Analysis Overview
SHA256
11c0e397d62858a5a59ffc635eff294ae5bf5aaf5b94f97e48ef86b599e0987e
Threat Level: Known bad
The file 192c731e822a64cce6dc9a6725d7b651_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Modifies WinLogon for persistence
Sets file to hidden
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Views/modifies file attributes
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-28 06:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 06:48
Reported
2024-06-28 06:51
Platform
win7-20240611-en
Max time kernel
144s
Max time network
122s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\926.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
Sets file to hidden
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\926.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
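Reading the two registry tables above together: each successive write to Winlogon\UserInit (by 926.exe, then MSDCSC\msdcsc.exe, then the two nested 30ibXWq2y5dh copies in turn) keeps the stock userinit.exe first and appends one more msdcsc.exe path, which is why the value grows to dozens of comma-separated entries, and the same copies keep resetting the per-user Run value MicroUpdate. Note also that the value data says C:\Windows\system32\... while every writing process lives under C:\Windows\SysWOW64\...: the sample is a 32-bit process subject to WOW64 file-system redirection on the 64-bit Win7 sandbox, so the dropped copies actually sit under SysWOW64 even though the registry points at system32. The Python below is an added example, not part of the sandbox output. It parses rows in the report's own table layout (three rows copied from above plus one constructed benign UserInit write), flags every UserInit entry other than the stock userinit.exe, flags any Run-key write, and lists both spellings of each path to check on disk. The assumed clean-host UserInit value and the ATT&CK sub-technique labels are this example's own, not something the report states.

```python
r"""Flag DarkComet-style autostart writes in sandbox "Set value" table rows.
Added example, not part of the sandbox output: parses rows in the report's own
table layout, reports Winlogon\UserInit entries other than the stock
userinit.exe and any Run-key write, and adds the SysWOW64 alias of each path."""
from __future__ import annotations

from dataclasses import dataclass

# Stock data of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
# (assumed clean-host value; Windows writes it with a trailing comma).
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample input: rows 1-3 are copied from the report above (two short
# UserInit writes, the first Run-key write); row 4 is a made-up benign write.
SAMPLE_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\926.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\926.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Windows\System32\svchost.exe | N/A |',
]


@dataclass
class RegWrite:
    key: str      # key path, e.g. \REGISTRY\MACHINE\...\Winlogon
    name: str     # value name, e.g. UserInit
    value: str    # unescaped string data
    process: str  # writing process as reported by the sandbox


@dataclass
class Finding:
    technique: str
    process: str
    paths: list[str]   # autostart paths as written to the registry, lowercased
    on_disk: set[str]  # spellings to check on disk, WOW64 alias included


def parse_row(row: str) -> RegWrite | None:
    r"""Parse '| Set value (str) | KEY\NAME = "DATA" | PROCESS | N/A |'."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] != "Set value (str)":
        return None
    key_and_name, sep, quoted = cells[1].partition(" = ")
    if not sep:
        return None
    key, _, name = key_and_name.rpartition("\\")
    # The report escapes every backslash in string data as "\\"; undo that.
    value = quoted.strip('"').replace("\\\\", "\\")
    return RegWrite(key=key, name=name, value=value, process=cells[2])


def norm_path(path: str) -> str:
    return path.strip().strip('"').lower()


def wow64_aliases(path: str) -> set[str]:
    r"""On 64-bit Windows a 32-bit process opening C:\Windows\system32\... is
    redirected to C:\Windows\SysWOW64\...: the value data above says system32
    while the writing process lives in SysWOW64, so check both spellings."""
    low = norm_path(path)
    aliases = {low}
    if "\\windows\\system32\\" in low:
        aliases.add(low.replace("\\windows\\system32\\", "\\windows\\syswow64\\"))
    return aliases


def userinit_extras(value: str) -> list[str]:
    """UserInit entries other than the stock userinit.exe, in order, duplicates
    kept: each rewrite in the report appends one more msdcsc.exe path."""
    entries = [norm_path(e) for e in value.split(",") if e.strip()]
    return [e for e in entries if e != STOCK_USERINIT]


def _finding(technique: str, w: RegWrite, paths: list[str]) -> Finding:
    on_disk: set[str] = set()
    for p in paths:
        on_disk |= wow64_aliases(p)
    return Finding(technique, w.process, paths, on_disk)


def analyze(rows: list[str]) -> list[Finding]:
    """ATT&CK labels (T1547.004 Winlogon helper, T1547.001 Run key) are this
    example's own mapping, not something the sandbox report states."""
    findings: list[Finding] = []
    for row in rows:
        w = parse_row(row)
        if w is None:
            continue
        key = w.key.lower()
        if key.endswith("\\winlogon") and w.name.lower() == "userinit":
            extras = userinit_extras(w.value)
            if extras:
                findings.append(_finding("T1547.004 Winlogon UserInit", w, extras))
        elif key.endswith("\\currentversion\\run"):
            findings.append(_finding(f"T1547.001 Run key {w.name}", w, [norm_path(w.value)]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        print(f.technique, "written by", f.process)
        print("   ", *f.paths, "| on disk:", ", ".join(sorted(f.on_disk)))
```

Run as a script it prints three findings for the sample rows and nothing for the benign write. On a live host the same functions can be fed the current UserInit data read with reg query or Get-ItemProperty; any entry there other than userinit.exe is a high-confidence indicator whatever the malware family, and the on_disk set is what to hand to the file-collection step, since a path copied verbatim from the registry would miss the SysWOW64 copy.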
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\926.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | C:\Users\Admin\AppData\Local\Temp\926.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\926.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Processes
C:\Users\Admin\AppData\Local\Temp\192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\926.exe
C:\Users\Admin\AppData\Local\Temp\926.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\926.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\926.exe" +s +h
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
Network
Files
memory/2240-0-0x000007FEF5C8E000-0x000007FEF5C8F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\926.exe
| MD5 | 92cebc5cd470ea94f6cf3c228a09f903 |
| SHA1 | 982e38abbb25f8783569326c9dd2c5e51fb051f9 |
| SHA256 | 11e73e162c3f6dab132b6d7dd33bae321f30a6a703f9c082a79359c501d2d887 |
| SHA512 | 62be2cc36bb5bf376b73bbb09c1c2577d98a56bfae844bd6963ca746936209121da05549ca9923793c0318420c8bc4aa3777c8f91d1ca7b055f67319bfc1ea0e |
memory/2240-7-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp
memory/2736-11-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2736-21-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2848-34-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2928-46-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2240-51-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp
memory/964-60-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1688-73-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3000-81-0x0000000000400000-0x00000000004BD000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2056-94-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2260-101-0x00000000775D0000-0x00000000776CA000-memory.dmp
memory/2260-100-0x00000000776D0000-0x00000000777EF000-memory.dmp
memory/1800-105-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1700-116-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2704-130-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2920-138-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/968-150-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1304-162-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1488-173-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2484-182-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1580-191-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2808-200-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2968-209-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1720-218-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2832-221-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1448-230-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2348-239-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2360-248-0x0000000000400000-0x00000000004BD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 06:48
Reported
2024-06-28 06:51
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\186.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
Sets file to hidden
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\186.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\186.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\30ibXWq2y5dh\\30ibXWq2y5dh\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | C:\Users\Admin\AppData\Local\Temp\186.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\186.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\186.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Processes
C:\Users\Admin\AppData\Local\Temp\192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\186.exe
C:\Users\Admin\AppData\Local\Temp\186.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\186.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\186.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\30ibXWq2y5dh\msdcsc.exe" +s +h
C:\Windows\SysWOW64\MSDCSC\30ibXWq2y5dh\msdcsc.exe
"C:\Windows\system32\MSDCSC\30ibXWq2y5dh\msdcsc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
memory/4292-0-0x00007FFC4ED55000-0x00007FFC4ED56000-memory.dmp
memory/4292-1-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp
memory/4292-2-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp
memory/4292-3-0x000000001B6D0000-0x000000001B776000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\186.exe
| MD5 | 92cebc5cd470ea94f6cf3c228a09f903 |
| SHA1 | 982e38abbb25f8783569326c9dd2c5e51fb051f9 |
| SHA256 | 11e73e162c3f6dab132b6d7dd33bae321f30a6a703f9c082a79359c501d2d887 |
| SHA512 | 62be2cc36bb5bf376b73bbb09c1c2577d98a56bfae844bd6963ca746936209121da05549ca9923793c0318420c8bc4aa3777c8f91d1ca7b055f67319bfc1ea0e |
memory/4208-8-0x00000000007F0000-0x00000000007F1000-memory.dmp
memory/4292-10-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp
memory/4208-14-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4208-73-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1624-135-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/5084-196-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4996-258-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2184-320-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4488-382-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/452-444-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2404-506-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2072-568-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4440-630-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4736-692-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1200-754-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3796-816-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2576-878-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/5024-940-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/5328-1002-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/5824-1064-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/5168-1126-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/5640-1188-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/6044-1250-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4368-1312-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/6024-1374-0x0000000000400000-0x00000000004BD000-memory.dmp