darkcomet | 3d3c0207409076d6c9f7800a4557000aabeec2a6f81462b59f5fc76f1b215839

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21fb8f40424a8f2356dc51ce43d1af22.exe
Size

347KB
MD5

21fb8f40424a8f2356dc51ce43d1af22
SHA1

940c797a0201f182e451ac5e28df4526a0fb6d39
SHA256

3d3c0207409076d6c9f7800a4557000aabeec2a6f81462b59f5fc76f1b215839
SHA512

9d1126b6487788848cc2b79211bf730d7c655794fd7d33e060aaf067e9bda04d8d9ad9ec1d55070497f618e25f2c61b918998159ccaacbdaf5f2eaa609803b39
SSDEEP

6144:8wT5O7pJmNB6dLY6dCnnsyZLHoaIyv6ocU/qxDS2xDWb3cCkdRPlbL:8P+NULZdCn3TbncU2D7Ab3

Score

10^/10

darkcomet down persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

down

epicrypt.no-ip.org:1604

Mutex

DC_MUTEX-V6F2W9Y

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
SLDYxgws5n00
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe21fb8f40424a8f2356dc51ce43d1af22.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	21fb8f40424a8f2356dc51ce43d1af22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe

Executes dropped EXE 23 IoCs

Processes:

pid	process
2708	msdcsc.exe
2616	msdcsc.exe
1232	msdcsc.exe
2980	msdcsc.exe
1852	msdcsc.exe
1508	msdcsc.exe
1468	msdcsc.exe
696	msdcsc.exe
1664	msdcsc.exe
852	msdcsc.exe
1580	msdcsc.exe
2216	msdcsc.exe
1728	msdcsc.exe
2304	msdcsc.exe
2800	msdcsc.exe
2656	msdcsc.exe
1708	msdcsc.exe
2964	msdcsc.exe
2828	msdcsc.exe
776	msdcsc.exe
2876	msdcsc.exe
1200	msdcsc.exe
2780	msdcsc.exe

Loads dropped DLL 46 IoCs

Processes:

21fb8f40424a8f2356dc51ce43d1af22.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
2140	21fb8f40424a8f2356dc51ce43d1af22.exe
2140	21fb8f40424a8f2356dc51ce43d1af22.exe
2708	msdcsc.exe
2708	msdcsc.exe
2616	msdcsc.exe
2616	msdcsc.exe
1232	msdcsc.exe
1232	msdcsc.exe
2980	msdcsc.exe
2980	msdcsc.exe
1852	msdcsc.exe
1852	msdcsc.exe
1508	msdcsc.exe
1508	msdcsc.exe
1468	msdcsc.exe
1468	msdcsc.exe
696	msdcsc.exe
696	msdcsc.exe
1664	msdcsc.exe
1664	msdcsc.exe
852	msdcsc.exe
852	msdcsc.exe
1580	msdcsc.exe
1580	msdcsc.exe
2216	msdcsc.exe
2216	msdcsc.exe
1728	msdcsc.exe
1728	msdcsc.exe
2304	msdcsc.exe
2304	msdcsc.exe
2800	msdcsc.exe
2800	msdcsc.exe
2656	msdcsc.exe
2656	msdcsc.exe
1708	msdcsc.exe
1708	msdcsc.exe
2964	msdcsc.exe
2964	msdcsc.exe
2828	msdcsc.exe
2828	msdcsc.exe
776	msdcsc.exe
776	msdcsc.exe
2876	msdcsc.exe
2876	msdcsc.exe
1200	msdcsc.exe
1200	msdcsc.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2140-0-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2708-15-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2140-13-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
\Windows\SysWOW64\MSDCSC\msdcsc.exe	upx
behavioral1/memory/2616-33-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2708-29-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1232-46-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2616-45-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2980-53-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1232-51-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1852-60-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2980-58-0x0000000003E20000-0x0000000003F07000-memory.dmp	upx
behavioral1/memory/2980-57-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1508-69-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1852-66-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1468-83-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1508-80-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1468-89-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/696-91-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1468-90-0x0000000003FF0000-0x00000000040D7000-memory.dmp	upx
behavioral1/memory/1664-97-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/696-96-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1664-102-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/852-104-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1580-112-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/852-110-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2216-127-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1580-125-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	upx
C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	upx
behavioral1/memory/2216-133-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1728-135-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1728-147-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2304-151-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	upx
behavioral1/memory/2304-156-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2800-158-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2656-166-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2800-162-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2656-175-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1708-177-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2964-190-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1708-188-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2964-200-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2828-201-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2828-203-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/776-214-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2876-215-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2876-225-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2780-236-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/1200-235-0x0000000000400000-0x00000000004E7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe21fb8f40424a8f2356dc51ce43d1af22.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	21fb8f40424a8f2356dc51ce43d1af22.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\SLDYxgws5n00\\SLDYxgws5n00\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 64 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe21fb8f40424a8f2356dc51ce43d1af22.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	21fb8f40424a8f2356dc51ce43d1af22.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	21fb8f40424a8f2356dc51ce43d1af22.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

21fb8f40424a8f2356dc51ce43d1af22.exemsdcsc.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeSecurityPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeTakeOwnershipPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeLoadDriverPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeSystemProfilePrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeSystemtimePrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeProfSingleProcessPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeIncBasePriorityPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeCreatePagefilePrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeBackupPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeRestorePrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeShutdownPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeDebugPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeSystemEnvironmentPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeChangeNotifyPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeRemoteShutdownPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeUndockPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeManageVolumePrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeImpersonatePrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeCreateGlobalPrivilege	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: 33	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: 34	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: 35	2140	21fb8f40424a8f2356dc51ce43d1af22.exe
Token: SeIncreaseQuotaPrivilege	2708	msdcsc.exe
Token: SeSecurityPrivilege	2708	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2708	msdcsc.exe
Token: SeLoadDriverPrivilege	2708	msdcsc.exe
Token: SeSystemProfilePrivilege	2708	msdcsc.exe
Token: SeSystemtimePrivilege	2708	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2708	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2708	msdcsc.exe
Token: SeCreatePagefilePrivilege	2708	msdcsc.exe
Token: SeBackupPrivilege	2708	msdcsc.exe
Token: SeRestorePrivilege	2708	msdcsc.exe
Token: SeShutdownPrivilege	2708	msdcsc.exe
Token: SeDebugPrivilege	2708	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2708	msdcsc.exe
Token: SeChangeNotifyPrivilege	2708	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2708	msdcsc.exe
Token: SeUndockPrivilege	2708	msdcsc.exe
Token: SeManageVolumePrivilege	2708	msdcsc.exe
Token: SeImpersonatePrivilege	2708	msdcsc.exe
Token: SeCreateGlobalPrivilege	2708	msdcsc.exe
Token: 33	2708	msdcsc.exe
Token: 34	2708	msdcsc.exe
Token: 35	2708	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2616	msdcsc.exe
Token: SeSecurityPrivilege	2616	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2616	msdcsc.exe
Token: SeLoadDriverPrivilege	2616	msdcsc.exe
Token: SeSystemProfilePrivilege	2616	msdcsc.exe
Token: SeSystemtimePrivilege	2616	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2616	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2616	msdcsc.exe
Token: SeCreatePagefilePrivilege	2616	msdcsc.exe
Token: SeBackupPrivilege	2616	msdcsc.exe
Token: SeRestorePrivilege	2616	msdcsc.exe
Token: SeShutdownPrivilege	2616	msdcsc.exe
Token: SeDebugPrivilege	2616	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2616	msdcsc.exe
Token: SeChangeNotifyPrivilege	2616	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2616	msdcsc.exe
Token: SeUndockPrivilege	2616	msdcsc.exe
Token: SeManageVolumePrivilege	2616	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

21fb8f40424a8f2356dc51ce43d1af22.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	pid	process	target process
PID 2140 wrote to memory of 2708	2140	21fb8f40424a8f2356dc51ce43d1af22.exe	msdcsc.exe
PID 2140 wrote to memory of 2708	2140	21fb8f40424a8f2356dc51ce43d1af22.exe	msdcsc.exe
PID 2140 wrote to memory of 2708	2140	21fb8f40424a8f2356dc51ce43d1af22.exe	msdcsc.exe
PID 2140 wrote to memory of 2708	2140	21fb8f40424a8f2356dc51ce43d1af22.exe	msdcsc.exe
PID 2708 wrote to memory of 2616	2708	msdcsc.exe	msdcsc.exe
PID 2708 wrote to memory of 2616	2708	msdcsc.exe	msdcsc.exe
PID 2708 wrote to memory of 2616	2708	msdcsc.exe	msdcsc.exe
PID 2708 wrote to memory of 2616	2708	msdcsc.exe	msdcsc.exe
PID 2616 wrote to memory of 1232	2616	msdcsc.exe	msdcsc.exe
PID 2616 wrote to memory of 1232	2616	msdcsc.exe	msdcsc.exe
PID 2616 wrote to memory of 1232	2616	msdcsc.exe	msdcsc.exe
PID 2616 wrote to memory of 1232	2616	msdcsc.exe	msdcsc.exe
PID 1232 wrote to memory of 2980	1232	msdcsc.exe	msdcsc.exe
PID 1232 wrote to memory of 2980	1232	msdcsc.exe	msdcsc.exe
PID 1232 wrote to memory of 2980	1232	msdcsc.exe	msdcsc.exe
PID 1232 wrote to memory of 2980	1232	msdcsc.exe	msdcsc.exe
PID 2980 wrote to memory of 1852	2980	msdcsc.exe	msdcsc.exe
PID 2980 wrote to memory of 1852	2980	msdcsc.exe	msdcsc.exe
PID 2980 wrote to memory of 1852	2980	msdcsc.exe	msdcsc.exe
PID 2980 wrote to memory of 1852	2980	msdcsc.exe	msdcsc.exe
PID 1852 wrote to memory of 1508	1852	msdcsc.exe	msdcsc.exe
PID 1852 wrote to memory of 1508	1852	msdcsc.exe	msdcsc.exe
PID 1852 wrote to memory of 1508	1852	msdcsc.exe	msdcsc.exe
PID 1852 wrote to memory of 1508	1852	msdcsc.exe	msdcsc.exe
PID 1508 wrote to memory of 1468	1508	msdcsc.exe	msdcsc.exe
PID 1508 wrote to memory of 1468	1508	msdcsc.exe	msdcsc.exe
PID 1508 wrote to memory of 1468	1508	msdcsc.exe	msdcsc.exe
PID 1508 wrote to memory of 1468	1508	msdcsc.exe	msdcsc.exe
PID 1468 wrote to memory of 696	1468	msdcsc.exe	msdcsc.exe
PID 1468 wrote to memory of 696	1468	msdcsc.exe	msdcsc.exe
PID 1468 wrote to memory of 696	1468	msdcsc.exe	msdcsc.exe
PID 1468 wrote to memory of 696	1468	msdcsc.exe	msdcsc.exe
PID 696 wrote to memory of 1664	696	msdcsc.exe	msdcsc.exe
PID 696 wrote to memory of 1664	696	msdcsc.exe	msdcsc.exe
PID 696 wrote to memory of 1664	696	msdcsc.exe	msdcsc.exe
PID 696 wrote to memory of 1664	696	msdcsc.exe	msdcsc.exe
PID 1664 wrote to memory of 852	1664	msdcsc.exe	msdcsc.exe
PID 1664 wrote to memory of 852	1664	msdcsc.exe	msdcsc.exe
PID 1664 wrote to memory of 852	1664	msdcsc.exe	msdcsc.exe
PID 1664 wrote to memory of 852	1664	msdcsc.exe	msdcsc.exe
PID 852 wrote to memory of 1580	852	msdcsc.exe	msdcsc.exe
PID 852 wrote to memory of 1580	852	msdcsc.exe	msdcsc.exe
PID 852 wrote to memory of 1580	852	msdcsc.exe	msdcsc.exe
PID 852 wrote to memory of 1580	852	msdcsc.exe	msdcsc.exe
PID 1580 wrote to memory of 2216	1580	msdcsc.exe	msdcsc.exe
PID 1580 wrote to memory of 2216	1580	msdcsc.exe	msdcsc.exe
PID 1580 wrote to memory of 2216	1580	msdcsc.exe	msdcsc.exe
PID 1580 wrote to memory of 2216	1580	msdcsc.exe	msdcsc.exe
PID 2216 wrote to memory of 1728	2216	msdcsc.exe	msdcsc.exe
PID 2216 wrote to memory of 1728	2216	msdcsc.exe	msdcsc.exe
PID 2216 wrote to memory of 1728	2216	msdcsc.exe	msdcsc.exe
PID 2216 wrote to memory of 1728	2216	msdcsc.exe	msdcsc.exe
PID 1728 wrote to memory of 2304	1728	msdcsc.exe	msdcsc.exe
PID 1728 wrote to memory of 2304	1728	msdcsc.exe	msdcsc.exe
PID 1728 wrote to memory of 2304	1728	msdcsc.exe	msdcsc.exe
PID 1728 wrote to memory of 2304	1728	msdcsc.exe	msdcsc.exe
PID 2304 wrote to memory of 2800	2304	msdcsc.exe	msdcsc.exe
PID 2304 wrote to memory of 2800	2304	msdcsc.exe	msdcsc.exe
PID 2304 wrote to memory of 2800	2304	msdcsc.exe	msdcsc.exe
PID 2304 wrote to memory of 2800	2304	msdcsc.exe	msdcsc.exe
PID 2800 wrote to memory of 2656	2800	msdcsc.exe	msdcsc.exe
PID 2800 wrote to memory of 2656	2800	msdcsc.exe	msdcsc.exe
PID 2800 wrote to memory of 2656	2800	msdcsc.exe	msdcsc.exe
PID 2800 wrote to memory of 2656	2800	msdcsc.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\21fb8f40424a8f2356dc51ce43d1af22.exe
"C:\Users\Admin\AppData\Local\Temp\21fb8f40424a8f2356dc51ce43d1af22.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\msdcsc.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\msdcsc.exe"
8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\msdcsc.exe"
13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\msdcsc.exe"
15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2656

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\msdcsc.exe"
18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1708

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2964

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\msdcsc.exe"
20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2828

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:776

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\msdcsc.exe"
22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2876

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe"
23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1200

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe
"C:\Windows\system32\MSDCSC\SLDYxgws5n00\msdcsc.exe"
24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2780

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
Filesize
93KB

MD5
195b3908ba6ae90fa16d6918be2be2a3

SHA1
1425a5700648e7cd8e6bdc807ceb87a2363268ac

SHA256
71e766a6349a4e75e50cc7cc053890825401ff164f324168f04e2d708111c1cd

SHA512
843564105df8f1056016ae150a11be36fde7e9ccb0af524f25bc674269dd8d2655d622319948093a07012afab389ea01a1f25aad88df5b2960546b24df8c740d

Download Submit
C:\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\msdcsc.exe
Filesize
129KB

MD5
1256580e6072ee63436db01a61b67cad

SHA1
0ec365d6a0ae8906c60dd121a30e002b1f77fddd

SHA256
0137cd6222c5d6737a91c0cbc50b9294523fb349cae76c6aea0593899106dbd8

SHA512
20114acb75c20b470d5faa84db891b549bb5b1cab4f704864441019c5b0a35dee23f16485f77fb17e4ea3b842494d08fd3e40d127a0cd543371be4aae5681814

Download Submit
\Windows\SysWOW64\MSDCSC\SLDYxgws5n00\SLDYxgws5n00\msdcsc.exe
Filesize
347KB

MD5
21fb8f40424a8f2356dc51ce43d1af22

SHA1
940c797a0201f182e451ac5e28df4526a0fb6d39

SHA256
3d3c0207409076d6c9f7800a4557000aabeec2a6f81462b59f5fc76f1b215839

SHA512
9d1126b6487788848cc2b79211bf730d7c655794fd7d33e060aaf067e9bda04d8d9ad9ec1d55070497f618e25f2c61b918998159ccaacbdaf5f2eaa609803b39

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/696-92-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/696-96-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/696-91-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/776-214-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/776-207-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/852-104-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/852-105-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/852-111-0x0000000003F70000-0x0000000004057000-memory.dmp

Filesize
924KB

Download
memory/852-110-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1200-226-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1200-235-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1232-46-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1232-51-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1232-48-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1468-89-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1468-90-0x0000000003FF0000-0x00000000040D7000-memory.dmp

Filesize
924KB

Download
memory/1468-84-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1468-83-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1508-80-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1508-69-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1508-70-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1508-81-0x0000000005580000-0x0000000005667000-memory.dmp

Filesize
924KB

Download
memory/1580-125-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1580-112-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1580-115-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1664-98-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1664-97-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1664-102-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1708-177-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1708-180-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1708-189-0x0000000003DC0000-0x0000000003EA7000-memory.dmp

Filesize
924KB

Download
memory/1708-188-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1708-204-0x0000000003DC0000-0x0000000003EA7000-memory.dmp

Filesize
924KB

Download
memory/1728-176-0x00000000040C0000-0x00000000041A7000-memory.dmp

Filesize
924KB

Download
memory/1728-138-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1728-149-0x00000000040C0000-0x00000000041A7000-memory.dmp

Filesize
924KB

Download
memory/1728-147-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1728-135-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1852-60-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1852-61-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1852-66-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2140-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2140-13-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2140-14-0x0000000003DF0000-0x0000000003ED7000-memory.dmp

Filesize
924KB

Download
memory/2140-0-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2216-133-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2216-127-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2216-128-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2216-134-0x0000000003E90000-0x0000000003F77000-memory.dmp

Filesize
924KB

Download
memory/2304-152-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2304-156-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2304-181-0x0000000005490000-0x0000000005577000-memory.dmp

Filesize
924KB

Download
memory/2304-157-0x0000000005490000-0x0000000005577000-memory.dmp

Filesize
924KB

Download
memory/2304-151-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2616-34-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2616-33-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2616-45-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2656-166-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2656-167-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2656-175-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2708-15-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2708-29-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2708-19-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2780-237-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2780-236-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2800-159-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2800-158-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2800-162-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2828-203-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2828-202-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2828-201-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2876-218-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2876-215-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2876-225-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2964-190-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2964-191-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2964-200-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2980-53-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2980-54-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2980-58-0x0000000003E20000-0x0000000003F07000-memory.dmp

Filesize
924KB

Download
memory/2980-57-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads