Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
01-12-2024 16:29
General
-
Target
0cb080c8fe1f959b91761bfda632078ea3f5b52a1b6ca8c8c5ea7ac8f2c1a20aN.exe
-
Size
742KB
-
MD5
cb59fc47fcd2ea6c4354d60230b67c50
-
SHA1
7416dd76ebd488b308d73d6d27dd1101a92e0772
-
SHA256
0cb080c8fe1f959b91761bfda632078ea3f5b52a1b6ca8c8c5ea7ac8f2c1a20a
-
SHA512
1c103d9a11cb38543d2f83d254b1465898127ac1e29a34c6b98c8b77685aa48bf2c8a99e697a794403c67fa3bccd6386273697844734fba4023d9f46b82db29e
-
SSDEEP
12288:UrAeSye4BLE0RnRO0GiAlQUZM6GR9jrHNCqZO0ZaF8RivkDOn7Ypca1oymIW2J83:CAZyUNtiCK6c9jrtL8WnDAE2RIuws
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
Dragonica
C2
192.168.0.13:1604
85.168.104.237:1604
Mutex
DC_MUTEX-AE11EHH
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
3E1WoVyr3qxU
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0cb080c8fe1f959b91761bfda632078ea3f5b52a1b6ca8c8c5ea7ac8f2c1a20aN.exe"C:\Users\Admin\AppData\Local\Temp\0cb080c8fe1f959b91761bfda632078ea3f5b52a1b6ca8c8c5ea7ac8f2c1a20aN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ztmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ztmp"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp2⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\ztmp3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\makeitbounce.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\makeitbounce.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp85650.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp85650.bat"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp38410.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp38410.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztmp\tmp85650.bat "C:\Users\Admin\AppData\Local\Temp\0cb080c8fe1f959b91761bfda632078ea3f5b52a1b6ca8c8c5ea7ac8f2c1a20aN.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\afolder\makeitbounce.exemakeitbounce.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\afolder\makeitbounce.exe" +s +h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\afolder\makeitbounce.exe" +s +h5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\afolder" +s +h4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\afolder" +s +h5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h7⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h7⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h8⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h9⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h10⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h10⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h11⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h11⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"10⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h12⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h12⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h13⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h14⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h14⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"13⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h15⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h14⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h15⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h16⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h16⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"15⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h16⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h17⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h17⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h18⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h18⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h18⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h19⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h19⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h19⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h20⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h20⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h20⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h21⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h21⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h22⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h22⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h23⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h23⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h24⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h24⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h25⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h25⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h26⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h26⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"25⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h26⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h27⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h26⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h27⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"26⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h28⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h28⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"27⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h28⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h29⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h28⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h29⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h29⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h30⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h29⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h30⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"29⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h30⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h31⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h30⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h31⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h31⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h32⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h32⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"31⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h32⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h33⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h32⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h33⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h33⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h34⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h33⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h34⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h34⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h35⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h34⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV135⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h35⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"34⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h35⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV136⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h36⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h35⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h36⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"35⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h36⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h37⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h36⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h37⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"36⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h37⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h38⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h37⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h38⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"37⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h38⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h39⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h38⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h39⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h39⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h40⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h39⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h40⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"39⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h40⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h41⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h40⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h41⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"40⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h42⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h41⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV142⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h42⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h42⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h43⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h42⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h43⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h43⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV144⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h44⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h43⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h44⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"43⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h44⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h45⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h44⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV145⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h45⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"44⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h46⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h46⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"45⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h46⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h47⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h46⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h47⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"46⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h48⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h47⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h48⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"47⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h48⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h49⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h48⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h49⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"48⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h50⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h50⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h50⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h51⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h50⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h51⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"50⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h51⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h52⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h51⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h52⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"51⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h52⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h53⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h52⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h53⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"52⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h53⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h54⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h53⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h54⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"53⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h54⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h55⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h54⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h55⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"54⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h55⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h56⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h55⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h56⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"55⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h56⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h57⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h56⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h57⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"56⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h57⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h58⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h58⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"57⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h58⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h59⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h58⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h59⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"58⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h60⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h59⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h60⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"59⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h60⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h61⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h60⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h61⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"60⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h62⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h62⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h62⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h63⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h62⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h63⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"62⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h64⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h64⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"63⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h64⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h65⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h64⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h65⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"64⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h66⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h66⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"65⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h66⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h67⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h66⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h67⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"66⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h67⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h68⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h67⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h68⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"67⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h68⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h69⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h68⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h69⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"68⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h70⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h69⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h70⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"69⤵
- Modifies WinLogon for persistence
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h70⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h71⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h70⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h71⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"70⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h71⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h72⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h71⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h72⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"71⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h72⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h73⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h72⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h73⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"72⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h74⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h74⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"73⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h74⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h75⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h74⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h75⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"74⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h75⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV176⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h76⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h75⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h76⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"75⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h76⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h77⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h76⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h77⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"76⤵
- Modifies WinLogon for persistence
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h77⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h78⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h77⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h78⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"77⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h78⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h79⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h78⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h79⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"78⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h79⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h80⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h79⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h80⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"79⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h80⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h81⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h80⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h81⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"80⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h81⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h82⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h81⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h82⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"81⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h82⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h83⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h82⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h83⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"82⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h83⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h84⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h83⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h84⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"83⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h84⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h85⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h84⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h85⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"84⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h85⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV186⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h86⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h85⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h86⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"85⤵
- Modifies WinLogon for persistence
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h86⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h87⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h86⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h87⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"86⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h87⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h88⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h87⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h88⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"87⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h88⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h89⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h88⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h89⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"88⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h89⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h90⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h89⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h90⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"89⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h90⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h91⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h90⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h91⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"90⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h91⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h92⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h91⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV192⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h92⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"91⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h92⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h93⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h92⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h93⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"92⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h93⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h94⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h93⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h94⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"93⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h94⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h95⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h94⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h95⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"94⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h95⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h96⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h95⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h96⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"95⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h96⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h97⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h96⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h97⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"96⤵
- Modifies WinLogon for persistence
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h97⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h98⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h97⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h98⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"97⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h98⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h99⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h98⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV199⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h99⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"98⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h99⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h100⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h99⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h100⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"99⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h100⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h101⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h100⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h101⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"100⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h101⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h102⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h101⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h102⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"101⤵
- Modifies WinLogon for persistence
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h102⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h103⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h102⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h103⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"102⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h103⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h104⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h103⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1104⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h104⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"103⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h104⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h105⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h104⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h105⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"104⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h105⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1106⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h106⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h105⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h106⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"105⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h106⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h107⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h106⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h107⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"106⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h107⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h108⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h107⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h108⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"107⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h108⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h109⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h108⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h109⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"108⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h109⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h110⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h109⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h110⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"109⤵
- Modifies WinLogon for persistence
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h110⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h111⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h110⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h111⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"110⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h111⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h112⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h111⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h112⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"111⤵
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h112⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h113⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h112⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h113⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"112⤵
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h113⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h114⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h113⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h114⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"113⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h114⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h115⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h114⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h115⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"114⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h115⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h115⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h116⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"115⤵
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h116⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h117⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h116⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h117⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"116⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h117⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1118⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h117⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1118⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h118⤵
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"117⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h118⤵
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"118⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h119⤵
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"119⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h120⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\makeitbounce.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\makeitbounce.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp85650.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp85650.bat"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp38410.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp38410.exe"2⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 8072 -s 3841⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
3Hidden Files and Directories
3Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
662KB
MD5f57e7d7a992641105d4db7d480e1c3dc
SHA1cc5c600c55b2e07d6e0dff98fef45c6616b748ff
SHA2561ae85a4b1f2504adbe262692045a25032ae9802d87aee53147807e979c2e57a9
SHA5122a5af4fb5690e45c0209f49227c50949da884e772d906c22e2e84b9d5cf4bc69145e7130f6d969bab9f39cd01a3f054cc5dcb2ccb13f6f9c79514d48953559ae
-
Filesize
15B
MD53c52638971ead82b5929d605c1314ee0
SHA17318148a40faca203ac402dff51bbb04e638545c
SHA2565614459ec05fdf6110fa8ce54c34e859671eeffba2b7bb4b1ad6c2c6706855ab
SHA51246f85f730e3ca9a57f51416c6ab4d03f868f895568eee8f7943cd249b2f71d2a3e83c34e7132715c983d3efaa865a9cb599a4278c911130a0a6948a535c0573b
-
Filesize
218B
MD56a7a12b80092e428ba29e9f4e98b3457
SHA1a25ffd08d7adb8c46fc15163f8bc7b573edc8412
SHA2564ac5b998a80ae7f20d1a5ae91cc445eceb35c00adc7640096ee1545734718aae
SHA512c98f250a2b4014906d96647694fcc0d40f5520e4a4f572d5fc6d40226294e2af71c8f9fa9e0401bff5d9fdd81ba09d8d395b5da1c75a9d4e24e5c64b86d1ec73
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB