Analysis
-
max time kernel
147s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
02-07-2024 12:11
Behavioral task
behavioral1
Sample
Facebook Account Hacker.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Facebook Account Hacker.exe
Resource
win10v2004-20240611-en
General
-
Target
Facebook Account Hacker.exe
-
Size
1002KB
-
MD5
810ee30f3831206f115a9de523d553ea
-
SHA1
cce8aa42fff602345db5baa6b20bf663481ccb07
-
SHA256
16af77f601bb55b12c0d4f4ec36c600fa651bb3c085b6342bd93437d287024d1
-
SHA512
ec00695ba3aacb276b7a4f12f116e171f978363f5fc4f9c7f6a00ecfa8d4f61fa198f747ba0d107155b7992366655af78c7a00d034845d03a87b477ef7c2f305
-
SSDEEP
24576:M3nbWmJVJFwSddIXvfhqbiaxvRxq9ULjpc:yamdZdcBYtPpc
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 24 IoCs
Processes:
msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exeFacebook Account Hacker.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" Facebook Account Hacker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe -
Sets file to hidden 1 TTPs 46 IoCs
Modifies file attributes so that the file is not shown in Explorer and similar file listings.
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 468 attrib.exe 2848 attrib.exe 1972 attrib.exe 2636 attrib.exe 1296 attrib.exe 2228 attrib.exe 700 attrib.exe 884 attrib.exe 548 attrib.exe 2596 attrib.exe 2476 attrib.exe 1688 attrib.exe 1660 attrib.exe 1448 attrib.exe 996 attrib.exe 2768 attrib.exe 2024 attrib.exe 1596 attrib.exe 1708 attrib.exe 2616 attrib.exe 1180 attrib.exe 2580 attrib.exe 2996 attrib.exe 2124 attrib.exe 2360 attrib.exe 2812 attrib.exe 1088 attrib.exe 1900 attrib.exe 2572 attrib.exe 2188 attrib.exe 1052 attrib.exe 2228 attrib.exe 1048 attrib.exe 2624 attrib.exe 612 attrib.exe 2844 attrib.exe 2036 attrib.exe 2240 attrib.exe 652 attrib.exe 1100 attrib.exe 1848 attrib.exe 2356 attrib.exe 1404 attrib.exe 2812 attrib.exe 1352 attrib.exe 1932 attrib.exe -
Executes dropped EXE 46 IoCs
Processes:
FACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exeFACEBOOK HACK BY ANONYMOUS.EXEmsdcsc.exepid process 2700 FACEBOOK HACK BY ANONYMOUS.EXE 2624 msdcsc.exe 2788 FACEBOOK HACK BY ANONYMOUS.EXE 352 msdcsc.exe 2132 FACEBOOK HACK BY ANONYMOUS.EXE 1256 msdcsc.exe 2836 FACEBOOK HACK BY ANONYMOUS.EXE 2996 msdcsc.exe 3052 FACEBOOK HACK BY ANONYMOUS.EXE 1852 msdcsc.exe 2072 FACEBOOK HACK BY ANONYMOUS.EXE 2164 msdcsc.exe 2632 FACEBOOK HACK BY ANONYMOUS.EXE 2488 msdcsc.exe 2344 FACEBOOK HACK BY ANONYMOUS.EXE 1656 msdcsc.exe 348 FACEBOOK HACK BY ANONYMOUS.EXE 2076 msdcsc.exe 832 FACEBOOK HACK BY ANONYMOUS.EXE 748 msdcsc.exe 2320 FACEBOOK HACK BY ANONYMOUS.EXE 2156 msdcsc.exe 628 FACEBOOK HACK BY ANONYMOUS.EXE 2740 msdcsc.exe 1784 FACEBOOK HACK BY ANONYMOUS.EXE 2100 msdcsc.exe 1964 FACEBOOK HACK BY ANONYMOUS.EXE 2248 msdcsc.exe 1100 FACEBOOK HACK BY ANONYMOUS.EXE 2304 msdcsc.exe 1344 FACEBOOK HACK BY ANONYMOUS.EXE 1708 msdcsc.exe 1664 FACEBOOK HACK BY ANONYMOUS.EXE 2572 msdcsc.exe 2580 FACEBOOK HACK BY ANONYMOUS.EXE 2668 msdcsc.exe 1808 FACEBOOK HACK BY ANONYMOUS.EXE 2284 msdcsc.exe 1788 FACEBOOK HACK BY ANONYMOUS.EXE 1608 msdcsc.exe 2348 FACEBOOK HACK BY 
ANONYMOUS.EXE 876 msdcsc.exe 1916 FACEBOOK HACK BY ANONYMOUS.EXE 2164 msdcsc.exe 564 FACEBOOK HACK BY ANONYMOUS.EXE 1148 msdcsc.exe -
Loads dropped DLL 64 IoCs
Processes:
Facebook Account Hacker.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exepid process 1492 Facebook Account Hacker.exe 1492 Facebook Account Hacker.exe 1492 Facebook Account Hacker.exe 2624 msdcsc.exe 2624 msdcsc.exe 2624 msdcsc.exe 352 msdcsc.exe 352 msdcsc.exe 352 msdcsc.exe 1256 msdcsc.exe 1256 msdcsc.exe 1256 msdcsc.exe 2996 msdcsc.exe 2996 msdcsc.exe 2996 msdcsc.exe 1852 msdcsc.exe 1852 msdcsc.exe 1852 msdcsc.exe 2164 msdcsc.exe 2164 msdcsc.exe 2164 msdcsc.exe 2488 msdcsc.exe 2488 msdcsc.exe 2488 msdcsc.exe 1656 msdcsc.exe 1656 msdcsc.exe 1656 msdcsc.exe 2076 msdcsc.exe 2076 msdcsc.exe 2076 msdcsc.exe 748 msdcsc.exe 748 msdcsc.exe 748 msdcsc.exe 2156 msdcsc.exe 2156 msdcsc.exe 2156 msdcsc.exe 2740 msdcsc.exe 2740 msdcsc.exe 2740 msdcsc.exe 2100 msdcsc.exe 2100 msdcsc.exe 2100 msdcsc.exe 2248 msdcsc.exe 2248 msdcsc.exe 2248 msdcsc.exe 2304 msdcsc.exe 2304 msdcsc.exe 2304 msdcsc.exe 1708 msdcsc.exe 1708 msdcsc.exe 1708 msdcsc.exe 2572 msdcsc.exe 2572 msdcsc.exe 2572 msdcsc.exe 2668 msdcsc.exe 2668 msdcsc.exe 2668 msdcsc.exe 2284 msdcsc.exe 2284 msdcsc.exe 2284 msdcsc.exe 1608 msdcsc.exe 1608 msdcsc.exe 1608 msdcsc.exe 876 msdcsc.exe -
Adds Run key to start application 2 TTPs 24 IoCs
Processes:
msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exeFacebook Account Hacker.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set 
value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" Facebook Account Hacker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe -
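Drops file in System32 directory 64 IoCs
The recorded paths are under C:\Windows\SysWOW64, whereas the Winlogon and Run values in this report reference C:\Windows\system32\MSDCSC\msdcsc.exe; this is consistent with WOW64 file-system redirection of a 32-bit process, so both locations are worth checking.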
Processes:
msdcsc.exemsdcsc.exemsdcsc.exeattrib.exemsdcsc.exeattrib.exemsdcsc.exeattrib.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exeattrib.exeattrib.exemsdcsc.exemsdcsc.exemsdcsc.exeattrib.exemsdcsc.exeattrib.exemsdcsc.exemsdcsc.exeattrib.exeattrib.exeattrib.exemsdcsc.exemsdcsc.exeFacebook Account Hacker.exemsdcsc.exeattrib.exemsdcsc.exeattrib.exemsdcsc.exeattrib.exeattrib.exemsdcsc.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exedescription ioc process File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File created 
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ msdcsc.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ Facebook Account Hacker.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ msdcsc.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification 
C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe Facebook Account Hacker.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe File opened for modification C:\Windows\SysWOW64\MSDCSC attrib.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe msdcsc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Facebook Account Hacker.exemsdcsc.exemsdcsc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1492 Facebook Account Hacker.exe Token: SeSecurityPrivilege 1492 Facebook Account Hacker.exe Token: SeTakeOwnershipPrivilege 1492 Facebook Account Hacker.exe Token: SeLoadDriverPrivilege 1492 Facebook Account Hacker.exe Token: SeSystemProfilePrivilege 1492 Facebook Account Hacker.exe Token: SeSystemtimePrivilege 1492 Facebook Account Hacker.exe Token: SeProfSingleProcessPrivilege 1492 Facebook Account Hacker.exe Token: SeIncBasePriorityPrivilege 1492 Facebook Account Hacker.exe Token: SeCreatePagefilePrivilege 1492 Facebook Account Hacker.exe Token: SeBackupPrivilege 1492 Facebook Account Hacker.exe Token: SeRestorePrivilege 1492 Facebook Account Hacker.exe Token: SeShutdownPrivilege 1492 Facebook Account Hacker.exe Token: SeDebugPrivilege 1492 Facebook Account Hacker.exe Token: SeSystemEnvironmentPrivilege 1492 Facebook Account Hacker.exe Token: SeChangeNotifyPrivilege 1492 Facebook Account Hacker.exe Token: SeRemoteShutdownPrivilege 1492 Facebook Account Hacker.exe Token: SeUndockPrivilege 1492 Facebook Account Hacker.exe Token: SeManageVolumePrivilege 1492 Facebook Account Hacker.exe Token: SeImpersonatePrivilege 1492 Facebook Account Hacker.exe Token: SeCreateGlobalPrivilege 1492 Facebook Account Hacker.exe Token: 33 1492 Facebook Account Hacker.exe Token: 34 1492 Facebook Account Hacker.exe Token: 35 1492 Facebook Account Hacker.exe Token: SeIncreaseQuotaPrivilege 2624 msdcsc.exe Token: SeSecurityPrivilege 2624 msdcsc.exe Token: SeTakeOwnershipPrivilege 2624 msdcsc.exe Token: SeLoadDriverPrivilege 2624 msdcsc.exe Token: SeSystemProfilePrivilege 2624 msdcsc.exe Token: SeSystemtimePrivilege 2624 msdcsc.exe Token: SeProfSingleProcessPrivilege 2624 msdcsc.exe Token: SeIncBasePriorityPrivilege 2624 msdcsc.exe Token: SeCreatePagefilePrivilege 2624 msdcsc.exe Token: SeBackupPrivilege 2624 msdcsc.exe Token: SeRestorePrivilege 2624 msdcsc.exe Token: 
SeShutdownPrivilege 2624 msdcsc.exe Token: SeDebugPrivilege 2624 msdcsc.exe Token: SeSystemEnvironmentPrivilege 2624 msdcsc.exe Token: SeChangeNotifyPrivilege 2624 msdcsc.exe Token: SeRemoteShutdownPrivilege 2624 msdcsc.exe Token: SeUndockPrivilege 2624 msdcsc.exe Token: SeManageVolumePrivilege 2624 msdcsc.exe Token: SeImpersonatePrivilege 2624 msdcsc.exe Token: SeCreateGlobalPrivilege 2624 msdcsc.exe Token: 33 2624 msdcsc.exe Token: 34 2624 msdcsc.exe Token: 35 2624 msdcsc.exe Token: SeIncreaseQuotaPrivilege 352 msdcsc.exe Token: SeSecurityPrivilege 352 msdcsc.exe Token: SeTakeOwnershipPrivilege 352 msdcsc.exe Token: SeLoadDriverPrivilege 352 msdcsc.exe Token: SeSystemProfilePrivilege 352 msdcsc.exe Token: SeSystemtimePrivilege 352 msdcsc.exe Token: SeProfSingleProcessPrivilege 352 msdcsc.exe Token: SeIncBasePriorityPrivilege 352 msdcsc.exe Token: SeCreatePagefilePrivilege 352 msdcsc.exe Token: SeBackupPrivilege 352 msdcsc.exe Token: SeRestorePrivilege 352 msdcsc.exe Token: SeShutdownPrivilege 352 msdcsc.exe Token: SeDebugPrivilege 352 msdcsc.exe Token: SeSystemEnvironmentPrivilege 352 msdcsc.exe Token: SeChangeNotifyPrivilege 352 msdcsc.exe Token: SeRemoteShutdownPrivilege 352 msdcsc.exe Token: SeUndockPrivilege 352 msdcsc.exe Token: SeManageVolumePrivilege 352 msdcsc.exe -
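Suspicious use of WriteProcessMemory 64 IoCs
Note: in the rows listed here, every target (cmd.exe, attrib.exe, msdcsc.exe, FACEBOOK HACK BY ANONYMOUS.EXE) also appears by image name as a child of the writing process in the process tree below. The writes are therefore consistent with ordinary child-process creation rather than injection into an unrelated process; confirm before treating them as injection.
Processes: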
Facebook Account Hacker.execmd.execmd.exemsdcsc.execmd.execmd.exemsdcsc.execmd.exedescription pid process target process PID 1492 wrote to memory of 2052 1492 Facebook Account Hacker.exe cmd.exe PID 1492 wrote to memory of 2052 1492 Facebook Account Hacker.exe cmd.exe PID 1492 wrote to memory of 2052 1492 Facebook Account Hacker.exe cmd.exe PID 1492 wrote to memory of 2052 1492 Facebook Account Hacker.exe cmd.exe PID 1492 wrote to memory of 2676 1492 Facebook Account Hacker.exe cmd.exe PID 1492 wrote to memory of 2676 1492 Facebook Account Hacker.exe cmd.exe PID 1492 wrote to memory of 2676 1492 Facebook Account Hacker.exe cmd.exe PID 1492 wrote to memory of 2676 1492 Facebook Account Hacker.exe cmd.exe PID 1492 wrote to memory of 2700 1492 Facebook Account Hacker.exe FACEBOOK HACK BY ANONYMOUS.EXE PID 1492 wrote to memory of 2700 1492 Facebook Account Hacker.exe FACEBOOK HACK BY ANONYMOUS.EXE PID 1492 wrote to memory of 2700 1492 Facebook Account Hacker.exe FACEBOOK HACK BY ANONYMOUS.EXE PID 1492 wrote to memory of 2700 1492 Facebook Account Hacker.exe FACEBOOK HACK BY ANONYMOUS.EXE PID 2052 wrote to memory of 2360 2052 cmd.exe attrib.exe PID 2052 wrote to memory of 2360 2052 cmd.exe attrib.exe PID 2052 wrote to memory of 2360 2052 cmd.exe attrib.exe PID 2052 wrote to memory of 2360 2052 cmd.exe attrib.exe PID 2676 wrote to memory of 2812 2676 cmd.exe attrib.exe PID 2676 wrote to memory of 2812 2676 cmd.exe attrib.exe PID 2676 wrote to memory of 2812 2676 cmd.exe attrib.exe PID 2676 wrote to memory of 2812 2676 cmd.exe attrib.exe PID 1492 wrote to memory of 2624 1492 Facebook Account Hacker.exe msdcsc.exe PID 1492 wrote to memory of 2624 1492 Facebook Account Hacker.exe msdcsc.exe PID 1492 wrote to memory of 2624 1492 Facebook Account Hacker.exe msdcsc.exe PID 1492 wrote to memory of 2624 1492 Facebook Account Hacker.exe msdcsc.exe PID 2624 wrote to memory of 2344 2624 msdcsc.exe cmd.exe PID 2624 wrote to memory of 2344 2624 msdcsc.exe cmd.exe PID 2624 wrote to 
memory of 2344 2624 msdcsc.exe cmd.exe PID 2624 wrote to memory of 2344 2624 msdcsc.exe cmd.exe PID 2624 wrote to memory of 2768 2624 msdcsc.exe cmd.exe PID 2624 wrote to memory of 2768 2624 msdcsc.exe cmd.exe PID 2624 wrote to memory of 2768 2624 msdcsc.exe cmd.exe PID 2624 wrote to memory of 2768 2624 msdcsc.exe cmd.exe PID 2624 wrote to memory of 2788 2624 msdcsc.exe FACEBOOK HACK BY ANONYMOUS.EXE PID 2624 wrote to memory of 2788 2624 msdcsc.exe FACEBOOK HACK BY ANONYMOUS.EXE PID 2624 wrote to memory of 2788 2624 msdcsc.exe FACEBOOK HACK BY ANONYMOUS.EXE PID 2624 wrote to memory of 2788 2624 msdcsc.exe FACEBOOK HACK BY ANONYMOUS.EXE PID 2344 wrote to memory of 1404 2344 cmd.exe attrib.exe PID 2344 wrote to memory of 1404 2344 cmd.exe attrib.exe PID 2344 wrote to memory of 1404 2344 cmd.exe attrib.exe PID 2344 wrote to memory of 1404 2344 cmd.exe attrib.exe PID 2768 wrote to memory of 2240 2768 cmd.exe attrib.exe PID 2768 wrote to memory of 2240 2768 cmd.exe attrib.exe PID 2768 wrote to memory of 2240 2768 cmd.exe attrib.exe PID 2768 wrote to memory of 2240 2768 cmd.exe attrib.exe PID 2624 wrote to memory of 352 2624 msdcsc.exe msdcsc.exe PID 2624 wrote to memory of 352 2624 msdcsc.exe msdcsc.exe PID 2624 wrote to memory of 352 2624 msdcsc.exe msdcsc.exe PID 2624 wrote to memory of 352 2624 msdcsc.exe msdcsc.exe PID 352 wrote to memory of 1032 352 msdcsc.exe cmd.exe PID 352 wrote to memory of 1032 352 msdcsc.exe cmd.exe PID 352 wrote to memory of 1032 352 msdcsc.exe cmd.exe PID 352 wrote to memory of 1032 352 msdcsc.exe cmd.exe PID 352 wrote to memory of 1808 352 msdcsc.exe cmd.exe PID 352 wrote to memory of 1808 352 msdcsc.exe cmd.exe PID 352 wrote to memory of 1808 352 msdcsc.exe cmd.exe PID 352 wrote to memory of 1808 352 msdcsc.exe cmd.exe PID 352 wrote to memory of 2132 352 msdcsc.exe FACEBOOK HACK BY ANONYMOUS.EXE PID 352 wrote to memory of 2132 352 msdcsc.exe FACEBOOK HACK BY ANONYMOUS.EXE PID 352 wrote to memory of 2132 352 msdcsc.exe FACEBOOK HACK BY 
ANONYMOUS.EXE PID 352 wrote to memory of 2132 352 msdcsc.exe FACEBOOK HACK BY ANONYMOUS.EXE PID 1032 wrote to memory of 1972 1032 cmd.exe attrib.exe PID 1032 wrote to memory of 1972 1032 cmd.exe attrib.exe PID 1032 wrote to memory of 1972 1032 cmd.exe attrib.exe PID 1032 wrote to memory of 1972 1032 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 46 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 2228 attrib.exe 2360 attrib.exe 884 attrib.exe 700 attrib.exe 2188 attrib.exe 2124 attrib.exe 996 attrib.exe 2356 attrib.exe 1708 attrib.exe 2572 attrib.exe 1180 attrib.exe 2996 attrib.exe 2812 attrib.exe 1404 attrib.exe 2616 attrib.exe 468 attrib.exe 2848 attrib.exe 1848 attrib.exe 2476 attrib.exe 1900 attrib.exe 612 attrib.exe 2024 attrib.exe 2228 attrib.exe 1596 attrib.exe 1296 attrib.exe 2844 attrib.exe 1448 attrib.exe 2240 attrib.exe 652 attrib.exe 1048 attrib.exe 2624 attrib.exe 1052 attrib.exe 1660 attrib.exe 1972 attrib.exe 1100 attrib.exe 2812 attrib.exe 2580 attrib.exe 1352 attrib.exe 548 attrib.exe 2596 attrib.exe 1932 attrib.exe 1088 attrib.exe 2636 attrib.exe 1688 attrib.exe 2036 attrib.exe 2768 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Facebook Account Hacker.exe"C:\Users\Admin\AppData\Local\Temp\Facebook Account Hacker.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h7⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h7⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h9⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h11⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h11⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h12⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"12⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h14⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h15⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h15⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"14⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h16⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h16⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"15⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h17⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h17⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"16⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"17⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h19⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h19⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"18⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h20⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"19⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h21⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h21⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"20⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h22⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"21⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h23⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h23⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"22⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h24⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h24⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h25⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h25⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Privilege Escalation
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Replay Monitor
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE
Filesize: 180KB
MD5: 7d8c2af7a794c92ab5f99c39b3ea412b
SHA1: 94fde30b423cadcf2459410e10227545f370bfc1
SHA256: cc166ff5aa7a0a1aaf0463139d1a8bd069707a1ec43f9680155219a4786ce333
SHA512: 89d96f9edaff9ce5b950398ebf467096cbfd9a704d640cb3b1d97aedcf1786790fde928d5e86a514167be5135e06c29bdd0a2697da9de6040410d13e0da1223a
-
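C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize: 78B
MD5: 9f9fce0aaa63f0ad4003dc6f5cde1f59
SHA1: 5d9df8d4cffc9575c297008b36a91b0160182f7d
SHA256: 5dd4c0d6fcd6b71f214641d6e7f0b9cd81c87fdf9dad47ee499a277699e7be72
SHA512: 8569281415a0c5c0ad1a7ceaf2261c6846249f3c8f76d9e2d498ab174fc6a9f7236d7437b76993495f1b398cfff8729775e88021450b4d3bacd4ca49ff9c241e
Note: tmpcmd.bat is listed four times in this section (78B, 50B, 54B, 43B) with different hashes, so the file is rewritten during the run and each hash identifies only one version of it.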
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize: 50B
MD5: b774ae3fb1da087e1f83b4f7b2060e5a
SHA1: 97eb9be49ac3af9c851c9e1e84e32bfd53e325a8
SHA256: adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
SHA512: f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize: 54B
MD5: b960305e23cbfd65106f326e54e2edfd
SHA1: 522c5e95a4306797b3e71bbe62158087f779ee7a
SHA256: c31911cf00619f811195612355d7c762cd7e65d7d06756f62815b029cda65855
SHA512: 294181df282b6901de3e2743a6986637303f7bc63555ad171c07f6457d2895907aeae800eb7f948ac6380ba87e76423eb150792d05754aa6152c9d9921edc024
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize: 43B
MD5: 54552c311a8c2081eefdad310b19b5db
SHA1: 718edabb22a5b5481815682eb1b3cd17c316c1dc
SHA256: 233765af9f5b64cdcae82b709e94f3d26d9486c90e3074a79ebeb915e386bfea
SHA512: dc004dfaacba0417a6e631099c46ca99a832000286baabfa035a176e5b99fdd78f61c97a37d7d1b8e29711b657bc5df4bc601a28c431c38b2395347858cd4f02
-
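\??\PIPE\srvsvc
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Note: these four values are the digests of zero-length input (no data was captured for the named pipe). They match every empty file and should not be used as indicators.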
-
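\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize: 1002KB
MD5: 810ee30f3831206f115a9de523d553ea
SHA1: cce8aa42fff602345db5baa6b20bf663481ccb07
SHA256: 16af77f601bb55b12c0d4f4ec36c600fa651bb3c085b6342bd93437d287024d1
SHA512: ec00695ba3aacb276b7a4f12f116e171f978363f5fc4f9c7f6a00ecfa8d4f61fa198f747ba0d107155b7992366655af78c7a00d034845d03a87b477ef7c2f305
Note: the size and hashes equal those of the submitted sample, i.e. the sample copies itself to this path. The process command lines on this page reference C:\Windows\system32\MSDCSC\msdcsc.exe while the image path is under SysWOW64, which is consistent with WOW64 file-system redirection of a 32-bit process on the x64 guest; on 64-bit hosts, look for the file under SysWOW64.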
-
memory/352-87-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/748-274-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/876-478-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/1256-112-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/1492-38-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/1492-0-0x0000000000260000-0x0000000000261000-memory.dmp
Filesize: 4KB
-
memory/1608-458-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/1656-234-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/1708-382-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/1852-161-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2076-256-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2100-328-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2156-292-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2164-186-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2164-496-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2248-346-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2284-438-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2304-364-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2488-210-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2572-400-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2624-63-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2668-420-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2700-29-0x00000000001E0000-0x0000000000214000-memory.dmp
Filesize: 208KB
-
memory/2740-310-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB
-
memory/2996-137-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize: 1.0MB