asyncrat | 5e95ac29974541f3cf409d7ca483033c991e644b04f8d2dba7c2e08941511a22

Analysis

max time kernel
54s
max time network
60s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
20/04/2025, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file2.exe
Size

968KB
MD5

8e8c0b5bf7b262756a59095da213ee90
SHA1

e3a84452231879057925e565a2f6592cb8e2ebdd
SHA256

047ab1b39a89a4bf9cb51c810dc7a4d62e3f848df566ec9884393c60d0988039
SHA512

1bde8ffa4fea4539ff889ce0625eb0caed5250881eb8f56456cc092610550948552ecdff0c3c786df97e592399fc3084c4e0fa798cb916860349fbbe5a5c38db
SSDEEP

24576:43Z1xuVVjfFoynPaVBUR8f+kN10EB4gGApfkxI:4pQDgok30JjAL

Score

10^/10

asyncrat darkcomet nanocore default guest16 defense_evasion discovery keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

jvjv2044duck33.duckdns.org:8808

Mutex

0fC8zJGwBBNm

Attributes

delay
3
install
true
install_file
csrss.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

Guest16

jvjv2044duck33.duckdns.org:1604

Mutex

DC_MUTEX-VSPAW1U

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
WsSXJDBChA4p
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	VLC MEDIA PLAYE.EXE

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral4/files/0x001d00000002b191-15.dat	family_asyncrat

Disables Task Manager via registry modification
defense_evasion

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4772	attrib.exe
3708	attrib.exe

Executes dropped EXE 14 IoCs

pid	Process
2452	VLC MEDIA PLAYE.EXE
1988	WINDOWS DEFENDER.EXE
4084	WINDOWS SECURITY NANO.EXE
4956	msdcsc.exe
5652	msdcsc.exe
2212	msdcsc.exe
4088	csrss.exe
724	msdcsc.exe
5332	msdcsc.exe
2696	msdcsc.exe
4676	msdcsc.exe
1308	msdcsc.exe
5924	msdcsc.exe
3704	msdcsc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	VLC MEDIA PLAYE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe"	WINDOWS SECURITY NANO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WINDOWS SECURITY NANO.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TCP Subsystem\tcpss.exe	WINDOWS SECURITY NANO.EXE
File opened for modification	C:\Program Files (x86)\TCP Subsystem\tcpss.exe	WINDOWS SECURITY NANO.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDOWS SECURITY NANO.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VLC MEDIA PLAYE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDOWS DEFENDER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2864	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	VLC MEDIA PLAYE.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
1988	WINDOWS DEFENDER.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE
4084	WINDOWS SECURITY NANO.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4084	WINDOWS SECURITY NANO.EXE
4956	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeSecurityPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeTakeOwnershipPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeLoadDriverPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeSystemProfilePrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeSystemtimePrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeProfSingleProcessPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeIncBasePriorityPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeCreatePagefilePrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeBackupPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeRestorePrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeShutdownPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeDebugPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeSystemEnvironmentPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeChangeNotifyPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeRemoteShutdownPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeUndockPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeManageVolumePrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeImpersonatePrivilege	2452	VLC MEDIA PLAYE.EXE
Token: SeCreateGlobalPrivilege	2452	VLC MEDIA PLAYE.EXE
Token: 33	2452	VLC MEDIA PLAYE.EXE
Token: 34	2452	VLC MEDIA PLAYE.EXE
Token: 35	2452	VLC MEDIA PLAYE.EXE
Token: 36	2452	VLC MEDIA PLAYE.EXE
Token: SeIncreaseQuotaPrivilege	4956	msdcsc.exe
Token: SeSecurityPrivilege	4956	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4956	msdcsc.exe
Token: SeLoadDriverPrivilege	4956	msdcsc.exe
Token: SeSystemProfilePrivilege	4956	msdcsc.exe
Token: SeSystemtimePrivilege	4956	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4956	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4956	msdcsc.exe
Token: SeCreatePagefilePrivilege	4956	msdcsc.exe
Token: SeBackupPrivilege	4956	msdcsc.exe
Token: SeRestorePrivilege	4956	msdcsc.exe
Token: SeShutdownPrivilege	4956	msdcsc.exe
Token: SeDebugPrivilege	4956	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4956	msdcsc.exe
Token: SeChangeNotifyPrivilege	4956	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4956	msdcsc.exe
Token: SeUndockPrivilege	4956	msdcsc.exe
Token: SeManageVolumePrivilege	4956	msdcsc.exe
Token: SeImpersonatePrivilege	4956	msdcsc.exe
Token: SeCreateGlobalPrivilege	4956	msdcsc.exe
Token: 33	4956	msdcsc.exe
Token: 34	4956	msdcsc.exe
Token: 35	4956	msdcsc.exe
Token: 36	4956	msdcsc.exe
Token: SeDebugPrivilege	4084	WINDOWS SECURITY NANO.EXE
Token: SeIncreaseQuotaPrivilege	5652	msdcsc.exe
Token: SeSecurityPrivilege	5652	msdcsc.exe
Token: SeTakeOwnershipPrivilege	5652	msdcsc.exe
Token: SeLoadDriverPrivilege	5652	msdcsc.exe
Token: SeSystemProfilePrivilege	5652	msdcsc.exe
Token: SeSystemtimePrivilege	5652	msdcsc.exe
Token: SeProfSingleProcessPrivilege	5652	msdcsc.exe
Token: SeIncBasePriorityPrivilege	5652	msdcsc.exe
Token: SeCreatePagefilePrivilege	5652	msdcsc.exe
Token: SeBackupPrivilege	5652	msdcsc.exe
Token: SeRestorePrivilege	5652	msdcsc.exe
Token: SeShutdownPrivilege	5652	msdcsc.exe
Token: SeDebugPrivilege	5652	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	5652	msdcsc.exe
Token: SeChangeNotifyPrivilege	5652	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4956	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2452	2920	file2.exe	78
PID 2920 wrote to memory of 2452	2920	file2.exe	78
PID 2920 wrote to memory of 2452	2920	file2.exe	78
PID 2920 wrote to memory of 1988	2920	file2.exe	79
PID 2920 wrote to memory of 1988	2920	file2.exe	79
PID 2920 wrote to memory of 1988	2920	file2.exe	79
PID 2920 wrote to memory of 4084	2920	file2.exe	80
PID 2920 wrote to memory of 4084	2920	file2.exe	80
PID 2920 wrote to memory of 4084	2920	file2.exe	80
PID 2452 wrote to memory of 1048	2452	VLC MEDIA PLAYE.EXE	83
PID 2452 wrote to memory of 1048	2452	VLC MEDIA PLAYE.EXE	83
PID 2452 wrote to memory of 1048	2452	VLC MEDIA PLAYE.EXE	83
PID 2452 wrote to memory of 4472	2452	VLC MEDIA PLAYE.EXE	85
PID 2452 wrote to memory of 4472	2452	VLC MEDIA PLAYE.EXE	85
PID 2452 wrote to memory of 4472	2452	VLC MEDIA PLAYE.EXE	85
PID 2324 wrote to memory of 4956	2324	cmd.exe	86
PID 2324 wrote to memory of 4956	2324	cmd.exe	86
PID 2324 wrote to memory of 4956	2324	cmd.exe	86
PID 1048 wrote to memory of 4772	1048	cmd.exe	90
PID 1048 wrote to memory of 4772	1048	cmd.exe	90
PID 1048 wrote to memory of 4772	1048	cmd.exe	90
PID 2640 wrote to memory of 5652	2640	cmd.exe	93
PID 2640 wrote to memory of 5652	2640	cmd.exe	93
PID 2640 wrote to memory of 5652	2640	cmd.exe	93
PID 4472 wrote to memory of 3708	4472	cmd.exe	94
PID 4472 wrote to memory of 3708	4472	cmd.exe	94
PID 4472 wrote to memory of 3708	4472	cmd.exe	94
PID 2452 wrote to memory of 2212	2452	VLC MEDIA PLAYE.EXE	95
PID 2452 wrote to memory of 2212	2452	VLC MEDIA PLAYE.EXE	95
PID 2452 wrote to memory of 2212	2452	VLC MEDIA PLAYE.EXE	95
PID 1988 wrote to memory of 5372	1988	WINDOWS DEFENDER.EXE	96
PID 1988 wrote to memory of 5372	1988	WINDOWS DEFENDER.EXE	96
PID 1988 wrote to memory of 5372	1988	WINDOWS DEFENDER.EXE	96
PID 1988 wrote to memory of 3824	1988	WINDOWS DEFENDER.EXE	98
PID 1988 wrote to memory of 3824	1988	WINDOWS DEFENDER.EXE	98
PID 1988 wrote to memory of 3824	1988	WINDOWS DEFENDER.EXE	98
PID 3824 wrote to memory of 2864	3824	cmd.exe	100
PID 3824 wrote to memory of 2864	3824	cmd.exe	100
PID 3824 wrote to memory of 2864	3824	cmd.exe	100
PID 5372 wrote to memory of 2128	5372	cmd.exe	101
PID 5372 wrote to memory of 2128	5372	cmd.exe	101
PID 5372 wrote to memory of 2128	5372	cmd.exe	101
PID 3824 wrote to memory of 4088	3824	cmd.exe	102
PID 3824 wrote to memory of 4088	3824	cmd.exe	102
PID 3824 wrote to memory of 4088	3824	cmd.exe	102
PID 4728 wrote to memory of 724	4728	cmd.exe	105
PID 4728 wrote to memory of 724	4728	cmd.exe	105
PID 4728 wrote to memory of 724	4728	cmd.exe	105
PID 4292 wrote to memory of 5332	4292	cmd.exe	108
PID 4292 wrote to memory of 5332	4292	cmd.exe	108
PID 4292 wrote to memory of 5332	4292	cmd.exe	108
PID 244 wrote to memory of 2696	244	cmd.exe	111
PID 244 wrote to memory of 2696	244	cmd.exe	111
PID 244 wrote to memory of 2696	244	cmd.exe	111
PID 2124 wrote to memory of 4676	2124	cmd.exe	114
PID 2124 wrote to memory of 4676	2124	cmd.exe	114
PID 2124 wrote to memory of 4676	2124	cmd.exe	114
PID 4784 wrote to memory of 1308	4784	cmd.exe	117
PID 4784 wrote to memory of 1308	4784	cmd.exe	117
PID 4784 wrote to memory of 1308	4784	cmd.exe	117
PID 3236 wrote to memory of 5924	3236	cmd.exe	120
PID 3236 wrote to memory of 5924	3236	cmd.exe	120
PID 3236 wrote to memory of 5924	3236	cmd.exe	120
PID 664 wrote to memory of 3704	664	cmd.exe	123

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4772	attrib.exe
3708	attrib.exe

C:\Users\Admin\AppData\Local\Temp\file2.exe
"C:\Users\Admin\AppData\Local\Temp\file2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Roaming\VLC MEDIA PLAYE.EXE
  "C:\Users\Admin\AppData\Roaming\VLC MEDIA PLAYE.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\VLC MEDIA PLAYE.EXE" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Roaming\VLC MEDIA PLAYE.EXE" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Roaming" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3708
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2212
- C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDER.EXE
  "C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDER.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5372
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7119.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2864
  - - C:\Users\Admin\AppData\Roaming\csrss.exe
      "C:\Users\Admin\AppData\Roaming\csrss.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4088
- C:\Users\Admin\AppData\Roaming\WINDOWS SECURITY NANO.EXE
  "C:\Users\Admin\AppData\Roaming\WINDOWS SECURITY NANO.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\TCP Subsystem\tcpss.exe
1⤵
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:244
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:664
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3704

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7119.tmp.bat

Filesize
149B

MD5
536ccc870110981dfa7656c285a96053

SHA1
3d63d8bb9d5d05fc00f216faf7f9e432da3c4627

SHA256
56617728780784c65236c331de86d49c5a235db5b3b99758cbdc28f1e7d80725

SHA512
2f772179855522b58dfce719eb56edfe4ab84f19683b8e23df674fc285c265ba6dbeb5b7f096d1a239b0fa98a1d53ff4d2e39eecea21fabdc4018859fe7dc707

Download Submit
C:\Users\Admin\AppData\Roaming\VLC MEDIA PLAYE.EXE

Filesize
658KB

MD5
de8155dd13365377edb85032384b10cb

SHA1
cb23083134afbf04d2fda5981cf4ac05b65afe86

SHA256
ad4b6815581ce764ee631e5d2cc588fe0b5bb607de8499d21316544940db224b

SHA512
8cbcca98eef2417932d1bb6acb59c72ca1944b6480551dee372ae2bc50a3f66bfc3cfd834f932b36e63df9b930febec9f1e34a0d54b162e126e91c55a2d95d6a

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDER.EXE

Filesize
47KB

MD5
96da127f30d555f809b5a781eeadb5d4

SHA1
6742daf92406b52d5b98fcf3c8b96aca2f691404

SHA256
f2e3e68a10f9f07b031e2fd3d7d73553ee4639a5e1c2a0775ac0a2ddbeff5e53

SHA512
2c7f2d0bfb65e532f1c1068a93f92c2cd17682de70d8ee84cab47d3b3e80f87d97d16e0d41dee027f3381e5abe9d19f8b2604da7769d36243695be1d79b3be52

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWS SECURITY NANO.EXE

Filesize
209KB

MD5
172214b69dfbf053c83ff8e6b70842bc

SHA1
02e321757925f21b18c96d2e23d6e9a755df59ab

SHA256
da01598ba05a9467fa7cf76d9d212df75886eeeea30a633654dcdf29d8be90d9

SHA512
6b02e7dffd64a8cc7b83e7dcbfbd8d4dfb99f7cc13d5056ffb00efb51f7cf0431bb270b8afa394dbeb4e7b3558261c0ea6bd3a542bd82afd9fbc9c5227f83a42

Download Submit
memory/724-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1308-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1988-48-0x00000000049C0000-0x0000000004A5C000-memory.dmp

Filesize
624KB

Download
memory/1988-33-0x0000000000050000-0x0000000000062000-memory.dmp

Filesize
72KB

Download
memory/1988-30-0x00000000735AE000-0x00000000735AF000-memory.dmp

Filesize
4KB

Download
memory/2212-46-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2452-31-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2452-47-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2696-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3704-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4084-32-0x0000000072FE1000-0x0000000072FE2000-memory.dmp

Filesize
4KB

Download
memory/4084-57-0x0000000072FE0000-0x0000000073591000-memory.dmp

Filesize
5.7MB

Download
memory/4084-59-0x0000000072FE0000-0x0000000073591000-memory.dmp

Filesize
5.7MB

Download
memory/4084-36-0x0000000072FE0000-0x0000000073591000-memory.dmp

Filesize
5.7MB

Download
memory/4084-37-0x0000000072FE0000-0x0000000073591000-memory.dmp

Filesize
5.7MB

Download
memory/4676-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4956-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5332-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5652-45-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5924-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download