darkcomet | 14d82a8323d815e4a8d888a6b95d04b2279b2d618c3cc1487643f7b477041232

General

Target

c0e0ef92f69f8a30ca35b125b74b8294.exe
Size

484KB
MD5

c0e0ef92f69f8a30ca35b125b74b8294
SHA1

2ca329e5230bdb1e2f1e4ab5db928a3ccfce86ce
SHA256

14d82a8323d815e4a8d888a6b95d04b2279b2d618c3cc1487643f7b477041232
SHA512

414f5e430bdfced787703692879a89888fc2c42ab6d1741c3acbcd79f73ff941caae4eea151f5d3137d79d3c24ba92faf45b6f3572782391a0ec0c4630ee3831
SSDEEP

6144:3snxekcgA04STi+/ZxkSs9O2vFBc93d1ZBjpfVRV1Qyt56d+strP8MJaLdcp6Nk4:cxekhA04LBJNKJpfLTDcPHaBcw3

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

alpachino.zapto.org:1606

127.0.0.1:1606

Mutex

DC_MUTEX-Z42UGJP

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
jXzF8jNN2epT
install
true
offline_keylogger
true
password
k1c2d3i4
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 25 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exec0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	c0e0ef92f69f8a30ca35b125b74b8294.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exec0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	c0e0ef92f69f8a30ca35b125b74b8294.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	msdcsc.exe

Executes dropped EXE 48 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
4676	msdcsc.exe
2024	msdcsc.exe
3168	msdcsc.exe
4116	msdcsc.exe
5116	msdcsc.exe
3616	msdcsc.exe
1448	msdcsc.exe
2768	msdcsc.exe
5020	msdcsc.exe
4212	msdcsc.exe
4072	msdcsc.exe
2304	msdcsc.exe
2012	msdcsc.exe
4676	msdcsc.exe
3820	msdcsc.exe
4216	msdcsc.exe
1308	msdcsc.exe
1008	msdcsc.exe
3008	msdcsc.exe
1708	msdcsc.exe
3872	msdcsc.exe
3988	msdcsc.exe
4944	msdcsc.exe
1604	msdcsc.exe
3384	msdcsc.exe
1836	msdcsc.exe
4892	msdcsc.exe
4756	msdcsc.exe
4856	msdcsc.exe
3684	msdcsc.exe
5016	msdcsc.exe
2400	msdcsc.exe
3688	msdcsc.exe
2544	msdcsc.exe
2844	msdcsc.exe
3324	msdcsc.exe
3220	msdcsc.exe
4528	msdcsc.exe
1572	msdcsc.exe
4448	msdcsc.exe
3548	msdcsc.exe
4636	msdcsc.exe
1520	msdcsc.exe
4488	msdcsc.exe
4972	msdcsc.exe
2884	msdcsc.exe
4056	msdcsc.exe
3480	msdcsc.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exec0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	c0e0ef92f69f8a30ca35b125b74b8294.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\jXzF8jNN2epT\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 64 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exec0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	c0e0ef92f69f8a30ca35b125b74b8294.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe	msdcsc.exe

Suspicious use of SetThreadContext 25 IoCs

Processes:

c0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	pid	process	target process
PID 1736 set thread context of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 4676 set thread context of 2024	4676	msdcsc.exe	msdcsc.exe
PID 3168 set thread context of 4116	3168	msdcsc.exe	msdcsc.exe
PID 5116 set thread context of 3616	5116	msdcsc.exe	msdcsc.exe
PID 1448 set thread context of 2768	1448	msdcsc.exe	msdcsc.exe
PID 5020 set thread context of 4212	5020	msdcsc.exe	msdcsc.exe
PID 4072 set thread context of 2304	4072	msdcsc.exe	msdcsc.exe
PID 2012 set thread context of 4676	2012	msdcsc.exe	msdcsc.exe
PID 3820 set thread context of 4216	3820	msdcsc.exe	msdcsc.exe
PID 1308 set thread context of 1008	1308	msdcsc.exe	msdcsc.exe
PID 3008 set thread context of 1708	3008	msdcsc.exe	msdcsc.exe
PID 3872 set thread context of 3988	3872	msdcsc.exe	msdcsc.exe
PID 4944 set thread context of 1604	4944	msdcsc.exe	msdcsc.exe
PID 3384 set thread context of 1836	3384	msdcsc.exe	msdcsc.exe
PID 4892 set thread context of 4756	4892	msdcsc.exe	msdcsc.exe
PID 4856 set thread context of 3684	4856	msdcsc.exe	msdcsc.exe
PID 5016 set thread context of 2400	5016	msdcsc.exe	msdcsc.exe
PID 3688 set thread context of 2544	3688	msdcsc.exe	msdcsc.exe
PID 2844 set thread context of 3324	2844	msdcsc.exe	msdcsc.exe
PID 3220 set thread context of 4528	3220	msdcsc.exe	msdcsc.exe
PID 1572 set thread context of 4448	1572	msdcsc.exe	msdcsc.exe
PID 3548 set thread context of 4636	3548	msdcsc.exe	msdcsc.exe
PID 1520 set thread context of 4488	1520	msdcsc.exe	msdcsc.exe
PID 4972 set thread context of 2884	4972	msdcsc.exe	msdcsc.exe
PID 4056 set thread context of 3480	4056	msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeSecurityPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeTakeOwnershipPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeLoadDriverPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeSystemProfilePrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeSystemtimePrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeProfSingleProcessPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeIncBasePriorityPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeCreatePagefilePrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeBackupPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeRestorePrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeShutdownPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeDebugPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeSystemEnvironmentPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeChangeNotifyPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeRemoteShutdownPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeUndockPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeManageVolumePrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeImpersonatePrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeCreateGlobalPrivilege	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: 33	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: 34	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: 35	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: 36	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe
Token: SeIncreaseQuotaPrivilege	2024	msdcsc.exe
Token: SeSecurityPrivilege	2024	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2024	msdcsc.exe
Token: SeLoadDriverPrivilege	2024	msdcsc.exe
Token: SeSystemProfilePrivilege	2024	msdcsc.exe
Token: SeSystemtimePrivilege	2024	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2024	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2024	msdcsc.exe
Token: SeCreatePagefilePrivilege	2024	msdcsc.exe
Token: SeBackupPrivilege	2024	msdcsc.exe
Token: SeRestorePrivilege	2024	msdcsc.exe
Token: SeShutdownPrivilege	2024	msdcsc.exe
Token: SeDebugPrivilege	2024	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2024	msdcsc.exe
Token: SeChangeNotifyPrivilege	2024	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2024	msdcsc.exe
Token: SeUndockPrivilege	2024	msdcsc.exe
Token: SeManageVolumePrivilege	2024	msdcsc.exe
Token: SeImpersonatePrivilege	2024	msdcsc.exe
Token: SeCreateGlobalPrivilege	2024	msdcsc.exe
Token: 33	2024	msdcsc.exe
Token: 34	2024	msdcsc.exe
Token: 35	2024	msdcsc.exe
Token: 36	2024	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	4116	msdcsc.exe
Token: SeSecurityPrivilege	4116	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4116	msdcsc.exe
Token: SeLoadDriverPrivilege	4116	msdcsc.exe
Token: SeSystemProfilePrivilege	4116	msdcsc.exe
Token: SeSystemtimePrivilege	4116	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4116	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4116	msdcsc.exe
Token: SeCreatePagefilePrivilege	4116	msdcsc.exe
Token: SeBackupPrivilege	4116	msdcsc.exe
Token: SeRestorePrivilege	4116	msdcsc.exe
Token: SeShutdownPrivilege	4116	msdcsc.exe
Token: SeDebugPrivilege	4116	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4116	msdcsc.exe
Token: SeChangeNotifyPrivilege	4116	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4116	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c0e0ef92f69f8a30ca35b125b74b8294.exec0e0ef92f69f8a30ca35b125b74b8294.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	pid	process	target process
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 1736 wrote to memory of 2348	1736	c0e0ef92f69f8a30ca35b125b74b8294.exe	c0e0ef92f69f8a30ca35b125b74b8294.exe
PID 2348 wrote to memory of 4676	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe	msdcsc.exe
PID 2348 wrote to memory of 4676	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe	msdcsc.exe
PID 2348 wrote to memory of 4676	2348	c0e0ef92f69f8a30ca35b125b74b8294.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 4676 wrote to memory of 2024	4676	msdcsc.exe	msdcsc.exe
PID 2024 wrote to memory of 3168	2024	msdcsc.exe	msdcsc.exe
PID 2024 wrote to memory of 3168	2024	msdcsc.exe	msdcsc.exe
PID 2024 wrote to memory of 3168	2024	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 3168 wrote to memory of 4116	3168	msdcsc.exe	msdcsc.exe
PID 4116 wrote to memory of 5116	4116	msdcsc.exe	msdcsc.exe
PID 4116 wrote to memory of 5116	4116	msdcsc.exe	msdcsc.exe
PID 4116 wrote to memory of 5116	4116	msdcsc.exe	msdcsc.exe
PID 5116 wrote to memory of 3616	5116	msdcsc.exe	msdcsc.exe
PID 5116 wrote to memory of 3616	5116	msdcsc.exe	msdcsc.exe
PID 5116 wrote to memory of 3616	5116	msdcsc.exe	msdcsc.exe
PID 5116 wrote to memory of 3616	5116	msdcsc.exe	msdcsc.exe
PID 5116 wrote to memory of 3616	5116	msdcsc.exe	msdcsc.exe
PID 5116 wrote to memory of 3616	5116	msdcsc.exe	msdcsc.exe
PID 5116 wrote to memory of 3616	5116	msdcsc.exe	msdcsc.exe
PID 5116 wrote to memory of 3616	5116	msdcsc.exe	msdcsc.exe
PID 5116 wrote to memory of 3616	5116	msdcsc.exe	msdcsc.exe
PID 5116 wrote to memory of 3616	5116	msdcsc.exe	msdcsc.exe
PID 5116 wrote to memory of 3616	5116	msdcsc.exe	msdcsc.exe
PID 5116 wrote to memory of 3616	5116	msdcsc.exe	msdcsc.exe
PID 5116 wrote to memory of 3616	5116	msdcsc.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\c0e0ef92f69f8a30ca35b125b74b8294.exe
"C:\Users\Admin\AppData\Local\Temp\c0e0ef92f69f8a30ca35b125b74b8294.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\c0e0ef92f69f8a30ca35b125b74b8294.exe
"C:\Users\Admin\AppData\Local\Temp\c0e0ef92f69f8a30ca35b125b74b8294.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"
4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3616

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1448

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2768

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5020

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4212

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4072

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2304

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2012

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4676

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3820

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4216

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1308

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1008

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3008

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1708

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3872

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
24⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3988

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4944

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
26⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1604

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3384

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1836

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4892

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4756

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4856

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
32⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3684

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5016

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
34⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2400

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3688

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
36⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2544

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2844

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
38⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3324

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3220

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
40⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4528

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1572

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
42⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4448

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3548

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
44⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4636

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1520

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
46⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4488

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4972

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe"
48⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2884

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\system32\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4056

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe
"C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\msdcsc.exe"
50⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
Filesize
75KB

MD5
99aa7de47b3f40501d703342cde755a8

SHA1
c5faabff8e9a87a850d770c73efd826b66b25030

SHA256
8fa5a59485250341082f1e43ce3ba8661be46d576a623d1d3ca288e814ff5e16

SHA512
36d8ac858bf130cbb45889f8ddba734d167020b1e812ad8b020ab22a8e7934484012b21b89736d5452f92257fdaa1d8d72a6c2742d6bee6bfffec61e493fff22

Download Submit
C:\Windows\SysWOW64\MSDCSC\jXzF8jNN2epT\jXzF8jNN2epT\msdcsc.exe
Filesize
389KB

MD5
9129ae01440df70879bfee4370681c74

SHA1
fb9e58ff1a5d772d42c3776f79fd22392d36ba34

SHA256
018f903689124ef1d6e839092b34edb2b0ab6fa55d9db11b0a57cac0e4f620a7

SHA512
9a9996b668da56081e5c1aedc92623945166d87a0eec4520b1ed3b8b808eec2f5f95eae186160b0d892f1b385c5be5878957b684621a24d2b0e3952a6640f6d6

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
484KB

MD5
c0e0ef92f69f8a30ca35b125b74b8294

SHA1
2ca329e5230bdb1e2f1e4ab5db928a3ccfce86ce

SHA256
14d82a8323d815e4a8d888a6b95d04b2279b2d618c3cc1487643f7b477041232

SHA512
414f5e430bdfced787703692879a89888fc2c42ab6d1741c3acbcd79f73ff941caae4eea151f5d3137d79d3c24ba92faf45b6f3572782391a0ec0c4630ee3831

Download Submit
memory/1008-252-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1604-333-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1708-279-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1736-10-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1836-362-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2024-38-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2024-48-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2024-39-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2304-173-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2348-6-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2348-13-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2348-23-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2348-1-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2348-11-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2348-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2348-12-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2348-2-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2348-4-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2348-8-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2348-7-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2400-441-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2544-468-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/2768-117-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2884-625-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3168-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3324-495-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/3480-649-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/3616-91-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3616-100-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3684-414-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/3988-306-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4116-65-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4116-64-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4116-75-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4212-144-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/4216-225-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4448-549-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/4528-522-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/4636-576-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4676-36-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4676-198-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4756-387-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/5116-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads