Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-12-2024 22:22
Behavioral task: behavioral1
Sample: f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe
Size: 351KB
MD5: f0fbcf1170872bbe1ed04d118bc59a24
SHA1: 3ce2e875b4a2c8f7315303c2b74f1ad593de681e
SHA256: bc53a12b9f9b91b8b559e5725a35f0570cc9e00b28c0e317efd22da0fb202292
SHA512: 90b6f08cfab9e4971bca771dc8156a473d4ca7b475d1f6fc270b1ad86cdf04642d2c8124f84bb1f4bd94c830b31fdff33f986133bbe38b49882f14bd6f3ef84d
SSDEEP: 6144:5D7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZBgaPlbL:5l8E4w5huat7UovONzbXw
Malware Config
Extracted
Family: darkcomet
Botnet: 1221
C2: alexondutyshack.no-ip.org:1604
C2: alexondutyshack.no-ip.org:8080
C2: alexondutyshack.no-ip.org:5147
Mutex: DC_MUTEX-1118UEH
Attributes:
InstallPath: MSDCSC\msdcsc.exe
gencode: Uku7Ze6bP4Ye
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures
Darkcomet family
Modifies WinLogon for persistence (2 TTPs, 24 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" msdcsc.exe -
Sets file to hidden (1 TTPs, 46 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid (all attrib.exe): 1064, 3488, 1328, 3852, 1192, 5032, 4528, 1392, 3052, 3112, 4380, 1772, 536, 1784, 4408, 3956, 1292, 3832, 2928, 2104, 1724, 684, 1396, 468, 2488, 4012, 5104, 464, 2096, 4876, 2240, 2104, 2240, 3492, 2684, 3496, 3076, 2060, 2332, 180, 3776, 3780, 4980, 4964, 5060, 812
Checks computer location settings (2 TTPs, 23 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | msdcsc.exe (19 entries)
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe (1 entry)
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | msdcsc.exe (3 entries)
Executes dropped EXE (23 IoCs)
pid (all msdcsc.exe): 4564, 3488, 556, 3592, 3512, 3332, 4324, 2292, 2844, 2684, 928, 2252, 1020, 2704, 2016, 4004, 1908, 2700, 2276, 2732, 2720, 3640, 2296
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Uku7Ze6bP4Ye\\Uku7Ze6bP4Ye\\msdcsc.exe" | msdcsc.exe
Drops file in System32 directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 23 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Views/modifies file attributes 1 TTPs 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\f0fbcf1170872bbe1ed04d118bc59a24_JaffaCakes118.exe" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4980
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1396
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:536
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h3⤵
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1292
-
-
-
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4964
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h5⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3832
-
-
-
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h5⤵
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:468
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h5⤵
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1064
-
-
-
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h6⤵
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3112
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h6⤵PID:1096
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h7⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2104
-
-
-
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe (level 6)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3512

C:\Windows\SysWOW64\cmd.exe (level 7)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
PID:1864

C:\Windows\SysWOW64\attrib.exe (level 8)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2488

C:\Windows\SysWOW64\cmd.exe (level 7)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
- System Location Discovery: System Language Discovery
PID:4440

C:\Windows\SysWOW64\attrib.exe (level 8)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4012
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe (level 7)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3332

C:\Windows\SysWOW64\cmd.exe (level 8)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
PID:1056

C:\Windows\SysWOW64\attrib.exe (level 9)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1784

C:\Windows\SysWOW64\cmd.exe (level 8)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
PID:1960

C:\Windows\SysWOW64\attrib.exe (level 9)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- Views/modifies file attributes
PID:2928
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe (level 8)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:4324

C:\Windows\SysWOW64\cmd.exe (level 9)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- System Location Discovery: System Language Discovery
PID:1116

C:\Windows\SysWOW64\attrib.exe (level 10)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3488

C:\Windows\SysWOW64\cmd.exe (level 9)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
PID:3848

C:\Windows\SysWOW64\attrib.exe (level 10)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5104
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe (level 9)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2292

C:\Windows\SysWOW64\cmd.exe (level 10)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- System Location Discovery: System Language Discovery
PID:3504

C:\Windows\SysWOW64\attrib.exe (level 11)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4408

C:\Windows\SysWOW64\cmd.exe (level 10)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- System Location Discovery: System Language Discovery
PID:2344

C:\Windows\SysWOW64\attrib.exe (level 11)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:464
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe (level 10)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2844

C:\Windows\SysWOW64\cmd.exe (level 11)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- System Location Discovery: System Language Discovery
PID:3824

C:\Windows\SysWOW64\attrib.exe (level 12)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2240

C:\Windows\SysWOW64\cmd.exe (level 11)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
PID:3292

C:\Windows\SysWOW64\attrib.exe (level 12)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- Views/modifies file attributes
PID:2096
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe (level 11)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2684

C:\Windows\SysWOW64\cmd.exe (level 12)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
PID:1008

C:\Windows\SysWOW64\attrib.exe (level 13)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5060

C:\Windows\SysWOW64\cmd.exe (level 12)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- System Location Discovery: System Language Discovery
PID:3280

C:\Windows\SysWOW64\attrib.exe (level 13)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3956
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe (level 12)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:928

C:\Windows\SysWOW64\cmd.exe (level 13)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- System Location Discovery: System Language Discovery
PID:3636

C:\Windows\SysWOW64\attrib.exe (level 14)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2104

C:\Windows\SysWOW64\cmd.exe (level 13)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
- System Location Discovery: System Language Discovery
PID:1828

C:\Windows\SysWOW64\attrib.exe (level 14)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3492
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe (level 13)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2252

C:\Windows\SysWOW64\cmd.exe (level 14)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- System Location Discovery: System Language Discovery
PID:4232

C:\Windows\SysWOW64\attrib.exe (level 15)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2684

C:\Windows\SysWOW64\cmd.exe (level 14)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- System Location Discovery: System Language Discovery
PID:3296

C:\Windows\SysWOW64\attrib.exe (level 15)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1724
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe (level 14)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1020

C:\Windows\SysWOW64\cmd.exe (level 15)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- System Location Discovery: System Language Discovery
PID:3100

C:\Windows\SysWOW64\attrib.exe (level 16)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- Views/modifies file attributes
PID:812

C:\Windows\SysWOW64\cmd.exe (level 15)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
- System Location Discovery: System Language Discovery
PID:3612

C:\Windows\SysWOW64\attrib.exe (level 16)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2332
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe (level 15)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2704

C:\Windows\SysWOW64\cmd.exe (level 16)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- System Location Discovery: System Language Discovery
PID:916

C:\Windows\SysWOW64\attrib.exe (level 17)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- Views/modifies file attributes
PID:1328

C:\Windows\SysWOW64\cmd.exe (level 16)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- System Location Discovery: System Language Discovery
PID:2224

C:\Windows\SysWOW64\attrib.exe (level 17)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4380
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe (level 16)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2016

C:\Windows\SysWOW64\cmd.exe (level 17)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
PID:2416

C:\Windows\SysWOW64\attrib.exe (level 18)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- Views/modifies file attributes
PID:1772

C:\Windows\SysWOW64\cmd.exe (level 17)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
PID:1048

C:\Windows\SysWOW64\attrib.exe (level 18)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3496
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe (level 17)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4004

C:\Windows\SysWOW64\cmd.exe (level 18)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
PID:4660

C:\Windows\SysWOW64\attrib.exe (level 19)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3076

C:\Windows\SysWOW64\cmd.exe (level 18)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- System Location Discovery: System Language Discovery
PID:2184

C:\Windows\SysWOW64\attrib.exe (level 19)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- Views/modifies file attributes
PID:180
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe (level 18)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1908

C:\Windows\SysWOW64\cmd.exe (level 19)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
PID:4952

C:\Windows\SysWOW64\attrib.exe (level 20)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3852

C:\Windows\SysWOW64\cmd.exe (level 19)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
PID:3496

C:\Windows\SysWOW64\attrib.exe (level 20)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:684
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe (level 19)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2700

C:\Windows\SysWOW64\cmd.exe (level 20)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- System Location Discovery: System Language Discovery
PID:1556

C:\Windows\SysWOW64\attrib.exe (level 21)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4876

C:\Windows\SysWOW64\cmd.exe (level 20)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
PID:664

C:\Windows\SysWOW64\attrib.exe (level 21)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3776
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe (level 20)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2276

C:\Windows\SysWOW64\cmd.exe (level 21)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- System Location Discovery: System Language Discovery
PID:1992

C:\Windows\SysWOW64\attrib.exe (level 22)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2060

C:\Windows\SysWOW64\cmd.exe (level 21)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
PID:368

C:\Windows\SysWOW64\attrib.exe (level 22)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3780
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe (level 21)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2732

C:\Windows\SysWOW64\cmd.exe (level 22)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
PID:2072

C:\Windows\SysWOW64\attrib.exe (level 23)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1192

C:\Windows\SysWOW64\cmd.exe (level 22)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- System Location Discovery: System Language Discovery
PID:4380

C:\Windows\SysWOW64\attrib.exe (level 23)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5032
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe (level 22)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2720

C:\Windows\SysWOW64\cmd.exe (level 23)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- System Location Discovery: System Language Discovery
PID:2304

C:\Windows\SysWOW64\attrib.exe (level 24)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- Views/modifies file attributes
PID:4528

C:\Windows\SysWOW64\cmd.exe (level 23)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
- System Location Discovery: System Language Discovery
PID:1328

C:\Windows\SysWOW64\attrib.exe (level 24)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1392
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe (level 23)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3640

C:\Windows\SysWOW64\cmd.exe (level 24)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- System Location Discovery: System Language Discovery
PID:1192

C:\Windows\SysWOW64\attrib.exe (level 25)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3052

C:\Windows\SysWOW64\cmd.exe (level 24)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- System Location Discovery: System Language Discovery
PID:3624

C:\Windows\SysWOW64\attrib.exe (level 25)
attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2240
C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe (level 24)
"C:\Windows\system32\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2296

C:\Windows\SysWOW64\cmd.exe (level 25)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye\msdcsc.exe" +s +h
PID:1616

C:\Windows\SysWOW64\cmd.exe (level 25)
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Uku7Ze6bP4Ye\Uku7Ze6bP4Ye" +s +h
PID:2924
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (2)
Downloads
-
Filesize
351KB
-
MD5
f0fbcf1170872bbe1ed04d118bc59a24
-
SHA1
3ce2e875b4a2c8f7315303c2b74f1ad593de681e
-
SHA256
bc53a12b9f9b91b8b559e5725a35f0570cc9e00b28c0e317efd22da0fb202292
-
SHA512
90b6f08cfab9e4971bca771dc8156a473d4ca7b475d1f6fc270b1ad86cdf04642d2c8124f84bb1f4bd94c830b31fdff33f986133bbe38b49882f14bd6f3ef84d