5e7924badff6e80d8de2ae47526f7ecad763ea70827df3044e13fb6afc87155f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 01:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bf839ad3ea2c2ff760faefd519b34e9f.exe
Size

120KB
MD5

bf839ad3ea2c2ff760faefd519b34e9f
SHA1

2f28876e02775a246b133f632a1aa8d0d238bb28
SHA256

5e7924badff6e80d8de2ae47526f7ecad763ea70827df3044e13fb6afc87155f
SHA512

81bee189e17310a4bdf00dd2fcab0633959edef1e96ac7c4969359f2ca3c8842474b693b144eea2749e54254babfebb627aa7a439df33ba395a6f947ac5ff51e
SSDEEP

1536:rqka8wstji9A1g22OHe1Zn+pfp9wbkARrNaaeHVqzuqka8wstji9A1z:fa8P4ad819+pfMjriMzwa8P4aJ

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 46 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2668	attrib.exe
1468	attrib.exe
2108	attrib.exe
3520	attrib.exe
3216	attrib.exe
1284	attrib.exe
4004	attrib.exe
1292	attrib.exe
1248	attrib.exe
4356	attrib.exe
2872	attrib.exe
3460	attrib.exe
2632	attrib.exe
4820	attrib.exe
4516	attrib.exe
4368	attrib.exe
4712	attrib.exe
1208	attrib.exe
4420	attrib.exe
3344	attrib.exe
2900	attrib.exe
4860	attrib.exe
2464	attrib.exe
1948	attrib.exe
4336	attrib.exe
4680	attrib.exe
3616	attrib.exe
3060	attrib.exe
3676	attrib.exe
1248	attrib.exe
3224	attrib.exe
3756	attrib.exe
3424	attrib.exe
312	attrib.exe
4592	attrib.exe
64	attrib.exe
2904	attrib.exe
4860	attrib.exe
2996	attrib.exe
5092	attrib.exe
1188	attrib.exe
4852	attrib.exe
1080	attrib.exe
4336	attrib.exe
2852	attrib.exe
1700	attrib.exe

Executes dropped EXE 46 IoCs

pid	Process
3168	winservice.exe
3164	winservice.exe
4548	winservice.exe
720	winservice.exe
216	winservice.exe
3344	winservice.exe
2616	winservice.exe
4144	winservice.exe
4616	winservice.exe
1208	winservice.exe
208	winservice.exe
4036	winservice.exe
4456	winservice.exe
2668	winservice.exe
4080	winservice.exe
4336	winservice.exe
3744	winservice.exe
4544	winservice.exe
2728	winservice.exe
4864	winservice.exe
3820	winservice.exe
4456	winservice.exe
4164	winservice.exe
3680	winservice.exe
2548	winservice.exe
2336	winservice.exe
1892	winservice.exe
1752	winservice.exe
4636	winservice.exe
4396	winservice.exe
3992	winservice.exe
2876	winservice.exe
1284	winservice.exe
3936	winservice.exe
2308	winservice.exe
2580	winservice.exe
2552	winservice.exe
4776	winservice.exe
4636	winservice.exe
4036	winservice.exe
3704	winservice.exe
2916	winservice.exe
1600	winservice.exe
4248	winservice.exe
3992	winservice.exe
772	winservice.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	bf839ad3ea2c2ff760faefd519b34e9f.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	cmd.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\winservice.exe	cmd.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\winservice.exe	attrib.exe
File created	C:\Windows\SysWOW64\705.5475.bat	winservice.exe

Runs ping.exe 1 TTPs 47 IoCs

Remote System Discovery

T1018

pid	Process
1876	PING.EXE
4776	PING.EXE
3964	PING.EXE
3252	PING.EXE
4164	PING.EXE
3936	PING.EXE
8	PING.EXE
2548	PING.EXE
5048	PING.EXE
3284	PING.EXE
4868	PING.EXE
3712	PING.EXE
4076	PING.EXE
3192	PING.EXE
2752	PING.EXE
1516	PING.EXE
2312	PING.EXE
2904	PING.EXE
3712	PING.EXE
3732	PING.EXE
4980	PING.EXE
1700	PING.EXE
1208	PING.EXE
4644	PING.EXE
3400	PING.EXE
2080	PING.EXE
1096	PING.EXE
2216	PING.EXE
1172	PING.EXE
3740	PING.EXE
5036	PING.EXE
4812	PING.EXE
3484	PING.EXE
1944	PING.EXE
4280	PING.EXE
4600	PING.EXE
5048	PING.EXE
1328	PING.EXE
4132	PING.EXE
1248	PING.EXE
1452	PING.EXE
4176	PING.EXE
1280	PING.EXE
224	PING.EXE
1516	PING.EXE
4888	PING.EXE
1360	PING.EXE

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
4612	bf839ad3ea2c2ff760faefd519b34e9f.exe
3168	winservice.exe
3164	winservice.exe
4548	winservice.exe
720	winservice.exe
216	winservice.exe
3344	winservice.exe
2616	winservice.exe
4144	winservice.exe
4616	winservice.exe
1208	winservice.exe
208	winservice.exe
4036	winservice.exe
4456	winservice.exe
2668	winservice.exe
4080	winservice.exe
4336	winservice.exe
3744	winservice.exe
4544	winservice.exe
2728	winservice.exe
4864	winservice.exe
3820	winservice.exe
4456	winservice.exe
4164	winservice.exe
3680	winservice.exe
2548	winservice.exe
2336	winservice.exe
1892	winservice.exe
1752	winservice.exe
4636	winservice.exe
4396	winservice.exe
3992	winservice.exe
2876	winservice.exe
1284	winservice.exe
3936	winservice.exe
2308	winservice.exe
2580	winservice.exe
2552	winservice.exe
4776	winservice.exe
4636	winservice.exe
4036	winservice.exe
3704	winservice.exe
2916	winservice.exe
1600	winservice.exe
4248	winservice.exe
3992	winservice.exe
772	winservice.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 1256	4612	bf839ad3ea2c2ff760faefd519b34e9f.exe	88
PID 4612 wrote to memory of 1256	4612	bf839ad3ea2c2ff760faefd519b34e9f.exe	88
PID 4612 wrote to memory of 1256	4612	bf839ad3ea2c2ff760faefd519b34e9f.exe	88
PID 1256 wrote to memory of 1248	1256	cmd.exe	90
PID 1256 wrote to memory of 1248	1256	cmd.exe	90
PID 1256 wrote to memory of 1248	1256	cmd.exe	90
PID 1256 wrote to memory of 2668	1256	cmd.exe	94
PID 1256 wrote to memory of 2668	1256	cmd.exe	94
PID 1256 wrote to memory of 2668	1256	cmd.exe	94
PID 1256 wrote to memory of 3168	1256	cmd.exe	95
PID 1256 wrote to memory of 3168	1256	cmd.exe	95
PID 1256 wrote to memory of 3168	1256	cmd.exe	95
PID 3168 wrote to memory of 3420	3168	winservice.exe	96
PID 3168 wrote to memory of 3420	3168	winservice.exe	96
PID 3168 wrote to memory of 3420	3168	winservice.exe	96
PID 3420 wrote to memory of 3712	3420	cmd.exe	98
PID 3420 wrote to memory of 3712	3420	cmd.exe	98
PID 3420 wrote to memory of 3712	3420	cmd.exe	98
PID 3420 wrote to memory of 1468	3420	cmd.exe	103
PID 3420 wrote to memory of 1468	3420	cmd.exe	103
PID 3420 wrote to memory of 1468	3420	cmd.exe	103
PID 3420 wrote to memory of 3164	3420	cmd.exe	104
PID 3420 wrote to memory of 3164	3420	cmd.exe	104
PID 3420 wrote to memory of 3164	3420	cmd.exe	104
PID 3164 wrote to memory of 3132	3164	winservice.exe	105
PID 3164 wrote to memory of 3132	3164	winservice.exe	105
PID 3164 wrote to memory of 3132	3164	winservice.exe	105
PID 3132 wrote to memory of 1452	3132	cmd.exe	107
PID 3132 wrote to memory of 1452	3132	cmd.exe	107
PID 3132 wrote to memory of 1452	3132	cmd.exe	107
PID 3132 wrote to memory of 312	3132	cmd.exe	109
PID 3132 wrote to memory of 312	3132	cmd.exe	109
PID 3132 wrote to memory of 312	3132	cmd.exe	109
PID 3132 wrote to memory of 4548	3132	cmd.exe	110
PID 3132 wrote to memory of 4548	3132	cmd.exe	110
PID 3132 wrote to memory of 4548	3132	cmd.exe	110
PID 4548 wrote to memory of 3964	4548	winservice.exe	111
PID 4548 wrote to memory of 3964	4548	winservice.exe	111
PID 4548 wrote to memory of 3964	4548	winservice.exe	111
PID 3964 wrote to memory of 3400	3964	cmd.exe	113
PID 3964 wrote to memory of 3400	3964	cmd.exe	113
PID 3964 wrote to memory of 3400	3964	cmd.exe	113
PID 3964 wrote to memory of 4592	3964	cmd.exe	115
PID 3964 wrote to memory of 4592	3964	cmd.exe	115
PID 3964 wrote to memory of 4592	3964	cmd.exe	115
PID 3964 wrote to memory of 720	3964	cmd.exe	116
PID 3964 wrote to memory of 720	3964	cmd.exe	116
PID 3964 wrote to memory of 720	3964	cmd.exe	116
PID 720 wrote to memory of 3936	720	winservice.exe	117
PID 720 wrote to memory of 3936	720	winservice.exe	117
PID 720 wrote to memory of 3936	720	winservice.exe	117
PID 3936 wrote to memory of 4164	3936	cmd.exe	119
PID 3936 wrote to memory of 4164	3936	cmd.exe	119
PID 3936 wrote to memory of 4164	3936	cmd.exe	119
PID 3936 wrote to memory of 3060	3936	cmd.exe	121
PID 3936 wrote to memory of 3060	3936	cmd.exe	121
PID 3936 wrote to memory of 3060	3936	cmd.exe	121
PID 3936 wrote to memory of 216	3936	cmd.exe	122
PID 3936 wrote to memory of 216	3936	cmd.exe	122
PID 3936 wrote to memory of 216	3936	cmd.exe	122
PID 216 wrote to memory of 3152	216	winservice.exe	123
PID 216 wrote to memory of 3152	216	winservice.exe	123
PID 216 wrote to memory of 3152	216	winservice.exe	123
PID 3152 wrote to memory of 3732	3152	cmd.exe	125

Views/modifies file attributes 1 TTPs 46 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
64	attrib.exe
1248	attrib.exe
3224	attrib.exe
1284	attrib.exe
2668	attrib.exe
3676	attrib.exe
1248	attrib.exe
2996	attrib.exe
3216	attrib.exe
1948	attrib.exe
4004	attrib.exe
4712	attrib.exe
4420	attrib.exe
2872	attrib.exe
3060	attrib.exe
4680	attrib.exe
2632	attrib.exe
3616	attrib.exe
1292	attrib.exe
5092	attrib.exe
1700	attrib.exe
312	attrib.exe
4336	attrib.exe
4516	attrib.exe
4368	attrib.exe
1208	attrib.exe
3756	attrib.exe
4592	attrib.exe
3460	attrib.exe
3344	attrib.exe
2900	attrib.exe
1188	attrib.exe
4860	attrib.exe
1080	attrib.exe
3424	attrib.exe
2464	attrib.exe
4860	attrib.exe
2852	attrib.exe
1468	attrib.exe
4852	attrib.exe
4820	attrib.exe
4336	attrib.exe
2904	attrib.exe
2108	attrib.exe
3520	attrib.exe
4356	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bf839ad3ea2c2ff760faefd519b34e9f.exe
"C:\Users\Admin\AppData\Local\Temp\bf839ad3ea2c2ff760faefd519b34e9f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.1
    3⤵
    - Runs ping.exe
    PID:1248
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Windows\system32\winservice.exe"
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2668
- - C:\Windows\SysWOW64\winservice.exe
    "C:\Windows\system32\winservice.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3420
    - - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        5⤵
        Runs ping.exe
        
        PID:3712
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1468
    - - C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3164
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        7⤵
        Runs ping.exe
        
        PID:1452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        7⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:312
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        9⤵
        Runs ping.exe
        
        PID:3400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        9⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4592
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        11⤵
        Runs ping.exe
        
        PID:4164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        11⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3060
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        13⤵
        Runs ping.exe
        
        PID:3732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        13⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4852
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        14⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        15⤵
        Runs ping.exe
        
        PID:3484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        15⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3460
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        16⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        17⤵
        Runs ping.exe
        
        PID:2080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        17⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:64
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        18⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        19⤵
        Runs ping.exe
        
        PID:4600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        19⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4336
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        20⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        21⤵
        Runs ping.exe
        
        PID:1944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        21⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4680
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        22⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        23⤵
        Runs ping.exe
        
        PID:3936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        23⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2632
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        24⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        25⤵
        Runs ping.exe
        
        PID:1280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        25⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1080
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        26⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        27⤵
        Runs ping.exe
        
        PID:4076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        27⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4820
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        28⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        29⤵
        Runs ping.exe
        
        PID:5048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        29⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3676
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        30⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        31⤵
        Runs ping.exe
        
        PID:4980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        31⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4516
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        32⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        33⤵
        Runs ping.exe
        
        PID:3192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        33⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4368
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        34⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        35⤵
        Runs ping.exe
        
        PID:1328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        35⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4004
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        36⤵
        
        PID:772
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        37⤵
        Runs ping.exe
        
        PID:2752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        37⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3616
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        38⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        39⤵
        Runs ping.exe
        
        PID:4868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        39⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1248
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        40⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        41⤵
        Runs ping.exe
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        41⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4712
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        42⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        43⤵
        Runs ping.exe
        
        PID:4132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        43⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4336
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        44⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        45⤵
        Runs ping.exe
        
        PID:1096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        45⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1208
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        46⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        47⤵
        Runs ping.exe
        
        PID:1876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        47⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3224
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        48⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        49⤵
        Runs ping.exe
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        49⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2904
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        50⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        51⤵
        Runs ping.exe
        
        PID:1172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        51⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3756
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        52⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        53⤵
        Runs ping.exe
        
        PID:3712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        53⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1292
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        54⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        55⤵
        Runs ping.exe
        
        PID:3740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        55⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2108
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        56⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        57⤵
        Runs ping.exe
        
        PID:224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        57⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4420
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        58⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        59⤵
        Runs ping.exe
        
        PID:1516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        59⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1248
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        60⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        61⤵
        Runs ping.exe
        
        PID:8
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        61⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4860
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        62⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        63⤵
        Runs ping.exe
        
        PID:2312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        63⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3344
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        64⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        65⤵
        Runs ping.exe
        
        PID:2548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        65⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2852
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        66⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        67⤵
        Runs ping.exe
        
        PID:4776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        67⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2996
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        67⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        68⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        69⤵
        Runs ping.exe
        
        PID:4888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        69⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3520
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        69⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        70⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        71⤵
        Runs ping.exe
        
        PID:5048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        71⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2900
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        71⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        72⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        73⤵
        Runs ping.exe
        
        PID:5036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        73⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1700
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        73⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        74⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        75⤵
        Runs ping.exe
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        75⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:5092
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        75⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        76⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        77⤵
        Runs ping.exe
        
        PID:3964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        77⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3216
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        77⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        78⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        79⤵
        Runs ping.exe
        
        PID:1516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        79⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1188
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        79⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        80⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        81⤵
        Runs ping.exe
        
        PID:2904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        81⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1948
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        81⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        82⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        83⤵
        Runs ping.exe
        
        PID:4812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        83⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3424
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        83⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        84⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        85⤵
        Runs ping.exe
        
        PID:1208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        85⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4356
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        85⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        86⤵
        
        PID:224
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        87⤵
        Runs ping.exe
        
        PID:4280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        87⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1284
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        87⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        88⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        89⤵
        Runs ping.exe
        
        PID:3284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        89⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4860
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        89⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        90⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        91⤵
        Runs ping.exe
        
        PID:4176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        91⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2464
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        91⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        92⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        93⤵
        Runs ping.exe
        
        PID:4644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\winservice.exe"
        93⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2872
        
        C:\Windows\SysWOW64\winservice.exe
        
        "C:\Windows\system32\winservice.exe"
        93⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\705.5475.bat
        94⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.1
        95⤵
        Runs ping.exe
        
        PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\705.5475.bat

Filesize
312B

MD5
ed0364126b17ff18a2c897c600576693

SHA1
5be37cc08d3de4c97474e7ab82f2d723523f4a60

SHA256
c3eee682589477768ddef9b594c5b483f81e4d39e5cf8cea2e3b25cb037917f9

SHA512
fb840f9b971cd5637f238c3d27de854ab842677e8e09876b2be315638adc9912da03b712de84a9fda585d93bb406bfacd88c0c6b45323c3765573dac2cd80504

Download Submit
C:\Windows\SysWOW64\705.5475.bat

Filesize
240B

MD5
7809be270b98c3072fea24debc519f4d

SHA1
65802bdfc40ed5628f00f84012f19b18fe1d03ab

SHA256
960565aa925a5a39454e67b61d3feec9ae9e9eed0f472194d724176ef1988828

SHA512
72000be21a58a22e0ad42669bf14c2f94be163b892dfb2d0e9259f2cff38f64465bc3ef8967481b2d021cb6d43a2446d39be8d026d84ff526598171c6daf0040

Download Submit
C:\Windows\SysWOW64\winservice.exe

Filesize
120KB

MD5
bf839ad3ea2c2ff760faefd519b34e9f

SHA1
2f28876e02775a246b133f632a1aa8d0d238bb28

SHA256
5e7924badff6e80d8de2ae47526f7ecad763ea70827df3044e13fb6afc87155f

SHA512
81bee189e17310a4bdf00dd2fcab0633959edef1e96ac7c4969359f2ca3c8842474b693b144eea2749e54254babfebb627aa7a439df33ba395a6f947ac5ff51e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads