darkcomet | b2145db16c8b923e9734aa05cd5c05a160aabc24f6e4fd81cea5e95ffe14973b

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b8413f3c5293f5469a55af23f502e3e9.exe
Size

6.6MB
MD5

b8413f3c5293f5469a55af23f502e3e9
SHA1

38c42a6edc62b48af0795166b146f0cdead1ee00
SHA256

b2145db16c8b923e9734aa05cd5c05a160aabc24f6e4fd81cea5e95ffe14973b
SHA512

1d7697b58a015d2ca688a754d42fc4eeff7b3680ab437afe2fcbabcc9505695156b50756bad5ecb570f0a58beb047f09f99dc079077a2640519c21134f87d7a2
SSDEEP

196608:aaP5IKXAaH0CdugLKVI2htNnEfK0A5t5ApVzDyuD:aaDXAKT62K0A5nA/zDyI

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

loveayada.zapto.org:82

Mutex

DC_MUTEX-QLHXCM9

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
t4ncNQbXdKme
install
true
offline_keylogger
true
password
ayada
persistence
true
reg_key
MicroUpdate

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	123.exe

Modifies firewall policy service 3 TTPs 64 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe

Modifies security service 2 TTPs 22 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe

Windows security bypass 2 TTPs 44 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation	123.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\123.exe	JaffaCakes118_b8413f3c5293f5469a55af23f502e3e9.exe

Executes dropped EXE 48 IoCs

pid	Process
2996	123.exe
3084	Pro Facebook Hack v 1.5.exe
4668	autorun.exe
1064	123.exe
2956	msdcsc.exe
5584	msdcsc.exe
1048	msdcsc.exe
3496	msdcsc.exe
956	msdcsc.exe
2600	msdcsc.exe
3792	msdcsc.exe
5760	msdcsc.exe
2488	msdcsc.exe
224	msdcsc.exe
3532	msdcsc.exe
3756	msdcsc.exe
4512	msdcsc.exe
4712	msdcsc.exe
6040	msdcsc.exe
5668	msdcsc.exe
4664	msdcsc.exe
5284	msdcsc.exe
1964	msdcsc.exe
4216	msdcsc.exe
1184	msdcsc.exe
1540	msdcsc.exe
4360	msdcsc.exe
5920	msdcsc.exe
1648	msdcsc.exe
3792	msdcsc.exe
2832	msdcsc.exe
3692	msdcsc.exe
1456	msdcsc.exe
5264	msdcsc.exe
1268	msdcsc.exe
1712	msdcsc.exe
4280	msdcsc.exe
5412	msdcsc.exe
5980	msdcsc.exe
5336	msdcsc.exe
4484	msdcsc.exe
4704	msdcsc.exe
6056	msdcsc.exe
5388	msdcsc.exe
4620	msdcsc.exe
828	msdcsc.exe
4688	msdcsc.exe
4648	msdcsc.exe

Loads dropped DLL 1 IoCs

pid	Process
4668	autorun.exe

Windows security modification 2 TTPs 44 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	123.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\desktop.ini	Pro Facebook Hack v 1.5.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\desktop.ini	Pro Facebook Hack v 1.5.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/5564-23-0x0000000000400000-0x00000000004D6000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 23 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 1064	2996	123.exe	90
PID 2956 set thread context of 1048	2956	msdcsc.exe	96
PID 5584 set thread context of 956	5584	msdcsc.exe	100
PID 3496 set thread context of 2600	3496	msdcsc.exe	102
PID 3792 set thread context of 5760	3792	msdcsc.exe	106
PID 2488 set thread context of 224	2488	msdcsc.exe	111
PID 3532 set thread context of 3756	3532	msdcsc.exe	118
PID 4512 set thread context of 4712	4512	msdcsc.exe	126
PID 6040 set thread context of 5668	6040	msdcsc.exe	130
PID 4664 set thread context of 5284	4664	msdcsc.exe	134
PID 1964 set thread context of 4216	1964	msdcsc.exe	139
PID 1184 set thread context of 1540	1184	msdcsc.exe	143
PID 4360 set thread context of 5920	4360	msdcsc.exe	147
PID 1648 set thread context of 3792	1648	msdcsc.exe	151
PID 2832 set thread context of 3692	2832	msdcsc.exe	155
PID 1456 set thread context of 5264	1456	msdcsc.exe	159
PID 1268 set thread context of 1712	1268	msdcsc.exe	163
PID 4280 set thread context of 5412	4280	msdcsc.exe	167
PID 5980 set thread context of 5336	5980	msdcsc.exe	171
PID 4484 set thread context of 4704	4484	msdcsc.exe	175
PID 6056 set thread context of 5388	6056	msdcsc.exe	179
PID 4620 set thread context of 828	4620	msdcsc.exe	183
PID 4688 set thread context of 4648	4688	msdcsc.exe	187

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5564-0-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/5564-23-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1064-215-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1064-218-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1064-219-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1064-217-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1064-256-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1048-262-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1048-263-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1048-266-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1048-265-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1048-264-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1048-261-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/956-279-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/956-283-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2600-292-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2600-290-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/5760-307-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/5760-303-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1048-308-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1048-310-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/224-319-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/224-321-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1048-324-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/3756-334-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/3756-335-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1048-338-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/4712-348-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/4712-349-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1048-352-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/5668-365-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/5284-380-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/4216-395-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1540-410-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/5920-424-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/3792-439-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/3692-452-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/5264-467-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1712-482-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/5412-497-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/5336-512-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/4704-527-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/5388-540-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/828-553-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/4648-567-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pro Facebook Hack v 1.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b8413f3c5293f5469a55af23f502e3e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autorun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	123.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4668	autorun.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	6112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6112	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	1064	123.exe
Token: SeSecurityPrivilege	1064	123.exe
Token: SeTakeOwnershipPrivilege	1064	123.exe
Token: SeLoadDriverPrivilege	1064	123.exe
Token: SeSystemProfilePrivilege	1064	123.exe
Token: SeSystemtimePrivilege	1064	123.exe
Token: SeProfSingleProcessPrivilege	1064	123.exe
Token: SeIncBasePriorityPrivilege	1064	123.exe
Token: SeCreatePagefilePrivilege	1064	123.exe
Token: SeBackupPrivilege	1064	123.exe
Token: SeRestorePrivilege	1064	123.exe
Token: SeShutdownPrivilege	1064	123.exe
Token: SeDebugPrivilege	1064	123.exe
Token: SeSystemEnvironmentPrivilege	1064	123.exe
Token: SeChangeNotifyPrivilege	1064	123.exe
Token: SeRemoteShutdownPrivilege	1064	123.exe
Token: SeUndockPrivilege	1064	123.exe
Token: SeManageVolumePrivilege	1064	123.exe
Token: SeImpersonatePrivilege	1064	123.exe
Token: SeCreateGlobalPrivilege	1064	123.exe
Token: 33	1064	123.exe
Token: 34	1064	123.exe
Token: 35	1064	123.exe
Token: 36	1064	123.exe
Token: SeIncreaseQuotaPrivilege	1048	msdcsc.exe
Token: SeSecurityPrivilege	1048	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1048	msdcsc.exe
Token: SeLoadDriverPrivilege	1048	msdcsc.exe
Token: SeSystemProfilePrivilege	1048	msdcsc.exe
Token: SeSystemtimePrivilege	1048	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1048	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1048	msdcsc.exe
Token: SeCreatePagefilePrivilege	1048	msdcsc.exe
Token: SeBackupPrivilege	1048	msdcsc.exe
Token: SeRestorePrivilege	1048	msdcsc.exe
Token: SeShutdownPrivilege	1048	msdcsc.exe
Token: SeDebugPrivilege	1048	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1048	msdcsc.exe
Token: SeChangeNotifyPrivilege	1048	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1048	msdcsc.exe
Token: SeUndockPrivilege	1048	msdcsc.exe
Token: SeManageVolumePrivilege	1048	msdcsc.exe
Token: SeImpersonatePrivilege	1048	msdcsc.exe
Token: SeCreateGlobalPrivilege	1048	msdcsc.exe
Token: 33	1048	msdcsc.exe
Token: 34	1048	msdcsc.exe
Token: 35	1048	msdcsc.exe
Token: 36	1048	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	956	msdcsc.exe
Token: SeSecurityPrivilege	956	msdcsc.exe
Token: SeTakeOwnershipPrivilege	956	msdcsc.exe
Token: SeLoadDriverPrivilege	956	msdcsc.exe
Token: SeSystemProfilePrivilege	956	msdcsc.exe
Token: SeSystemtimePrivilege	956	msdcsc.exe
Token: SeProfSingleProcessPrivilege	956	msdcsc.exe
Token: SeIncBasePriorityPrivilege	956	msdcsc.exe
Token: SeCreatePagefilePrivilege	956	msdcsc.exe
Token: SeBackupPrivilege	956	msdcsc.exe
Token: SeRestorePrivilege	956	msdcsc.exe
Token: SeShutdownPrivilege	956	msdcsc.exe
Token: SeDebugPrivilege	956	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	956	msdcsc.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2996	123.exe
3084	Pro Facebook Hack v 1.5.exe
4668	autorun.exe
4668	autorun.exe
4668	autorun.exe
4668	autorun.exe
4668	autorun.exe
2956	msdcsc.exe
5584	msdcsc.exe
1048	msdcsc.exe
3496	msdcsc.exe
3792	msdcsc.exe
2488	msdcsc.exe
3532	msdcsc.exe
4512	msdcsc.exe
6040	msdcsc.exe
4664	msdcsc.exe
1964	msdcsc.exe
1184	msdcsc.exe
4360	msdcsc.exe
1648	msdcsc.exe
2832	msdcsc.exe
1456	msdcsc.exe
1268	msdcsc.exe
4280	msdcsc.exe
5980	msdcsc.exe
4484	msdcsc.exe
6056	msdcsc.exe
4620	msdcsc.exe
4688	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5564 wrote to memory of 2996	5564	JaffaCakes118_b8413f3c5293f5469a55af23f502e3e9.exe	86
PID 5564 wrote to memory of 2996	5564	JaffaCakes118_b8413f3c5293f5469a55af23f502e3e9.exe	86
PID 5564 wrote to memory of 2996	5564	JaffaCakes118_b8413f3c5293f5469a55af23f502e3e9.exe	86
PID 5564 wrote to memory of 3084	5564	JaffaCakes118_b8413f3c5293f5469a55af23f502e3e9.exe	87
PID 5564 wrote to memory of 3084	5564	JaffaCakes118_b8413f3c5293f5469a55af23f502e3e9.exe	87
PID 5564 wrote to memory of 3084	5564	JaffaCakes118_b8413f3c5293f5469a55af23f502e3e9.exe	87
PID 3084 wrote to memory of 4668	3084	Pro Facebook Hack v 1.5.exe	88
PID 3084 wrote to memory of 4668	3084	Pro Facebook Hack v 1.5.exe	88
PID 3084 wrote to memory of 4668	3084	Pro Facebook Hack v 1.5.exe	88
PID 2996 wrote to memory of 1064	2996	123.exe	90
PID 2996 wrote to memory of 1064	2996	123.exe	90
PID 2996 wrote to memory of 1064	2996	123.exe	90
PID 2996 wrote to memory of 1064	2996	123.exe	90
PID 2996 wrote to memory of 1064	2996	123.exe	90
PID 2996 wrote to memory of 1064	2996	123.exe	90
PID 2996 wrote to memory of 1064	2996	123.exe	90
PID 2996 wrote to memory of 1064	2996	123.exe	90
PID 2880 wrote to memory of 2956	2880	cmd.exe	94
PID 2880 wrote to memory of 2956	2880	cmd.exe	94
PID 2880 wrote to memory of 2956	2880	cmd.exe	94
PID 1064 wrote to memory of 5584	1064	123.exe	95
PID 1064 wrote to memory of 5584	1064	123.exe	95
PID 1064 wrote to memory of 5584	1064	123.exe	95
PID 2956 wrote to memory of 1048	2956	msdcsc.exe	96
PID 2956 wrote to memory of 1048	2956	msdcsc.exe	96
PID 2956 wrote to memory of 1048	2956	msdcsc.exe	96
PID 2956 wrote to memory of 1048	2956	msdcsc.exe	96
PID 2956 wrote to memory of 1048	2956	msdcsc.exe	96
PID 2956 wrote to memory of 1048	2956	msdcsc.exe	96
PID 2956 wrote to memory of 1048	2956	msdcsc.exe	96
PID 2956 wrote to memory of 1048	2956	msdcsc.exe	96
PID 2640 wrote to memory of 3496	2640	cmd.exe	99
PID 2640 wrote to memory of 3496	2640	cmd.exe	99
PID 2640 wrote to memory of 3496	2640	cmd.exe	99
PID 5584 wrote to memory of 956	5584	msdcsc.exe	100
PID 5584 wrote to memory of 956	5584	msdcsc.exe	100
PID 5584 wrote to memory of 956	5584	msdcsc.exe	100
PID 5584 wrote to memory of 956	5584	msdcsc.exe	100
PID 5584 wrote to memory of 956	5584	msdcsc.exe	100
PID 5584 wrote to memory of 956	5584	msdcsc.exe	100
PID 5584 wrote to memory of 956	5584	msdcsc.exe	100
PID 5584 wrote to memory of 956	5584	msdcsc.exe	100
PID 3496 wrote to memory of 2600	3496	msdcsc.exe	102
PID 3496 wrote to memory of 2600	3496	msdcsc.exe	102
PID 3496 wrote to memory of 2600	3496	msdcsc.exe	102
PID 3496 wrote to memory of 2600	3496	msdcsc.exe	102
PID 3496 wrote to memory of 2600	3496	msdcsc.exe	102
PID 3496 wrote to memory of 2600	3496	msdcsc.exe	102
PID 3496 wrote to memory of 2600	3496	msdcsc.exe	102
PID 3496 wrote to memory of 2600	3496	msdcsc.exe	102
PID 4944 wrote to memory of 3792	4944	cmd.exe	105
PID 4944 wrote to memory of 3792	4944	cmd.exe	105
PID 4944 wrote to memory of 3792	4944	cmd.exe	105
PID 3792 wrote to memory of 5760	3792	msdcsc.exe	106
PID 3792 wrote to memory of 5760	3792	msdcsc.exe	106
PID 3792 wrote to memory of 5760	3792	msdcsc.exe	106
PID 3792 wrote to memory of 5760	3792	msdcsc.exe	106
PID 3792 wrote to memory of 5760	3792	msdcsc.exe	106
PID 3792 wrote to memory of 5760	3792	msdcsc.exe	106
PID 3792 wrote to memory of 5760	3792	msdcsc.exe	106
PID 3792 wrote to memory of 5760	3792	msdcsc.exe	106
PID 5992 wrote to memory of 2488	5992	cmd.exe	110
PID 5992 wrote to memory of 2488	5992	cmd.exe	110
PID 5992 wrote to memory of 2488	5992	cmd.exe	110

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b8413f3c5293f5469a55af23f502e3e9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b8413f3c5293f5469a55af23f502e3e9.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5564
- C:\Users\Admin\AppData\Local\Temp\123.exe
  C:\Users\Admin\AppData\Local\Temp/123.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\123.exe
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5584
    - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        5⤵
        Modifies firewall policy service
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:956
- C:\Users\Admin\AppData\Local\Temp\Pro Facebook Hack v 1.5.exe
  "C:\Users\Admin\AppData\Local\Temp/Pro Facebook Hack v 1.5.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
    "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\Pro Facebook Hack v 1.5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c4 0x324
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5992
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2488
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3580
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3532
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4364
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4512
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5248
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6040
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4816
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4664
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5368
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1964
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1448
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1184
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5912
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4360
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2776
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1648
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3952
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2832
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3092
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1456
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:256
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1268
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4860
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4280
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5740
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5980
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4520
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4484
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5196
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6056
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3700
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4620
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1260
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4688
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID:4648

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123.exe

Filesize
610KB

MD5
d4d4061986e649291c70481a5a0f6541

SHA1
6e5826b9743321f83846cf4ad2609395b0e8a853

SHA256
d29d299d6402311ff71d09a3caa68b3b5d8aefba1c79308d3c0dd188f1780629

SHA512
e76ce6ce23c7cb51382f931e0eb2db179564bc550490b222aa33b2073450750ab0221047702b802aaedc081eaa28db73053c0b7594175d56b8a7921c7366b67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut6C48.tmp

Filesize
5.7MB

MD5
f736f0725c11aff463acdcf64f6e8763

SHA1
03cab6e246940fa20587a3650ffc58fdbcadec8f

SHA256
aa367e9f7f9ae5c4b44af27e63b951a8f78565c632bb789dec3c261b699ddba8

SHA512
46ef18f1cc334bdc05bdc355888c08a954b0ef764f40069a75abcd28ac4b935955473266a141e52cb525a959f2b12462c79d16fd09445f096768cc090accc913

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Flash\Untitled_2.swf

Filesize
1KB

MD5
7d69c336bbb65e394da0930e3ff9d0eb

SHA1
80667622dfe2780a77a1f3f51ba6688d1813998c

SHA256
9030c6c0f9be976ac8c1a097ee571865768b1cd277f7e07fc6c36345becb6679

SHA512
a2535c73ae2b31167b9ab9b69368a52af74b17e27e6b08f322abfe201fb4f1d59cf74176577c1002156b8cab8da55250469099f2238c53e607cedba6d84666ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\Network_Connection_Internet_2.png

Filesize
93KB

MD5
07acb2c102a2cf751de4a694dc40f73b

SHA1
e72b6761e6a4ae5128b759389b4f1c853f3802d4

SHA256
1e93c3b35edb5c82f70a0fae1d123ee69516a70a1fa88ef2b8bedddd83989c52

SHA512
3e58d435106a7c14c4bc72ef936d67f536f238ca5bb84da92bbdaffd8dc2aa75e2f74d37f9441fbc7364e66903a9782306d00e789c411ea38d9c04139ac6852d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\The_HackersSkull.jpg

Filesize
249KB

MD5
3e635ad0e3e596868645f2fb38fcef05

SHA1
8349333a0c971ee6dfda341d25adef8b221e4d1d

SHA256
e8fe9c685669862606de20e64205a4a7c749abab1a1325b2a32c739d64ba39fa

SHA512
5bffcf31fc6d47aeabbd23d6537655fead192f91cc9a538cdd1479e6ac648ed259af4c5a05c0c9e7172dc08ebd14feeab92a34835cc2e78042f82693ae458383

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\off10.jpg

Filesize
16KB

MD5
6d75e7eef79bac66881f0d4e509bec67

SHA1
518a3642744dc9969e1c1331a68d1899998d921d

SHA256
98eea2a37ad12488552269eea6d11727a9d304fb3207e3ba0361f26d57bd202b

SHA512
0fbc9e84f9d5ca631c1b01262a255269b2a8f79c1f55dc711a6c559a31632dee6bd2273dc55fe738f4329655c76fc3e111222773ba537462feb335054c8276cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\WINBUTTON\WINBUTTON.APO

Filesize
244KB

MD5
af3ce8c6458eea17e0e14ffe01c30f21

SHA1
79bb92bb161a33ae261b3f9af6ab7d4eb62b557c

SHA256
702fa08d54ec1180cd007565f43b99ca070c45513f2dc84dc8ba9e80593106dc

SHA512
d689e52f9c1b7ca3b740792da5d1bdc1367586fb424398f76017ed044747423bf8e59dad1e083c054aec3656f1f41459a77f0682f0914c2df2ee593a5a64770d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
1.7MB

MD5
103523bd83c1795de73fb35bf54e348b

SHA1
7f8266b48251ec6c490c40e67c9f31aa3f6e38e4

SHA256
51fc7b902a71803adf52dbcecbaf5596d3c6b1e69792de02a579c2e7e2e8d2e6

SHA512
3cd0b099cd0dd0018ff2853c4130c85d83552a4332ee9ffc06aab3222fe451b74e5fac5f4a7a89ce3b0797076c45f23fcb2a7b2cde620e83f59db43eaf01291b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
2.6MB

MD5
2e99d967bac162c7074ad5de85691690

SHA1
61d26660131cc7ee98bc0348c519ba09b710c678

SHA256
19b08f2bb3792afeda71f678cec80b0e49398b0a696782003be9e6a476856f07

SHA512
61c4efe2298fd1e73e1c9f82f7ab6b3aa8d5a2deb40ab475471da8c6b713bd81aeb73bcd5997c6d50bd5999231c84bdb7af8d3157415d90f8f0795746719e68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\skull.ico

Filesize
83KB

MD5
e0d7d3dc0a3372322e3f87e322e7781c

SHA1
03022a3cb318bdca254cb0466f22ac0ec3316a21

SHA256
d814e88a83c43e213fe9280da9d68ee64155d9bcdc05df8c872ca49f98b609ab

SHA512
af0c2fa4c6b7dd418de9495b31b0d2b8a141322c1d0dc7f15f6d84dc9aeb15b359592f0d599e8685be86aa07647053e3243b35371b9f11651e7da9321a628c08

Download Submit
memory/224-321-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/224-319-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/828-553-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/956-279-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/956-283-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1048-324-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1048-261-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1048-338-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1048-308-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1048-310-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1048-262-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1048-263-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1048-352-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1048-266-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1048-265-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1048-264-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1064-219-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1064-218-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1064-215-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1064-254-0x00000000004C0000-0x0000000000589000-memory.dmp

Filesize
804KB

Download
memory/1064-256-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1064-217-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1184-398-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/1184-406-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/1268-477-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/1456-462-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/1540-410-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1648-434-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/1712-482-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-390-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/2488-318-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/2600-290-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2600-292-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2832-448-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/2956-268-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/2996-18-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/2996-221-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/3496-289-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/3496-270-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/3532-333-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/3532-325-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/3692-452-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3756-334-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3756-335-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3792-302-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/3792-439-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4216-395-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4280-492-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/4360-420-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/4484-522-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/4512-347-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/4512-339-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/4620-549-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/4648-567-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4664-375-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/4688-562-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/4704-527-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4712-349-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4712-348-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5264-467-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5284-380-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5336-512-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5388-540-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5412-497-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5564-0-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/5564-23-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/5584-278-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/5668-365-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5760-307-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5760-303-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5920-424-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5980-507-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/6040-360-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download
memory/6056-536-0x0000000000400000-0x000000000055E8E8-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads