Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
28-06-2024 06:48
General
-
Target
192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe
-
Size
1.8MB
-
MD5
192c731e822a64cce6dc9a6725d7b651
-
SHA1
288c85400ea2abad7f29cde9f90658e9876d1710
-
SHA256
11c0e397d62858a5a59ffc635eff294ae5bf5aaf5b94f97e48ef86b599e0987e
-
SHA512
b6f7925f4cd8b445092a947d89f492744520132abacd9bfc3535e2b406ed797490cebb3315dffd93413bba61e8f333d0429c5c942b0362b85c783e5611980006
-
SSDEEP
24576:Kb2/DbTeyIuPVJFFDHZWCaIYm1hCcDOmi:f/lDoC1O
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
darkcomet2013.no-ip.biz:1500
192.168.1.71:1500
Mutex
DC_MUTEX-9LQ2QJ5
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
30ibXWq2y5dh
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 23 IoCs
-
Sets file to hidden 1 TTPs 44 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 22 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 23 IoCs
-
Adds Run key to start application 2 TTPs 23 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\186.exeC:\Users\Admin\AppData\Local\Temp\186.exe2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\186.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\186.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h9⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h12⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"11⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h13⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"13⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h15⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h15⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h16⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h16⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h17⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h17⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h18⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h18⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"17⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h19⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h19⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"19⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h21⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h21⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h22⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"21⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h23⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h23⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h24⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h24⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"23⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h25⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h25⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\186.exeFilesize
692KB
MD592cebc5cd470ea94f6cf3c228a09f903
SHA1982e38abbb25f8783569326c9dd2c5e51fb051f9
SHA25611e73e162c3f6dab132b6d7dd33bae321f30a6a703f9c082a79359c501d2d887
SHA51262be2cc36bb5bf376b73bbb09c1c2577d98a56bfae844bd6963ca746936209121da05549ca9923793c0318420c8bc4aa3777c8f91d1ca7b055f67319bfc1ea0e
-
memory/452-444-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/1200-754-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/1624-135-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/2072-568-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/2184-320-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/2404-506-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/2576-878-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/3796-816-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/4208-14-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/4208-8-0x00000000007F0000-0x00000000007F1000-memory.dmpFilesize
4KB
-
memory/4208-73-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/4292-0-0x00007FFC4ED55000-0x00007FFC4ED56000-memory.dmpFilesize
4KB
-
memory/4292-10-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmpFilesize
9.6MB
-
memory/4292-3-0x000000001B6D0000-0x000000001B776000-memory.dmpFilesize
664KB
-
memory/4292-2-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmpFilesize
9.6MB
-
memory/4292-1-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmpFilesize
9.6MB
-
memory/4368-1312-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/4440-630-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/4488-382-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/4736-692-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/4996-258-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/5024-940-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/5084-196-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/5168-1126-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/5328-1002-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/5640-1188-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/5824-1064-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/6024-1374-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/6044-1250-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB