darkcomet | 11c0e397d62858a5a59ffc635eff294ae5bf5aaf5b94f97e48ef86b599e0987e

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe
Size

1.8MB
MD5

192c731e822a64cce6dc9a6725d7b651
SHA1

288c85400ea2abad7f29cde9f90658e9876d1710
SHA256

11c0e397d62858a5a59ffc635eff294ae5bf5aaf5b94f97e48ef86b599e0987e
SHA512

b6f7925f4cd8b445092a947d89f492744520132abacd9bfc3535e2b406ed797490cebb3315dffd93413bba61e8f333d0429c5c942b0362b85c783e5611980006
SSDEEP

24576:Kb2/DbTeyIuPVJFFDHZWCaIYm1hCcDOmi:f/lDoC1O

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

darkcomet2013.no-ip.biz:1500

192.168.1.71:1500

Mutex

DC_MUTEX-9LQ2QJ5

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
30ibXWq2y5dh
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe926.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	926.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe

Sets file to hidden 1 TTPs 46 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2396	attrib.exe
2032	attrib.exe
1720	attrib.exe
1388	attrib.exe
1476	attrib.exe
2948	attrib.exe
772	attrib.exe
1332	attrib.exe
2976	attrib.exe
1972	attrib.exe
2924	attrib.exe
2256	attrib.exe
2800	attrib.exe
2972	attrib.exe
1708	attrib.exe
1652	attrib.exe
3048	attrib.exe
2560	attrib.exe
2104	attrib.exe
2740	attrib.exe
1708	attrib.exe
2116	attrib.exe
620	attrib.exe
2360	attrib.exe
712	attrib.exe
1692	attrib.exe
1696	attrib.exe
1104	attrib.exe
2192	attrib.exe
1648	attrib.exe
1616	attrib.exe
1780	attrib.exe
2296	attrib.exe
1200	attrib.exe
2848	attrib.exe
2940	attrib.exe
2008	attrib.exe
2260	attrib.exe
2828	attrib.exe
2472	attrib.exe
2032	attrib.exe
2780	attrib.exe
1700	attrib.exe
952	attrib.exe
1488	attrib.exe
592	attrib.exe

Executes dropped EXE 24 IoCs

Processes:

926.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
2736	926.exe
2848	msdcsc.exe
2928	msdcsc.exe
964	msdcsc.exe
1688	msdcsc.exe
3000	msdcsc.exe
2056	msdcsc.exe
1800	msdcsc.exe
1700	msdcsc.exe
2704	msdcsc.exe
2920	msdcsc.exe
968	msdcsc.exe
1304	msdcsc.exe
1488	msdcsc.exe
2484	msdcsc.exe
1580	msdcsc.exe
2808	msdcsc.exe
2968	msdcsc.exe
1720	msdcsc.exe
2832	msdcsc.exe
1448	msdcsc.exe
2348	msdcsc.exe
2360	msdcsc.exe
2912	msdcsc.exe

Loads dropped DLL 46 IoCs

Processes:

pid	process
2736	926.exe
2736	926.exe
2848	msdcsc.exe
2848	msdcsc.exe
2928	msdcsc.exe
2928	msdcsc.exe
964	msdcsc.exe
964	msdcsc.exe
1688	msdcsc.exe
1688	msdcsc.exe
3000	msdcsc.exe
3000	msdcsc.exe
2056	msdcsc.exe
2056	msdcsc.exe
1800	msdcsc.exe
1800	msdcsc.exe
1700	msdcsc.exe
1700	msdcsc.exe
2704	msdcsc.exe
2704	msdcsc.exe
2920	msdcsc.exe
2920	msdcsc.exe
968	msdcsc.exe
968	msdcsc.exe
1304	msdcsc.exe
1304	msdcsc.exe
1488	msdcsc.exe
1488	msdcsc.exe
2484	msdcsc.exe
2484	msdcsc.exe
1580	msdcsc.exe
1580	msdcsc.exe
2808	msdcsc.exe
2808	msdcsc.exe
2968	msdcsc.exe
2968	msdcsc.exe
1720	msdcsc.exe
1720	msdcsc.exe
2832	msdcsc.exe
2832	msdcsc.exe
1448	msdcsc.exe
1448	msdcsc.exe
2348	msdcsc.exe
2348	msdcsc.exe
2360	msdcsc.exe
2360	msdcsc.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe926.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	926.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 64 IoCs

Processes:

attrib.exemsdcsc.exeattrib.exemsdcsc.exe926.exeattrib.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exeattrib.exemsdcsc.exemsdcsc.exemsdcsc.exeattrib.exeattrib.exemsdcsc.exemsdcsc.exeattrib.exemsdcsc.exeattrib.exeattrib.exemsdcsc.exemsdcsc.exeattrib.exeattrib.exeattrib.exeattrib.exemsdcsc.exeattrib.exeattrib.exemsdcsc.exeattrib.exeattrib.exeattrib.exemsdcsc.exeattrib.exemsdcsc.exeattrib.exeattrib.exemsdcsc.exeattrib.exemsdcsc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	926.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	926.exe
File created	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	926.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

926.exemsdcsc.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2736	926.exe
Token: SeSecurityPrivilege	2736	926.exe
Token: SeTakeOwnershipPrivilege	2736	926.exe
Token: SeLoadDriverPrivilege	2736	926.exe
Token: SeSystemProfilePrivilege	2736	926.exe
Token: SeSystemtimePrivilege	2736	926.exe
Token: SeProfSingleProcessPrivilege	2736	926.exe
Token: SeIncBasePriorityPrivilege	2736	926.exe
Token: SeCreatePagefilePrivilege	2736	926.exe
Token: SeBackupPrivilege	2736	926.exe
Token: SeRestorePrivilege	2736	926.exe
Token: SeShutdownPrivilege	2736	926.exe
Token: SeDebugPrivilege	2736	926.exe
Token: SeSystemEnvironmentPrivilege	2736	926.exe
Token: SeChangeNotifyPrivilege	2736	926.exe
Token: SeRemoteShutdownPrivilege	2736	926.exe
Token: SeUndockPrivilege	2736	926.exe
Token: SeManageVolumePrivilege	2736	926.exe
Token: SeImpersonatePrivilege	2736	926.exe
Token: SeCreateGlobalPrivilege	2736	926.exe
Token: 33	2736	926.exe
Token: 34	2736	926.exe
Token: 35	2736	926.exe
Token: SeIncreaseQuotaPrivilege	2848	msdcsc.exe
Token: SeSecurityPrivilege	2848	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2848	msdcsc.exe
Token: SeLoadDriverPrivilege	2848	msdcsc.exe
Token: SeSystemProfilePrivilege	2848	msdcsc.exe
Token: SeSystemtimePrivilege	2848	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2848	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2848	msdcsc.exe
Token: SeCreatePagefilePrivilege	2848	msdcsc.exe
Token: SeBackupPrivilege	2848	msdcsc.exe
Token: SeRestorePrivilege	2848	msdcsc.exe
Token: SeShutdownPrivilege	2848	msdcsc.exe
Token: SeDebugPrivilege	2848	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2848	msdcsc.exe
Token: SeChangeNotifyPrivilege	2848	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2848	msdcsc.exe
Token: SeUndockPrivilege	2848	msdcsc.exe
Token: SeManageVolumePrivilege	2848	msdcsc.exe
Token: SeImpersonatePrivilege	2848	msdcsc.exe
Token: SeCreateGlobalPrivilege	2848	msdcsc.exe
Token: 33	2848	msdcsc.exe
Token: 34	2848	msdcsc.exe
Token: 35	2848	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2928	msdcsc.exe
Token: SeSecurityPrivilege	2928	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2928	msdcsc.exe
Token: SeLoadDriverPrivilege	2928	msdcsc.exe
Token: SeSystemProfilePrivilege	2928	msdcsc.exe
Token: SeSystemtimePrivilege	2928	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2928	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2928	msdcsc.exe
Token: SeCreatePagefilePrivilege	2928	msdcsc.exe
Token: SeBackupPrivilege	2928	msdcsc.exe
Token: SeRestorePrivilege	2928	msdcsc.exe
Token: SeShutdownPrivilege	2928	msdcsc.exe
Token: SeDebugPrivilege	2928	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2928	msdcsc.exe
Token: SeChangeNotifyPrivilege	2928	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2928	msdcsc.exe
Token: SeUndockPrivilege	2928	msdcsc.exe
Token: SeManageVolumePrivilege	2928	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe926.execmd.execmd.exemsdcsc.execmd.execmd.exemsdcsc.execmd.execmd.exe

description	pid	process	target process
PID 2240 wrote to memory of 2736	2240	192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe	926.exe
PID 2240 wrote to memory of 2736	2240	192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe	926.exe
PID 2240 wrote to memory of 2736	2240	192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe	926.exe
PID 2240 wrote to memory of 2736	2240	192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe	926.exe
PID 2736 wrote to memory of 2812	2736	926.exe	cmd.exe
PID 2736 wrote to memory of 2812	2736	926.exe	cmd.exe
PID 2736 wrote to memory of 2812	2736	926.exe	cmd.exe
PID 2736 wrote to memory of 2812	2736	926.exe	cmd.exe
PID 2736 wrote to memory of 2836	2736	926.exe	cmd.exe
PID 2736 wrote to memory of 2836	2736	926.exe	cmd.exe
PID 2736 wrote to memory of 2836	2736	926.exe	cmd.exe
PID 2736 wrote to memory of 2836	2736	926.exe	cmd.exe
PID 2836 wrote to memory of 2560	2836	cmd.exe	attrib.exe
PID 2836 wrote to memory of 2560	2836	cmd.exe	attrib.exe
PID 2836 wrote to memory of 2560	2836	cmd.exe	attrib.exe
PID 2836 wrote to memory of 2560	2836	cmd.exe	attrib.exe
PID 2812 wrote to memory of 2360	2812	cmd.exe	attrib.exe
PID 2812 wrote to memory of 2360	2812	cmd.exe	attrib.exe
PID 2812 wrote to memory of 2360	2812	cmd.exe	attrib.exe
PID 2812 wrote to memory of 2360	2812	cmd.exe	attrib.exe
PID 2736 wrote to memory of 2848	2736	926.exe	msdcsc.exe
PID 2736 wrote to memory of 2848	2736	926.exe	msdcsc.exe
PID 2736 wrote to memory of 2848	2736	926.exe	msdcsc.exe
PID 2736 wrote to memory of 2848	2736	926.exe	msdcsc.exe
PID 2848 wrote to memory of 2100	2848	msdcsc.exe	cmd.exe
PID 2848 wrote to memory of 2100	2848	msdcsc.exe	cmd.exe
PID 2848 wrote to memory of 2100	2848	msdcsc.exe	cmd.exe
PID 2848 wrote to memory of 2100	2848	msdcsc.exe	cmd.exe
PID 2848 wrote to memory of 2044	2848	msdcsc.exe	cmd.exe
PID 2848 wrote to memory of 2044	2848	msdcsc.exe	cmd.exe
PID 2848 wrote to memory of 2044	2848	msdcsc.exe	cmd.exe
PID 2848 wrote to memory of 2044	2848	msdcsc.exe	cmd.exe
PID 2100 wrote to memory of 2924	2100	cmd.exe	attrib.exe
PID 2100 wrote to memory of 2924	2100	cmd.exe	attrib.exe
PID 2100 wrote to memory of 2924	2100	cmd.exe	attrib.exe
PID 2100 wrote to memory of 2924	2100	cmd.exe	attrib.exe
PID 2044 wrote to memory of 2940	2044	cmd.exe	attrib.exe
PID 2044 wrote to memory of 2940	2044	cmd.exe	attrib.exe
PID 2044 wrote to memory of 2940	2044	cmd.exe	attrib.exe
PID 2044 wrote to memory of 2940	2044	cmd.exe	attrib.exe
PID 2848 wrote to memory of 2928	2848	msdcsc.exe	msdcsc.exe
PID 2848 wrote to memory of 2928	2848	msdcsc.exe	msdcsc.exe
PID 2848 wrote to memory of 2928	2848	msdcsc.exe	msdcsc.exe
PID 2848 wrote to memory of 2928	2848	msdcsc.exe	msdcsc.exe
PID 2928 wrote to memory of 2184	2928	msdcsc.exe	cmd.exe
PID 2928 wrote to memory of 2184	2928	msdcsc.exe	cmd.exe
PID 2928 wrote to memory of 2184	2928	msdcsc.exe	cmd.exe
PID 2928 wrote to memory of 2184	2928	msdcsc.exe	cmd.exe
PID 2928 wrote to memory of 1912	2928	msdcsc.exe	cmd.exe
PID 2928 wrote to memory of 1912	2928	msdcsc.exe	cmd.exe
PID 2928 wrote to memory of 1912	2928	msdcsc.exe	cmd.exe
PID 2928 wrote to memory of 1912	2928	msdcsc.exe	cmd.exe
PID 2928 wrote to memory of 964	2928	msdcsc.exe	msdcsc.exe
PID 2928 wrote to memory of 964	2928	msdcsc.exe	msdcsc.exe
PID 2928 wrote to memory of 964	2928	msdcsc.exe	msdcsc.exe
PID 2928 wrote to memory of 964	2928	msdcsc.exe	msdcsc.exe
PID 1912 wrote to memory of 2008	1912	cmd.exe	attrib.exe
PID 1912 wrote to memory of 2008	1912	cmd.exe	attrib.exe
PID 1912 wrote to memory of 2008	1912	cmd.exe	attrib.exe
PID 1912 wrote to memory of 2008	1912	cmd.exe	attrib.exe
PID 2184 wrote to memory of 1708	2184	cmd.exe	attrib.exe
PID 2184 wrote to memory of 1708	2184	cmd.exe	attrib.exe
PID 2184 wrote to memory of 1708	2184	cmd.exe	attrib.exe
PID 2184 wrote to memory of 1708	2184	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 46 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

pid	process
2740	attrib.exe
1780	attrib.exe
1648	attrib.exe
3048	attrib.exe
2940	attrib.exe
2104	attrib.exe
2472	attrib.exe
2260	attrib.exe
2924	attrib.exe
1104	attrib.exe
2296	attrib.exe
1200	attrib.exe
2032	attrib.exe
2800	attrib.exe
1708	attrib.exe
1720	attrib.exe
1972	attrib.exe
2116	attrib.exe
2360	attrib.exe
2008	attrib.exe
2780	attrib.exe
1708	attrib.exe
1476	attrib.exe
1696	attrib.exe
2192	attrib.exe
712	attrib.exe
2828	attrib.exe
1332	attrib.exe
2396	attrib.exe
772	attrib.exe
1616	attrib.exe
2976	attrib.exe
1692	attrib.exe
2848	attrib.exe
1652	attrib.exe
952	attrib.exe
2948	attrib.exe
592	attrib.exe
2256	attrib.exe
1388	attrib.exe
2972	attrib.exe
620	attrib.exe
1700	attrib.exe
2560	attrib.exe
1488	attrib.exe
2032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\926.exe
C:\Users\Admin\AppData\Local\Temp\926.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\926.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\926.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2560

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2940

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
5⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
5⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2008

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
6⤵
PID:2892

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
7⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
6⤵
PID:2728

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
7⤵
- Sets file to hidden
- Views/modifies file attributes
PID:952

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
7⤵
PID:824

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
8⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
7⤵
PID:2536

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
8⤵
- Sets file to hidden
- Views/modifies file attributes
PID:592

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
8⤵
PID:1060

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
9⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
8⤵
PID:1492

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
9⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1104

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
9⤵
PID:1748

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
9⤵
PID:3008

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
10⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2256

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
10⤵
PID:1756

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
10⤵
PID:892

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
11⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2260

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
11⤵
PID:2700

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
12⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
11⤵
PID:2332

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
12⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2800

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
12⤵
PID:1772

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
12⤵
PID:2592

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
13⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2948

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
13⤵
PID:2040

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
13⤵
PID:1576

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:772

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
14⤵
PID:2364

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
15⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
14⤵
PID:2092

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
15⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1780

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
15⤵
PID:2436

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
16⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
15⤵
PID:1636

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
16⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2296

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
16⤵
PID:272

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
17⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
16⤵
PID:1164

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
17⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1648

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
17⤵
PID:2128

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
18⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
17⤵
PID:1064

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2976

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
18⤵
PID:1140

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
19⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
18⤵
PID:2240

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
19⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2780

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
19⤵
PID:2860

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
20⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
19⤵
PID:2624

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
20⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2972

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
20⤵
PID:2004

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
21⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
20⤵
PID:2944

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
21⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1972

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
21⤵
PID:1124

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
21⤵
PID:2060

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:620

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
22⤵
PID:1532

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
23⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
22⤵
PID:1304

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
23⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1696

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
23⤵
PID:1948

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
24⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
23⤵
PID:2056

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
24⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1652

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
24⤵
PID:2248

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
25⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
24⤵
PID:3052

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
25⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2828

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
25⤵
PID:2188

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
26⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
25⤵
PID:2704

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
26⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3048

C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
25⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:2912

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\926.exe
Filesize
692KB

MD5
92cebc5cd470ea94f6cf3c228a09f903

SHA1
982e38abbb25f8783569326c9dd2c5e51fb051f9

SHA256
11e73e162c3f6dab132b6d7dd33bae321f30a6a703f9c082a79359c501d2d887

SHA512
62be2cc36bb5bf376b73bbb09c1c2577d98a56bfae844bd6963ca746936209121da05549ca9923793c0318420c8bc4aa3777c8f91d1ca7b055f67319bfc1ea0e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/964-60-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/968-150-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1304-162-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1448-230-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1488-173-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1580-191-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1688-73-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1700-116-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1720-218-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1800-105-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2056-94-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2240-51-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2240-0-0x000007FEF5C8E000-0x000007FEF5C8F000-memory.dmp

Filesize
4KB

Download
memory/2240-7-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-101-0x00000000775D0000-0x00000000776CA000-memory.dmp

Filesize
1000KB

Download
memory/2260-100-0x00000000776D0000-0x00000000777EF000-memory.dmp

Filesize
1.1MB

Download
memory/2348-239-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2360-248-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2484-182-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2704-130-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2736-11-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2736-21-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2808-200-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2832-221-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2848-34-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2920-138-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2928-46-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2968-209-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3000-81-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads