darkcomet | 45d59275a88878dc40fb0940044acb9c1ef65adfaab39431327b106f31bccb63

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Size

691KB
MD5

0357870e7612851c5999f99a45c70a4f
SHA1

33c20db77f4af7509849e3655f5c711a0ccae0c6
SHA256

45d59275a88878dc40fb0940044acb9c1ef65adfaab39431327b106f31bccb63
SHA512

e6d35b3391ce52f63873d6abd3d904b60d951230d2b87010eafdd10937684ba4c3bc1a7020e9405d09c905004580ea18a3ea1c812c6b7e415cb18334362c1c83
SSDEEP

12288:SAwoSSn3Qx8bLHUG9KRvnt5jeYTZ2AF33HTcywyKhrwYJRF/NcFpBadUnw:Sw3/9yt5PBIh3qYfF/NcFudf

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msdcsc.exe

Executes dropped EXE 46 IoCs

pid	Process
5040	msdcsc.exe
4504	msdcsc.exe
4916	msdcsc.exe
4384	msdcsc.exe
3720	msdcsc.exe
3852	msdcsc.exe
3992	msdcsc.exe
3904	msdcsc.exe
2984	msdcsc.exe
4720	msdcsc.exe
4612	msdcsc.exe
1848	msdcsc.exe
1720	msdcsc.exe
4844	msdcsc.exe
4124	msdcsc.exe
2112	msdcsc.exe
1044	msdcsc.exe
2624	msdcsc.exe
3328	msdcsc.exe
1436	msdcsc.exe
4212	msdcsc.exe
1088	msdcsc.exe
3632	msdcsc.exe
5040	msdcsc.exe
1964	msdcsc.exe
1652	msdcsc.exe
3264	msdcsc.exe
2716	msdcsc.exe
1096	msdcsc.exe
1356	msdcsc.exe
3992	msdcsc.exe
4324	msdcsc.exe
4456	msdcsc.exe
3652	msdcsc.exe
1320	msdcsc.exe
2224	msdcsc.exe
4880	msdcsc.exe
32	msdcsc.exe
3556	msdcsc.exe
752	msdcsc.exe
1072	msdcsc.exe
1904	msdcsc.exe
2300	msdcsc.exe
3856	msdcsc.exe
4752	msdcsc.exe
4356	msdcsc.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe

Suspicious use of SetThreadContext 32 IoCs

description	pid	Process	procid_target
PID 3260 set thread context of 2452	3260	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	87
PID 2452 set thread context of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 5040 set thread context of 4504	5040	msdcsc.exe	92
PID 4504 set thread context of 4916	4504	msdcsc.exe	93
PID 4384 set thread context of 3720	4384	msdcsc.exe	95
PID 3720 set thread context of 3852	3720	msdcsc.exe	96
PID 3992 set thread context of 3904	3992	msdcsc.exe	100
PID 3904 set thread context of 2984	3904	msdcsc.exe	101
PID 4720 set thread context of 4612	4720	msdcsc.exe	103
PID 4612 set thread context of 1848	4612	msdcsc.exe	104
PID 1720 set thread context of 4844	1720	msdcsc.exe	106
PID 4844 set thread context of 4124	4844	msdcsc.exe	107
PID 2112 set thread context of 1044	2112	msdcsc.exe	109
PID 1044 set thread context of 2624	1044	msdcsc.exe	110
PID 3328 set thread context of 1436	3328	msdcsc.exe	112
PID 1436 set thread context of 4212	1436	msdcsc.exe	113
PID 1088 set thread context of 3632	1088	msdcsc.exe	115
PID 3632 set thread context of 5040	3632	msdcsc.exe	116
PID 1964 set thread context of 1652	1964	msdcsc.exe	118
PID 1652 set thread context of 3264	1652	msdcsc.exe	119
PID 2716 set thread context of 1096	2716	msdcsc.exe	121
PID 1096 set thread context of 1356	1096	msdcsc.exe	122
PID 3992 set thread context of 4324	3992	msdcsc.exe	124
PID 4324 set thread context of 4456	4324	msdcsc.exe	125
PID 3652 set thread context of 1320	3652	msdcsc.exe	127
PID 1320 set thread context of 2224	1320	msdcsc.exe	128
PID 4880 set thread context of 32	4880	msdcsc.exe	130
PID 32 set thread context of 3556	32	msdcsc.exe	131
PID 752 set thread context of 1072	752	msdcsc.exe	133
PID 1072 set thread context of 1904	1072	msdcsc.exe	134
PID 2300 set thread context of 3856	2300	msdcsc.exe	136
PID 3856 set thread context of 4752	3856	msdcsc.exe	137

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2452-3-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/2452-5-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/2452-8-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/2452-16-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4504-86-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4504-87-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4504-98-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3720-117-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3904-134-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4612-156-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4844-176-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1044-196-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1436-214-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3632-224-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3632-233-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1652-251-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1096-270-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4324-290-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1320-309-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/32-329-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1072-348-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3856-367-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeSecurityPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeTakeOwnershipPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeLoadDriverPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeSystemProfilePrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeSystemtimePrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeProfSingleProcessPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeIncBasePriorityPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeCreatePagefilePrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeBackupPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeRestorePrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeShutdownPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeDebugPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeSystemEnvironmentPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeChangeNotifyPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeRemoteShutdownPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeUndockPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeManageVolumePrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeImpersonatePrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeCreateGlobalPrivilege	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: 33	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: 34	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: 35	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: 36	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
Token: SeIncreaseQuotaPrivilege	4916	msdcsc.exe
Token: SeSecurityPrivilege	4916	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4916	msdcsc.exe
Token: SeLoadDriverPrivilege	4916	msdcsc.exe
Token: SeSystemProfilePrivilege	4916	msdcsc.exe
Token: SeSystemtimePrivilege	4916	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4916	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4916	msdcsc.exe
Token: SeCreatePagefilePrivilege	4916	msdcsc.exe
Token: SeBackupPrivilege	4916	msdcsc.exe
Token: SeRestorePrivilege	4916	msdcsc.exe
Token: SeShutdownPrivilege	4916	msdcsc.exe
Token: SeDebugPrivilege	4916	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4916	msdcsc.exe
Token: SeChangeNotifyPrivilege	4916	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4916	msdcsc.exe
Token: SeUndockPrivilege	4916	msdcsc.exe
Token: SeManageVolumePrivilege	4916	msdcsc.exe
Token: SeImpersonatePrivilege	4916	msdcsc.exe
Token: SeCreateGlobalPrivilege	4916	msdcsc.exe
Token: 33	4916	msdcsc.exe
Token: 34	4916	msdcsc.exe
Token: 35	4916	msdcsc.exe
Token: 36	4916	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	3852	msdcsc.exe
Token: SeSecurityPrivilege	3852	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3852	msdcsc.exe
Token: SeLoadDriverPrivilege	3852	msdcsc.exe
Token: SeSystemProfilePrivilege	3852	msdcsc.exe
Token: SeSystemtimePrivilege	3852	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3852	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3852	msdcsc.exe
Token: SeCreatePagefilePrivilege	3852	msdcsc.exe
Token: SeBackupPrivilege	3852	msdcsc.exe
Token: SeRestorePrivilege	3852	msdcsc.exe
Token: SeShutdownPrivilege	3852	msdcsc.exe
Token: SeDebugPrivilege	3852	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3852	msdcsc.exe
Token: SeChangeNotifyPrivilege	3852	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3852	msdcsc.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
3260	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
5040	msdcsc.exe
4504	msdcsc.exe
4384	msdcsc.exe
3720	msdcsc.exe
3992	msdcsc.exe
3904	msdcsc.exe
4720	msdcsc.exe
4612	msdcsc.exe
1720	msdcsc.exe
4844	msdcsc.exe
2112	msdcsc.exe
1044	msdcsc.exe
3328	msdcsc.exe
1436	msdcsc.exe
1088	msdcsc.exe
3632	msdcsc.exe
1964	msdcsc.exe
1652	msdcsc.exe
2716	msdcsc.exe
1096	msdcsc.exe
3992	msdcsc.exe
4324	msdcsc.exe
3652	msdcsc.exe
1320	msdcsc.exe
4880	msdcsc.exe
32	msdcsc.exe
752	msdcsc.exe
1072	msdcsc.exe
2300	msdcsc.exe
3856	msdcsc.exe
4356	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 2452	3260	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	87
PID 3260 wrote to memory of 2452	3260	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	87
PID 3260 wrote to memory of 2452	3260	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	87
PID 3260 wrote to memory of 2452	3260	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	87
PID 3260 wrote to memory of 2452	3260	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	87
PID 3260 wrote to memory of 2452	3260	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	87
PID 3260 wrote to memory of 2452	3260	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	87
PID 3260 wrote to memory of 2452	3260	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	87
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2452 wrote to memory of 2672	2452	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	88
PID 2672 wrote to memory of 5040	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	89
PID 2672 wrote to memory of 5040	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	89
PID 2672 wrote to memory of 5040	2672	JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe	89
PID 5040 wrote to memory of 4504	5040	msdcsc.exe	92
PID 5040 wrote to memory of 4504	5040	msdcsc.exe	92
PID 5040 wrote to memory of 4504	5040	msdcsc.exe	92
PID 5040 wrote to memory of 4504	5040	msdcsc.exe	92
PID 5040 wrote to memory of 4504	5040	msdcsc.exe	92
PID 5040 wrote to memory of 4504	5040	msdcsc.exe	92
PID 5040 wrote to memory of 4504	5040	msdcsc.exe	92
PID 5040 wrote to memory of 4504	5040	msdcsc.exe	92
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4504 wrote to memory of 4916	4504	msdcsc.exe	93
PID 4916 wrote to memory of 4384	4916	msdcsc.exe	94
PID 4916 wrote to memory of 4384	4916	msdcsc.exe	94
PID 4916 wrote to memory of 4384	4916	msdcsc.exe	94
PID 4384 wrote to memory of 3720	4384	msdcsc.exe	95
PID 4384 wrote to memory of 3720	4384	msdcsc.exe	95
PID 4384 wrote to memory of 3720	4384	msdcsc.exe	95
PID 4384 wrote to memory of 3720	4384	msdcsc.exe	95
PID 4384 wrote to memory of 3720	4384	msdcsc.exe	95
PID 4384 wrote to memory of 3720	4384	msdcsc.exe	95
PID 4384 wrote to memory of 3720	4384	msdcsc.exe	95
PID 4384 wrote to memory of 3720	4384	msdcsc.exe	95
PID 3720 wrote to memory of 3852	3720	msdcsc.exe	96
PID 3720 wrote to memory of 3852	3720	msdcsc.exe	96
PID 3720 wrote to memory of 3852	3720	msdcsc.exe	96
PID 3720 wrote to memory of 3852	3720	msdcsc.exe	96
PID 3720 wrote to memory of 3852	3720	msdcsc.exe	96
PID 3720 wrote to memory of 3852	3720	msdcsc.exe	96

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0357870e7612851c5999f99a45c70a4f.exe
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      "C:\Windows\system32\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        9⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3852
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3992
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3904
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        12⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4720
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4612
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        15⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4844
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        18⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        21⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3328
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        24⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3632
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        27⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        30⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1096
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        33⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3992
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        36⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3652
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        39⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4880
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:32
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        42⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        45⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3856
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        48⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
691KB

MD5
0357870e7612851c5999f99a45c70a4f

SHA1
33c20db77f4af7509849e3655f5c711a0ccae0c6

SHA256
45d59275a88878dc40fb0940044acb9c1ef65adfaab39431327b106f31bccb63

SHA512
e6d35b3391ce52f63873d6abd3d904b60d951230d2b87010eafdd10937684ba4c3bc1a7020e9405d09c905004580ea18a3ea1c812c6b7e415cb18334362c1c83

Download Submit
memory/32-329-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/752-340-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1044-196-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1072-348-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1088-228-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1096-270-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1320-309-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1436-214-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1652-251-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1720-170-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1720-166-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1848-158-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1964-243-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2112-187-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2300-358-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2452-16-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2452-3-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2452-5-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2452-8-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2672-15-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2672-79-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2672-18-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2672-17-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2672-14-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2672-13-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2716-262-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2984-133-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2984-136-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3260-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3260-12-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3260-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3328-206-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3632-224-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3632-233-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3652-302-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3720-117-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3720-115-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/3852-114-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3852-119-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3856-367-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3904-134-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3992-128-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3992-283-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4124-179-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4324-290-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4384-108-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4504-86-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4504-87-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4504-98-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4612-156-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4720-144-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4720-147-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4720-139-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4844-176-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4880-313-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4880-321-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4916-95-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4916-96-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4916-99-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/5040-88-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads