darkcomet | 0198e4ece40cebc1f98328360ca69e4b5386c2ff444596b268eb9af4ff137c97

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Size

650KB
MD5

1d74fad1e7d34e01d3d775528ef60460
SHA1

822bc0882d94ff9b2c6396d97dd6ee7c0d0a7356
SHA256

0198e4ece40cebc1f98328360ca69e4b5386c2ff444596b268eb9af4ff137c97
SHA512

27414da752359560068dc533f53e8c58161f4739194f2bbbc8e2a3e5c9989a3e5dfa2a6c137f8465ade8611d7274da2c20bccfd880622e0484c516c8528b0d1e
SSDEEP

12288:bk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+I:Q0QRWoJEfg0oChGdJQbjPbNW5tYeP+GB

Score

10^/10

darkcomet blowme evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

blowme

90.207.119.46:443

Mutex

AF48NLA

Attributes

InstallPath
\msdcsc.exe
gencode
roqmzCFsJnuf
install
true
offline_keylogger
true
password
blowmeya
persistence
true
reg_key
update

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 30 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe"	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

iexplore.exemsdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Checks computer location settings 2 TTPs 29 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	msdcsc.exe

Executes dropped EXE 29 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
4900	msdcsc.exe
1252	msdcsc.exe
544	msdcsc.exe
4616	msdcsc.exe
3020	msdcsc.exe
3824	msdcsc.exe
2820	msdcsc.exe
3004	msdcsc.exe
3776	msdcsc.exe
4152	msdcsc.exe
2024	msdcsc.exe
1084	msdcsc.exe
4900	msdcsc.exe
4868	msdcsc.exe
4148	msdcsc.exe
2420	msdcsc.exe
1664	msdcsc.exe
712	msdcsc.exe
2972	msdcsc.exe
1524	msdcsc.exe
4920	msdcsc.exe
2948	msdcsc.exe
3004	msdcsc.exe
3000	msdcsc.exe
1984	msdcsc.exe
2080	msdcsc.exe
1364	msdcsc.exe
2300	msdcsc.exe
3088	msdcsc.exe

Adds Run key to start application 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe"	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msdcsc.exe

description pid process target process

PID 3088 set thread context of 4716 3088 msdcsc.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 3088 set thread context of 4716	3088	msdcsc.exe	iexplore.exe

Runs ping.exe 1 TTPs 29 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1912	PING.EXE
2500	PING.EXE
1952	PING.EXE
4784	PING.EXE
4152	PING.EXE
4600	PING.EXE
4592	PING.EXE
2516	PING.EXE
1848	PING.EXE
2128	PING.EXE
4368	PING.EXE
2676	PING.EXE
2368	PING.EXE
1332	PING.EXE
5040	PING.EXE
2216	PING.EXE
3548	PING.EXE
1412	PING.EXE
1028	PING.EXE
4084	PING.EXE
3348	PING.EXE
2652	PING.EXE
1980	PING.EXE
2000	PING.EXE
2500	PING.EXE
3472	PING.EXE
3776	PING.EXE
332	PING.EXE
4168	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4716 iexplore.exe

pid	process
4716	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exemsdcsc.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeSecurityPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeBackupPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeRestorePrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeShutdownPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeDebugPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeUndockPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: 33	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: 34	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: 35	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: 36	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4900	msdcsc.exe
Token: SeSecurityPrivilege	4900	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4900	msdcsc.exe
Token: SeLoadDriverPrivilege	4900	msdcsc.exe
Token: SeSystemProfilePrivilege	4900	msdcsc.exe
Token: SeSystemtimePrivilege	4900	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4900	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4900	msdcsc.exe
Token: SeCreatePagefilePrivilege	4900	msdcsc.exe
Token: SeBackupPrivilege	4900	msdcsc.exe
Token: SeRestorePrivilege	4900	msdcsc.exe
Token: SeShutdownPrivilege	4900	msdcsc.exe
Token: SeDebugPrivilege	4900	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4900	msdcsc.exe
Token: SeChangeNotifyPrivilege	4900	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4900	msdcsc.exe
Token: SeUndockPrivilege	4900	msdcsc.exe
Token: SeManageVolumePrivilege	4900	msdcsc.exe
Token: SeImpersonatePrivilege	4900	msdcsc.exe
Token: SeCreateGlobalPrivilege	4900	msdcsc.exe
Token: 33	4900	msdcsc.exe
Token: 34	4900	msdcsc.exe
Token: 35	4900	msdcsc.exe
Token: 36	4900	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	1252	msdcsc.exe
Token: SeSecurityPrivilege	1252	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1252	msdcsc.exe
Token: SeLoadDriverPrivilege	1252	msdcsc.exe
Token: SeSystemProfilePrivilege	1252	msdcsc.exe
Token: SeSystemtimePrivilege	1252	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1252	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1252	msdcsc.exe
Token: SeCreatePagefilePrivilege	1252	msdcsc.exe
Token: SeBackupPrivilege	1252	msdcsc.exe
Token: SeRestorePrivilege	1252	msdcsc.exe
Token: SeShutdownPrivilege	1252	msdcsc.exe
Token: SeDebugPrivilege	1252	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1252	msdcsc.exe
Token: SeChangeNotifyPrivilege	1252	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1252	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

4716 iexplore.exe

pid	process
4716	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.execmd.exemsdcsc.execmd.exemsdcsc.execmd.exemsdcsc.execmd.exemsdcsc.execmd.exemsdcsc.execmd.exemsdcsc.execmd.exemsdcsc.exe

description	pid	process	target process
PID 1196 wrote to memory of 2364	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	cmd.exe
PID 1196 wrote to memory of 2364	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	cmd.exe
PID 1196 wrote to memory of 2364	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	cmd.exe
PID 1196 wrote to memory of 4900	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	msdcsc.exe
PID 1196 wrote to memory of 4900	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	msdcsc.exe
PID 1196 wrote to memory of 4900	1196	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	msdcsc.exe
PID 2364 wrote to memory of 1848	2364	cmd.exe	cmd.exe
PID 2364 wrote to memory of 1848	2364	cmd.exe	cmd.exe
PID 2364 wrote to memory of 1848	2364	cmd.exe	cmd.exe
PID 4900 wrote to memory of 1168	4900	msdcsc.exe	cmd.exe
PID 4900 wrote to memory of 1168	4900	msdcsc.exe	cmd.exe
PID 4900 wrote to memory of 1168	4900	msdcsc.exe	cmd.exe
PID 4900 wrote to memory of 1252	4900	msdcsc.exe	Conhost.exe
PID 4900 wrote to memory of 1252	4900	msdcsc.exe	Conhost.exe
PID 4900 wrote to memory of 1252	4900	msdcsc.exe	Conhost.exe
PID 1168 wrote to memory of 1912	1168	cmd.exe	PING.EXE
PID 1168 wrote to memory of 1912	1168	cmd.exe	PING.EXE
PID 1168 wrote to memory of 1912	1168	cmd.exe	PING.EXE
PID 1252 wrote to memory of 1948	1252	msdcsc.exe	cmd.exe
PID 1252 wrote to memory of 1948	1252	msdcsc.exe	cmd.exe
PID 1252 wrote to memory of 1948	1252	msdcsc.exe	cmd.exe
PID 1252 wrote to memory of 544	1252	msdcsc.exe	msdcsc.exe
PID 1252 wrote to memory of 544	1252	msdcsc.exe	msdcsc.exe
PID 1252 wrote to memory of 544	1252	msdcsc.exe	msdcsc.exe
PID 1948 wrote to memory of 2128	1948	cmd.exe	PING.EXE
PID 1948 wrote to memory of 2128	1948	cmd.exe	PING.EXE
PID 1948 wrote to memory of 2128	1948	cmd.exe	PING.EXE
PID 544 wrote to memory of 3468	544	msdcsc.exe	cmd.exe
PID 544 wrote to memory of 3468	544	msdcsc.exe	cmd.exe
PID 544 wrote to memory of 3468	544	msdcsc.exe	cmd.exe
PID 544 wrote to memory of 4616	544	msdcsc.exe	cmd.exe
PID 544 wrote to memory of 4616	544	msdcsc.exe	cmd.exe
PID 544 wrote to memory of 4616	544	msdcsc.exe	cmd.exe
PID 3468 wrote to memory of 3348	3468	cmd.exe	PING.EXE
PID 3468 wrote to memory of 3348	3468	cmd.exe	PING.EXE
PID 3468 wrote to memory of 3348	3468	cmd.exe	PING.EXE
PID 4616 wrote to memory of 2540	4616	msdcsc.exe	cmd.exe
PID 4616 wrote to memory of 2540	4616	msdcsc.exe	cmd.exe
PID 4616 wrote to memory of 2540	4616	msdcsc.exe	cmd.exe
PID 4616 wrote to memory of 3020	4616	msdcsc.exe	msdcsc.exe
PID 4616 wrote to memory of 3020	4616	msdcsc.exe	msdcsc.exe
PID 4616 wrote to memory of 3020	4616	msdcsc.exe	msdcsc.exe
PID 2540 wrote to memory of 4600	2540	cmd.exe	PING.EXE
PID 2540 wrote to memory of 4600	2540	cmd.exe	PING.EXE
PID 2540 wrote to memory of 4600	2540	cmd.exe	PING.EXE
PID 3020 wrote to memory of 2520	3020	msdcsc.exe	cmd.exe
PID 3020 wrote to memory of 2520	3020	msdcsc.exe	cmd.exe
PID 3020 wrote to memory of 2520	3020	msdcsc.exe	cmd.exe
PID 3020 wrote to memory of 3824	3020	msdcsc.exe	msdcsc.exe
PID 3020 wrote to memory of 3824	3020	msdcsc.exe	msdcsc.exe
PID 3020 wrote to memory of 3824	3020	msdcsc.exe	msdcsc.exe
PID 2520 wrote to memory of 1332	2520	cmd.exe	PING.EXE
PID 2520 wrote to memory of 1332	2520	cmd.exe	PING.EXE
PID 2520 wrote to memory of 1332	2520	cmd.exe	PING.EXE
PID 3824 wrote to memory of 4156	3824	msdcsc.exe	cmd.exe
PID 3824 wrote to memory of 4156	3824	msdcsc.exe	cmd.exe
PID 3824 wrote to memory of 4156	3824	msdcsc.exe	cmd.exe
PID 3824 wrote to memory of 2820	3824	msdcsc.exe	msdcsc.exe
PID 3824 wrote to memory of 2820	3824	msdcsc.exe	msdcsc.exe
PID 3824 wrote to memory of 2820	3824	msdcsc.exe	msdcsc.exe
PID 4156 wrote to memory of 2500	4156	cmd.exe	PING.EXE
PID 4156 wrote to memory of 2500	4156	cmd.exe	PING.EXE
PID 4156 wrote to memory of 2500	4156	cmd.exe	PING.EXE
PID 2820 wrote to memory of 4688	2820	msdcsc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
3⤵
- Runs ping.exe
PID:1848

C:\Users\Admin\AppData\Roaming\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\msdcsc.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\msdcsc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
4⤵
- Runs ping.exe
PID:1912

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
5⤵
- Runs ping.exe
PID:2128

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
6⤵
- Runs ping.exe
PID:3348

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
7⤵
- Runs ping.exe
PID:4600

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
8⤵
- Runs ping.exe
PID:1332

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
8⤵
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
9⤵
- Runs ping.exe
PID:2500

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
9⤵
PID:4688

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
10⤵
- Runs ping.exe
PID:3472

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
10⤵
PID:4548

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
11⤵
- Runs ping.exe
PID:5040

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
11⤵
PID:4936

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
12⤵
- Runs ping.exe
PID:4368

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
11⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
12⤵
PID:4944

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
13⤵
- Runs ping.exe
PID:2516

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
13⤵
PID:1788

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
14⤵
- Runs ping.exe
PID:1952

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
13⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
14⤵
PID:2672

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
15⤵
- Runs ping.exe
PID:2652

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
15⤵
PID:4012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
16⤵
PID:1252

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
16⤵
- Runs ping.exe
PID:3548

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
16⤵
PID:5092

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
17⤵
- Runs ping.exe
PID:1412

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
17⤵
PID:2172

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
18⤵
- Runs ping.exe
PID:1028

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
17⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
18⤵
PID:440

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
19⤵
- Runs ping.exe
PID:4084

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
19⤵
PID:532

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
20⤵
- Runs ping.exe
PID:3776

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
19⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
20⤵
PID:2152

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
21⤵
- Runs ping.exe
PID:332

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
21⤵
PID:3772

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
22⤵
- Runs ping.exe
PID:4168

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
21⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
22⤵
PID:4616

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
23⤵
- Runs ping.exe
PID:2216

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
23⤵
PID:4724

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
24⤵
- Runs ping.exe
PID:4784

C:\Users\Admin\AppData\Roaming\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\msdcsc.exe"
23⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\msdcsc.exe"
24⤵
PID:1676

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
25⤵
- Runs ping.exe
PID:4152

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
24⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
25⤵
PID:1888

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
26⤵
- Runs ping.exe
PID:1980

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
25⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
26⤵
PID:2972

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
27⤵
- Runs ping.exe
PID:2676

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
26⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
27⤵
PID:2544

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
28⤵
- Runs ping.exe
PID:2368

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
27⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
28⤵
PID:2572

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
29⤵
- Runs ping.exe
PID:4592

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
29⤵
PID:3004

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
30⤵
- Runs ping.exe
PID:2000

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
29⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
30⤵
PID:1848

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
31⤵
- Runs ping.exe
PID:2500

C:\Users\Admin\AppData\Roaming\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\msdcsc.exe"
30⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3088

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
31⤵
- Modifies firewall policy service
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msdcsc.exe
Filesize
650KB

MD5
1d74fad1e7d34e01d3d775528ef60460

SHA1
822bc0882d94ff9b2c6396d97dd6ee7c0d0a7356

SHA256
0198e4ece40cebc1f98328360ca69e4b5386c2ff444596b268eb9af4ff137c97

SHA512
27414da752359560068dc533f53e8c58161f4739194f2bbbc8e2a3e5c9989a3e5dfa2a6c137f8465ade8611d7274da2c20bccfd880622e0484c516c8528b0d1e

Download Submit
memory/544-52-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/712-247-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1084-169-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1196-12-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1196-0-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1252-40-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1364-364-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1524-273-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1664-234-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1984-338-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2024-156-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2080-351-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2300-377-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2420-221-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2820-104-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2948-299-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2972-260-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3000-325-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3004-117-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3004-312-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3020-78-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3088-380-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3776-130-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3824-91-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4148-208-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4152-143-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4616-65-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4716-379-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4868-195-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4900-182-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4900-27-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4900-14-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4920-286-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download