Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
25/10/2024, 01:29
General
-
Target
75a6e471f546f407031f9d7dc71e3fe9_JaffaCakes118.exe
-
Size
867KB
-
MD5
75a6e471f546f407031f9d7dc71e3fe9
-
SHA1
4e95d3aab37c18fe8227f5bff852f202c0eeb3eb
-
SHA256
9b8a5b8cbd57e504d47454e1e1b3c85e39de4d2d941cd3b90c3c54d99a12c63f
-
SHA512
635afb5a8ac26243a21872758948c16a4c1a1a16a5e23bbcb7827ccf53e207c92eabe1f30f40ccb0cd8e0bb103916d950173b179876801282c306746743a6fb8
-
SSDEEP
24576:z9CdFrar4Guj/gYOX/VbBXcV31iXhzDtFCi8OLrIoU9jx:zodFr+huj/K/XXO1iXNDtFCROLrujx
Score
10/10
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 27 IoCs
-
Sets file to hidden 1 TTPs 52 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 54 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 27 IoCs
-
Drops file in System32 directory 64 IoCs
-
UPX packed file 45 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 52 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\75a6e471f546f407031f9d7dc71e3fe9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\75a6e471f546f407031f9d7dc71e3fe9_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hh.exe"C:\Users\Admin\AppData\Local\Temp\hh.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\hh.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\hh.exe" +s +h4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\hh.exe"3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 44⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 45⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 46⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"6⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 47⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"7⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"7⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 48⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h9⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h9⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"8⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 49⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"9⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 410⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h11⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"10⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"10⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 411⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"11⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 412⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h13⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"12⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 413⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 414⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h15⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h15⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"14⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 415⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h16⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h16⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"15⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"15⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 416⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h17⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h17⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"16⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"16⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 417⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h18⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h18⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"17⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"17⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 418⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h18⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h19⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h19⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"18⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"18⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 419⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h20⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h20⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"19⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"19⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 420⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h20⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h21⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h20⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h21⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"20⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"20⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 421⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h22⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"21⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"21⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 422⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h22⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h23⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h23⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"22⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"22⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 423⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h24⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h24⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"23⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 424⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h25⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h24⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h25⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"24⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 425⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h26⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h26⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"25⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"25⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 426⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"25⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h26⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h27⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h26⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h27⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"26⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"26⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 427⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h28⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h28⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"27⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"27⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 428⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"27⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h28⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h29⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h28⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h29⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"28⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"28⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 429⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.devid.info.exe"C:\Users\Admin\AppData\Local\Temp\129660.devid.info.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-19775052651164897806-18649838961684695883-1989070087-1864114646-1588095307-755794087"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152KB
MD50464f7cd5a269ce6d73e113ff88e40c2
SHA1e3536313e6444849ae348bdeac2b7c7ae0f35c73
SHA2560c5309e712ab405e1ea0e5b44ca653df714f5a6f1c009fd5e858d7f6966e1d5a
SHA51211fc5b0c14037fe1e337358abe3936ff1d54cbbdcebb443db91caec1ec347cbe8c1254fa17892904979acb633ab067316c412fc225ca26e79018dbeb221f5a06
-
Filesize
54KB
MD5c4b470269324517ee838789c7cf5e606
SHA17005597d55fb26c6260e0772f301c79f030e6d56
SHA2565f9b898315ad8192e87e21a499fd87d31b886513bb39d368476174aaa89a2bf9
SHA512dbadca544434a847238bf107e59aa84bf8df9df899d0c2da2ee62cc28e12d175a81d4e4e0f85d7c394323bf66fb4ac0f413c949700ecdec9a73ed5cf9340aebb
-
Filesize
124KB
MD553b4d555c26e8ab79f37b1a080bd1021
SHA10ecb19d93247302667667537c80091c8b20b52a7
SHA2567ffd04c501481418f40d0e060692380f454f58447ea05368a6377e8e0873fa88
SHA512e388d4d4234fbfd73677c524f0e4123616bd21eb179103b68e6332d9948c202ff0f58f062464f96c401b35306a072533e48caa8c83868eb13fde3047318f9377
-
Filesize
96B
MD5995e05476319ea9d3e4788cd4be7c4d7
SHA1728844ebbe6edbd7100fb4111fdd464e1b1588e2
SHA256ed04a5d4f98937341704abf7d3f45525ad99cdadc75ad2d9758eb3b8a5cabc25
SHA512891f01db8c0e4f8da4eb81fd3419c8caedaf593f9b96cf9cbbccfc11cf88d67b0888a0b70e9b0e93f29e60aa94debb32b9788227abef1fb4307e81a87ace39a9
-
Filesize
25KB
MD569f5462fbb07514b12fbdaded96179a5
SHA1a46a12c4925b1fb4950c8b2cbb8642c254817fff
SHA2568a94fd96bc4a69686fa04576ee5c886368c5a1870ea6d8212332c96bc00267e3
SHA5128b6f7398cabde07035d41973eb75b5a6be7e1c21c36ae2ff034f715e5b7699db93ff4a5bb4456b7a88f95c603d577caa112298cde41fcb5580e92b69a0b07d46
-
Filesize
35KB
MD5ccf453c1d9ef8f5720d409df6e5d149e
SHA12c298fd46ebb8eee934b9d6d447feaea9f1e9f12
SHA25603b9ee5ce4c4eaefcdb042555594cc2133344f173f0b30068a83563fee5b864e
SHA5120f757f7350ae16e3dd8526095b2ea63c6bd5640d99afdc1311d34f62a4011de7768b7b6516da182a6b99c76e7fd706daf980376572f8ffc2e4fe0f907754c29b
-
Filesize
831KB
MD5fbd1bf7fbed25ea9ba00f02dfdd9df86
SHA10d0bdc9132c72ff3de86d32b4659b5a7bb4b613c
SHA256171eb2b75643e66deb5cc6b1a7c6f9633e72fafd6012e7a17e1d97f9c2a513d0
SHA5125577328bfe7bb521cf3c8e1a9872ef251a42e2c7d5f86fc9c4275edf7ec59295d8f354a1c7568cab588bd63719edd3de12a769fe0423a2a6173c246e780a3834
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
884KB
-
Filesize
136KB
-
Filesize
884KB