darkcomet | c1cea27e96c5a7cee8fbb07677994a06994c797104c84a22f87563621e9a2274

Analysis

max time kernel
92s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Size

667KB
MD5

1787331fa3f89e5c542066c702026032
SHA1

e0c6d3d7c959a4cdae9347ffc2f2715c0c548489
SHA256

c1cea27e96c5a7cee8fbb07677994a06994c797104c84a22f87563621e9a2274
SHA512

01547c8684f8b1eefd9d11084d43332d52fb5e41363f45946d3530ffed958053a3ee736d9438eb7f7da6b998dae14cd1b6a586c5308a24eccad411a16490e9ed
SSDEEP

12288:revgMsEPjD9BPde812W35dAOgrqet0k3D+EMVMKKcwHk0R8XTCAsQ429EcbxS:a4+PrMW35dAzq8rzBMqKKhHk06ueS

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

qwerrewq.no-ip.biz:82

Mutex

DC_MUTEX-S1SQAX8

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
TWVVSyXJvjJa
install
true
offline_keylogger
true
password
0987654321
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 30 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe1787331fa3f89e5c542066c702026032_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Checks computer location settings 2 TTPs 30 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe1787331fa3f89e5c542066c702026032_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1608 notepad.exe

pid	process
1608	notepad.exe

Executes dropped EXE 29 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
776	msdcsc.exe
588	msdcsc.exe
1648	msdcsc.exe
2716	msdcsc.exe
1028	msdcsc.exe
4832	msdcsc.exe
3196	msdcsc.exe
1884	msdcsc.exe
3256	msdcsc.exe
4808	msdcsc.exe
3188	msdcsc.exe
4340	msdcsc.exe
5032	msdcsc.exe
1656	msdcsc.exe
4556	msdcsc.exe
3372	msdcsc.exe
1936	msdcsc.exe
3480	msdcsc.exe
4884	msdcsc.exe
2812	msdcsc.exe
3724	msdcsc.exe
2292	msdcsc.exe
5004	msdcsc.exe
4324	msdcsc.exe
2128	msdcsc.exe
3000	msdcsc.exe
4828	msdcsc.exe
5024	msdcsc.exe
2396	msdcsc.exe

Molebox Virtualization software 1 IoCs

Detects file using Molebox Virtualization software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	molebox

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe1787331fa3f89e5c542066c702026032_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 64 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe1787331fa3f89e5c542066c702026032_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1787331fa3f89e5c542066c702026032_JaffaCakes118.exemsdcsc.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeSecurityPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeBackupPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeRestorePrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeShutdownPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeDebugPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeUndockPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: 33	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: 34	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: 35	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: 36	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	776	msdcsc.exe
Token: SeSecurityPrivilege	776	msdcsc.exe
Token: SeTakeOwnershipPrivilege	776	msdcsc.exe
Token: SeLoadDriverPrivilege	776	msdcsc.exe
Token: SeSystemProfilePrivilege	776	msdcsc.exe
Token: SeSystemtimePrivilege	776	msdcsc.exe
Token: SeProfSingleProcessPrivilege	776	msdcsc.exe
Token: SeIncBasePriorityPrivilege	776	msdcsc.exe
Token: SeCreatePagefilePrivilege	776	msdcsc.exe
Token: SeBackupPrivilege	776	msdcsc.exe
Token: SeRestorePrivilege	776	msdcsc.exe
Token: SeShutdownPrivilege	776	msdcsc.exe
Token: SeDebugPrivilege	776	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	776	msdcsc.exe
Token: SeChangeNotifyPrivilege	776	msdcsc.exe
Token: SeRemoteShutdownPrivilege	776	msdcsc.exe
Token: SeUndockPrivilege	776	msdcsc.exe
Token: SeManageVolumePrivilege	776	msdcsc.exe
Token: SeImpersonatePrivilege	776	msdcsc.exe
Token: SeCreateGlobalPrivilege	776	msdcsc.exe
Token: 33	776	msdcsc.exe
Token: 34	776	msdcsc.exe
Token: 35	776	msdcsc.exe
Token: 36	776	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	588	msdcsc.exe
Token: SeSecurityPrivilege	588	msdcsc.exe
Token: SeTakeOwnershipPrivilege	588	msdcsc.exe
Token: SeLoadDriverPrivilege	588	msdcsc.exe
Token: SeSystemProfilePrivilege	588	msdcsc.exe
Token: SeSystemtimePrivilege	588	msdcsc.exe
Token: SeProfSingleProcessPrivilege	588	msdcsc.exe
Token: SeIncBasePriorityPrivilege	588	msdcsc.exe
Token: SeCreatePagefilePrivilege	588	msdcsc.exe
Token: SeBackupPrivilege	588	msdcsc.exe
Token: SeRestorePrivilege	588	msdcsc.exe
Token: SeShutdownPrivilege	588	msdcsc.exe
Token: SeDebugPrivilege	588	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	588	msdcsc.exe
Token: SeChangeNotifyPrivilege	588	msdcsc.exe
Token: SeRemoteShutdownPrivilege	588	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1787331fa3f89e5c542066c702026032_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	pid	process	target process
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 1608	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 3368 wrote to memory of 776	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	msdcsc.exe
PID 3368 wrote to memory of 776	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	msdcsc.exe
PID 3368 wrote to memory of 776	3368	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	msdcsc.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 3848	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 588	776	msdcsc.exe	msdcsc.exe
PID 776 wrote to memory of 588	776	msdcsc.exe	msdcsc.exe
PID 776 wrote to memory of 588	776	msdcsc.exe	msdcsc.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 2820	588	msdcsc.exe	notepad.exe
PID 588 wrote to memory of 1648	588	msdcsc.exe	msdcsc.exe
PID 588 wrote to memory of 1648	588	msdcsc.exe	msdcsc.exe
PID 588 wrote to memory of 1648	588	msdcsc.exe	msdcsc.exe
PID 1648 wrote to memory of 3736	1648	msdcsc.exe	notepad.exe
PID 1648 wrote to memory of 3736	1648	msdcsc.exe	notepad.exe
PID 1648 wrote to memory of 3736	1648	msdcsc.exe	notepad.exe
PID 1648 wrote to memory of 3736	1648	msdcsc.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1787331fa3f89e5c542066c702026032_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:1608

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:3848

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:2820

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:3736

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2716

C:\Windows\SysWOW64\notepad.exe
notepad
6⤵
PID:2964

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1028

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:1312

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4832

C:\Windows\SysWOW64\notepad.exe
notepad
8⤵
PID:1976

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3196

C:\Windows\SysWOW64\notepad.exe
notepad
9⤵
PID:2108

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1884

C:\Windows\SysWOW64\notepad.exe
notepad
10⤵
PID:740

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3256

C:\Windows\SysWOW64\notepad.exe
notepad
11⤵
PID:2644

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
11⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4808

C:\Windows\SysWOW64\notepad.exe
notepad
12⤵
PID:4956

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3188

C:\Windows\SysWOW64\notepad.exe
notepad
13⤵
PID:3588

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
13⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4340

C:\Windows\SysWOW64\notepad.exe
notepad
14⤵
PID:4864

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5032

C:\Windows\SysWOW64\notepad.exe
notepad
15⤵
PID:1316

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1656

C:\Windows\SysWOW64\notepad.exe
notepad
16⤵
PID:4804

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4556

C:\Windows\SysWOW64\notepad.exe
notepad
17⤵
PID:4596

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
17⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3372

C:\Windows\SysWOW64\notepad.exe
notepad
18⤵
PID:5040

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1936

C:\Windows\SysWOW64\notepad.exe
notepad
19⤵
PID:368

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
19⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3480

C:\Windows\SysWOW64\notepad.exe
notepad
20⤵
PID:3684

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4884

C:\Windows\SysWOW64\notepad.exe
notepad
21⤵
PID:2724

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
21⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2812

C:\Windows\SysWOW64\notepad.exe
notepad
22⤵
PID:3196

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3724

C:\Windows\SysWOW64\notepad.exe
notepad
23⤵
PID:2440

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
23⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2292

C:\Windows\SysWOW64\notepad.exe
notepad
24⤵
PID:2888

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
24⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5004

C:\Windows\SysWOW64\notepad.exe
notepad
25⤵
PID:1416

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
25⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4324

C:\Windows\SysWOW64\notepad.exe
notepad
26⤵
PID:452

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
26⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2128

C:\Windows\SysWOW64\notepad.exe
notepad
27⤵
PID:1700

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
27⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3000

C:\Windows\SysWOW64\notepad.exe
notepad
28⤵
PID:1776

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4828

C:\Windows\SysWOW64\notepad.exe
notepad
29⤵
PID:4512

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
29⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5024

C:\Windows\SysWOW64\notepad.exe
notepad
30⤵
PID:4624

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2396

C:\Windows\SysWOW64\notepad.exe
notepad
31⤵
PID:4376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
667KB

MD5
1787331fa3f89e5c542066c702026032

SHA1
e0c6d3d7c959a4cdae9347ffc2f2715c0c548489

SHA256
c1cea27e96c5a7cee8fbb07677994a06994c797104c84a22f87563621e9a2274

SHA512
01547c8684f8b1eefd9d11084d43332d52fb5e41363f45946d3530ffed958053a3ee736d9438eb7f7da6b998dae14cd1b6a586c5308a24eccad411a16490e9ed

Download Submit
memory/588-71-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/588-56-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/776-39-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/776-32-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/776-34-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/776-35-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/776-36-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/776-57-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/776-38-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/776-33-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/776-55-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/776-40-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/776-27-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1028-117-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1028-103-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1608-30-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/1608-44-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/1608-12-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/1648-72-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1648-86-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1656-245-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1656-258-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1884-166-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1884-151-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1936-288-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1936-302-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2716-88-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2716-101-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3188-199-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3188-215-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3196-149-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3196-133-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3256-182-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3256-168-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3368-4-0x0000000002220000-0x0000000002230000-memory.dmp

Filesize
64KB

Download
memory/3368-13-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/3368-9-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/3368-5-0x0000000077BC2000-0x0000000077BC3000-memory.dmp

Filesize
4KB

Download
memory/3368-8-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/3368-15-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/3368-14-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/3368-1-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/3368-2-0x0000000002150000-0x000000000219E000-memory.dmp

Filesize
312KB

Download
memory/3368-26-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/3368-28-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3368-31-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/3368-0-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3368-6-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/3368-29-0x0000000002150000-0x000000000219E000-memory.dmp

Filesize
312KB

Download
memory/3368-3-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/3368-7-0x0000000075DC0000-0x0000000075DC1000-memory.dmp

Filesize
4KB

Download
memory/3372-275-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3372-289-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3480-304-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4340-214-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4340-229-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4556-260-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4556-273-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4808-184-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4808-200-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4832-131-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4832-118-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/5032-243-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/5032-230-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download