darkcomet | 14d82a8323d815e4a8d888a6b95d04b2279b2d618c3cc1487643f7b477041232

General

Target

c0e0ef92f69f8a30ca35b125b74b8294.exe
Size

484KB
MD5

c0e0ef92f69f8a30ca35b125b74b8294
SHA1

2ca329e5230bdb1e2f1e4ab5db928a3ccfce86ce
SHA256

14d82a8323d815e4a8d888a6b95d04b2279b2d618c3cc1487643f7b477041232
SHA512

414f5e430bdfced787703692879a89888fc2c42ab6d1741c3acbcd79f73ff941caae4eea151f5d3137d79d3c24ba92faf45b6f3572782391a0ec0c4630ee3831
SSDEEP

6144:3snxekcgA04STi+/ZxkSs9O2vFBc93d1ZBjpfVRV1Qyt56d+strP8MJaLdcp6Nk4:cxekhA04LBJNKJpfLTDcPHaBcw3

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

alpachino.zapto.org:1606

127.0.0.1:1606

Mutex

DC_MUTEX-Z42UGJP

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
jXzF8jNN2epT
install
true
offline_keylogger
true
password
k1c2d3i4
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msdcsc.exec0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	c0e0ef92f69f8a30ca35b125b74b8294.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe

Executes dropped EXE 46 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
2500	msdcsc.exe
2884	msdcsc.exe
2432	msdcsc.exe
1528	msdcsc.exe
1576	msdcsc.exe
2312	msdcsc.exe
1664	msdcsc.exe
1496	msdcsc.exe
2920	msdcsc.exe
2068	msdcsc.exe
1788	msdcsc.exe
1380	msdcsc.exe
1492	msdcsc.exe
2204	msdcsc.exe
2588	msdcsc.exe
1996	msdcsc.exe
2424	msdcsc.exe
2900	msdcsc.exe
3024	msdcsc.exe
1636	msdcsc.exe
1824	msdcsc.exe
1648	msdcsc.exe
2752	msdcsc.exe
1312	msdcsc.exe
1400	msdcsc.exe
1928	msdcsc.exe
2968	msdcsc.exe
2220	msdcsc.exe
2028	msdcsc.exe
2040	msdcsc.exe
2428	msdcsc.exe
3008	msdcsc.exe
2676	msdcsc.exe
2700	msdcsc.exe
528	msdcsc.exe
664	msdcsc.exe
868	msdcsc.exe
2100	msdcsc.exe
2336	msdcsc.exe
3048	msdcsc.exe
1700	msdcsc.exe
3044	msdcsc.exe
876	msdcsc.exe
1864	msdcsc.exe
2888	msdcsc.exe
2340	msdcsc.exe

Loads dropped DLL 47 IoCs

Processes:

c0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
2500	msdcsc.exe
2884	msdcsc.exe
2884	msdcsc.exe
1528	msdcsc.exe
1528	msdcsc.exe
2312	msdcsc.exe
2312	msdcsc.exe
1496	msdcsc.exe
1496	msdcsc.exe
2068	msdcsc.exe
2068	msdcsc.exe
1380	msdcsc.exe
1380	msdcsc.exe
2204	msdcsc.exe
2204	msdcsc.exe
1996	msdcsc.exe
1996	msdcsc.exe
2900	msdcsc.exe
2900	msdcsc.exe
1636	msdcsc.exe
1636	msdcsc.exe
1648	msdcsc.exe
1648	msdcsc.exe
1312	msdcsc.exe
1312	msdcsc.exe
1928	msdcsc.exe
1928	msdcsc.exe
2220	msdcsc.exe
2220	msdcsc.exe
2040	msdcsc.exe
2040	msdcsc.exe
3008	msdcsc.exe
3008	msdcsc.exe
2700	msdcsc.exe
2700	msdcsc.exe
664	msdcsc.exe
664	msdcsc.exe
2100	msdcsc.exe
2100	msdcsc.exe
3048	msdcsc.exe
3048	msdcsc.exe
3044	msdcsc.exe
3044	msdcsc.exe
1864	msdcsc.exe
1864	msdcsc.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exec0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	c0e0ef92f69f8a30ca35b125b74b8294.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 61 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exec0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	c0e0ef92f69f8a30ca35b125b74b8294.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe

Suspicious use of SetThreadContext 24 IoCs

Processes:

c0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	pid	process	target process
PID 2224 set thread context of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2500 set thread context of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2432 set thread context of 1528	2432	msdcsc.exe	msdcsc.exe
PID 1576 set thread context of 2312	1576	msdcsc.exe	msdcsc.exe
PID 1664 set thread context of 1496	1664	msdcsc.exe	msdcsc.exe
PID 2920 set thread context of 2068	2920	msdcsc.exe	msdcsc.exe
PID 1788 set thread context of 1380	1788	msdcsc.exe	msdcsc.exe
PID 1492 set thread context of 2204	1492	msdcsc.exe	msdcsc.exe
PID 2588 set thread context of 1996	2588	msdcsc.exe	msdcsc.exe
PID 2424 set thread context of 2900	2424	msdcsc.exe	msdcsc.exe
PID 3024 set thread context of 1636	3024	msdcsc.exe	msdcsc.exe
PID 1824 set thread context of 1648	1824	msdcsc.exe	msdcsc.exe
PID 2752 set thread context of 1312	2752	msdcsc.exe	msdcsc.exe
PID 1400 set thread context of 1928	1400	msdcsc.exe	msdcsc.exe
PID 2968 set thread context of 2220	2968	msdcsc.exe	msdcsc.exe
PID 2028 set thread context of 2040	2028	msdcsc.exe	msdcsc.exe
PID 2428 set thread context of 3008	2428	msdcsc.exe	msdcsc.exe
PID 2676 set thread context of 2700	2676	msdcsc.exe	msdcsc.exe
PID 528 set thread context of 664	528	msdcsc.exe	msdcsc.exe
PID 868 set thread context of 2100	868	msdcsc.exe	msdcsc.exe
PID 2336 set thread context of 3048	2336	msdcsc.exe	msdcsc.exe
PID 1700 set thread context of 3044	1700	msdcsc.exe	msdcsc.exe
PID 876 set thread context of 1864	876	msdcsc.exe	msdcsc.exe
PID 2888 set thread context of 2340	2888	msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeSecurityPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeTakeOwnershipPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeLoadDriverPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeSystemProfilePrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeSystemtimePrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeProfSingleProcessPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeIncBasePriorityPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeCreatePagefilePrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeBackupPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeRestorePrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeShutdownPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeDebugPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeSystemEnvironmentPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeChangeNotifyPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeRemoteShutdownPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeUndockPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeManageVolumePrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeImpersonatePrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeCreateGlobalPrivilege	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: 33	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: 34	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: 35	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeIncreaseQuotaPrivilege	2884	msdcsc.exe
Token: SeSecurityPrivilege	2884	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2884	msdcsc.exe
Token: SeLoadDriverPrivilege	2884	msdcsc.exe
Token: SeSystemProfilePrivilege	2884	msdcsc.exe
Token: SeSystemtimePrivilege	2884	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2884	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2884	msdcsc.exe
Token: SeCreatePagefilePrivilege	2884	msdcsc.exe
Token: SeBackupPrivilege	2884	msdcsc.exe
Token: SeRestorePrivilege	2884	msdcsc.exe
Token: SeShutdownPrivilege	2884	msdcsc.exe
Token: SeDebugPrivilege	2884	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2884	msdcsc.exe
Token: SeChangeNotifyPrivilege	2884	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2884	msdcsc.exe
Token: SeUndockPrivilege	2884	msdcsc.exe
Token: SeManageVolumePrivilege	2884	msdcsc.exe
Token: SeImpersonatePrivilege	2884	msdcsc.exe
Token: SeCreateGlobalPrivilege	2884	msdcsc.exe
Token: 33	2884	msdcsc.exe
Token: 34	2884	msdcsc.exe
Token: 35	2884	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	1528	msdcsc.exe
Token: SeSecurityPrivilege	1528	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1528	msdcsc.exe
Token: SeLoadDriverPrivilege	1528	msdcsc.exe
Token: SeSystemProfilePrivilege	1528	msdcsc.exe
Token: SeSystemtimePrivilege	1528	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1528	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1528	msdcsc.exe
Token: SeCreatePagefilePrivilege	1528	msdcsc.exe
Token: SeBackupPrivilege	1528	msdcsc.exe
Token: SeRestorePrivilege	1528	msdcsc.exe
Token: SeShutdownPrivilege	1528	msdcsc.exe
Token: SeDebugPrivilege	1528	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1528	msdcsc.exe
Token: SeChangeNotifyPrivilege	1528	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1528	msdcsc.exe
Token: SeUndockPrivilege	1528	msdcsc.exe
Token: SeManageVolumePrivilege	1528	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c0e0ef92f69f8a30ca35b125b74b8294.exec0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	pid	process	target process
PID 2224 wrote to memory of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2224 wrote to memory of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2224 wrote to memory of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2224 wrote to memory of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2224 wrote to memory of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2224 wrote to memory of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2224 wrote to memory of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2224 wrote to memory of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2224 wrote to memory of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2224 wrote to memory of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2224 wrote to memory of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2224 wrote to memory of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2224 wrote to memory of 2956	2224	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2956 wrote to memory of 2500	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe	msdcsc.exe
PID 2956 wrote to memory of 2500	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe	msdcsc.exe
PID 2956 wrote to memory of 2500	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe	msdcsc.exe
PID 2956 wrote to memory of 2500	2956	c0e0ef92f69f8a30ca35b125b74b8294.exe	msdcsc.exe
PID 2500 wrote to memory of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2500 wrote to memory of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2500 wrote to memory of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2500 wrote to memory of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2500 wrote to memory of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2500 wrote to memory of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2500 wrote to memory of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2500 wrote to memory of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2500 wrote to memory of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2500 wrote to memory of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2500 wrote to memory of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2500 wrote to memory of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2500 wrote to memory of 2884	2500	msdcsc.exe	msdcsc.exe
PID 2884 wrote to memory of 2432	2884	msdcsc.exe	msdcsc.exe
PID 2884 wrote to memory of 2432	2884	msdcsc.exe	msdcsc.exe
PID 2884 wrote to memory of 2432	2884	msdcsc.exe	msdcsc.exe
PID 2884 wrote to memory of 2432	2884	msdcsc.exe	msdcsc.exe
PID 2432 wrote to memory of 1528	2432	msdcsc.exe	msdcsc.exe
PID 2432 wrote to memory of 1528	2432	msdcsc.exe	msdcsc.exe
PID 2432 wrote to memory of 1528	2432	msdcsc.exe	msdcsc.exe
PID 2432 wrote to memory of 1528	2432	msdcsc.exe	msdcsc.exe
PID 2432 wrote to memory of 1528	2432	msdcsc.exe	msdcsc.exe
PID 2432 wrote to memory of 1528	2432	msdcsc.exe	msdcsc.exe
PID 2432 wrote to memory of 1528	2432	msdcsc.exe	msdcsc.exe
PID 2432 wrote to memory of 1528	2432	msdcsc.exe	msdcsc.exe
PID 2432 wrote to memory of 1528	2432	msdcsc.exe	msdcsc.exe
PID 2432 wrote to memory of 1528	2432	msdcsc.exe	msdcsc.exe
PID 2432 wrote to memory of 1528	2432	msdcsc.exe	msdcsc.exe
PID 2432 wrote to memory of 1528	2432	msdcsc.exe	msdcsc.exe
PID 2432 wrote to memory of 1528	2432	msdcsc.exe	msdcsc.exe
PID 1528 wrote to memory of 1576	1528	msdcsc.exe	msdcsc.exe
PID 1528 wrote to memory of 1576	1528	msdcsc.exe	msdcsc.exe
PID 1528 wrote to memory of 1576	1528	msdcsc.exe	msdcsc.exe
PID 1528 wrote to memory of 1576	1528	msdcsc.exe	msdcsc.exe
PID 1576 wrote to memory of 2312	1576	msdcsc.exe	msdcsc.exe
PID 1576 wrote to memory of 2312	1576	msdcsc.exe	msdcsc.exe
PID 1576 wrote to memory of 2312	1576	msdcsc.exe	msdcsc.exe
PID 1576 wrote to memory of 2312	1576	msdcsc.exe	msdcsc.exe
PID 1576 wrote to memory of 2312	1576	msdcsc.exe	msdcsc.exe
PID 1576 wrote to memory of 2312	1576	msdcsc.exe	msdcsc.exe
PID 1576 wrote to memory of 2312	1576	msdcsc.exe	msdcsc.exe
PID 1576 wrote to memory of 2312	1576	msdcsc.exe	msdcsc.exe
PID 1576 wrote to memory of 2312	1576	msdcsc.exe	msdcsc.exe
PID 1576 wrote to memory of 2312	1576	msdcsc.exe	msdcsc.exe
PID 1576 wrote to memory of 2312	1576	msdcsc.exe	msdcsc.exe
PID 1576 wrote to memory of 2312	1576	msdcsc.exe	msdcsc.exe
PID 1576 wrote to memory of 2312	1576	msdcsc.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\c0e0ef92f69f8a30ca35b125b74b8294.exe
"C:\Users\Admin\AppData\Local\Temp\c0e0ef92f69f8a30ca35b125b74b8294.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\c0e0ef92f69f8a30ca35b125b74b8294.exe
"C:\Users\Admin\AppData\Local\Temp\c0e0ef92f69f8a30ca35b125b74b8294.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2312

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1664

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1496

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2920

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2068

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1788

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1380

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1492

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2204

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2588

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1996

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2424

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2900

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3024

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1636

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1824

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1648

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2752

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1312

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1400

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1928

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2968

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
30⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2220

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2028

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
32⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2040

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2428

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
34⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3008

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2676

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
36⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2700

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:528

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
38⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:664

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:868

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2100

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2336

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
42⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3048

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1700

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
44⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3044

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:876

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
46⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1864

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2888

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
48⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:2340

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
49⤵
PID:2548

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
Filesize
436KB

MD5
e12c0514f9135ed277c82783d20a702a

SHA1
f8216d1cc4a9c2e00696326774b09f1661d3ab8d

SHA256
a855d0f9b918e4c58a98e0858f47c66f4db69cbb66e6afd75488e82306d03652

SHA512
ca204ed078aa34236e2609fba7f0ced4231bfc6e518e8b8b0880661bc025ad6c807f6cd188374e30753ad88981cf5234539c494ded19655bb6a57e4f245d8c44

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
484KB

MD5
c0e0ef92f69f8a30ca35b125b74b8294

SHA1
2ca329e5230bdb1e2f1e4ab5db928a3ccfce86ce

SHA256
14d82a8323d815e4a8d888a6b95d04b2279b2d618c3cc1487643f7b477041232

SHA512
414f5e430bdfced787703692879a89888fc2c42ab6d1741c3acbcd79f73ff941caae4eea151f5d3137d79d3c24ba92faf45b6f3572782391a0ec0c4630ee3831

Download Submit
memory/664-741-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1312-516-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1380-264-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1496-182-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1528-106-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1636-428-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1648-472-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1864-885-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1928-558-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1996-346-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2040-624-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2068-226-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2100-774-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2204-302-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2220-592-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2224-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2312-144-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2500-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2700-702-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2884-72-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2884-62-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2884-61-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2900-390-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2956-34-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2956-22-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2956-10-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2956-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2956-14-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2956-6-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2956-4-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2956-12-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2956-23-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2956-8-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2956-16-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2956-20-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2956-2-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2956-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3008-663-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/3044-846-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3048-807-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads