Analysis
-
max time kernel
78s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
14/10/2024, 20:55
General
-
Target
4424ff327fc46ccbf1e122212df6f6c0_JaffaCakes118.exe
-
Size
993KB
-
MD5
4424ff327fc46ccbf1e122212df6f6c0
-
SHA1
b1d555f699b5c1f04cf05b5a09f7c03195275b71
-
SHA256
34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0b
-
SHA512
91c752aa8d6e5f27f783f16c518ea41c3d3cd1d11eb610447a4b268ffa280489c51ca70ed46b4797aa5d8f8d581e98f6e97c45a62b4ac25fe9b5b7429846d9cf
-
SSDEEP
24576:2AojG2m6TtySYXU9/UwlPGhnxy4i9XCWsu5agFya3T5OeZINOh:A/PtySL9/UwluhnhuyWZagdTcuIQh
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
Dyn-NoIp
C2
rezausa.no-ip.org:3030
rezausa.dyndns.org:3030
Mutex
DC_MUTEX-S2T3FWA
Attributes
-
InstallPath
taskhost.exe
-
gencode
MR9sLp0UQRG4
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 42 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 42 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks BIOS information in registry 2 TTPs 42 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Identifies Wine through registry keys 2 TTPs 42 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 42 IoCs
-
Checks whether UAC is enabled 1 TTPs 42 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 42 IoCs
-
UPX packed file 46 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 42 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4424ff327fc46ccbf1e122212df6f6c0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4424ff327fc46ccbf1e122212df6f6c0_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4424ff327fc46ccbf1e122212df6f6c0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\4424ff327fc46ccbf1e122212df6f6c0_JaffaCakes118.exe2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4424ff327fc46ccbf1e122212df6f6c0_JaffaCakes118.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\4424ff327fc46ccbf1e122212df6f6c0_JaffaCakes118.exe" +s +h4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Deletes itself
-
-
C:\Windows\SysWOW64\taskhost.exe"C:\Windows\system32\taskhost.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskhost.exeC:\Windows\SysWOW64\taskhost.exe4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\taskhost.exe" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\taskhost.exe" +s +h6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h6⤵
- Sets file to hidden
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\taskhost.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4" +s +h8⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h10⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad9⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h12⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h12⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad11⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"11⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h14⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h14⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad13⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"13⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h16⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h16⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad15⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"15⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h18⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h17⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h18⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad17⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"17⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h20⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h20⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad19⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"19⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h22⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h21⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad21⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"21⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h24⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h24⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad23⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"23⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h26⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h26⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad25⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"25⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h27⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h28⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h27⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h28⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad27⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"27⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h29⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h30⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h29⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h30⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad29⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"29⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe30⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h32⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h31⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h32⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad31⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"31⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe32⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h33⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h34⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h33⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h34⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad33⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"33⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe34⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h35⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h36⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h35⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h36⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad35⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"35⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe36⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h37⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h38⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h37⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h38⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad37⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"37⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe38⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h39⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h40⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h39⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h40⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad39⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"39⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h42⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h42⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad41⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"41⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe42⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h43⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h44⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h43⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h44⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad43⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"43⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe44⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h46⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h46⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad45⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"45⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe46⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h48⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h48⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad47⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"47⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe48⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h50⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h50⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad49⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"49⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe50⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h51⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h52⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h51⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h52⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad51⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"51⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe52⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h53⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h54⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h53⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h54⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad53⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"53⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe54⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h55⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h56⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h55⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h56⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad55⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"55⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe56⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h58⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h58⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad57⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"57⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe58⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h60⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h60⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad59⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"59⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe60⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h62⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h62⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad61⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"61⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe62⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h64⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h64⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad63⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"63⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe64⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h66⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h66⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad65⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"65⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe66⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h67⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h67⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h68⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad67⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"67⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe68⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h70⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h70⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad69⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"69⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe70⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h71⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h72⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h71⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h72⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad71⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"71⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe72⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h74⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h73⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h74⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad73⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"73⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe74⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h75⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h76⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h75⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h76⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad75⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"75⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe76⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h77⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h78⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h77⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h78⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad77⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"77⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe78⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h79⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h80⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h79⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h80⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad79⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"79⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe80⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h81⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h82⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h81⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad81⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"81⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe82⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h83⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h84⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h83⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h84⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad83⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"83⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe84⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h85⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h86⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h85⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h86⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad85⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"85⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe86⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h87⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h88⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h87⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h88⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad87⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"87⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe88⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h89⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h90⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h89⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h90⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad89⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"89⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe90⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h91⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h92⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h91⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h92⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad91⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"91⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe92⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h93⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h94⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h93⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h94⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad93⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"93⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe94⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h95⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h96⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h95⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h96⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad95⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"95⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe96⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h97⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h98⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h97⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h98⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad97⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"97⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe98⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h99⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h100⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h99⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h100⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad99⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"99⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe100⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h101⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h102⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h101⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h102⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad101⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"101⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe102⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h103⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h104⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h103⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h104⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad103⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"103⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe104⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h105⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h106⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h105⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h106⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad105⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"105⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe106⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h107⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h108⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h107⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h108⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad107⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"107⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe108⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h109⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h110⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h109⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h110⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad109⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"109⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe110⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h111⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h112⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h111⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h112⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad111⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"111⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe112⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h113⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h114⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h113⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h114⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad113⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"113⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe114⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h115⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h116⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h115⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h116⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad115⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"115⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe116⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h117⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h118⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h117⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h118⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad117⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"117⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe118⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h119⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h120⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h119⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h120⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad119⤵
-
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"119⤵
-
C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exeC:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe120⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-