darkcomet | f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2023 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hg.exe
Size

760KB
MD5

cf1fa31e4b8e750e2f9ff5d2563e2cd6
SHA1

b43097d737b0ea7365cea6ad09a51598fb1ff04f
SHA256

f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f
SHA512

d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616
SSDEEP

12288:D3OpvNW4a76S/Ddon/m09bbYlIaaMcE2YGhq3vo1RnfAvIESJgoE26yc/RCsvvV:7OA4aWNn/m09fKIaaBEtWq3A1Ov8JgbR

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

considered-stars.at.ply.gg:11659

Mutex

DC_MUTEX-4RAEX72

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
741ngBRSJpQj
install
true
offline_keylogger
true
persistence
true
reg_key
MicrosoftUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

hg.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	hg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Sets file to hidden 1 TTPs 46 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
680	attrib.exe
5040	attrib.exe
4524	attrib.exe
4216	attrib.exe
4848	attrib.exe
1472	attrib.exe
3276	attrib.exe
4300	attrib.exe
4016	attrib.exe
3956	attrib.exe
2796	attrib.exe
2712	attrib.exe
2184	attrib.exe
2900	attrib.exe
4716	attrib.exe
4612	attrib.exe
3708	attrib.exe
228	attrib.exe
4232	attrib.exe
3308	attrib.exe
4352	attrib.exe
2672	attrib.exe
3452	attrib.exe
4108	attrib.exe
1952	attrib.exe
3308	attrib.exe
5044	attrib.exe
1516	attrib.exe
2712	attrib.exe
3684	attrib.exe
220	attrib.exe
3640	attrib.exe
1784	attrib.exe
1344	attrib.exe
4884	attrib.exe
348	attrib.exe
968	attrib.exe
728	attrib.exe
2340	attrib.exe
1784	attrib.exe
4996	attrib.exe
3724	attrib.exe
448	attrib.exe
1208	attrib.exe
3216	attrib.exe
2816	attrib.exe

Checks computer location settings 2 TTPs 23 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exehg.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	hg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	msdcsc.exe

Executes dropped EXE 23 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
992	msdcsc.exe
5092	msdcsc.exe
5052	msdcsc.exe
3632	msdcsc.exe
32	msdcsc.exe
2748	msdcsc.exe
1932	msdcsc.exe
2368	msdcsc.exe
1108	msdcsc.exe
4352	msdcsc.exe
3784	msdcsc.exe
2080	msdcsc.exe
4280	msdcsc.exe
3828	msdcsc.exe
928	msdcsc.exe
1524	msdcsc.exe
4996	msdcsc.exe
4660	msdcsc.exe
1292	msdcsc.exe
1072	msdcsc.exe
3436	msdcsc.exe
2904	msdcsc.exe
3600	msdcsc.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exehg.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	hg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 64 IoCs

Processes:

msdcsc.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exehg.exemsdcsc.exeattrib.exeattrib.exemsdcsc.exeattrib.exemsdcsc.exeattrib.exeattrib.exemsdcsc.exeattrib.exeattrib.exeattrib.exemsdcsc.exemsdcsc.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exemsdcsc.exeattrib.exemsdcsc.exeattrib.exemsdcsc.exeattrib.exeattrib.exemsdcsc.exeattrib.exeattrib.exeattrib.exeattrib.exemsdcsc.exemsdcsc.exemsdcsc.exeattrib.exeattrib.exe

description	ioc	process
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	hg.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	hg.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 23 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exehg.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	hg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

hg.exemsdcsc.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	388	hg.exe
Token: SeSecurityPrivilege	388	hg.exe
Token: SeTakeOwnershipPrivilege	388	hg.exe
Token: SeLoadDriverPrivilege	388	hg.exe
Token: SeSystemProfilePrivilege	388	hg.exe
Token: SeSystemtimePrivilege	388	hg.exe
Token: SeProfSingleProcessPrivilege	388	hg.exe
Token: SeIncBasePriorityPrivilege	388	hg.exe
Token: SeCreatePagefilePrivilege	388	hg.exe
Token: SeBackupPrivilege	388	hg.exe
Token: SeRestorePrivilege	388	hg.exe
Token: SeShutdownPrivilege	388	hg.exe
Token: SeDebugPrivilege	388	hg.exe
Token: SeSystemEnvironmentPrivilege	388	hg.exe
Token: SeChangeNotifyPrivilege	388	hg.exe
Token: SeRemoteShutdownPrivilege	388	hg.exe
Token: SeUndockPrivilege	388	hg.exe
Token: SeManageVolumePrivilege	388	hg.exe
Token: SeImpersonatePrivilege	388	hg.exe
Token: SeCreateGlobalPrivilege	388	hg.exe
Token: 33	388	hg.exe
Token: 34	388	hg.exe
Token: 35	388	hg.exe
Token: 36	388	hg.exe
Token: SeIncreaseQuotaPrivilege	992	msdcsc.exe
Token: SeSecurityPrivilege	992	msdcsc.exe
Token: SeTakeOwnershipPrivilege	992	msdcsc.exe
Token: SeLoadDriverPrivilege	992	msdcsc.exe
Token: SeSystemProfilePrivilege	992	msdcsc.exe
Token: SeSystemtimePrivilege	992	msdcsc.exe
Token: SeProfSingleProcessPrivilege	992	msdcsc.exe
Token: SeIncBasePriorityPrivilege	992	msdcsc.exe
Token: SeCreatePagefilePrivilege	992	msdcsc.exe
Token: SeBackupPrivilege	992	msdcsc.exe
Token: SeRestorePrivilege	992	msdcsc.exe
Token: SeShutdownPrivilege	992	msdcsc.exe
Token: SeDebugPrivilege	992	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	992	msdcsc.exe
Token: SeChangeNotifyPrivilege	992	msdcsc.exe
Token: SeRemoteShutdownPrivilege	992	msdcsc.exe
Token: SeUndockPrivilege	992	msdcsc.exe
Token: SeManageVolumePrivilege	992	msdcsc.exe
Token: SeImpersonatePrivilege	992	msdcsc.exe
Token: SeCreateGlobalPrivilege	992	msdcsc.exe
Token: 33	992	msdcsc.exe
Token: 34	992	msdcsc.exe
Token: 35	992	msdcsc.exe
Token: 36	992	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	5092	msdcsc.exe
Token: SeSecurityPrivilege	5092	msdcsc.exe
Token: SeTakeOwnershipPrivilege	5092	msdcsc.exe
Token: SeLoadDriverPrivilege	5092	msdcsc.exe
Token: SeSystemProfilePrivilege	5092	msdcsc.exe
Token: SeSystemtimePrivilege	5092	msdcsc.exe
Token: SeProfSingleProcessPrivilege	5092	msdcsc.exe
Token: SeIncBasePriorityPrivilege	5092	msdcsc.exe
Token: SeCreatePagefilePrivilege	5092	msdcsc.exe
Token: SeBackupPrivilege	5092	msdcsc.exe
Token: SeRestorePrivilege	5092	msdcsc.exe
Token: SeShutdownPrivilege	5092	msdcsc.exe
Token: SeDebugPrivilege	5092	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	5092	msdcsc.exe
Token: SeChangeNotifyPrivilege	5092	msdcsc.exe
Token: SeRemoteShutdownPrivilege	5092	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hg.execmd.execmd.exemsdcsc.execmd.execmd.exe

description	pid	process	target process
PID 388 wrote to memory of 2668	388	hg.exe	cmd.exe
PID 388 wrote to memory of 2668	388	hg.exe	cmd.exe
PID 388 wrote to memory of 2668	388	hg.exe	cmd.exe
PID 388 wrote to memory of 3872	388	hg.exe	cmd.exe
PID 388 wrote to memory of 3872	388	hg.exe	cmd.exe
PID 388 wrote to memory of 3872	388	hg.exe	cmd.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 388 wrote to memory of 4288	388	hg.exe	notepad.exe
PID 2668 wrote to memory of 5044	2668	cmd.exe	attrib.exe
PID 2668 wrote to memory of 5044	2668	cmd.exe	attrib.exe
PID 2668 wrote to memory of 5044	2668	cmd.exe	attrib.exe
PID 3872 wrote to memory of 2796	3872	cmd.exe	attrib.exe
PID 3872 wrote to memory of 2796	3872	cmd.exe	attrib.exe
PID 3872 wrote to memory of 2796	3872	cmd.exe	attrib.exe
PID 388 wrote to memory of 992	388	hg.exe	msdcsc.exe
PID 388 wrote to memory of 992	388	hg.exe	msdcsc.exe
PID 388 wrote to memory of 992	388	hg.exe	msdcsc.exe
PID 992 wrote to memory of 4376	992	msdcsc.exe	cmd.exe
PID 992 wrote to memory of 4376	992	msdcsc.exe	cmd.exe
PID 992 wrote to memory of 4376	992	msdcsc.exe	cmd.exe
PID 992 wrote to memory of 4260	992	msdcsc.exe	cmd.exe
PID 992 wrote to memory of 4260	992	msdcsc.exe	cmd.exe
PID 992 wrote to memory of 4260	992	msdcsc.exe	cmd.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 992 wrote to memory of 3112	992	msdcsc.exe	notepad.exe
PID 4376 wrote to memory of 3724	4376	cmd.exe	attrib.exe
PID 4376 wrote to memory of 3724	4376	cmd.exe	attrib.exe
PID 4376 wrote to memory of 3724	4376	cmd.exe	attrib.exe
PID 4260 wrote to memory of 2712	4260	cmd.exe	attrib.exe
PID 4260 wrote to memory of 2712	4260	cmd.exe	attrib.exe
PID 4260 wrote to memory of 2712	4260	cmd.exe	attrib.exe
PID 992 wrote to memory of 5092	992	msdcsc.exe	msdcsc.exe
PID 992 wrote to memory of 5092	992	msdcsc.exe	msdcsc.exe
PID 992 wrote to memory of 5092	992	msdcsc.exe	msdcsc.exe

Views/modifies file attributes 1 TTPs 46 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

pid	process
228	attrib.exe
3708	attrib.exe
2712	attrib.exe
4524	attrib.exe
4848	attrib.exe
4352	attrib.exe
3452	attrib.exe
3216	attrib.exe
4716	attrib.exe
5040	attrib.exe
5044	attrib.exe
4612	attrib.exe
4884	attrib.exe
2900	attrib.exe
680	attrib.exe
348	attrib.exe
968	attrib.exe
2184	attrib.exe
728	attrib.exe
3308	attrib.exe
3684	attrib.exe
1208	attrib.exe
1952	attrib.exe
4216	attrib.exe
1784	attrib.exe
2672	attrib.exe
448	attrib.exe
3640	attrib.exe
2712	attrib.exe
3276	attrib.exe
3308	attrib.exe
2340	attrib.exe
4016	attrib.exe
2796	attrib.exe
3724	attrib.exe
4108	attrib.exe
1516	attrib.exe
1784	attrib.exe
2816	attrib.exe
220	attrib.exe
4996	attrib.exe
4232	attrib.exe
1472	attrib.exe
1344	attrib.exe
4300	attrib.exe
3956	attrib.exe

C:\Users\Admin\AppData\Local\Temp\hg.exe
"C:\Users\Admin\AppData\Local\Temp\hg.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\hg.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\hg.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2796

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
PID:4288

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2712

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:3112

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
4⤵
PID:1792

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
4⤵
PID:1876

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3452

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:3328

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:5052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
5⤵
PID:2016

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4108

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
5⤵
PID:4192

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:448

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
6⤵
PID:536

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
7⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
6⤵
PID:4496

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:228

C:\Windows\SysWOW64\notepad.exe
notepad
6⤵
PID:2560

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:32

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
7⤵
PID:5028

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
7⤵
PID:3932

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3640

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:2636

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
8⤵
PID:4044

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
8⤵
PID:3004

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2712

C:\Windows\SysWOW64\notepad.exe
notepad
8⤵
PID:1936

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:1932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
9⤵
PID:4400

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
9⤵
PID:4384

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
10⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1784

C:\Windows\SysWOW64\notepad.exe
notepad
9⤵
PID:4368

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:2368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
10⤵
PID:3220

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
11⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
10⤵
PID:4048

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3276

C:\Windows\SysWOW64\notepad.exe
notepad
10⤵
PID:1300

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:1108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
11⤵
PID:232

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
12⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
11⤵
PID:4000

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
12⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4524

C:\Windows\SysWOW64\notepad.exe
notepad
11⤵
PID:4160

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
11⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
12⤵
PID:180

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
12⤵
PID:4388

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:728

C:\Windows\SysWOW64\notepad.exe
notepad
12⤵
PID:1116

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
13⤵
PID:4372

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
13⤵
PID:1460

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3308

C:\Windows\SysWOW64\notepad.exe
notepad
13⤵
PID:3420

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
13⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
14⤵
PID:3444

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
15⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3216

C:\Windows\SysWOW64\notepad.exe
notepad
14⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
14⤵
PID:2368

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
15⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2340

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
15⤵
PID:2388

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
16⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
15⤵
PID:1976

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
16⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4848

C:\Windows\SysWOW64\notepad.exe
notepad
15⤵
PID:2748

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
16⤵
PID:4688

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
17⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
16⤵
PID:1656

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
17⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4016

C:\Windows\SysWOW64\notepad.exe
notepad
16⤵
PID:3636

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
17⤵
PID:3040

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
18⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4716

C:\Windows\SysWOW64\notepad.exe
notepad
17⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
17⤵
PID:4876

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3956

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
17⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
18⤵
PID:812

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
19⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
18⤵
PID:4724

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
19⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3684

C:\Windows\SysWOW64\notepad.exe
notepad
18⤵
PID:908

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
19⤵
PID:3108

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
20⤵
- Sets file to hidden
- Views/modifies file attributes
PID:220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
19⤵
PID:4916

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1208

C:\Windows\SysWOW64\notepad.exe
notepad
19⤵
PID:3308

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
19⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
20⤵
PID:2396

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
21⤵
- Sets file to hidden
- Views/modifies file attributes
PID:680

C:\Windows\SysWOW64\notepad.exe
notepad
20⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
20⤵
PID:4572

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
21⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4612

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:1292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
21⤵
PID:4560

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
22⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
21⤵
PID:3324

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:5040

C:\Windows\SysWOW64\notepad.exe
notepad
21⤵
PID:2700

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
21⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:1072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
22⤵
PID:2060

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
23⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
22⤵
PID:2696

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
23⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:348

C:\Windows\SysWOW64\notepad.exe
notepad
22⤵
PID:3244

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
23⤵
PID:5040

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
24⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
23⤵
PID:2544

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
24⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4352

C:\Windows\SysWOW64\notepad.exe
notepad
23⤵
PID:4928

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
23⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
24⤵
PID:3596

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
25⤵
- Sets file to hidden
- Views/modifies file attributes
PID:968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
24⤵
PID:3884

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
25⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4996

C:\Windows\SysWOW64\notepad.exe
notepad
24⤵
PID:4704

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
25⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
25⤵
PID:4656

C:\Windows\SysWOW64\notepad.exe
notepad
25⤵
PID:3860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
760KB

MD5
cf1fa31e4b8e750e2f9ff5d2563e2cd6

SHA1
b43097d737b0ea7365cea6ad09a51598fb1ff04f

SHA256
f4b3313b4b8135a1e7bce029b33e79ec60376da9bb7faf320f625e6c4a87373f

SHA512
d0f58c9a38bc2295bc28d22857fdab9f82ecfb028de57dbf470ed4df1eefaa08d5b47b1e81b2b7b4a01ad358d0ccc929205f04b23e1d03ce266017e734f12616

Download Submit
memory/32-213-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/32-218-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/388-135-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/388-197-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/928-258-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/928-253-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/992-202-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/992-196-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/1072-277-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1072-272-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1108-229-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/1108-234-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1292-273-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1292-268-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1524-261-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1524-257-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1932-226-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1932-221-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/2080-246-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2080-241-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2368-230-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2368-225-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2748-217-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2748-222-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2904-280-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2904-285-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3436-276-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/3436-281-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3600-284-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3632-209-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3632-214-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3784-242-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3784-237-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3828-254-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3828-249-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/4280-245-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/4280-250-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4288-137-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4352-238-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4352-233-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4660-265-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4660-269-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4996-264-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/5052-205-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/5052-210-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/5092-201-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/5092-206-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download