Malware Analysis Report

2024-08-06 18:52

Sample ID 240705-2bhrlazenf
Target 272b27c346bc90197560e4d20005e64d_JaffaCakes118
SHA256 a54a2e38e9474952b6a3663963178cc62b16b94d8f1fab0f4b1435cd1684c021
Tags
darkcomet sality guest16_min backdoor evasion persistence rat trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

a54a2e38e9474952b6a3663963178cc62b16b94d8f1fab0f4b1435cd1684c021

Threat Level: Known bad

The file 272b27c346bc90197560e4d20005e64d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet sality guest16_min backdoor evasion persistence rat trojan upx

UAC bypass

Sality

Modifies WinLogon for persistence

Modifies firewall policy service

Darkcomet

Windows security bypass

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Checks computer location settings

Executes dropped EXE

UPX packed file

Deletes itself

Windows security modification

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-05 22:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 22:24

Reported

2024-07-05 22:26

Platform

win7-20240220-en

Max time kernel

13s

Max time network

146s

Command Line

"taskhost.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: 33 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: 34 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: 35 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 3036 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 3036 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3036 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 3036 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
PID 3036 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
PID 3036 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
PID 3036 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
PID 2384 wrote to memory of 1068 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\taskhost.exe
PID 2384 wrote to memory of 1168 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\Dwm.exe
PID 2384 wrote to memory of 1192 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\Explorer.EXE
PID 2384 wrote to memory of 1596 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\DllHost.exe
PID 2384 wrote to memory of 1068 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\taskhost.exe
PID 2384 wrote to memory of 1168 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\Dwm.exe
PID 2384 wrote to memory of 1192 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe"

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 para23.no-ip.biz udp
IT 78.159.131.80:1604 para23.no-ip.biz tcp
IT 78.159.131.80:1604 para23.no-ip.biz tcp
IT 78.159.131.80:1604 para23.no-ip.biz tcp
US 8.8.8.8:53 para23.no-ip.biz udp

Files

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

MD5 272b27c346bc90197560e4d20005e64d
SHA1 cf3477547e2db74b9f44f97290027a4c2b64418d
SHA256 a54a2e38e9474952b6a3663963178cc62b16b94d8f1fab0f4b1435cd1684c021
SHA512 9494016d3e5877b7763aa26aced3889c4f54541abd3a994204ada3b97e6e594b6b9cb84271b55b9a7ff5e99ce6e760280aab89957437566c20cc69061318fe31

C:\Windows\SYSTEM.INI

MD5 eb16cc3010bdbabeee4d6517e72f6416
SHA1 598d6ef3966a163c64cd0f061c3115a5d3a673e3
SHA256 4ff89e3861f195b0afb777e488c5a57715f60ea34f6000195b07fb0b7fe7d876
SHA512 886f6c8227ad25aeaf891e87319dce09bdc12692b3e452c4db0c68d01c5987cf937baff7fd4d6730eeb4ca19ceaf744ea24ea28c15996d6e9afaae0ce67980b2

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-05 22:24

Reported

2024-07-05 22:26

Platform

win10v2004-20240508-en

Max time kernel

28s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 2516 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 2516 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 2516 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 2516 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 2516 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 2516 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2516 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 2516 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 2516 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2516 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 2516 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2516 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 2516 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2516 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 2516 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
PID 2516 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
PID 2516 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
PID 2424 wrote to memory of 772 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\fontdrvhost.exe
PID 2424 wrote to memory of 780 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\fontdrvhost.exe
PID 2424 wrote to memory of 1020 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\dwm.exe
PID 2424 wrote to memory of 2552 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\sihost.exe
PID 2424 wrote to memory of 2568 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\svchost.exe
PID 2424 wrote to memory of 2644 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\taskhostw.exe
PID 2424 wrote to memory of 3492 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\Explorer.EXE
PID 2424 wrote to memory of 3648 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\svchost.exe
PID 2424 wrote to memory of 3844 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\DllHost.exe
PID 2424 wrote to memory of 3944 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2424 wrote to memory of 4004 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\System32\RuntimeBroker.exe
PID 2424 wrote to memory of 404 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2424 wrote to memory of 60 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\System32\RuntimeBroker.exe
PID 2424 wrote to memory of 4220 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2424 wrote to memory of 2376 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\System32\RuntimeBroker.exe
PID 2424 wrote to memory of 772 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\fontdrvhost.exe
PID 2424 wrote to memory of 780 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\fontdrvhost.exe
PID 2424 wrote to memory of 1020 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\dwm.exe
PID 2424 wrote to memory of 2552 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\sihost.exe
PID 2424 wrote to memory of 2568 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\svchost.exe
PID 2424 wrote to memory of 2644 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\taskhostw.exe
PID 2424 wrote to memory of 3492 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\Explorer.EXE
PID 2424 wrote to memory of 3648 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\svchost.exe
PID 2424 wrote to memory of 3844 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\system32\DllHost.exe
PID 2424 wrote to memory of 3944 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2424 wrote to memory of 4004 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\System32\RuntimeBroker.exe
PID 2424 wrote to memory of 404 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2424 wrote to memory of 60 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\System32\RuntimeBroker.exe
PID 2424 wrote to memory of 4220 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2424 wrote to memory of 2376 N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\272b27c346bc90197560e4d20005e64d_JaffaCakes118.exe"

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 para23.no-ip.biz udp
US 8.8.8.8:53 para23.no-ip.biz udp
US 8.8.8.8:53 para23.no-ip.biz udp
US 8.8.8.8:53 para23.no-ip.biz udp
US 8.8.8.8:53 para23.no-ip.biz udp
US 8.8.8.8:53 para23.no-ip.biz udp
US 8.8.8.8:53 para23.no-ip.biz udp
US 8.8.8.8:53 para23.no-ip.biz udp
US 8.8.8.8:53 para23.no-ip.biz udp
US 8.8.8.8:53 para23.no-ip.biz udp
US 8.8.8.8:53 para23.no-ip.biz udp
US 8.8.8.8:53 para23.no-ip.biz udp

Files

memory/2516-0-0x0000000002380000-0x000000000340E000-memory.dmp

memory/2516-4-0x0000000002380000-0x000000000340E000-memory.dmp

memory/2516-5-0x0000000002380000-0x000000000340E000-memory.dmp

memory/2516-10-0x00000000008E0000-0x00000000008E2000-memory.dmp

memory/2516-12-0x00000000008E0000-0x00000000008E2000-memory.dmp

memory/2516-11-0x0000000002380000-0x000000000340E000-memory.dmp

memory/2516-13-0x00000000045C0000-0x00000000045C1000-memory.dmp

memory/2516-6-0x0000000002380000-0x000000000340E000-memory.dmp

memory/2516-8-0x0000000000940000-0x0000000000941000-memory.dmp

memory/2516-27-0x00000000008E0000-0x00000000008E2000-memory.dmp

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

MD5 272b27c346bc90197560e4d20005e64d
SHA1 cf3477547e2db74b9f44f97290027a4c2b64418d
SHA256 a54a2e38e9474952b6a3663963178cc62b16b94d8f1fab0f4b1435cd1684c021
SHA512 9494016d3e5877b7763aa26aced3889c4f54541abd3a994204ada3b97e6e594b6b9cb84271b55b9a7ff5e99ce6e760280aab89957437566c20cc69061318fe31

memory/2516-30-0x0000000002380000-0x000000000340E000-memory.dmp

memory/2516-36-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2516-9-0x0000000002380000-0x000000000340E000-memory.dmp

memory/2516-7-0x00000000008E0000-0x00000000008E2000-memory.dmp

memory/2516-3-0x0000000002380000-0x000000000340E000-memory.dmp

memory/2424-37-0x00000000009A0000-0x00000000009A1000-memory.dmp

memory/2424-42-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-47-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-41-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-38-0x0000000003010000-0x000000000409E000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 e4d109abd67e3edb10675f7c3a498519
SHA1 624b3e106af51bc3a02e8bb27036015f872ded65
SHA256 ba655322e9b9ef1478acfed3e635926a0aade2035847322e742e06975e77b515
SHA512 8201acf9605db6e47dc1366649cba4c622710fd6c9d82a611b34366d4cfa73aa8c3c7df20555c3a32546320c11c7f9beecc1f4f45e86dad531c1bcedd02c746d

memory/2424-45-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-48-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-51-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

memory/2424-52-0x0000000002BA0000-0x0000000002BA2000-memory.dmp

memory/2424-49-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-46-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-43-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2424-40-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-53-0x0000000002BA0000-0x0000000002BA2000-memory.dmp

memory/2424-54-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-55-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-56-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-57-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-58-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-59-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-61-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-64-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-65-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-66-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-67-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2424-70-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-72-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-75-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-76-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-79-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-80-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-114-0x0000000003010000-0x000000000409E000-memory.dmp

memory/2424-116-0x0000000002BA0000-0x0000000002BA2000-memory.dmp