ce173031cdf2b
SHA256 db940a7ef59596660c87b4bc91e0cbd4cd46e7853dca836348bf046b68fde50a
SHA512 4415847ac260501d9d0ef447a6e4e74489c8ae53e9fd8ae4d01cf97adb733ec6dccb02bdd344d6713b7d7ac367e4045ba97121c02c92d582d172c9d0417e620a

C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe

MD5 c8083b3690812fd277fb980f46d68b16
SHA1 7fa7426988fe56396e089b2b0d9b50f8e3159436
SHA256 57e1e5f734ea8d0d1aebf39a6aeb8a26ccba872dd47bb282fe439987efe10aed
SHA512 f402bd9aee318c32d2f8e74fc937e88116d96bb1619910020bac28ac1b05f00a1825f34d544ad4debb23e7c0cce1a214c1ba72d56808eb51a5d1933a6a8b3ef6

memory/4984-21-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4984-27-0x00000000001C0000-0x00000000001C3000-memory.dmp

memory/868-31-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

memory/2404-34-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2404-32-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/868-36-0x0000000000620000-0x000000000063C000-memory.dmp

memory/2404-35-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/868-39-0x0000000004EF0000-0x0000000004F8C000-memory.dmp

memory/4984-38-0x0000000000400000-0x0000000000422000-memory.dmp

memory/32-40-0x00007FF9D9C80000-0x00007FF9DA741000-memory.dmp

memory/868-42-0x0000000005540000-0x0000000005AE4000-memory.dmp

memory/2404-41-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/868-43-0x0000000005030000-0x00000000050C2000-memory.dmp

memory/868-44-0x0000000004F90000-0x0000000004F9A000-memory.dmp

memory/868-45-0x00000000051C0000-0x0000000005216000-memory.dmp

memory/2404-48-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1716-50-0x0000000000650000-0x0000000000651000-memory.dmp

memory/2404-109-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2990742725-2267136959-192470804-1000\699c4b9cdebca7aaea5193cae8a50098_788ae237-ee4c-4efc-8ed7-d59fbc591025

MD5 5b63d4dd8c04c88c0e30e494ec6a609a
SHA1 884d5a8bdc25fe794dc22ef9518009dcf0069d09
SHA256 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd
SHA512 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

memory/1692-116-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3516-118-0x0000000000400000-0x0000000000422000-memory.dmp

memory/432-182-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1692-183-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/432-190-0x0000000000400000-0x0000000000422000-memory.dmp

memory/868-194-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

memory/3804-257-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4472-255-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3804-265-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3312-327-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4384-337-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1632-399-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2956-409-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1888-472-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4428-481-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4520-543-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4336-553-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2956-617-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3744-615-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2956-625-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2496-688-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/5108-698-0x0000000000400000-0x0000000000422000-memory.dmp

memory/736-769-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1148-842-0x0000000000400000-0x0000000000422000-memory.dmp

memory/768-913-0x0000000000400000-0x0000000000422000-memory.dmp