darkcomet | dd8650f0e484ba0ea4775ccce3a9644bba747ee92f1b534628525c7ceedc69f9

Resubmissions

14/04/2025, 04:20

250414-ex92msynx2 10

14/04/2025, 03:24

14/04/2025, 02:53

13/04/2025, 19:39

13/04/2025, 01:50

13/04/2025, 01:45

12/04/2025, 16:37

Analysis

max time kernel
150s
max time network
145s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
10/04/2025, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Size

658KB
MD5

3178fcad2d2c2f3c0f4f70aecfb18db7
SHA1

0ecad6522214f9bef4dd8f2f8eb927827bc4971c
SHA256

dd8650f0e484ba0ea4775ccce3a9644bba747ee92f1b534628525c7ceedc69f9
SHA512

57148c860850344b1086c8765c083862d57d99119914e218aca4c8e80dc9cbe48d206b6aefaea9ad5cda58a459ff5888f1bc82f6fabacd2aa81f52818cef4985
SSDEEP

12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hV:KZ1xuVVjfFoynPaVBUR8f+kN10EBP

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

127.0.0.1:1604

Mutex

DC_MUTEX-7X99PTF

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
DNgeskLTppzX
install
true
offline_keylogger
true
persistence
true
reg_key
System32.dll

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5996	attrib.exe
1216	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe

Executes dropped EXE 17 IoCs

pid	Process
460	msdcsc.exe
3504	msdcsc.exe
3020	msdcsc.exe
5012	msdcsc.exe
3464	msdcsc.exe
5344	msdcsc.exe
5864	msdcsc.exe
5644	msdcsc.exe
1452	msdcsc.exe
1152	msdcsc.exe
5076	msdcsc.exe
5252	msdcsc.exe
5256	msdcsc.exe
3972	msdcsc.exe
1180	msdcsc.exe
4952	msdcsc.exe
6036	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2512	2440	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133887243209121437"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2067557190-3677960511-2209622391-1000\{02B81A4E-F641-402F-9217-C55AA6B0EA88}	chrome.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
460	msdcsc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeSecurityPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeBackupPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeRestorePrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeShutdownPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeDebugPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeUndockPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: 33	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: 34	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: 35	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: 36	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	460	msdcsc.exe
Token: SeSecurityPrivilege	460	msdcsc.exe
Token: SeTakeOwnershipPrivilege	460	msdcsc.exe
Token: SeLoadDriverPrivilege	460	msdcsc.exe
Token: SeSystemProfilePrivilege	460	msdcsc.exe
Token: SeSystemtimePrivilege	460	msdcsc.exe
Token: SeProfSingleProcessPrivilege	460	msdcsc.exe
Token: SeIncBasePriorityPrivilege	460	msdcsc.exe
Token: SeCreatePagefilePrivilege	460	msdcsc.exe
Token: SeBackupPrivilege	460	msdcsc.exe
Token: SeRestorePrivilege	460	msdcsc.exe
Token: SeShutdownPrivilege	460	msdcsc.exe
Token: SeDebugPrivilege	460	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	460	msdcsc.exe
Token: SeChangeNotifyPrivilege	460	msdcsc.exe
Token: SeRemoteShutdownPrivilege	460	msdcsc.exe
Token: SeUndockPrivilege	460	msdcsc.exe
Token: SeManageVolumePrivilege	460	msdcsc.exe
Token: SeImpersonatePrivilege	460	msdcsc.exe
Token: SeCreateGlobalPrivilege	460	msdcsc.exe
Token: 33	460	msdcsc.exe
Token: 34	460	msdcsc.exe
Token: 35	460	msdcsc.exe
Token: 36	460	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	3504	msdcsc.exe
Token: SeSecurityPrivilege	3504	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3504	msdcsc.exe
Token: SeLoadDriverPrivilege	3504	msdcsc.exe
Token: SeSystemProfilePrivilege	3504	msdcsc.exe
Token: SeSystemtimePrivilege	3504	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3504	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3504	msdcsc.exe
Token: SeCreatePagefilePrivilege	3504	msdcsc.exe
Token: SeBackupPrivilege	3504	msdcsc.exe
Token: SeRestorePrivilege	3504	msdcsc.exe
Token: SeShutdownPrivilege	3504	msdcsc.exe
Token: SeDebugPrivilege	3504	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3504	msdcsc.exe
Token: SeChangeNotifyPrivilege	3504	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3504	msdcsc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
460	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6032 wrote to memory of 460	6032	cmd.exe	84
PID 6032 wrote to memory of 460	6032	cmd.exe	84
PID 6032 wrote to memory of 460	6032	cmd.exe	84
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 460 wrote to memory of 740	460	msdcsc.exe	86
PID 3124 wrote to memory of 4100	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	88
PID 3124 wrote to memory of 4100	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	88
PID 3124 wrote to memory of 4100	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	88
PID 3124 wrote to memory of 904	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	89
PID 3124 wrote to memory of 904	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	89
PID 3124 wrote to memory of 904	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	89
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 3124 wrote to memory of 2440	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	90
PID 904 wrote to memory of 5996	904	cmd.exe	95
PID 904 wrote to memory of 5996	904	cmd.exe	95
PID 904 wrote to memory of 5996	904	cmd.exe	95
PID 2588 wrote to memory of 3504	2588	cmd.exe	96
PID 2588 wrote to memory of 3504	2588	cmd.exe	96
PID 2588 wrote to memory of 3504	2588	cmd.exe	96
PID 4100 wrote to memory of 1216	4100	cmd.exe	98
PID 4100 wrote to memory of 1216	4100	cmd.exe	98
PID 4100 wrote to memory of 1216	4100	cmd.exe	98
PID 3124 wrote to memory of 3020	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	99
PID 3124 wrote to memory of 3020	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	99
PID 3124 wrote to memory of 3020	3124	3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe	99
PID 4072 wrote to memory of 5012	4072	cmd.exe	107
PID 4072 wrote to memory of 5012	4072	cmd.exe	107
PID 4072 wrote to memory of 5012	4072	cmd.exe	107
PID 4584 wrote to memory of 3464	4584	cmd.exe	112

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5996	attrib.exe
1216	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\3178fcad2d2c2f3c0f4f70aecfb18db7_JaffaCakes118.exe" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5996
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 356
    3⤵
    - Program crash
    PID:2512
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6032
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2440 -ip 2440
1⤵
PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4508
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:1932
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:3724
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:756
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffbd62bdcf8,0x7ffbd62bdd04,0x7ffbd62bdd10
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1648,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2124,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2408,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2604 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4244,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4276 /prefetch:2
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4720,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5340,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5548,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:5792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5592,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5864,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5844,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5856,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5772,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5820,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3260,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3328,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3312 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3368,i,17433345633484721148,14060166712915870540,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4240 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2904

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:3196
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:1844
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5252

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:5308
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4740
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4824
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:2356
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:2092
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6036

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
82f59b6a0fd444ccbfd4c65723038112

SHA1
f1875a1dc39d239e404bb2a81d9c5ce252577c76

SHA256
567360f4d313cdd02982f4d6ce6e5ef68633956d5b6e71f0892053fb6e5cdd81

SHA512
23550cafc69e3dc5e8f0224acb612baaa81138aeb19031a702add707bbc8892d8eda34ca06e708c4fa66be3f2e21e657a7cf6221601e36a3ce9e4e06887dcd9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
34KB

MD5
69c35bc1bcbf5240d8725cee085e0155

SHA1
a3e296d13d2ffaa79012672048ae340f04b2c03f

SHA256
04efeda543f3007f15667f0eb0ed33c97955f2d2c4948d3b765147b19fbd0975

SHA512
52d7ccd1bc48ba3c4771bb3e2dea8ffb65d51031f0c2d9feb24a61f72a5e07dbf372d18e4543b0d815d3f749b0a45b0efe36218ffb76634995a064c4a3d6c997

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
d530fbcef1f2dcccbea27b2a486d8544

SHA1
361b40ab799f4b9963f530f635234635b7f0d996

SHA256
2715c0e41c0b599ee1859450b68978e7df779e8c68b8cae454f4c8c536b7ce19

SHA512
752580e4480f9c7aeac82fcdb7dfe8b40b6b10e325de572ad0ef5dfab9d81b0ab346939449b840d77ec02f8df4247cd95365b366318ef375df501a3870466aff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\2da35eaa-6ced-49b0-9e7f-b591ff377b79.tmp

Filesize
7KB

MD5
926c503827c80ef9f00b42b25efac38f

SHA1
831d4dac14e42be8de5d17ced9efaafe147b9233

SHA256
f2177c099217300faca08b3458d72d91bcd62b9e866383e4b983493d9477bb8f

SHA512
879a12997e9422def262e25290246d48e4b676056ac54ff616e428c61427fe0b2701242a88bbd1ed468565e78bb3bbde131a20816b265ffeea7a73db076832d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\db01384f-b380-4aad-9c4f-94e133537928.tmp

Filesize
1KB

MD5
6e41e5e37b91c8beb777034bcf5a0e80

SHA1
e4483ed47abd847a119e9f5123ac82285ac15a1c

SHA256
340522d348600d2ac3998cb81a417f75de796e283549639af6952f662aa10fd9

SHA512
b993768f3d0b6dd2126dd4337d20a470dcfca97f854db308123938b98a88fa1523d46408a3748b14f3225f2431abd738ec6414c3567163a8ff8640bf050985bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
45ad8c363171ec404e5602693e371bdc

SHA1
29ba968f7687f6b14d905569c01bf30737a38eb5

SHA256
a8929f1cb873d62f5f2a55e451cda9d6240ebeaa6e562f7c8876c655afa86e45

SHA512
b00d3ff32ae5dfc6c9e9c5caf653c321fb04ef7252668d63a39f2bb54b69bf3749ffba8eb24c8cef2ef970f468cf9840c1f470f406df7eb944227c7013a312ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
1bf51fa25f9c06bfb8dc283d878bb986

SHA1
cff14d775881baaf40b9ce7c4187ee3905645769

SHA256
6405b6ea44e447f9cd7adc83ef39423667adf86997bdc68d0928e28a4376bb6c

SHA512
debfd1906a6f4541aedb39a92a6ac4c12273c511624dd72f9e77cf91abf08ae546472e62a6a2804135e6479fb2e887affc8e5bee4c842811e5909d07352d9df2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
67b67bbe3bda10061123c4d93c69ce7b

SHA1
e35b88bdaed5ff5c061c1def25a0ef3364f1578b

SHA256
7c40e7f97aac032096fce51ab29d70e70245e9b1ab319a6802af61e964bb65c8

SHA512
fc9d5d403a264bd15a586d352e37201a921b8bdafb85955535e128e19362c1b51cf0c8f1e7031795793e44f42bb2821d8a3af15d3994ef611836e50a70bc2dd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c8787.TMP

Filesize
48B

MD5
ee20fb5e68c1da8931d7b159b9fb6a6d

SHA1
9a6a73dd5dbc46ab21055e29878db820d6c79342

SHA256
277846e03b8490553cf4f872776d6edf94a9b05b2199de6c76abda9f2e6427f7

SHA512
c95f2b9c7ad578312257726867d55219be0b0a80fa5706f9267dff7ff79640c2fe2368d06c01d14ef1e1cd8c2cf521fff00584e9315fcddcb819a50bd62ef517

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
0068661f19dc241d119fd4b62e56488c

SHA1
00775e29d399d11bf25e11c7448207064ecb1f67

SHA256
52d23323347eeca4011725aa76161a168ebdf681341e590546eeb10641948de8

SHA512
f9f4e11d107bc555071834c6a278987c544e504ef2b99c195fcea615fcaf910121c29d02ccb2cd03fb1dc2ea8dbe43072efb85cd0ab4523c170b91b9fb15483a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe5c7055.TMP

Filesize
140B

MD5
3ee18c716a924e3cde518e9250907eae

SHA1
98dd92813735c2bcf5d34099bc52a7a4e139bfb0

SHA256
7690c73a187c1f0e7c74187eda5d0f6c84ed8093e202d5b8bf42d58c0c750a0d

SHA512
f5c8ae49583c59acd0af07dacf21738624cfdb001ad4a798895e346ffd6cc48f4da743c1aa96ba806bf9d67b93e49df499fba0796d98dba1fd2d2862c8734e5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
eeb05d602eb9e14a5b285374a0933f95

SHA1
47264724859514982eb8eac65471c9dad7222a67

SHA256
3ede4cbdf484b7492039ad0d71c3f1134a752bc3854f92a825f22a2cca227ca9

SHA512
7e092e0c20fd2862d5d264725e0b9e2a7de0e0303c2af7e43c7ebe58e1c88d62813d04a4d97e0e04852297a90abf8a5969ddfc0bae2780c1f229e94cca319c15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
129b2bdd6bd24804cbb370613a38e06a

SHA1
eb79d8b2560bd8698614f62968ef39c2f937e3f0

SHA256
05499a7cc8df26be406934432effefeda48fac96dd2ada9c72ad959c990205c7

SHA512
78f9c15d14d47ca3266c8f2d68e2ea0a1b8230ab3bfe6af7eff9a9078b4873d27eddf1683e5727a6cf712d7f54ab0756a11b3a054b3ece7b0739294ce7976e0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
b1540d830563962d5f6ea203ceae50de

SHA1
8a835a97d457c4af941f7f63be0dc72bb562d7c3

SHA256
37812e049047b0166a6ffa0a7977a1bf8203e56018c6ed577d9b782727bad44d

SHA512
99e147dbf97a431f0e092a2bf96751f0070a86f746a5036956a5fb3927dff69dd38f0abcd7a49a6dd052d5d23d1fb638cab47e5c739b2b2f995638077cc6cc71

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
658KB

MD5
3178fcad2d2c2f3c0f4f70aecfb18db7

SHA1
0ecad6522214f9bef4dd8f2f8eb927827bc4971c

SHA256
dd8650f0e484ba0ea4775ccce3a9644bba747ee92f1b534628525c7ceedc69f9

SHA512
57148c860850344b1086c8765c083862d57d99119914e218aca4c8e80dc9cbe48d206b6aefaea9ad5cda58a459ff5888f1bc82f6fabacd2aa81f52818cef4985

Download Submit
memory/460-468-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/460-20-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/460-11-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/460-640-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/460-2-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/740-3-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/1152-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1160-642-0x00000161328B0000-0x00000161328B1000-memory.dmp

Filesize
4KB

Download
memory/1160-651-0x00000161328B0000-0x00000161328B1000-memory.dmp

Filesize
4KB

Download
memory/1160-648-0x00000161328B0000-0x00000161328B1000-memory.dmp

Filesize
4KB

Download
memory/1160-649-0x00000161328B0000-0x00000161328B1000-memory.dmp

Filesize
4KB

Download
memory/1160-650-0x00000161328B0000-0x00000161328B1000-memory.dmp

Filesize
4KB

Download
memory/1160-652-0x00000161328B0000-0x00000161328B1000-memory.dmp

Filesize
4KB

Download
memory/1160-653-0x00000161328B0000-0x00000161328B1000-memory.dmp

Filesize
4KB

Download
memory/1160-647-0x00000161328B0000-0x00000161328B1000-memory.dmp

Filesize
4KB

Download
memory/1160-641-0x00000161328B0000-0x00000161328B1000-memory.dmp

Filesize
4KB

Download
memory/1160-643-0x00000161328B0000-0x00000161328B1000-memory.dmp

Filesize
4KB

Download
memory/1180-662-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1452-28-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2440-4-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/3020-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3124-0-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3124-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3464-15-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3504-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3972-659-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4952-665-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5012-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5076-467-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5252-639-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5256-655-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5344-19-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5644-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5864-22-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/6036-668-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download