darkcomet | 718208741ba5d91b828e357adeb9622f9710c0d422f14846fce044c43adbfbf3

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Size

692KB
MD5

4819ac7420498073e2f939de3bdcf120
SHA1

bd1a83e2b4987bee30a0f14cbaf685b26821d4e7
SHA256

718208741ba5d91b828e357adeb9622f9710c0d422f14846fce044c43adbfbf3
SHA512

ce1c2d4693a62bf8e832479c355caa4c79b38c6682a966390938bde724e5980ac87b7c081dc76809bd8f2d63ef3fa995f889b039c12c653ca9e0286cf27f8148
SSDEEP

12288:cXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452US:KnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JC

Score

10^/10

darkcomet 12 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

tomcol.no-ip.info:1604

Mutex

DC_MUTEX-FWUB5XJ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
u84K4144AzcZ
install
true
offline_keylogger
true
password
tomcol
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Sets file to hidden 1 TTPs 46 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2100	attrib.exe
2056	attrib.exe
2044	attrib.exe
840	attrib.exe
2736	attrib.exe
2096	attrib.exe
2204	attrib.exe
284	attrib.exe
2588	attrib.exe
1104	attrib.exe
1904	attrib.exe
1084	attrib.exe
2356	attrib.exe
744	attrib.exe
2472	attrib.exe
1868	attrib.exe
2004	attrib.exe
3016	attrib.exe
2064	attrib.exe
2700	attrib.exe
1120	attrib.exe
1712	attrib.exe
2844	attrib.exe
2496	attrib.exe
2444	attrib.exe
1332	attrib.exe
852	attrib.exe
2184	attrib.exe
2692	attrib.exe
2112	attrib.exe
980	attrib.exe
2988	attrib.exe
1792	attrib.exe
1460	attrib.exe
2512	attrib.exe
2940	attrib.exe
2620	attrib.exe
2732	attrib.exe
2732	attrib.exe
1652	attrib.exe
1396	attrib.exe
1560	attrib.exe
2108	attrib.exe
2812	attrib.exe
1212	attrib.exe
912	attrib.exe

Deletes itself 1 IoCs

pid	Process
2936	notepad.exe

Executes dropped EXE 23 IoCs

pid	Process
748	msdcsc.exe
1692	msdcsc.exe
2596	msdcsc.exe
2308	msdcsc.exe
2136	msdcsc.exe
820	msdcsc.exe
2176	msdcsc.exe
2456	msdcsc.exe
2044	msdcsc.exe
1120	msdcsc.exe
3016	msdcsc.exe
1608	msdcsc.exe
2636	msdcsc.exe
2396	msdcsc.exe
2228	msdcsc.exe
2296	msdcsc.exe
1888	msdcsc.exe
1200	msdcsc.exe
2780	msdcsc.exe
2312	msdcsc.exe
1508	msdcsc.exe
2068	msdcsc.exe
2376	msdcsc.exe

Loads dropped DLL 46 IoCs

pid	Process
2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
748	msdcsc.exe
748	msdcsc.exe
1692	msdcsc.exe
1692	msdcsc.exe
2596	msdcsc.exe
2596	msdcsc.exe
2308	msdcsc.exe
2308	msdcsc.exe
2136	msdcsc.exe
2136	msdcsc.exe
820	msdcsc.exe
820	msdcsc.exe
2176	msdcsc.exe
2176	msdcsc.exe
2456	msdcsc.exe
2456	msdcsc.exe
2044	msdcsc.exe
2044	msdcsc.exe
1120	msdcsc.exe
1120	msdcsc.exe
3016	msdcsc.exe
3016	msdcsc.exe
1608	msdcsc.exe
1608	msdcsc.exe
2636	msdcsc.exe
2636	msdcsc.exe
2396	msdcsc.exe
2396	msdcsc.exe
2228	msdcsc.exe
2228	msdcsc.exe
2296	msdcsc.exe
2296	msdcsc.exe
1888	msdcsc.exe
1888	msdcsc.exe
1200	msdcsc.exe
1200	msdcsc.exe
2780	msdcsc.exe
2780	msdcsc.exe
2312	msdcsc.exe
2312	msdcsc.exe
1508	msdcsc.exe
1508	msdcsc.exe
2068	msdcsc.exe
2068	msdcsc.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\u84K4144AzcZ\\u84K4144AzcZ\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeSecurityPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeBackupPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeRestorePrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeShutdownPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeDebugPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeUndockPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: 33	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: 34	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: 35	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	748	msdcsc.exe
Token: SeSecurityPrivilege	748	msdcsc.exe
Token: SeTakeOwnershipPrivilege	748	msdcsc.exe
Token: SeLoadDriverPrivilege	748	msdcsc.exe
Token: SeSystemProfilePrivilege	748	msdcsc.exe
Token: SeSystemtimePrivilege	748	msdcsc.exe
Token: SeProfSingleProcessPrivilege	748	msdcsc.exe
Token: SeIncBasePriorityPrivilege	748	msdcsc.exe
Token: SeCreatePagefilePrivilege	748	msdcsc.exe
Token: SeBackupPrivilege	748	msdcsc.exe
Token: SeRestorePrivilege	748	msdcsc.exe
Token: SeShutdownPrivilege	748	msdcsc.exe
Token: SeDebugPrivilege	748	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	748	msdcsc.exe
Token: SeChangeNotifyPrivilege	748	msdcsc.exe
Token: SeRemoteShutdownPrivilege	748	msdcsc.exe
Token: SeUndockPrivilege	748	msdcsc.exe
Token: SeManageVolumePrivilege	748	msdcsc.exe
Token: SeImpersonatePrivilege	748	msdcsc.exe
Token: SeCreateGlobalPrivilege	748	msdcsc.exe
Token: 33	748	msdcsc.exe
Token: 34	748	msdcsc.exe
Token: 35	748	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	1692	msdcsc.exe
Token: SeSecurityPrivilege	1692	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1692	msdcsc.exe
Token: SeLoadDriverPrivilege	1692	msdcsc.exe
Token: SeSystemProfilePrivilege	1692	msdcsc.exe
Token: SeSystemtimePrivilege	1692	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1692	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1692	msdcsc.exe
Token: SeCreatePagefilePrivilege	1692	msdcsc.exe
Token: SeBackupPrivilege	1692	msdcsc.exe
Token: SeRestorePrivilege	1692	msdcsc.exe
Token: SeShutdownPrivilege	1692	msdcsc.exe
Token: SeDebugPrivilege	1692	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1692	msdcsc.exe
Token: SeChangeNotifyPrivilege	1692	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1692	msdcsc.exe
Token: SeUndockPrivilege	1692	msdcsc.exe
Token: SeManageVolumePrivilege	1692	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1892	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	31
PID 2120 wrote to memory of 1892	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	31
PID 2120 wrote to memory of 1892	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	31
PID 2120 wrote to memory of 1892	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2576	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	33
PID 2120 wrote to memory of 2576	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	33
PID 2120 wrote to memory of 2576	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	33
PID 2120 wrote to memory of 2576	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	33
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2936	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	34
PID 1892 wrote to memory of 2732	1892	cmd.exe	37
PID 1892 wrote to memory of 2732	1892	cmd.exe	37
PID 1892 wrote to memory of 2732	1892	cmd.exe	37
PID 1892 wrote to memory of 2732	1892	cmd.exe	37
PID 2576 wrote to memory of 2444	2576	cmd.exe	36
PID 2576 wrote to memory of 2444	2576	cmd.exe	36
PID 2576 wrote to memory of 2444	2576	cmd.exe	36
PID 2576 wrote to memory of 2444	2576	cmd.exe	36
PID 2120 wrote to memory of 748	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	38
PID 2120 wrote to memory of 748	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	38
PID 2120 wrote to memory of 748	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	38
PID 2120 wrote to memory of 748	2120	4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe	38
PID 748 wrote to memory of 2660	748	msdcsc.exe	39
PID 748 wrote to memory of 2660	748	msdcsc.exe	39
PID 748 wrote to memory of 2660	748	msdcsc.exe	39
PID 748 wrote to memory of 2660	748	msdcsc.exe	39
PID 748 wrote to memory of 2452	748	msdcsc.exe	40
PID 748 wrote to memory of 2452	748	msdcsc.exe	40
PID 748 wrote to memory of 2452	748	msdcsc.exe	40
PID 748 wrote to memory of 2452	748	msdcsc.exe	40
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42
PID 748 wrote to memory of 2268	748	msdcsc.exe	42

Views/modifies file attributes 1 TTPs 46 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2940	attrib.exe
2056	attrib.exe
1120	attrib.exe
840	attrib.exe
1332	attrib.exe
2356	attrib.exe
2184	attrib.exe
2512	attrib.exe
2844	attrib.exe
2112	attrib.exe
2988	attrib.exe
1792	attrib.exe
2100	attrib.exe
2732	attrib.exe
1868	attrib.exe
2108	attrib.exe
2812	attrib.exe
2064	attrib.exe
2004	attrib.exe
2444	attrib.exe
2096	attrib.exe
1652	attrib.exe
2692	attrib.exe
1396	attrib.exe
980	attrib.exe
744	attrib.exe
2472	attrib.exe
2700	attrib.exe
1712	attrib.exe
1084	attrib.exe
1212	attrib.exe
2588	attrib.exe
2496	attrib.exe
1904	attrib.exe
3016	attrib.exe
852	attrib.exe
2736	attrib.exe
284	attrib.exe
1104	attrib.exe
2620	attrib.exe
2732	attrib.exe
1560	attrib.exe
1460	attrib.exe
2204	attrib.exe
2044	attrib.exe
912	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\4819ac7420498073e2f939de3bdcf120_JaffaCakes118.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2444
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  PID:2936
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  "C:\Windows\system32\MSDCSC\msdcsc.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
    3⤵
    PID:2660
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
    3⤵
    PID:2452
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:840
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe
    "C:\Windows\system32\MSDCSC\u84K4144AzcZ\msdcsc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h
      4⤵
      PID:604
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1332
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h
      4⤵
      PID:752
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3016
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe
      "C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        5⤵
        
        PID:1152
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        5⤵
        
        PID:1820
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        6⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:980
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:776
    - - C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2308
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        6⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        6⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2356
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        
        PID:2312
      - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        7⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        7⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2184
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\msdcsc.exe"
        7⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h
        8⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h
        8⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2100
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"
        8⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        9⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        10⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        9⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        10⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:744
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        9⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"
        9⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        10⤵
        
        PID:676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        10⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2108
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        10⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        10⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        11⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        12⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        11⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        12⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2472
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        11⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\msdcsc.exe"
        11⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h
        12⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h
        13⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h
        12⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2096
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        12⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"
        12⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        13⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        14⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        13⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        14⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1652
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        13⤵
        
        PID:688
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"
        13⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        14⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        15⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        14⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        15⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2940
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        14⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        14⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        15⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        16⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        15⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        16⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2204
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        15⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\msdcsc.exe"
        15⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h
        16⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h
        17⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h
        16⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h
        17⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2056
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        16⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"
        16⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        17⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        18⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        17⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        18⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2700
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        17⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"
        17⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        18⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        19⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        18⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        19⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2004
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        18⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        18⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        19⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        20⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        19⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        20⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1120
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        19⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\msdcsc.exe"
        19⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h
        20⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h
        21⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h
        20⤵
        
        PID:820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h
        21⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:284
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        20⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"
        20⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        21⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        22⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        21⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        22⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1104
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        21⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"
        21⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        22⤵
        
        PID:472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe" +s +h
        23⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        22⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ" +s +h
        23⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2844
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        22⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        22⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        23⤵
        
        PID:556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        24⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        23⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        24⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2588
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        23⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\msdcsc.exe"
        23⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h
        24⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\msdcsc.exe" +s +h
        25⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h
        24⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ" +s +h
        25⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:912
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        24⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\u84K4144AzcZ\u84K4144AzcZ\msdcsc.exe"
        24⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
692KB

MD5
4819ac7420498073e2f939de3bdcf120

SHA1
bd1a83e2b4987bee30a0f14cbaf685b26821d4e7

SHA256
718208741ba5d91b828e357adeb9622f9710c0d422f14846fce044c43adbfbf3

SHA512
ce1c2d4693a62bf8e832479c355caa4c79b38c6682a966390938bde724e5980ac87b7c081dc76809bd8f2d63ef3fa995f889b039c12c653ca9e0286cf27f8148

Download Submit
memory/748-77-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2120-0-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2120-36-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2936-3-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2936-26-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads