darkcomet | 1d34ccc414f59436188e5c8a29963e16b0913b1f148c4f51eafe6ae23176ea55

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/03/2025, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Size

938KB
MD5

83c698151d075740628ae7d8aaf39023
SHA1

f4725174c66a837870f74222b7cc4fa19160731b
SHA256

1d34ccc414f59436188e5c8a29963e16b0913b1f148c4f51eafe6ae23176ea55
SHA512

7a970cc742bb5103c4b7296b6f9ac11ee3870be5a8bebba75ebd2d7a0403dacbf5723b3e13bdd7dd40d628c00678feaf5f86b2a5cbe3d947cbcd23c3fa5bb04d
SSDEEP

24576:2FTqADbP4qXsZejCxQZPUQz/neABpcIssX0viImQG:ETvgqcZnQRUQbeAvcIhGi

Score

10^/10

darkcomet tonkman defense_evasion discovery persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

Tonkman

iiili.in:5300

iiili.in:5310

iiili.in:5320

iiili.in:5330

iiili.in:5340

iiili.in:5350

iiili.in:5360

iiili.in:5370

iiili.in:5380

iiili.in:5390

illiil.in:5300

illiil.in:5310

illiil.in:5320

illiil.in:5330

illiil.in:5340

illiil.in:5350

illiil.in:5360

illiil.in:5370

illiil.in:5380

illiil.in:5390

Mutex

BugTestingReporter

Attributes

gencode
5d7taAMln2CM
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies firewall policy service 3 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2488	netsh.exe
1944	netsh.exe
1756	netsh.exe
1492	netsh.exe
2516	netsh.exe
2464	netsh.exe

Sets file to hidden 1 TTPs 11 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2544	attrib.exe
2228	attrib.exe
1804	attrib.exe
1600	attrib.exe
1736	attrib.exe
2844	attrib.exe
1360	attrib.exe
1772	attrib.exe
2972	attrib.exe
2344	attrib.exe
2528	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
696	errorreporter.exe

Loads dropped DLL 3 IoCs

pid	Process
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvidgfx = "C:\\Users\\Admin\\AppData\\Roaming\\nvidgfx.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvidgfx = "C:\\Users\\Admin\\AppData\\Roaming\\nvidgfx.exe"	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\J:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\L:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\M:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\W:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\G:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\A:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\B:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\E:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\Q:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\T:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\X:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\I:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\V:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\Z:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\N:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\H:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\K:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\R:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\S:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\U:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\Y:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\O:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\P:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\W:	wmplayer.exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\Z:\autorun.inf	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File created	F:\autorun.inf	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File created	D:\autorun.inf	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File created	C:\autorun.inf	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened for modification	C:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 696 set thread context of 2388	696	errorreporter.exe	81

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2972	sc.exe
2344	sc.exe
716	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	errorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Modifies Control Panel 5 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveActive = "1"	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveActive = "1"	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\SCRNSAVE.EXE = "0x1.96cd80p+321ppdata\\Microsoft\\Windows\\(null).scr"	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT = "0"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Show_URLinStatusBar = "yes"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\MINIE	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MINIE\ShowStatusBar = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Show_FullURL = "yes"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Show_StatusBar = "yes"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Users\\Admin\\AppData\\Roaming\\newzip.dat"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\CompressedFolder\ShellNew	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\CompressedFolder\ShellNew\FileName = "C:\\Users\\Admin\\AppData\\Roaming\\newzip.dat"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Users\\Admin\\AppData\\Roaming\\newzip.dat"	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2388	vbc.exe
Token: SeSecurityPrivilege	2388	vbc.exe
Token: SeTakeOwnershipPrivilege	2388	vbc.exe
Token: SeLoadDriverPrivilege	2388	vbc.exe
Token: SeSystemProfilePrivilege	2388	vbc.exe
Token: SeSystemtimePrivilege	2388	vbc.exe
Token: SeProfSingleProcessPrivilege	2388	vbc.exe
Token: SeIncBasePriorityPrivilege	2388	vbc.exe
Token: SeCreatePagefilePrivilege	2388	vbc.exe
Token: SeBackupPrivilege	2388	vbc.exe
Token: SeRestorePrivilege	2388	vbc.exe
Token: SeShutdownPrivilege	2388	vbc.exe
Token: SeDebugPrivilege	2388	vbc.exe
Token: SeSystemEnvironmentPrivilege	2388	vbc.exe
Token: SeChangeNotifyPrivilege	2388	vbc.exe
Token: SeRemoteShutdownPrivilege	2388	vbc.exe
Token: SeUndockPrivilege	2388	vbc.exe
Token: SeManageVolumePrivilege	2388	vbc.exe
Token: SeImpersonatePrivilege	2388	vbc.exe
Token: SeCreateGlobalPrivilege	2388	vbc.exe
Token: 33	2388	vbc.exe
Token: 34	2388	vbc.exe
Token: 35	2388	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2388	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2772	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	30
PID 2156 wrote to memory of 2772	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	30
PID 2156 wrote to memory of 2772	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	30
PID 2156 wrote to memory of 2772	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	30
PID 2772 wrote to memory of 2816	2772	cmd.exe	32
PID 2772 wrote to memory of 2816	2772	cmd.exe	32
PID 2772 wrote to memory of 2816	2772	cmd.exe	32
PID 2772 wrote to memory of 2816	2772	cmd.exe	32
PID 2156 wrote to memory of 2752	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	33
PID 2156 wrote to memory of 2752	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	33
PID 2156 wrote to memory of 2752	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	33
PID 2156 wrote to memory of 2752	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	33
PID 2156 wrote to memory of 2688	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	35
PID 2156 wrote to memory of 2688	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	35
PID 2156 wrote to memory of 2688	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	35
PID 2156 wrote to memory of 2688	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	35
PID 2156 wrote to memory of 2568	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	36
PID 2156 wrote to memory of 2568	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	36
PID 2156 wrote to memory of 2568	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	36
PID 2156 wrote to memory of 2568	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	36
PID 2156 wrote to memory of 1924	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	37
PID 2156 wrote to memory of 1924	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	37
PID 2156 wrote to memory of 1924	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	37
PID 2156 wrote to memory of 1924	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	37
PID 2568 wrote to memory of 2584	2568	cmd.exe	42
PID 2568 wrote to memory of 2584	2568	cmd.exe	42
PID 2568 wrote to memory of 2584	2568	cmd.exe	42
PID 2568 wrote to memory of 2584	2568	cmd.exe	42
PID 1924 wrote to memory of 2756	1924	cmd.exe	41
PID 1924 wrote to memory of 2756	1924	cmd.exe	41
PID 1924 wrote to memory of 2756	1924	cmd.exe	41
PID 1924 wrote to memory of 2756	1924	cmd.exe	41
PID 2688 wrote to memory of 2228	2688	cmd.exe	43
PID 2688 wrote to memory of 2228	2688	cmd.exe	43
PID 2688 wrote to memory of 2228	2688	cmd.exe	43
PID 2688 wrote to memory of 2228	2688	cmd.exe	43
PID 2156 wrote to memory of 2572	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	44
PID 2156 wrote to memory of 2572	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	44
PID 2156 wrote to memory of 2572	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	44
PID 2156 wrote to memory of 2572	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	44
PID 2156 wrote to memory of 2632	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	46
PID 2156 wrote to memory of 2632	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	46
PID 2156 wrote to memory of 2632	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	46
PID 2156 wrote to memory of 2632	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	46
PID 2156 wrote to memory of 2684	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	47
PID 2156 wrote to memory of 2684	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	47
PID 2156 wrote to memory of 2684	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	47
PID 2156 wrote to memory of 2684	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	47
PID 2632 wrote to memory of 1360	2632	cmd.exe	50
PID 2632 wrote to memory of 1360	2632	cmd.exe	50
PID 2632 wrote to memory of 1360	2632	cmd.exe	50
PID 2632 wrote to memory of 1360	2632	cmd.exe	50
PID 2156 wrote to memory of 2000	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	51
PID 2156 wrote to memory of 2000	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	51
PID 2156 wrote to memory of 2000	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	51
PID 2156 wrote to memory of 2000	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	51
PID 2000 wrote to memory of 2440	2000	cmd.exe	53
PID 2000 wrote to memory of 2440	2000	cmd.exe	53
PID 2000 wrote to memory of 2440	2000	cmd.exe	53
PID 2000 wrote to memory of 2440	2000	cmd.exe	53
PID 2156 wrote to memory of 920	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	54
PID 2156 wrote to memory of 920	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	54
PID 2156 wrote to memory of 920	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	54
PID 2156 wrote to memory of 920	2156	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	54

Views/modifies file attributes 1 TTPs 18 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2816	attrib.exe
1600	attrib.exe
2544	attrib.exe
1736	attrib.exe
2972	attrib.exe
2584	attrib.exe
2344	attrib.exe
2844	attrib.exe
1036	attrib.exe
2588	attrib.exe
2756	attrib.exe
2228	attrib.exe
1360	attrib.exe
2440	attrib.exe
1772	attrib.exe
2712	attrib.exe
1804	attrib.exe
2528	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\nvidgfx.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H -S "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "%temp%\nvidgfx.exe" "%appdata%\nvidgfx.exe"
  2⤵
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\nvidgfx.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H +S "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "nvidgfx" /t REG_SZ /d "%appdata%\nvidgfx.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "nvidgfx" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nvidgfx.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\atlsyn.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H -S "C:\Windows\system32\atlsyn.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "%temp%\nvidgfx.exe" "%windir%\system32\atlsyn.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\atlsyn.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H +S "C:\Windows\system32\atlsyn.exe"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows
  2⤵
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\spacedots.scr"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spacedots.scr"
    3⤵
    - Views/modifies file attributes
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "%temp%\nvidgfx.exe" "%appdata%\Microsoft\Windows\spacedots.scr"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\spacedots.scr"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2092
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spacedots.scr"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\spacedots.scr" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1632
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spacedots.scr" /f
    3⤵
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1048
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1780
- C:\Users\Admin\AppData\Roaming\errorreporter.exe
  "C:\Users\Admin\AppData\Roaming\errorreporter.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:696
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      PID:2336
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
        5⤵
        Sets file to hidden
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:1772
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      PID:2360
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        5⤵
        Sets file to hidden
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:1600
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:1860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCR\.zip\ShellNew" /v "FileName" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newzip.dat" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1364
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCR\.zip\ShellNew" /v "FileName" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newzip.dat" /f
    3⤵
    - Modifies registry class
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCR\.zip\CompressedFolder\ShellNew" /v "FileName" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newzip.dat" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1724
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCR\.zip\CompressedFolder\ShellNew" /v "FileName" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newzip.dat" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCR\.rar\ShellNew" /v "FileName" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newzip.dat" /f
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCR\.rar\ShellNew" /v "FileName" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newzip.dat" /f
    3⤵
    - Modifies registry class
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\plugininstall.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2120
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe" "winhttpsvc" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1756
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="winhttpsvc" profile=public dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1492
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 5220 "Open Port 5220"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2516
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Open Port 5220" profile=public dir=in action=allow protocol=TCP localport=5220
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2464
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2488
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode DISABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1944
- - C:\Windows\SysWOW64\sc.exe
    sc config upnphost start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2972
- - C:\Windows\SysWOW64\sc.exe
    sc config SSDPSRV start= auto
    3⤵
    - Launches sc.exe
    PID:2344
- - C:\Windows\SysWOW64\sc.exe
    sc config browser start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:716
- - C:\Windows\SysWOW64\net.exe
    net start seclogon
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start seclogon
      4⤵
      System Location Discovery: System Language Discovery
      PID:1800
- - C:\Windows\SysWOW64\net.exe
    net start upnphost
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start upnphost
      4⤵
      PID:1748
- - C:\Windows\SysWOW64\net.exe
    net start SSDPSRV
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start SSDPSRV
      4⤵
      PID:1680
- - C:\Windows\SysWOW64\net.exe
    net start browser
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start browser
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - Modifies firewall policy service
    - System Location Discovery: System Language Discovery
    PID:2968
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2724
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2596
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2696
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2872
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2568
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2828
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2820
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:328
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2344
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:908
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H "F:\autorun.inf"
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1248
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H "C:\autorun.inf"
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"
  2⤵
  PID:536
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H "F:\protect.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H "C:\protect.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\attrib.exe
    attrib -S -R -H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
    3⤵
    - Views/modifies file attributes
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\attrib.exe
    attrib -S -R -H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
    3⤵
    - Views/modifies file attributes
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\nvidgfx.exe" "C:\protect.bat"
  2⤵
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\nvidgfx.exe" "F:\protect.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:592
- - C:\Windows\SysWOW64\attrib.exe
    attrib +S +R +H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2080
- - C:\Windows\SysWOW64\attrib.exe
    attrib +S +R +H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H "F:\protect.bat"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2208
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H "C:\protect.bat"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\errorreporter.exe

Filesize
692KB

MD5
479f8bcbe5729d18e3c42a9b4aeddfac

SHA1
dcb37fb7bc0c067c08b4d0b60163b00db59cc411

SHA256
7a8efe13b9e02f29c582541a9890282c1e1004b699463517b5ef1de898db8cd3

SHA512
2f980051619245d1eba473fd43bf4046b3a2504bdf053180b2ae65058faa0a097517111853261ff88da944ec520d659fb2ab0236f966056fb2e0158958e35888

Download Submit
C:\Users\Admin\AppData\Roaming\plugininstall.bat

Filesize
2KB

MD5
9592aa50bf0bfeefbc47eb4bdacfbaab

SHA1
21a7b9683f6f1374f5f785882a1c1bd05f392c9e

SHA256
7a6717ff7d2b63a879b504c0826ec8e3cf25d1616035c8fb70c7d0d932e74ed4

SHA512
bfa01bc5c62dbcb3be8f853ca1f1569600f07a3d54b9e19f93fc2353ad201486074c7b9372721e43fb39b0aa3403b010d31475e4d2de8e74fc9719eda3cbcf00

Download Submit
C:\autorun.inf

Filesize
63B

MD5
f64baf418f685884efec59a9d80bc5f6

SHA1
9c90f7a7efd7ef3059837fdeb06b6b781ca6d1e9

SHA256
4b9870b1f52e252451b3fa099e8b270c32ddc6fc29372067be28dcd009ec4e8f

SHA512
dceecd6a564c974c71ceeb544b0dfde70a09315db6d72a50fdbecdc0cf505a7ce52b7a83a9a8c79e8cfbb996c054585da6d7c08bf0026b4d9ecdde5f0a2b2a69

Download Submit
\Users\Admin\AppData\Roaming\auth.dll

Filesize
195KB

MD5
15b8f3be2d9a25def6093dc2d6e1c6b8

SHA1
d9adbe4762882de29e0c1dc4aeddf89016a7f94e

SHA256
6aff3d70fdc4eb3bfaf610fdad422040e25ab82f7d993d88dc94ccd2f5a96c86

SHA512
310a1d6336d4ced1d956fad8b490cafdda697612db0f8e4f98ed7ad76817171cd5af2e8e9778ec803a40a768fa41e52d176f0a2ebc4e6a4182c61b82203d7658

Download Submit
memory/1860-91-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1860-53-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2156-1-0x0000000010000000-0x0000000010100000-memory.dmp

Filesize
1024KB

Download
memory/2388-52-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2388-92-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2388-93-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2388-51-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2388-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2388-48-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2388-46-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2388-44-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2388-42-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2388-40-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2388-38-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2388-36-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2388-34-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download