Analysis
max time kernel: 144s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14-12-2024 22:22
Behavioral task: behavioral1
Sample: f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe
Size: 351KB
MD5: f0fbcf1170872bbe1ed04d118bc59a24
SHA1: 3ce2e875b4a2c8f7315303c2b74f1ad593de681e
SHA256: bc53a12b9f9b91b8b559e5725a35f0570cc9e00b28c0e317efd22da0fb202292
SHA512: 90b6f08cfab9e4971bca771dc8156a473d4ca7b475d1f6fc270b1ad86cdf04642d2c8124f84bb1f4bd94c830b31fdff33f986133bbe38b49882f14bd6f3ef84d
SSDEEP: 6144:5D7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZBgaPlbL:5l8E4w5huat7UovONzbXw
Malware Config
Extracted
Family: darkcomet
1221
C2: alexondutyshack.no-ip.org:1604
C2: alexondutyshack.no-ip.org:8080
C2: alexondutyshack.no-ip.org:5147
Mutex: DC_MUTEX-1118UEH
InstallPath: MSDCSC\msdcsc.exe
gencode: Uku7Ze6bP4Ye
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures
- Darkcomet family
- Modifies WinLogon for persistence (2 TTPs, 24 IoCs)
- Sets file to hidden (1 TTP, 46 IoCs): modifies file attributes to stop it showing in Explorer etc.
- Executes dropped EXE (23 IoCs)
- Loads dropped DLL (46 IoCs)
- Adds Run key to start application (2 TTPs, 24 IoCs)
- Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\ | msdcsc.exe
File created | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\ | msdcsc.exe
File created | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File created | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye | attrib.exe
File created | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye | attrib.exe
File created | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye | attrib.exe
File created | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File created | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\ | msdcsc.exe
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\ | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\ | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File created | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File created | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\ | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\ | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye | attrib.exe
File created | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\ | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\ | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\ | msdcsc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
File created | C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe | msdcsc.exe
-
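The 64 rows above describe only six on-disk artifacts. The following is an added example written for this page, not code from the report or from the DarkComet sample: it parses a subset of those rows in the raw form the sandbox exports them, collapses them into one record per artifact with the processes that created or touched it, and measures how many levels of the gencode folder (Uku7Ze6bP4Ye) each copy sits under. The `redirected` helper maps the system32 path named in the RAT's command lines to the SysWOW64 path where a 32-bit process's writes land on 64-bit Windows, which is why every dropped file here is under SysWOW64. The row subset is copied from the table; function names and the install root constant are this example's own.

```python
import re
from collections import defaultdict

# Rows copied from the "Drops file in System32 directory" table above, one per
# line, in the raw "<description> <path> <process>" form the report exports.
# A subset is enough to recover the install layout.
DROP_ROWS = r"""
File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\ f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe attrib.exe
File created C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe msdcsc.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\ msdcsc.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye attrib.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe attrib.exe
File created C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe msdcsc.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\ msdcsc.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye attrib.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe attrib.exe
File created C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe msdcsc.exe
"""

ACTIONS = ("File created", "File opened for modification")
INSTALL_ROOT = r"C:\Windows\SysWOW64\MSDCSC"  # assumed install root for this sample


def parse_drop_rows(text):
    """Return (action, path, process) per row. The process name is the last
    whitespace-separated token; everything between the action and it is the
    path, so a path containing spaces would survive (none occur here)."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        action = next((a for a in ACTIONS if line.startswith(a + " ")), None)
        if action is None:
            raise ValueError(f"unknown row format: {line!r}")
        path, process = line[len(action):].strip().rsplit(" ", 1)
        rows.append((action, path, process))
    return rows


def install_layout(rows):
    """Collapse rows into one record per on-disk artifact. A trailing
    backslash only marks a directory in the sandbox output, so it is dropped
    before grouping."""
    layout = defaultdict(lambda: {"created_by": set(), "touched_by": set()})
    for action, path, process in rows:
        key = path.rstrip("\\")
        bucket = "created_by" if action == "File created" else "touched_by"
        layout[key][bucket].add(process)
    return dict(layout)


def gencode_depth(path, root=INSTALL_ROOT):
    """Number of directory levels below the install root an artifact sits at:
    0 for the first copy, 1 and 2 for the copies nested under the gencode
    folder once and twice."""
    if not path.lower().startswith(root.lower()):
        raise ValueError(f"{path!r} is outside {root!r}")
    parts = [p for p in path[len(root):].split("\\") if p]
    if parts and parts[-1].lower().endswith(".exe"):
        parts.pop()  # count directories only
    return len(parts)


def redirected(path):
    """Where a 32-bit process's write to the system32 folder actually lands on
    64-bit Windows (WOW64 file system redirection). Exempt subfolders such as
    the drivers folder are not modelled."""
    return re.sub(r"(?i)\\system32\\", r"\\SysWOW64\\", path, count=1)


if __name__ == "__main__":
    layout = install_layout(parse_drop_rows(DROP_ROWS))
    for p in sorted(layout, key=gencode_depth):
        print(gencode_depth(p), p, layout[p])
```

Running it shows the layout stops at depth 2: the copies alternate between MSDCSC\Uku7Ze6bP4Ye and MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye rather than nesting without bound, so a hunt can enumerate the three paths directly instead of walking the tree.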
resource | yara_rule
All 45 matches are the rule upx. One is the dropped file behavioral1/files/0x0007000000019261-5.dat; the rest are memory dumps, listed here as behavioral1/memory/<pid>-<dump index>-<range>-memory.dmp:
range 0x0000000000400000-0x00000000004EC000 (the image-base mapping of each process): 2336-0, 2336-13, 2596-14, 2948-30, 2596-27, 2948-41, 1052-42, 880-60, 1052-57, 880-70, 376-72, 376-86, 1400-87, 2488-91, 1400-93, 888-100, 2488-99, 2684-113, 888-111, 2684-127, 2960-130, 2512-142, 2960-141, 2512-156, 2264-157, 2264-169, 968-171, 968-184, 1928-187, 1928-196, 2916-197, 2056-207, 2916-206, 2056-216, 1884-218, 1108-228, 1912-227, 1108-237, 1660-246, 1008-258, 2680-257, 1008-261, 2584-263
range 0x0000000003FE0000-0x00000000040CC000: 1052-53
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (24 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe (23 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe (16 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe (1 row)
All 64 rows open the same key and are grouped by process here. cmd.exe and attrib.exe account for 47 of the 64 opens, so on its own this indicator does not separate the RAT from the system utilities it launches; treat it as supporting context for the MSDCSC process chain rather than as a detection.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token, 23 privileges adjusted | 2336 | f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Token, the same 23 privileges in the same order | 2596 | msdcsc.exe
Token, first 18 of the same list (SeIncreaseQuotaPrivilege through SeManageVolumePrivilege) | 2948 | msdcsc.exe; the table stops here at its 64-row cap
Privileges 33, 34 and 35 are exported by LUID value only. The dropper and the first two msdcsc.exe copies each adjust the whole administrator privilege set, SeDebugPrivilege and SeLoadDriverPrivilege included, which is what an enable-everything AdjustTokenPrivileges loop looks like in a sandbox trace.
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
Every parent/child pair is recorded four times in the report; each pair is listed once here. The last column is the report's own sequential process identifier for the child, not a Windows PID.
PID 2336 wrote to memory of 2360 | 2336 | f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe | 30
PID 2336 wrote to memory of 2692 | 2336 | f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe | 31
PID 2360 wrote to memory of 2764 | 2360 | cmd.exe | 34
PID 2692 wrote to memory of 2848 | 2692 | cmd.exe | 35
PID 2336 wrote to memory of 2596 | 2336 | f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe | 36
PID 2596 wrote to memory of 2452 | 2596 | msdcsc.exe | 37
PID 2596 wrote to memory of 444 | 2596 | msdcsc.exe | 39
PID 2452 wrote to memory of 2552 | 2452 | cmd.exe | 41
PID 444 wrote to memory of 2956 | 444 | cmd.exe | 42
PID 2596 wrote to memory of 2948 | 2596 | msdcsc.exe | 43
PID 2948 wrote to memory of 2184 | 2948 | msdcsc.exe | 44
PID 2948 wrote to memory of 1688 | 2948 | msdcsc.exe | 45
PID 2948 wrote to memory of 1052 | 2948 | msdcsc.exe | 48
PID 1688 wrote to memory of 1944 | 1688 | cmd.exe | 49
PID 2184 wrote to memory of 544 | 2184 | cmd.exe | 50
PID 1052 wrote to memory of 1416 | 1052 | msdcsc.exe | 51
-
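The WriteProcessMemory rows are parent-to-child edges, so the process tree can be rebuilt from them alone. The following is an added example written for this page (not code from the report or the sample): it parses the rows in the raw form the sandbox exports them, collapses the repeated entries into unique edges, and walks parent links to give the lineage of any PID. The rows embedded are copied from the table above, with one duplicate kept to show the de-duplication; the function names are this example's own.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above, in
# the raw form "PID <parent> wrote to memory of <child> <parent> <parent image>
# <report process index>". The report repeats each pair four times; one
# duplicate is kept here on purpose.
WPM_ROWS = """
PID 2336 wrote to memory of 2360 2336 f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe 30
PID 2336 wrote to memory of 2360 2336 f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe 30
PID 2336 wrote to memory of 2692 2336 f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe 31
PID 2360 wrote to memory of 2764 2360 cmd.exe 34
PID 2692 wrote to memory of 2848 2692 cmd.exe 35
PID 2336 wrote to memory of 2596 2336 f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe 36
PID 2596 wrote to memory of 2452 2596 msdcsc.exe 37
PID 2596 wrote to memory of 444 2596 msdcsc.exe 39
PID 2452 wrote to memory of 2552 2452 cmd.exe 41
PID 444 wrote to memory of 2956 444 cmd.exe 42
PID 2596 wrote to memory of 2948 2596 msdcsc.exe 43
PID 2948 wrote to memory of 2184 2948 msdcsc.exe 44
PID 2948 wrote to memory of 1688 2948 msdcsc.exe 45
PID 2948 wrote to memory of 1052 2948 msdcsc.exe 48
PID 1688 wrote to memory of 1944 1688 cmd.exe 49
PID 2184 wrote to memory of 544 2184 cmd.exe 50
PID 1052 wrote to memory of 1416 1052 msdcsc.exe 51
"""

# The parent PID appears twice per row; the back-reference enforces that.
ROW_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<index>\d+)$"
)


def parse_wpm_rows(text):
    """Map (parent_pid, child_pid) -> parent image name. Duplicate rows
    collapse onto the same key, so each edge appears once, in first-seen order."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        edges[(int(m["parent"]), int(m["child"]))] = m["image"]
    return edges


def build_tree(edges):
    """parent pid -> list of child pids, in the order the rows appeared."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    return dict(children)


def lineage(edges, pid):
    """Root-first chain of PIDs from the top of the tree down to pid.
    Raises if a child has two different parents, which would mean a PID was
    reused within the table and the rows need a time column to disambiguate."""
    parent_of = {}
    for parent, child in edges:
        if child in parent_of and parent_of[child] != parent:
            raise ValueError(f"pid {child} has two parents in this table")
        parent_of[child] = parent
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def depth(edges, pid):
    """Nesting level of pid, 1 for the root."""
    return len(lineage(edges, pid))


if __name__ == "__main__":
    edges = parse_wpm_rows(WPM_ROWS)
    for parent, kids in build_tree(edges).items():
        print(parent, edges[(parent, kids[0])], "->", kids)
    print("lineage of 1052:", lineage(edges, 1052))
```

The lineage of 1052 comes out as 2336, 2596, 2948, 1052: dropper, first msdcsc.exe copy, second copy, third copy, which matches the Processes tree further down. PIDs are reused later in this run, so on the full 64-row table the two-parent check in `lineage` is the guard that stops a reused PID from silently stitching two unrelated branches together.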
Views/modifies file attributes 1 TTPs 46 IoCs
pid | Process
46 attrib.exe instances, PIDs in the order the report lists them: 2336, 1788, 1684, 960, 968, 2972, 904, 1944, 572, 2384, 1512, 1760, 2948, 544, 2028, 2120, 2280, 2968, 1996, 1620, 2552, 2060, 1224, 2252, 1760, 1808, 1588, 692, 2864, 1604, 2608, 2728, 2848, 2956, 3004, 1948, 2508, 1108, 1176, 1360, 2764, 2732, 1896, 2288, 2392, 2304
PIDs are recycled during this run: 2336 is both the original sample and a later attrib.exe, 2948 is both a msdcsc.exe copy and an attrib.exe, 1944 is an attrib.exe and a later cmd.exe, and 1760 appears twice in this list alone. Correlate on PID plus process start time, not on PID by itself.
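Two checks a responder would run over the artifacts this report records, as an added example written for this page and not code from the report or from the DarkComet sample. `audit_userinit` splits a Winlogon UserInit value and returns every entry that is not the stock userinit.exe, plus a count of repeated entries, since each msdcsc.exe copy in the tree below is tagged as modifying Winlogon and repeats are therefore expected. `flag_attrib_hide` runs over Sysmon-style process-creation records, flags every attrib.exe that sets both +s and +h, and marks the case where the hidden path is the image of one of attrib's own ancestors, which is exactly what the cmd.exe /k attrib chains under each msdcsc.exe do. The UserInit value and the event records are constructed, modelled on this report; the field names pid, ppid, image and cmdline are assumptions, not a real log schema.

```python
import re

# Stock value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit.
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"


def audit_userinit(value):
    """Return (foreign_entries, duplicate_count) for a UserInit value.
    foreign_entries keeps first-seen order; duplicate_count is how many
    entries repeated an earlier one (compared case-insensitively)."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    seen, foreign, duplicates = set(), [], 0
    for entry in entries:
        key = entry.lower()
        if key in seen:
            duplicates += 1
            continue
        seen.add(key)
        if key != EXPECTED_USERINIT.lower():
            foreign.append(entry)
    return foreign, duplicates


# attrib "<target>" followed by one or more +x/-x switches, as in the tree below.
ATTRIB_RE = re.compile(
    r'attrib\s+"(?P<target>[^"]+)"(?P<flags>(?:\s+[+-][a-zA-Z])+)', re.IGNORECASE
)


def _ancestor_images(events, pid):
    """Lower-cased image paths of pid's parent, grandparent, ... within events."""
    by_pid = {e["pid"]: e for e in events}
    images, cur = [], by_pid.get(pid)
    while cur is not None and cur["ppid"] in by_pid:
        cur = by_pid[cur["ppid"]]
        images.append(cur["image"].lower())
    return images


def flag_attrib_hide(events):
    """One finding per attrib.exe that sets both +s and +h. self_hide is True
    when the hidden path is the image of an ancestor process, i.e. the chain
    is hiding the executable that launched it."""
    findings = []
    for e in events:
        if not e["image"].lower().endswith(r"\attrib.exe"):
            continue
        m = ATTRIB_RE.search(e["cmdline"])
        if not m:
            continue
        flags = {f.lower() for f in re.findall(r"[+-][a-zA-Z]", m["flags"])}
        if not {"+s", "+h"} <= flags:
            continue
        target = m["target"]
        findings.append({
            "pid": e["pid"],
            "target": target,
            "self_hide": target.lower() in _ancestor_images(events, e["pid"]),
        })
    return findings


# Constructed process-creation records modelled on the tree in this report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe"
RAT = r"C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"
CMD, ATTRIB = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\attrib.exe"
EVENTS = [
    {"pid": 2336, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2360, "ppid": 2336, "image": CMD,
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{SAMPLE}" +s +h'},
    {"pid": 2764, "ppid": 2360, "image": ATTRIB, "cmdline": f'attrib "{SAMPLE}" +s +h'},
    {"pid": 2692, "ppid": 2336, "image": CMD,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'},
    {"pid": 2848, "ppid": 2692, "image": ATTRIB,
     "cmdline": r'attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'},
    {"pid": 2596, "ppid": 2336, "image": RAT, "cmdline": f'"{RAT}"'},
    {"pid": 2452, "ppid": 2596, "image": CMD,
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{RAT}" +s +h'},
    {"pid": 2552, "ppid": 2452, "image": ATTRIB, "cmdline": f'attrib "{RAT}" +s +h'},
    # benign: read-only only, must not be flagged
    {"pid": 3100, "ppid": 1000, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib "C:\Users\Admin\notes.txt" +r'},
]


if __name__ == "__main__":
    print(audit_userinit(EXPECTED_USERINIT + "," + RAT + "," + RAT))
    for f in flag_attrib_hide(EVENTS):
        print(f)
```

On the constructed events, attrib PIDs 2764 and 2552 are reported as self-hiding (the dropper and the first msdcsc.exe copy hide their own executables) while 2848, which hides the Temp directory, is flagged without that marker; the read-only attrib is ignored. The ancestor comparison is an exact path match, so when the log records the system32 path a 32-bit process asked for rather than the SysWOW64 path it got, normalise both sides first.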
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2764
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2848
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2552
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2956
-
-
-
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:544
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1944
-
-
-
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h5⤵PID:1416
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:572
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h5⤵PID:1304
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2060
-
-
-
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:880 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h6⤵
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2028
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h6⤵PID:2348
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h7⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2384
-
-
-
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:376 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h7⤵
- System Location Discovery: System Language Discovery
PID:956 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1224
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h7⤵PID:1484
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h8⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1588
-
-
-
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h8⤵
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h9⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2120
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h8⤵
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h9⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3004
-
-
-
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h9⤵PID:1496
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1948
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h9⤵
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1512
-
-
-
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:888 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h10⤵PID:2676
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2336
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h10⤵
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2732
-
-
-
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 10
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2684

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 11
- System Location Discovery: System Language Discovery
PID: 2884

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 12
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID: 2508

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 11
- System Location Discovery: System Language Discovery
PID: 2612

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 12
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID: 2968
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 11
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID: 2960

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 12
PID: 1944

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 13
- Sets file to hidden
- Views/modifies file attributes
PID: 1760

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 12
- System Location Discovery: System Language Discovery
PID: 320

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 13
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 2280
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 12
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2512

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 13
- System Location Discovery: System Language Discovery
PID: 2436

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 14
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID: 1896

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 13
PID: 2152

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 14
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 692
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 13
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2264

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 14
- System Location Discovery: System Language Discovery
PID: 1224

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 15
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 1108

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 14
- System Location Discovery: System Language Discovery
PID: 928

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 15
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID: 1788
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 14
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 968

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 15
PID: 2364

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 16
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID: 2864

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 15
- System Location Discovery: System Language Discovery
PID: 2980

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 16
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 1176
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 15
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1928

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 16
- System Location Discovery: System Language Discovery
PID: 1720

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 17
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID: 1604

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 16
PID: 1724

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 17
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 2728
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 16
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2916

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 17
PID: 2828

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 18
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 1996

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 17
PID: 1716

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 18
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 2252
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 17
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2056

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 18
PID: 1868

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 19
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 1684

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 18
PID: 2628

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 19
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 1760
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 18
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID: 1884

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 19
PID: 2564

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 20
- Sets file to hidden
- Views/modifies file attributes
PID: 2288

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 19
- System Location Discovery: System Language Discovery
PID: 1052

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 20
- Sets file to hidden
- Views/modifies file attributes
PID: 960
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 19
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID: 1912

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 20
PID: 2456

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 21
- Sets file to hidden
- Views/modifies file attributes
PID: 1808

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 20
PID: 2096

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 21
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 1620
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 20
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1108

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 21
PID: 2744

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 22
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID: 1360

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 21
- System Location Discovery: System Language Discovery
PID: 2176

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 22
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID: 968
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 21
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID: 1660

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 22
PID: 2720

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 23
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 2972

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 22
PID: 2248

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 23
- Sets file to hidden
- Views/modifies file attributes
PID: 904
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 22
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID: 2680

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 23
- System Location Discovery: System Language Discovery
PID: 2192

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 24
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 2948

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 23
PID: 2968

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
Process tree level: 24
- Sets file to hidden
- Views/modifies file attributes
PID: 2608
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 23
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1008

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 24
- System Location Discovery: System Language Discovery
PID: 332

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
Process tree level: 25
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID: 2392

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 24
- System Location Discovery: System Language Discovery
PID: 876

C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
Process tree level: 25
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 2304
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
Process tree level: 24
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2584
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (2)
Downloads
Filesize: 351KB
MD5: f0fbcf1170872bbe1ed04d118bc59a24
SHA1: 3ce2e875b4a2c8f7315303c2b74f1ad593de681e
SHA256: bc53a12b9f9b91b8b559e5725a35f0570cc9e00b28c0e317efd22da0fb202292
SHA512: 90b6f08cfab9e4971bca771dc8156a473d4ca7b475d1f6fc270b1ad86cdf04642d2c8124f84bb1f4bd94c830b31fdff33f986133bbe38b49882f14bd6f3ef84d