Analysis
- Max time kernel: 150s
- Max time network: 149s
- Platform: windows7_x64
- Resource: win7-20240708-en
- Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- Submitted: 31-07-2024 17:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe
- Size: 708KB
- MD5: 7d6816ca8761c9611542c326105efbbf
- SHA1: 8ad553cd6ee105cf6050b8017ecf88319fc4ff8c
- SHA256: f37dc2aab4817b85c6b2caf9c5ed0790d4613fd9248207c7c37270c13aafed4c
- SHA512: 3d62ec55922034b43828ad2232b89b72db0a08af7bcff1047ed27c6174f18ddb6e76f7433584e02e548abcdd2eb77d143ef8d3dce744fc18d667a2d85764b853
- SSDEEP: 12288:GkgiBS7Q7MKrOtxf+zbp6+rZg5vqxsIM3Ep5DPEL1Corj5pRXQhYuRv86:ZV8U7MVxIFbZgpqfR5o3j5PACyj
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: mynet.m3th.org:8745
- Mutex: DC_MUTEX-2AE3ZR7
- gencode: MRTgxCEg0e7q
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (25 IoCs)
  Processes: lodctr.exe, PIDs 2900, 2596, 2712, 2916, 2272, 2976, 812, 2308, 1872, 1980, 2012, 1940, 308, 1596, 2356, 2788, 1084, 2112, 952, 600, 1672, 1408, 1116, 2224, 2364
- Loads dropped DLL (1 IoC)
  Processes: 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe (PID 1604)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1604 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe set thread context of PID 1612 AppLaunch.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 27 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of the 25 lodctr.exe processes, by AppLaunch.exe, and by 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe (PID 1604), 64 events
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  PID 1604 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe: Token SeDebugPrivilege
  PID 1612 AppLaunch.exe: Tokens SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: AppLaunch.exe (PID 1612)
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1604 7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe wrote to memory of PID 1612 AppLaunch.exe (16 events) and of lodctr.exe PIDs 2900, 2596, 2712, 2916, 2272, 2976, 812, 2308, 1872, 1980, 2012, 1940 (4 events each)
Processes
- C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe (PID 1604)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d6816ca8761c9611542c326105efbbf_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (PID 1612)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe, 25 child instances (PIDs 2900, 2596, 2712, 2916, 2272, 2976, 812, 2308, 1872, 1980, 2012, 1940, 308, 1596, 2356, 2788, 1084, 2112, 952, 600, 1672, 1408, 1116, 2224, 2364)
    Command line (each): "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lodctr.exe"
    Signatures (each): Executes dropped EXE; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 7a42e78aa3fbb2ae0ff164c239c1fd81
  SHA1: a492a76a98f67c17ae93d6d619e173eed6eaaae4
  SHA256: 78604f7e3b34d01ac8204694cdc77bdb6e72612beb5f70719e7236ff029711a8
  SHA512: 238945d8463275d9a4d658429190120ccc138531d19202bceba0e13a7464e50970c1ee7ed9af1f980c53460fad1931efc25629061d6cb8dbebda5c13b94116e0