darkcomet | 07fd8d644486ee01d90818550d25a791fffa545ff66ad830e1d5ebe89fde9815

Analysis

max time kernel
8s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2025, 10:36

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Size

1.5MB
MD5

e57571c566215a879481ec67a322a5e6
SHA1

742e9e26092fd619d939f31946775a6fbd5f94d7
SHA256

07fd8d644486ee01d90818550d25a791fffa545ff66ad830e1d5ebe89fde9815
SHA512

d00ac43c9e178a570e10c1e54166f55f3afd977e40537843135da80e580cb4cae7ce844bfeef69b3c279c2b0b79e7e710198ff732115efe41b2f47f602b65578
SSDEEP

24576:I3nbWmJVJFwSddIXvfhqbiaxvRxq9r3nbWmJVJFwSddIXvfhqbiaxvRxq9:OamdZdcBYqamdZdcBY

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

lololol.hopto.org:4444

Mutex

DC_MUTEX-4HX0C0M

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
*LMqJ+V0%FYq
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5080	attrib.exe
2076	attrib.exe
1616	attrib.exe
708	attrib.exe
1568	attrib.exe
4016	attrib.exe
840	attrib.exe
4588	attrib.exe
2384	attrib.exe
1372	attrib.exe
544	attrib.exe
2280	attrib.exe
1212	attrib.exe
2568	attrib.exe
872	attrib.exe
2180	attrib.exe
3436	attrib.exe
2036	attrib.exe
5028	attrib.exe
2724	attrib.exe
3700	attrib.exe
1896	attrib.exe
920	attrib.exe
4432	attrib.exe
2704	attrib.exe
4316	attrib.exe
4988	attrib.exe
412	attrib.exe
4084	attrib.exe
212	attrib.exe
4000	attrib.exe
4504	attrib.exe
4300	attrib.exe
2568	attrib.exe
1696	attrib.exe
1464	attrib.exe
1984	attrib.exe
5052	attrib.exe
1324	attrib.exe
2376	attrib.exe
3640	attrib.exe
1476	attrib.exe
2600	attrib.exe
2956	attrib.exe
2412	attrib.exe
540	attrib.exe
4172	attrib.exe
4216	attrib.exe
2988	attrib.exe
2204	attrib.exe
4624	attrib.exe
4948	attrib.exe
4564	attrib.exe
3024	attrib.exe
3436	attrib.exe
928	attrib.exe
2312	attrib.exe
3020	attrib.exe
2564	attrib.exe
2444	attrib.exe
1324	attrib.exe
928	attrib.exe
4692	attrib.exe
3240	attrib.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	TEST.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	TEST.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	TEST.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	TEST.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	TEST.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	TEST.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	TEST.EXE

Executes dropped EXE 21 IoCs

pid	Process
3452	TEST.EXE
2388	msdcsc.exe
2492	msdcsc.exe
1572	TEST.EXE
1692	msdcsc.exe
4540	msdcsc.exe
3352	TEST.EXE
1556	msdcsc.exe
3792	msdcsc.exe
2008	TEST.EXE
1188	msdcsc.exe
2464	msdcsc.exe
3252	TEST.EXE
2704	msdcsc.exe
2924	msdcsc.exe
1584	TEST.EXE
3084	msdcsc.exe
2768	msdcsc.exe
4480	TEST.EXE
1464	msdcsc.exe
2044	msdcsc.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeSecurityPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeTakeOwnershipPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeLoadDriverPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeSystemProfilePrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeSystemtimePrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeProfSingleProcessPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeIncBasePriorityPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeCreatePagefilePrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeBackupPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeRestorePrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeShutdownPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeDebugPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeSystemEnvironmentPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeChangeNotifyPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeRemoteShutdownPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeUndockPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeManageVolumePrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeImpersonatePrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeCreateGlobalPrivilege	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: 33	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: 34	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: 35	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: 36	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeIncreaseQuotaPrivilege	3452	TEST.EXE
Token: SeSecurityPrivilege	3452	TEST.EXE
Token: SeTakeOwnershipPrivilege	3452	TEST.EXE
Token: SeLoadDriverPrivilege	3452	TEST.EXE
Token: SeSystemProfilePrivilege	3452	TEST.EXE
Token: SeSystemtimePrivilege	3452	TEST.EXE
Token: SeProfSingleProcessPrivilege	3452	TEST.EXE
Token: SeIncBasePriorityPrivilege	3452	TEST.EXE
Token: SeCreatePagefilePrivilege	3452	TEST.EXE
Token: SeBackupPrivilege	3452	TEST.EXE
Token: SeRestorePrivilege	3452	TEST.EXE
Token: SeShutdownPrivilege	3452	TEST.EXE
Token: SeDebugPrivilege	3452	TEST.EXE
Token: SeSystemEnvironmentPrivilege	3452	TEST.EXE
Token: SeChangeNotifyPrivilege	3452	TEST.EXE
Token: SeRemoteShutdownPrivilege	3452	TEST.EXE
Token: SeUndockPrivilege	3452	TEST.EXE
Token: SeManageVolumePrivilege	3452	TEST.EXE
Token: SeImpersonatePrivilege	3452	TEST.EXE
Token: SeCreateGlobalPrivilege	3452	TEST.EXE
Token: 33	3452	TEST.EXE
Token: 34	3452	TEST.EXE
Token: 35	3452	TEST.EXE
Token: 36	3452	TEST.EXE
Token: SeIncreaseQuotaPrivilege	2388	msdcsc.exe
Token: SeSecurityPrivilege	2388	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2388	msdcsc.exe
Token: SeLoadDriverPrivilege	2388	msdcsc.exe
Token: SeSystemProfilePrivilege	2388	msdcsc.exe
Token: SeSystemtimePrivilege	2388	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2388	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2388	msdcsc.exe
Token: SeCreatePagefilePrivilege	2388	msdcsc.exe
Token: SeBackupPrivilege	2388	msdcsc.exe
Token: SeRestorePrivilege	2388	msdcsc.exe
Token: SeShutdownPrivilege	2388	msdcsc.exe
Token: SeDebugPrivilege	2388	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2388	msdcsc.exe
Token: SeChangeNotifyPrivilege	2388	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2388	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2388	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 3756	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	84
PID 1088 wrote to memory of 3756	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	84
PID 1088 wrote to memory of 3756	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	84
PID 1088 wrote to memory of 2204	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	86
PID 1088 wrote to memory of 2204	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	86
PID 1088 wrote to memory of 2204	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	86
PID 1088 wrote to memory of 3452	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	88
PID 1088 wrote to memory of 3452	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	88
PID 1088 wrote to memory of 3452	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	88
PID 2204 wrote to memory of 1324	2204	cmd.exe	90
PID 2204 wrote to memory of 1324	2204	cmd.exe	90
PID 2204 wrote to memory of 1324	2204	cmd.exe	90
PID 3756 wrote to memory of 4624	3756	cmd.exe	89
PID 3756 wrote to memory of 4624	3756	cmd.exe	89
PID 3756 wrote to memory of 4624	3756	cmd.exe	89
PID 3452 wrote to memory of 1580	3452	TEST.EXE	91
PID 3452 wrote to memory of 1580	3452	TEST.EXE	91
PID 3452 wrote to memory of 1580	3452	TEST.EXE	91
PID 3452 wrote to memory of 1444	3452	TEST.EXE	93
PID 3452 wrote to memory of 1444	3452	TEST.EXE	93
PID 3452 wrote to memory of 1444	3452	TEST.EXE	93
PID 3452 wrote to memory of 2388	3452	TEST.EXE	95
PID 3452 wrote to memory of 2388	3452	TEST.EXE	95
PID 3452 wrote to memory of 2388	3452	TEST.EXE	95
PID 1580 wrote to memory of 2280	1580	cmd.exe	96
PID 1580 wrote to memory of 2280	1580	cmd.exe	96
PID 1580 wrote to memory of 2280	1580	cmd.exe	96
PID 1444 wrote to memory of 224	1444	cmd.exe	97
PID 1444 wrote to memory of 224	1444	cmd.exe	97
PID 1444 wrote to memory of 224	1444	cmd.exe	97
PID 1088 wrote to memory of 2492	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	99
PID 1088 wrote to memory of 2492	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	99
PID 1088 wrote to memory of 2492	1088	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	99
PID 2492 wrote to memory of 1584	2492	msdcsc.exe	165
PID 2492 wrote to memory of 1584	2492	msdcsc.exe	165
PID 2492 wrote to memory of 1584	2492	msdcsc.exe	165
PID 2492 wrote to memory of 1944	2492	msdcsc.exe	101
PID 2492 wrote to memory of 1944	2492	msdcsc.exe	101
PID 2492 wrote to memory of 1944	2492	msdcsc.exe	101
PID 2492 wrote to memory of 1572	2492	msdcsc.exe	104
PID 2492 wrote to memory of 1572	2492	msdcsc.exe	104
PID 2492 wrote to memory of 1572	2492	msdcsc.exe	104
PID 1572 wrote to memory of 3276	1572	TEST.EXE	105
PID 1572 wrote to memory of 3276	1572	TEST.EXE	105
PID 1572 wrote to memory of 3276	1572	TEST.EXE	105
PID 1944 wrote to memory of 3420	1944	cmd.exe	106
PID 1944 wrote to memory of 3420	1944	cmd.exe	106
PID 1944 wrote to memory of 3420	1944	cmd.exe	106
PID 1584 wrote to memory of 4048	1584	cmd.exe	159
PID 1584 wrote to memory of 4048	1584	cmd.exe	159
PID 1584 wrote to memory of 4048	1584	cmd.exe	159
PID 1572 wrote to memory of 3480	1572	TEST.EXE	108
PID 1572 wrote to memory of 3480	1572	TEST.EXE	108
PID 1572 wrote to memory of 3480	1572	TEST.EXE	108
PID 1572 wrote to memory of 1692	1572	TEST.EXE	160
PID 1572 wrote to memory of 1692	1572	TEST.EXE	160
PID 1572 wrote to memory of 1692	1572	TEST.EXE	160
PID 2492 wrote to memory of 4540	2492	msdcsc.exe	112
PID 2492 wrote to memory of 4540	2492	msdcsc.exe	112
PID 2492 wrote to memory of 4540	2492	msdcsc.exe	112
PID 3276 wrote to memory of 4000	3276	cmd.exe	114
PID 3276 wrote to memory of 4000	3276	cmd.exe	114
PID 3276 wrote to memory of 4000	3276	cmd.exe	114
PID 3480 wrote to memory of 4884	3480	cmd.exe	113

Views/modifies file attributes 1 TTPs 64 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1324	attrib.exe
2532	attrib.exe
4000	attrib.exe
840	attrib.exe
4272	attrib.exe
2412	attrib.exe
1224	attrib.exe
4600	attrib.exe
4316	attrib.exe
4884	attrib.exe
2600	attrib.exe
4432	attrib.exe
2376	attrib.exe
2464	attrib.exe
928	attrib.exe
2724	attrib.exe
4084	attrib.exe
636	attrib.exe
2444	attrib.exe
4624	attrib.exe
4504	attrib.exe
708	attrib.exe
3188	attrib.exe
60	attrib.exe
2092	attrib.exe
2180	attrib.exe
2384	attrib.exe
2940	attrib.exe
3436	attrib.exe
1148	attrib.exe
224	attrib.exe
4088	attrib.exe
1616	attrib.exe
3024	attrib.exe
2280	attrib.exe
3640	attrib.exe
4048	attrib.exe
2740	attrib.exe
1592	attrib.exe
5008	attrib.exe
1452	attrib.exe
3036	attrib.exe
432	attrib.exe
2312	attrib.exe
4564	attrib.exe
4172	attrib.exe
4028	attrib.exe
920	attrib.exe
1324	attrib.exe
4692	attrib.exe
3436	attrib.exe
544	attrib.exe
412	attrib.exe
1212	attrib.exe
4216	attrib.exe
2204	attrib.exe
1896	attrib.exe
2076	attrib.exe
3240	attrib.exe
212	attrib.exe
452	attrib.exe
872	attrib.exe
4000	attrib.exe
3700	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1324
- C:\Users\Admin\AppData\Local\Temp\TEST.EXE
  "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:224
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2388
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  "C:\Windows\system32\MSDCSC\msdcsc.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      PID:3420
- - C:\Users\Admin\AppData\Local\Temp\TEST.EXE
    "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3480
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4884
  - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1692
- - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
    "C:\Windows\system32\MSDCSC\msdcsc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4172
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\TEST.EXE" +s +h
        5⤵
        Sets file to hidden
        
        PID:540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      4⤵
      PID:724
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\TEST.EXE" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\TEST.EXE
      "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3352
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:664
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        6⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1324
    - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1556
  - - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      "C:\Windows\system32\MSDCSC\msdcsc.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        6⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        6⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4300
    - - C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        6⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4088
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1188
    - - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        7⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        7⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2532
      - C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        8⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        7⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        8⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4564
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2704
      - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        8⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        8⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        7⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        9⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        9⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4692
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        8⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        9⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        9⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        8⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        10⤵
        Views/modifies file attributes
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1896
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        9⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        10⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        10⤵
        Views/modifies file attributes
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        9⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        10⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        10⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3240
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        10⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        9⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        10⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        11⤵
        Sets file to hidden
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        10⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        11⤵
        Views/modifies file attributes
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        10⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        11⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        12⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        11⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        12⤵
        Views/modifies file attributes
        
        PID:432
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        11⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        10⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        11⤵
        
        PID:640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        12⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        11⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        12⤵
        Sets file to hidden
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        11⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        12⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        12⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        13⤵
        Sets file to hidden
        
        PID:2564
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        12⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        11⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        12⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        12⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        13⤵
        Sets file to hidden
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        12⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        13⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        14⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        13⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        14⤵
        Views/modifies file attributes
        
        PID:4028
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        13⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        12⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        13⤵
        
        PID:552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        14⤵
        Views/modifies file attributes
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        13⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        14⤵
        Sets file to hidden
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        13⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        14⤵
        
        PID:3244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        15⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        14⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        15⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1616
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        14⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        13⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        14⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        15⤵
        Views/modifies file attributes
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        14⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        15⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        14⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        15⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        16⤵
        Views/modifies file attributes
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        15⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        16⤵
        
        PID:4640
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        15⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        14⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        15⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        16⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        15⤵
        
        PID:116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        16⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        15⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        16⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        17⤵
        Views/modifies file attributes
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        16⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        17⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3640
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        16⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        15⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        16⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        17⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        16⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        17⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        16⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        17⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        18⤵
        Sets file to hidden
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        17⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        18⤵
        
        PID:760
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        17⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        16⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        17⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        18⤵
        Sets file to hidden
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        17⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        18⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        17⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        18⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        19⤵
        Views/modifies file attributes
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        18⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        19⤵
        
        PID:3544
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        18⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        17⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        18⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        19⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        18⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        19⤵
        Sets file to hidden
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        18⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        19⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        20⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        19⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        20⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:544
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        19⤵
        
        PID:740
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        18⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        19⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        20⤵
        Views/modifies file attributes
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        19⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        20⤵
        Sets file to hidden
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        19⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        20⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        21⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        20⤵
        
        PID:3276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        21⤵
        Sets file to hidden
        
        PID:1464
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        20⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        19⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        20⤵
        
        PID:448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        21⤵
        Sets file to hidden
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        20⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        21⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        20⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        21⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        22⤵
        Sets file to hidden
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        21⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        22⤵
        
        PID:4272
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        21⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        20⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        21⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        22⤵
        Views/modifies file attributes
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        21⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        22⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        21⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        22⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        23⤵
        Views/modifies file attributes
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        22⤵
        
        PID:1044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        23⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1212
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        22⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        21⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        22⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        23⤵
        Sets file to hidden
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        22⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        23⤵
        Sets file to hidden
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        22⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        23⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        24⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        23⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        24⤵
        Views/modifies file attributes
        
        PID:2092
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        23⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        22⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        23⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        24⤵
        Sets file to hidden
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        23⤵
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        24⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        23⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        24⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        25⤵
        Sets file to hidden
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        24⤵
        
        PID:640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        25⤵
        Sets file to hidden
        
        PID:4948
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        24⤵
        
        PID:708
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        23⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        24⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        25⤵
        Sets file to hidden
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        24⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        25⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        24⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        25⤵
        
        PID:448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        26⤵
        Views/modifies file attributes
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        25⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        26⤵
        Views/modifies file attributes
        
        PID:2464
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        25⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        24⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        25⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        26⤵
        Sets file to hidden
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        25⤵
        
        PID:636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        26⤵
        Views/modifies file attributes
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        25⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        26⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        27⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        26⤵
        
        PID:740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        27⤵
        Views/modifies file attributes
        
        PID:4000
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        26⤵
        
        PID:224
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        25⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        26⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        27⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        26⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        27⤵
        Sets file to hidden
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        26⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        27⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        28⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        27⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        28⤵
        Views/modifies file attributes
        
        PID:1148
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        27⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        26⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        27⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        28⤵
        Views/modifies file attributes
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        27⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        28⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        27⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        28⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        29⤵
        Sets file to hidden
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        28⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        29⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2444
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        28⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        27⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        28⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        29⤵
        Sets file to hidden
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        28⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        29⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        28⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        29⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        30⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        29⤵
        
        PID:3684
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        29⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        28⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        29⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        29⤵
        
        PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TEST.EXE

Filesize
754KB

MD5
7c8451454c078352d19e7f3f01f2d340

SHA1
056769cebab6f2df146e5095807024f18171eb63

SHA256
dbb7441b265974145f28155e89ba8038c641519ecac7c73f665b13fb7dcb74a3

SHA512
7eadee3041a3c37b76f0ea7887daa754f981371bb04f58a3bdcccbbb8f57869b0d471da93058332ad289cb9cec23b644051dad69aad527af954463d7bfe111ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
50B

MD5
b774ae3fb1da087e1f83b4f7b2060e5a

SHA1
97eb9be49ac3af9c851c9e1e84e32bfd53e325a8

SHA256
adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b

SHA512
f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
59B

MD5
862cce3bb332dc4cf9fd6e9113de973b

SHA1
0d05e0eda29c8dc9b4da76af58d9611da135645f

SHA256
2a598ebaf355a0c08709a19b66f5a5f0799fb308d0f5c0847c4012ec36fe4533

SHA512
230b5da321f6bf68114447fbc63e65f2b78bb0d646f1c0fac4dbd8b7e01a69b84dadefefe510fc555b27ed89e18bb39b909fb3702290e636dd0b535e5076c7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
54B

MD5
b960305e23cbfd65106f326e54e2edfd

SHA1
522c5e95a4306797b3e71bbe62158087f779ee7a

SHA256
c31911cf00619f811195612355d7c762cd7e65d7d06756f62815b029cda65855

SHA512
294181df282b6901de3e2743a6986637303f7bc63555ad171c07f6457d2895907aeae800eb7f948ac6380ba87e76423eb150792d05754aa6152c9d9921edc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
43B

MD5
54552c311a8c2081eefdad310b19b5db

SHA1
718edabb22a5b5481815682eb1b3cd17c316c1dc

SHA256
233765af9f5b64cdcae82b709e94f3d26d9486c90e3074a79ebeb915e386bfea

SHA512
dc004dfaacba0417a6e631099c46ca99a832000286baabfa035a176e5b99fdd78f61c97a37d7d1b8e29711b657bc5df4bc601a28c431c38b2395347858cd4f02

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
1.5MB

MD5
e57571c566215a879481ec67a322a5e6

SHA1
742e9e26092fd619d939f31946775a6fbd5f94d7

SHA256
07fd8d644486ee01d90818550d25a791fffa545ff66ad830e1d5ebe89fde9815

SHA512
d00ac43c9e178a570e10c1e54166f55f3afd977e40537843135da80e580cb4cae7ce844bfeef69b3c279c2b0b79e7e710198ff732115efe41b2f47f602b65578

Download Submit
memory/552-216-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/640-326-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/740-370-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/928-371-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/996-398-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1088-51-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1088-236-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1088-0-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1188-130-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1464-195-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1556-110-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1572-258-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1572-80-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1584-172-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1588-397-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1596-354-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1692-81-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1796-396-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1800-408-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2008-128-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2044-220-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2100-339-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2124-277-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2164-240-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2352-309-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2376-260-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2376-425-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2388-259-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2388-373-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2464-153-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2492-83-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2588-238-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2704-152-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2768-198-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2924-176-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2968-338-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3084-173-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3192-424-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3252-150-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3348-340-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3352-109-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3452-22-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3452-40-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3576-409-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3624-217-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3652-262-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3764-385-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3792-132-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3816-353-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3820-279-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3872-387-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4036-386-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4132-407-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4228-296-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4272-352-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4272-295-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4380-310-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4480-194-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4540-112-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4584-325-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4664-294-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4824-308-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4900-426-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4948-278-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/5008-369-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/5116-324-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads