Analysis
-
max time kernel
72s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04-12-2024 01:47
General
-
Target
c03e82a6e39314c54928043841d1ffbb_JaffaCakes118.exe
-
Size
758KB
-
MD5
c03e82a6e39314c54928043841d1ffbb
-
SHA1
27b8cfb85bab4bafc30e697d1e2550252ae45970
-
SHA256
d9347e1034921f6be1f6de18b355912010a5bc39b5b3575111bf41c7645258d1
-
SHA512
1ba89c6b8a4e67027b28151772f4f5d155523bf9a28c9caba3f32b4b0d6670cf5c51fcc1005c02ab9a682c37d8184e1ae0a21ae3431712ea7289af47838274bd
-
SSDEEP
12288:xXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Ux:dnAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jh
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
xoman.no-ip.org:1604
Mutex
DC_MUTEX-F54S21D
Attributes
-
InstallPath
System32\SysConf.exe
-
gencode
bdPMrREfdjtV
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
SysConf
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c03e82a6e39314c54928043841d1ffbb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c03e82a6e39314c54928043841d1ffbb_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\c03e82a6e39314c54928043841d1ffbb_JaffaCakes118.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\c03e82a6e39314c54928043841d1ffbb_JaffaCakes118.exe" +s +h3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
-
-
C:\Windows\SysWOW64\System32\SysConf.exe"C:\Windows\system32\System32\SysConf.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\SysConf.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\SysConf.exe" +s +h4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32" +s +h4⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\SysConf.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\SysConf.exe" +s +h4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\SysConf.exe" +s +h5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV" +s +h4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV" +s +h5⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h6⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"5⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h7⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h7⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad6⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h8⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h8⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h9⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h9⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad8⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h10⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad9⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h11⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad10⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h12⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h12⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad11⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h13⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad12⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h14⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h14⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad13⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"13⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h15⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h15⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad14⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h16⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h16⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad15⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h16⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h17⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h17⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad16⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h17⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h18⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h18⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad17⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"17⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h18⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h19⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h18⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h19⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad18⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h19⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h20⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h20⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad19⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"19⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h21⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h20⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h21⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad20⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5668 -s 34821⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h22⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h22⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad21⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"21⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h23⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h23⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad22⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h24⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h24⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad23⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h25⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h25⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad24⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"24⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h26⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h26⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad25⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"25⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h26⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h27⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h26⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h27⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad26⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"26⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h28⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h28⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad27⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h28⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h29⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h28⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h29⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad28⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h29⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV130⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h30⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h29⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h30⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad29⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"29⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h30⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h31⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h30⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h31⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad30⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"30⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h32⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h32⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad31⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"31⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h32⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h33⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h32⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h33⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad32⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"32⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h33⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h34⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h33⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h34⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad33⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"33⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h34⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h35⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h34⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h35⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad34⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"34⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h35⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h36⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h35⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h36⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad35⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"35⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h36⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h37⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h36⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h37⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad36⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"36⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h37⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h38⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h37⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h38⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad37⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"37⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h38⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h39⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h38⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h39⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad38⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h39⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h40⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h39⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h40⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad39⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"39⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h40⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h41⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h40⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h41⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad40⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"40⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h42⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h42⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad41⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"41⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h42⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h43⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h42⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h43⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad42⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"42⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h43⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h44⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h43⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h44⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad43⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"43⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h44⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h45⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h44⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h45⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad44⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"44⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h46⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h46⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad45⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"45⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h46⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h47⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h46⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h47⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad46⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"46⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h48⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h48⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad47⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"47⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h48⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h49⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h48⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h49⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad48⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"48⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h49⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV150⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h50⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h49⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h50⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad49⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"49⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h50⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h51⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h50⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h51⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad50⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"50⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h51⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h52⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h51⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h52⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad51⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"51⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h52⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h53⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h52⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h53⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad52⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"52⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h53⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h54⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h53⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h54⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad53⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"53⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h54⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h55⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h54⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h55⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad54⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"54⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h55⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h56⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h55⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h56⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad55⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"55⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h56⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h57⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h56⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h57⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad56⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"56⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h58⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h58⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad57⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"57⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h58⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h59⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h58⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h59⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad58⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"58⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h60⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h60⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad59⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"59⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h60⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h61⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h60⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h61⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad60⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"60⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h62⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h62⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad61⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"61⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h62⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h63⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h62⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h63⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad62⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"62⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h64⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h63⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV164⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h64⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad63⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"63⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h64⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h65⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h64⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h65⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad64⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"64⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h66⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h66⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad65⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"65⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h66⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h67⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h66⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h67⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad66⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"66⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h67⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h68⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h67⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h68⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad67⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"67⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h68⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h69⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h68⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad68⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"68⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h70⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h70⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad69⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"69⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h70⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h71⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h70⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h71⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad70⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"70⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h71⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h72⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h71⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h72⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad71⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"71⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h72⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h73⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h72⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h73⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad72⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"72⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h74⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h74⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad73⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"73⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h74⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h75⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h74⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h75⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad74⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"74⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h75⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h76⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h75⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h76⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad75⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"75⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h76⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h77⤵
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h76⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h77⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad76⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"76⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h77⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h78⤵
- Sets file to hidden
- Drops file in System32 directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h77⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV178⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h78⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad77⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"77⤵
- Modifies WinLogon for persistence
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h78⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h79⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h78⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h79⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad78⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"78⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h79⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV180⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h80⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h79⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h80⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad79⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"79⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h80⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h81⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h80⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h81⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad80⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"80⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h81⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h82⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h81⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h82⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad81⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"81⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h82⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h83⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h82⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h83⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad82⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"82⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h83⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h84⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h83⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h84⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad83⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"83⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h84⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h85⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h84⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h85⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad84⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"84⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h85⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h86⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h85⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h86⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad85⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"85⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h86⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h87⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h86⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h87⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad86⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"86⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h87⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h88⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h87⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV188⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h88⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad87⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"87⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h88⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h89⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h88⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h89⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad88⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"88⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h89⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h90⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h89⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h90⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad89⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"89⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h90⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h91⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h90⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h91⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad90⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"90⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h91⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h92⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h91⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h92⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad91⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"91⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h92⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h93⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h92⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h93⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad92⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"92⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h93⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h94⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h93⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h94⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad93⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"93⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h94⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h95⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h94⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h95⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad94⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"94⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h95⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h96⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h95⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h96⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad95⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"95⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h96⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h97⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h96⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h97⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad96⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"96⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h97⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h98⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h97⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h98⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad97⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"97⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h98⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h99⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h98⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h99⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad98⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"98⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h99⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h100⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h99⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1100⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h100⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad99⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"99⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h100⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h101⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h100⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h101⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad100⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"100⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h101⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h102⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h101⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h102⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad101⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"101⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h102⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h103⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h102⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h103⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad102⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"102⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h103⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h104⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h103⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h104⤵
- Sets file to hidden
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad103⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"103⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h104⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe" +s +h105⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV" +s +h104⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad104⤵
-
-
C:\Windows\SysWOW64\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"C:\Windows\system32\System32\bdPMrREfdjtV\bdPMrREfdjtV\SysConf.exe"104⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 5668 -ip 56681⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
758KB
MD5c03e82a6e39314c54928043841d1ffbb
SHA127b8cfb85bab4bafc30e697d1e2550252ae45970
SHA256d9347e1034921f6be1f6de18b355912010a5bc39b5b3575111bf41c7645258d1
SHA5121ba89c6b8a4e67027b28151772f4f5d155523bf9a28c9caba3f32b4b0d6670cf5c51fcc1005c02ab9a682c37d8184e1ae0a21ae3431712ea7289af47838274bd
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
4KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
4KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB